quasar | 854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09

General

Target

test.exe
Size

3.1MB
MD5

051bfba0c640694d241f6b3621e241b6
SHA1

a5269b7485203914af50cb932d952c10440878c9
SHA256

854fc659414fc88605337694eb6b6f4f177389c9cbb69ca0b0e705f555ebbb09
SHA512

bdfea5dfca423c4d66de1c9f435a1c0403b8615a0b7627fff665876fa2da48e8914cc2961ca9e66b7d32d2bc4004354e5e932297a479fcc90d495327d14577dc
SSDEEP

49152:AvKgo2QSaNpzyPllgamb0CZof/JDj5RbR4jRoGdMOAuTHHB72eh2NT:Avjo2QSaNpzyPllgamYCZof/JDj5wFc

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

C2

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

2464c7bf-a165-4397-85fe-def5290750b0

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1088-1-0x0000000000AF0000-0x0000000000E14000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3524	PING.EXE
636	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3524	PING.EXE
636	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3168	schtasks.exe
4560	schtasks.exe
4568	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	test.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1088	test.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 3168	1088	test.exe	83
PID 1088 wrote to memory of 3168	1088	test.exe	83
PID 1088 wrote to memory of 2000	1088	test.exe	102
PID 1088 wrote to memory of 2000	1088	test.exe	102
PID 2000 wrote to memory of 3416	2000	cmd.exe	104
PID 2000 wrote to memory of 3416	2000	cmd.exe	104
PID 2000 wrote to memory of 3524	2000	cmd.exe	105
PID 2000 wrote to memory of 3524	2000	cmd.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IL7ni3rz2NTj.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3416
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3524
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    3⤵
    PID:1932
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SPSAjSVeXa5l.bat" "
      4⤵
      PID:2664
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4336
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:636
    - - C:\Users\Admin\AppData\Local\Temp\test.exe
        
        "C:\Users\Admin\AppData\Local\Temp\test.exe"
        5⤵
        
        PID:228
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\test.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IL7ni3rz2NTj.bat

Filesize
201B

MD5
c6b365b4fde375eb5b4c54ecf24ac98b

SHA1
fdebaca53e16ab9a42c04d4b002be2c81084498b

SHA256
442851939bb56c6f9817f31048173eee2e4c98cbd533fd10da1ec996370c6bd5

SHA512
94e8fd3c3c4640ffb191fbb69a157a76f2c222d51068b789d815cef72e547762f66badcb9e149d278e2f54f841254a4802cbb83cd978dc73c65bf5fe2b1f88c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SPSAjSVeXa5l.bat

Filesize
201B

MD5
2ddee9fae8aa8d5ef2817ae0e33fb6c1

SHA1
3bf5244dcee82083bd0d0bce6eb0d3292db3de47

SHA256
90ea52872a8337abc4e1d6c4b284b3498b6b0d1cb764710b4a9f85c389633c16

SHA512
256ec97bff2057e6a12aa25a8fc2befab1f42478661421d28aa0b62addf02f0bd87459fb9ae6be5d5c1074bea54e4f9a2a5bbabb164be19733d58c2449d3bf11

Download Submit
memory/1088-0-0x00007FFDE12E3000-0x00007FFDE12E5000-memory.dmp

Filesize
8KB

Download
memory/1088-1-0x0000000000AF0000-0x0000000000E14000-memory.dmp

Filesize
3.1MB

Download
memory/1088-2-0x00007FFDE12E0000-0x00007FFDE1DA1000-memory.dmp

Filesize
10.8MB

Download
memory/1088-4-0x000000001C5F0000-0x000000001C6A2000-memory.dmp

Filesize
712KB

Download
memory/1088-3-0x000000001C4E0000-0x000000001C530000-memory.dmp

Filesize
320KB

Download
memory/1088-5-0x00007FFDE12E3000-0x00007FFDE12E5000-memory.dmp

Filesize
8KB

Download
memory/1088-6-0x00007FFDE12E0000-0x00007FFDE1DA1000-memory.dmp

Filesize
10.8MB

Download
memory/1088-12-0x00007FFDE12E0000-0x00007FFDE1DA1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads