quasar | c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
Size

3.1MB
MD5

1ece671b499dd687e3154240e73ff8a0
SHA1

f66daf528e91d1d0050f93ad300447142d8d48bc
SHA256

c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1
SHA512

0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc
SSDEEP

49152:7vTz92YpaQI6oPZlhP3ReybewoqC01JWRoGdl2XTHHB72eh2NT:7vn92YpaQI6oPZlhP3YybewoqCZ

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

eeeb55fc-ba05-43e4-97f6-732f35b891b4

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/2060-1-0x00000000002F0000-0x0000000000614000-memory.dmp	family_quasar
behavioral1/files/0x0030000000019326-6.dat	family_quasar
behavioral1/memory/2772-9-0x0000000000870000-0x0000000000B94000-memory.dmp	family_quasar
behavioral1/memory/2336-24-0x00000000012E0000-0x0000000001604000-memory.dmp	family_quasar
behavioral1/memory/1236-35-0x00000000013A0000-0x00000000016C4000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2772	User Application Data.exe
2336	User Application Data.exe
1236	User Application Data.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
File opened for modification	C:\Program Files\Quasar	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File created	C:\Program Files\Quasar\User Application Data.exe	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2044	PING.EXE
1432	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2044	PING.EXE
1432	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1248	schtasks.exe
2948	schtasks.exe
972	schtasks.exe
2092	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
Token: SeDebugPrivilege	2772	User Application Data.exe
Token: SeDebugPrivilege	2336	User Application Data.exe
Token: SeDebugPrivilege	1236	User Application Data.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2772	User Application Data.exe
2336	User Application Data.exe
1236	User Application Data.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1248	2060	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	29
PID 2060 wrote to memory of 1248	2060	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	29
PID 2060 wrote to memory of 1248	2060	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	29
PID 2060 wrote to memory of 2772	2060	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	31
PID 2060 wrote to memory of 2772	2060	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	31
PID 2060 wrote to memory of 2772	2060	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	31
PID 2772 wrote to memory of 2948	2772	User Application Data.exe	32
PID 2772 wrote to memory of 2948	2772	User Application Data.exe	32
PID 2772 wrote to memory of 2948	2772	User Application Data.exe	32
PID 2772 wrote to memory of 2212	2772	User Application Data.exe	34
PID 2772 wrote to memory of 2212	2772	User Application Data.exe	34
PID 2772 wrote to memory of 2212	2772	User Application Data.exe	34
PID 2212 wrote to memory of 2456	2212	cmd.exe	36
PID 2212 wrote to memory of 2456	2212	cmd.exe	36
PID 2212 wrote to memory of 2456	2212	cmd.exe	36
PID 2212 wrote to memory of 2044	2212	cmd.exe	37
PID 2212 wrote to memory of 2044	2212	cmd.exe	37
PID 2212 wrote to memory of 2044	2212	cmd.exe	37
PID 2212 wrote to memory of 2336	2212	cmd.exe	38
PID 2212 wrote to memory of 2336	2212	cmd.exe	38
PID 2212 wrote to memory of 2336	2212	cmd.exe	38
PID 2336 wrote to memory of 972	2336	User Application Data.exe	39
PID 2336 wrote to memory of 972	2336	User Application Data.exe	39
PID 2336 wrote to memory of 972	2336	User Application Data.exe	39
PID 2336 wrote to memory of 2296	2336	User Application Data.exe	41
PID 2336 wrote to memory of 2296	2336	User Application Data.exe	41
PID 2336 wrote to memory of 2296	2336	User Application Data.exe	41
PID 2296 wrote to memory of 2536	2296	cmd.exe	43
PID 2296 wrote to memory of 2536	2296	cmd.exe	43
PID 2296 wrote to memory of 2536	2296	cmd.exe	43
PID 2296 wrote to memory of 1432	2296	cmd.exe	44
PID 2296 wrote to memory of 1432	2296	cmd.exe	44
PID 2296 wrote to memory of 1432	2296	cmd.exe	44
PID 2296 wrote to memory of 1236	2296	cmd.exe	45
PID 2296 wrote to memory of 1236	2296	cmd.exe	45
PID 2296 wrote to memory of 1236	2296	cmd.exe	45
PID 1236 wrote to memory of 2092	1236	User Application Data.exe	46
PID 1236 wrote to memory of 2092	1236	User Application Data.exe	46
PID 1236 wrote to memory of 2092	1236	User Application Data.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
"C:\Users\Admin\AppData\Local\Temp\c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1248
- C:\Program Files\Quasar\User Application Data.exe
  "C:\Program Files\Quasar\User Application Data.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2948
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\becbYgsAueC1.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2456
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2044
  - - C:\Program Files\Quasar\User Application Data.exe
      "C:\Program Files\Quasar\User Application Data.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:972
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\0zU6vBeugnVR.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2536
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1432
      - C:\Program Files\Quasar\User Application Data.exe
        
        "C:\Program Files\Quasar\User Application Data.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
1ece671b499dd687e3154240e73ff8a0

SHA1
f66daf528e91d1d0050f93ad300447142d8d48bc

SHA256
c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

SHA512
0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\0zU6vBeugnVR.bat

Filesize
208B

MD5
3257f6c45a2f883ac2f625ec65856bae

SHA1
2912c21c9482c2a17b48c7823997c53ae7902606

SHA256
5b82be6dddf9c864b92a052cb0c358188b5cdb1f317583f3f5ef2f623ed0f9cd

SHA512
989d3d78d88612737876d56e459165fd5e63060ab4a70b1410474facb5fbab2d3c66e1a334f4ec07b4af3e6ea86d44baebd8a8f9fcef793005706a1861df4bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\becbYgsAueC1.bat

Filesize
208B

MD5
13e8df041126275240f7484315457772

SHA1
ca7202a227be9c10a2de3872f6916796be72b76f

SHA256
637afbc67c58e789dcef4d32a1ee2e85f452ae34cb4a941b76f08a9c7dfa955f

SHA512
fbd9ed5a4c8ad4829ba33ae8d56de0e9100311c8c76a1d13582ec0e6c036afc032eeddd6cfb4da0d554d0caa53e5ed82a27d68113d8b69c74519fb0d5a2dcf67

Download Submit
memory/1236-35-0x00000000013A0000-0x00000000016C4000-memory.dmp

Filesize
3.1MB

Download
memory/2060-2-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-10-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-0-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

Filesize
4KB

Download
memory/2060-1-0x00000000002F0000-0x0000000000614000-memory.dmp

Filesize
3.1MB

Download
memory/2336-24-0x00000000012E0000-0x0000000001604000-memory.dmp

Filesize
3.1MB

Download
memory/2772-8-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-9-0x0000000000870000-0x0000000000B94000-memory.dmp

Filesize
3.1MB

Download
memory/2772-11-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-12-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-22-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads