quasar | c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

General

Target

c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
Size

3.1MB
MD5

1ece671b499dd687e3154240e73ff8a0
SHA1

f66daf528e91d1d0050f93ad300447142d8d48bc
SHA256

c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1
SHA512

0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc
SSDEEP

49152:7vTz92YpaQI6oPZlhP3ReybewoqC01JWRoGdl2XTHHB72eh2NT:7vn92YpaQI6oPZlhP3YybewoqCZ

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

C2

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

eeeb55fc-ba05-43e4-97f6-732f35b891b4

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/5016-1-0x0000000000120000-0x0000000000444000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cb6-5.dat	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	User Application Data.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	User Application Data.exe

Executes dropped EXE 3 IoCs

pid	Process
4296	User Application Data.exe
620	User Application Data.exe
1020	User Application Data.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File created	C:\Program Files\Quasar\User Application Data.exe	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4652	PING.EXE
4540	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4652	PING.EXE
4540	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4848	schtasks.exe
2124	schtasks.exe
4460	schtasks.exe
4836	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5016	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
Token: SeDebugPrivilege	4296	User Application Data.exe
Token: SeDebugPrivilege	620	User Application Data.exe
Token: SeDebugPrivilege	1020	User Application Data.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4296	User Application Data.exe
620	User Application Data.exe
1020	User Application Data.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4848	5016	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	83
PID 5016 wrote to memory of 4848	5016	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	83
PID 5016 wrote to memory of 4296	5016	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	85
PID 5016 wrote to memory of 4296	5016	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	85
PID 4296 wrote to memory of 2124	4296	User Application Data.exe	86
PID 4296 wrote to memory of 2124	4296	User Application Data.exe	86
PID 4296 wrote to memory of 1280	4296	User Application Data.exe	105
PID 4296 wrote to memory of 1280	4296	User Application Data.exe	105
PID 1280 wrote to memory of 456	1280	cmd.exe	107
PID 1280 wrote to memory of 456	1280	cmd.exe	107
PID 1280 wrote to memory of 4652	1280	cmd.exe	108
PID 1280 wrote to memory of 4652	1280	cmd.exe	108
PID 1280 wrote to memory of 620	1280	cmd.exe	111
PID 1280 wrote to memory of 620	1280	cmd.exe	111
PID 620 wrote to memory of 4460	620	User Application Data.exe	112
PID 620 wrote to memory of 4460	620	User Application Data.exe	112
PID 620 wrote to memory of 3256	620	User Application Data.exe	115
PID 620 wrote to memory of 3256	620	User Application Data.exe	115
PID 3256 wrote to memory of 3724	3256	cmd.exe	117
PID 3256 wrote to memory of 3724	3256	cmd.exe	117
PID 3256 wrote to memory of 4540	3256	cmd.exe	118
PID 3256 wrote to memory of 4540	3256	cmd.exe	118
PID 3256 wrote to memory of 1020	3256	cmd.exe	120
PID 3256 wrote to memory of 1020	3256	cmd.exe	120
PID 1020 wrote to memory of 4836	1020	User Application Data.exe	121
PID 1020 wrote to memory of 4836	1020	User Application Data.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
"C:\Users\Admin\AppData\Local\Temp\c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4848
- C:\Program Files\Quasar\User Application Data.exe
  "C:\Program Files\Quasar\User Application Data.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U7mIKDTswPNo.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:456
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4652
  - - C:\Program Files\Quasar\User Application Data.exe
      "C:\Program Files\Quasar\User Application Data.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:620
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4460
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8NY7uMTYHQtb.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3256
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3724
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4540
      - C:\Program Files\Quasar\User Application Data.exe
        
        "C:\Program Files\Quasar\User Application Data.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
1ece671b499dd687e3154240e73ff8a0

SHA1
f66daf528e91d1d0050f93ad300447142d8d48bc

SHA256
c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

SHA512
0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\User Application Data.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NY7uMTYHQtb.bat

Filesize
208B

MD5
3a4d1bf6df91ea64bf92adea2a5edf67

SHA1
e03b8d7ee1b4172b0ff6d7a1df2ad14a816c050a

SHA256
dafeadc106e796e856dc25660ba5f6443d846887488a055f7c68c233cee48ea1

SHA512
243585a13ca270ce6ce395f41856cef296a96e1c9a68d4302e408b6869330142db4dd43b10663b9e9b788aa0098c053a7b625289b8b968487a331e946f69aae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\U7mIKDTswPNo.bat

Filesize
208B

MD5
7c814688f8f4806e1e1972638e8de5ef

SHA1
ff7188febd4fb1333e09ff2e0f953030935ef78a

SHA256
b7bdd98ef173bee9937c20ba54359f7bbe51e60738451a7127653cbfe8211ef5

SHA512
f81c6cc5e2f0c20a72c77467fcae2aabac076535fbcf165b3714f454f064954f3f37359ccdcdc4512e104b5ee696e1bf04ad38141df82a809db9485f0caceec2

Download Submit
memory/4296-11-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/4296-10-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/4296-12-0x000000001BA30000-0x000000001BA80000-memory.dmp

Filesize
320KB

Download
memory/4296-13-0x000000001BB40000-0x000000001BBF2000-memory.dmp

Filesize
712KB

Download
memory/4296-14-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/4296-19-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/5016-0-0x00007FFB253C3000-0x00007FFB253C5000-memory.dmp

Filesize
8KB

Download
memory/5016-9-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/5016-2-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/5016-1-0x0000000000120000-0x0000000000444000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads