quasar | c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

Analysis

max time kernel
145s
max time network
143s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
Size

3.1MB
MD5

1ece671b499dd687e3154240e73ff8a0
SHA1

f66daf528e91d1d0050f93ad300447142d8d48bc
SHA256

c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1
SHA512

0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc
SSDEEP

49152:7vTz92YpaQI6oPZlhP3ReybewoqC01JWRoGdl2XTHHB72eh2NT:7vn92YpaQI6oPZlhP3YybewoqCZ

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

eeeb55fc-ba05-43e4-97f6-732f35b891b4

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/2332-1-0x00000000001C0000-0x00000000004E4000-memory.dmp	family_quasar
behavioral1/files/0x0009000000016ccc-6.dat	family_quasar
behavioral1/memory/2056-9-0x00000000002E0000-0x0000000000604000-memory.dmp	family_quasar
behavioral1/memory/2920-24-0x0000000000220000-0x0000000000544000-memory.dmp	family_quasar
behavioral1/memory/988-35-0x0000000000BC0000-0x0000000000EE4000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2056	User Application Data.exe
2920	User Application Data.exe
988	User Application Data.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Quasar	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File created	C:\Program Files\Quasar\User Application Data.exe	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2840	PING.EXE
1196	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2840	PING.EXE
1196	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2824	schtasks.exe
520	schtasks.exe
452	schtasks.exe
1948	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
Token: SeDebugPrivilege	2056	User Application Data.exe
Token: SeDebugPrivilege	2920	User Application Data.exe
Token: SeDebugPrivilege	988	User Application Data.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2056	User Application Data.exe
2920	User Application Data.exe
988	User Application Data.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1948	2332	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	31
PID 2332 wrote to memory of 1948	2332	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	31
PID 2332 wrote to memory of 1948	2332	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	31
PID 2332 wrote to memory of 2056	2332	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	33
PID 2332 wrote to memory of 2056	2332	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	33
PID 2332 wrote to memory of 2056	2332	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	33
PID 2056 wrote to memory of 2824	2056	User Application Data.exe	34
PID 2056 wrote to memory of 2824	2056	User Application Data.exe	34
PID 2056 wrote to memory of 2824	2056	User Application Data.exe	34
PID 2056 wrote to memory of 1064	2056	User Application Data.exe	36
PID 2056 wrote to memory of 1064	2056	User Application Data.exe	36
PID 2056 wrote to memory of 1064	2056	User Application Data.exe	36
PID 1064 wrote to memory of 2952	1064	cmd.exe	38
PID 1064 wrote to memory of 2952	1064	cmd.exe	38
PID 1064 wrote to memory of 2952	1064	cmd.exe	38
PID 1064 wrote to memory of 2840	1064	cmd.exe	39
PID 1064 wrote to memory of 2840	1064	cmd.exe	39
PID 1064 wrote to memory of 2840	1064	cmd.exe	39
PID 1064 wrote to memory of 2920	1064	cmd.exe	40
PID 1064 wrote to memory of 2920	1064	cmd.exe	40
PID 1064 wrote to memory of 2920	1064	cmd.exe	40
PID 2920 wrote to memory of 520	2920	User Application Data.exe	41
PID 2920 wrote to memory of 520	2920	User Application Data.exe	41
PID 2920 wrote to memory of 520	2920	User Application Data.exe	41
PID 2920 wrote to memory of 3016	2920	User Application Data.exe	44
PID 2920 wrote to memory of 3016	2920	User Application Data.exe	44
PID 2920 wrote to memory of 3016	2920	User Application Data.exe	44
PID 3016 wrote to memory of 1828	3016	cmd.exe	46
PID 3016 wrote to memory of 1828	3016	cmd.exe	46
PID 3016 wrote to memory of 1828	3016	cmd.exe	46
PID 3016 wrote to memory of 1196	3016	cmd.exe	47
PID 3016 wrote to memory of 1196	3016	cmd.exe	47
PID 3016 wrote to memory of 1196	3016	cmd.exe	47
PID 3016 wrote to memory of 988	3016	cmd.exe	48
PID 3016 wrote to memory of 988	3016	cmd.exe	48
PID 3016 wrote to memory of 988	3016	cmd.exe	48
PID 988 wrote to memory of 452	988	User Application Data.exe	49
PID 988 wrote to memory of 452	988	User Application Data.exe	49
PID 988 wrote to memory of 452	988	User Application Data.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
"C:\Users\Admin\AppData\Local\Temp\c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1948
- C:\Program Files\Quasar\User Application Data.exe
  "C:\Program Files\Quasar\User Application Data.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2824
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\48qzYL4CqHwW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2952
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2840
  - - C:\Program Files\Quasar\User Application Data.exe
      "C:\Program Files\Quasar\User Application Data.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:520
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wd5O8FrA7fn4.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1828
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1196
      - C:\Program Files\Quasar\User Application Data.exe
        
        "C:\Program Files\Quasar\User Application Data.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
1ece671b499dd687e3154240e73ff8a0

SHA1
f66daf528e91d1d0050f93ad300447142d8d48bc

SHA256
c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

SHA512
0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\48qzYL4CqHwW.bat

Filesize
208B

MD5
7398b8c89bdcb7946e983de7bf78aab4

SHA1
dc1c27f1e852f199bb39e0f7867703c2b98b9395

SHA256
4eafcc1932755c25c70a881134098915ff8081e8d6bbd74c7fd616689374c156

SHA512
a7b59561898a38a301718523fc4b043124f4af122b612232c80838a3254db7563a60d230fec16f2c124eea5dd1ef89ba179caac69053236874e6c125cf80bd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wd5O8FrA7fn4.bat

Filesize
208B

MD5
3ea9eb461db4f6ef1d80824f30f9a0bb

SHA1
924cc9d9bd48374439d644f90a6f38c0491577d7

SHA256
67e3de246d0478c822de9e3993a72b9b03c9e73a735f68233a20de59d92fc451

SHA512
0abe55ff82e78fa8807ccbc8b7cc080e45088f5382ee63e953daf1cc2bccef5ca81174b4db089ac100ddc8fa1f6b1b6ac29118253d0005af7ced8ad24269cb7a

Download Submit
memory/988-35-0x0000000000BC0000-0x0000000000EE4000-memory.dmp

Filesize
3.1MB

Download
memory/2056-10-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2056-9-0x00000000002E0000-0x0000000000604000-memory.dmp

Filesize
3.1MB

Download
memory/2056-11-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2056-12-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2056-22-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2332-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2332-1-0x00000000001C0000-0x00000000004E4000-memory.dmp

Filesize
3.1MB

Download
memory/2332-8-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2332-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/2920-24-0x0000000000220000-0x0000000000544000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads