quasar | d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe
Size

3.1MB
MD5

f611f4dd12e51ca7a946f308ebd5e04c
SHA1

2f7d049ec2b3ae6a8113b499d92ebc117eed890c
SHA256

d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73
SHA512

7057884406612bff108f1e315efacf83a99f1ec725b4496e737a57938b67edf5f23476b8f99395ec9f8ba355a68779fd5a2668b9caf0ca32b8862529eb413b83
SSDEEP

49152:rvuz92YpaQI6oPZlhP3ReybewozV+vJH4RoGdeJYTHHB72eh2NT:rv092YpaQI6oPZlhP3YybewozV+e

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a27420c6-f346-4b84-b7bd-6b3eab5a43cb

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/2744-1-0x0000000001160000-0x0000000001484000-memory.dmp	family_quasar
behavioral1/files/0x00070000000186d9-6.dat	family_quasar
behavioral1/memory/2804-9-0x0000000000C40000-0x0000000000F64000-memory.dmp	family_quasar
behavioral1/memory/2320-24-0x00000000011A0000-0x00000000014C4000-memory.dmp	family_quasar
behavioral1/memory/1060-35-0x0000000000130000-0x0000000000454000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2804	User Application Data.exe
2320	User Application Data.exe
1060	User Application Data.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\system32\Quasar\User Application Data.exe	d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe
File opened for modification	C:\Windows\system32\Quasar\User Application Data.exe	d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe
File opened for modification	C:\Windows\system32\Quasar	User Application Data.exe
File opened for modification	C:\Windows\system32\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Windows\system32\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Windows\system32\Quasar	d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe
File opened for modification	C:\Windows\system32\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Windows\system32\Quasar	User Application Data.exe
File opened for modification	C:\Windows\system32\Quasar	User Application Data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2116	PING.EXE
1876	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2116	PING.EXE
1876	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2168	schtasks.exe
2076	schtasks.exe
2788	schtasks.exe
2976	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe
Token: SeDebugPrivilege	2804	User Application Data.exe
Token: SeDebugPrivilege	2320	User Application Data.exe
Token: SeDebugPrivilege	1060	User Application Data.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2804	User Application Data.exe
2320	User Application Data.exe
1060	User Application Data.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2076	2744	d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe	30
PID 2744 wrote to memory of 2076	2744	d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe	30
PID 2744 wrote to memory of 2076	2744	d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe	30
PID 2744 wrote to memory of 2804	2744	d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe	32
PID 2744 wrote to memory of 2804	2744	d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe	32
PID 2744 wrote to memory of 2804	2744	d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe	32
PID 2804 wrote to memory of 2788	2804	User Application Data.exe	33
PID 2804 wrote to memory of 2788	2804	User Application Data.exe	33
PID 2804 wrote to memory of 2788	2804	User Application Data.exe	33
PID 2804 wrote to memory of 1572	2804	User Application Data.exe	35
PID 2804 wrote to memory of 1572	2804	User Application Data.exe	35
PID 2804 wrote to memory of 1572	2804	User Application Data.exe	35
PID 1572 wrote to memory of 2272	1572	cmd.exe	37
PID 1572 wrote to memory of 2272	1572	cmd.exe	37
PID 1572 wrote to memory of 2272	1572	cmd.exe	37
PID 1572 wrote to memory of 2116	1572	cmd.exe	38
PID 1572 wrote to memory of 2116	1572	cmd.exe	38
PID 1572 wrote to memory of 2116	1572	cmd.exe	38
PID 1572 wrote to memory of 2320	1572	cmd.exe	39
PID 1572 wrote to memory of 2320	1572	cmd.exe	39
PID 1572 wrote to memory of 2320	1572	cmd.exe	39
PID 2320 wrote to memory of 2976	2320	User Application Data.exe	40
PID 2320 wrote to memory of 2976	2320	User Application Data.exe	40
PID 2320 wrote to memory of 2976	2320	User Application Data.exe	40
PID 2320 wrote to memory of 1592	2320	User Application Data.exe	43
PID 2320 wrote to memory of 1592	2320	User Application Data.exe	43
PID 2320 wrote to memory of 1592	2320	User Application Data.exe	43
PID 1592 wrote to memory of 2192	1592	cmd.exe	45
PID 1592 wrote to memory of 2192	1592	cmd.exe	45
PID 1592 wrote to memory of 2192	1592	cmd.exe	45
PID 1592 wrote to memory of 1876	1592	cmd.exe	46
PID 1592 wrote to memory of 1876	1592	cmd.exe	46
PID 1592 wrote to memory of 1876	1592	cmd.exe	46
PID 1592 wrote to memory of 1060	1592	cmd.exe	47
PID 1592 wrote to memory of 1060	1592	cmd.exe	47
PID 1592 wrote to memory of 1060	1592	cmd.exe	47
PID 1060 wrote to memory of 2168	1060	User Application Data.exe	48
PID 1060 wrote to memory of 2168	1060	User Application Data.exe	48
PID 1060 wrote to memory of 2168	1060	User Application Data.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe
"C:\Users\Admin\AppData\Local\Temp\d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2076
- C:\Windows\system32\Quasar\User Application Data.exe
  "C:\Windows\system32\Quasar\User Application Data.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2788
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMiJN5uAFyTN.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2272
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2116
  - - C:\Windows\system32\Quasar\User Application Data.exe
      "C:\Windows\system32\Quasar\User Application Data.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2976
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ayhSlgdLigbu.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1592
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2192
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1876
      - C:\Windows\system32\Quasar\User Application Data.exe
        
        "C:\Windows\system32\Quasar\User Application Data.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Windows\system32\Quasar\User Application Data.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VMiJN5uAFyTN.bat

Filesize
211B

MD5
85049ad6adde1ed63aa0f8066379c379

SHA1
89cc522ada86bc743825453c4eb40e63ba90a571

SHA256
bc6b97efc9c39268e78ce1e666a2f0f2d6a40208dca6d8b2df78e36edad85629

SHA512
c53d8a9d24595e61884a72420e283bc7092ad457232a5c4948326a86a801b2c1f212f7bfd4f9fd70f9b15f7dc585b978d8c896e06d7320d591a1e545e58399c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayhSlgdLigbu.bat

Filesize
211B

MD5
2f7f371a0f76d70604aebcc02c41c21f

SHA1
1b72030e74fb908998f5ce5ca3a9725f267d4197

SHA256
b3fe71c6ade97da37fa23941ee3aa59cc820b53ce0077d75bdcff43212ab6543

SHA512
8fd63a5229a60b7b14b4092f26253257ee59a273b146ee3ff3e8c04cbfdb8c3de590825792527ee2195cf6fa6708b5ddb4fed4d63a439a3689d7e402def758be

Download Submit
C:\Windows\System32\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
f611f4dd12e51ca7a946f308ebd5e04c

SHA1
2f7d049ec2b3ae6a8113b499d92ebc117eed890c

SHA256
d0ff0914a4014573716701a665b7950e49594452a6a7418a049553f8c7c1be73

SHA512
7057884406612bff108f1e315efacf83a99f1ec725b4496e737a57938b67edf5f23476b8f99395ec9f8ba355a68779fd5a2668b9caf0ca32b8862529eb413b83

Download Submit
memory/1060-35-0x0000000000130000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/2320-24-0x00000000011A0000-0x00000000014C4000-memory.dmp

Filesize
3.1MB

Download
memory/2744-0-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

Filesize
4KB

Download
memory/2744-8-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2744-2-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2744-1-0x0000000001160000-0x0000000001484000-memory.dmp

Filesize
3.1MB

Download
memory/2804-10-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-9-0x0000000000C40000-0x0000000000F64000-memory.dmp

Filesize
3.1MB

Download
memory/2804-11-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-12-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-21-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads