quasar | c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/12/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1N.exe
Size

3.1MB
MD5

1ece671b499dd687e3154240e73ff8a0
SHA1

f66daf528e91d1d0050f93ad300447142d8d48bc
SHA256

c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1
SHA512

0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc
SSDEEP

49152:7vTz92YpaQI6oPZlhP3ReybewoqC01JWRoGdl2XTHHB72eh2NT:7vn92YpaQI6oPZlhP3YybewoqCZ

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

eeeb55fc-ba05-43e4-97f6-732f35b891b4

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2836-1-0x0000000000020000-0x0000000000344000-memory.dmp	family_quasar
behavioral1/files/0x00370000000160db-6.dat	family_quasar
behavioral1/memory/2244-10-0x0000000000F70000-0x0000000001294000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
2244	User Application Data.exe
3008	User Application Data.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1N.exe
File opened for modification	C:\Program Files\Quasar	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1N.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File created	C:\Program Files\Quasar\User Application Data.exe	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1692	PING.EXE
2532	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2532	PING.EXE
1692	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2832	schtasks.exe
2704	schtasks.exe
3068	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1N.exe
Token: SeDebugPrivilege	2244	User Application Data.exe
Token: SeDebugPrivilege	3008	User Application Data.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2244	User Application Data.exe
3008	User Application Data.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2832	2836	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1N.exe	30
PID 2836 wrote to memory of 2832	2836	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1N.exe	30
PID 2836 wrote to memory of 2832	2836	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1N.exe	30
PID 2836 wrote to memory of 2244	2836	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1N.exe	32
PID 2836 wrote to memory of 2244	2836	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1N.exe	32
PID 2836 wrote to memory of 2244	2836	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1N.exe	32
PID 2244 wrote to memory of 2704	2244	User Application Data.exe	33
PID 2244 wrote to memory of 2704	2244	User Application Data.exe	33
PID 2244 wrote to memory of 2704	2244	User Application Data.exe	33
PID 2244 wrote to memory of 1988	2244	User Application Data.exe	36
PID 2244 wrote to memory of 1988	2244	User Application Data.exe	36
PID 2244 wrote to memory of 1988	2244	User Application Data.exe	36
PID 1988 wrote to memory of 3016	1988	cmd.exe	38
PID 1988 wrote to memory of 3016	1988	cmd.exe	38
PID 1988 wrote to memory of 3016	1988	cmd.exe	38
PID 1988 wrote to memory of 2532	1988	cmd.exe	39
PID 1988 wrote to memory of 2532	1988	cmd.exe	39
PID 1988 wrote to memory of 2532	1988	cmd.exe	39
PID 1988 wrote to memory of 3008	1988	cmd.exe	40
PID 1988 wrote to memory of 3008	1988	cmd.exe	40
PID 1988 wrote to memory of 3008	1988	cmd.exe	40
PID 3008 wrote to memory of 3068	3008	User Application Data.exe	41
PID 3008 wrote to memory of 3068	3008	User Application Data.exe	41
PID 3008 wrote to memory of 3068	3008	User Application Data.exe	41
PID 3008 wrote to memory of 2228	3008	User Application Data.exe	43
PID 3008 wrote to memory of 2228	3008	User Application Data.exe	43
PID 3008 wrote to memory of 2228	3008	User Application Data.exe	43
PID 2228 wrote to memory of 1096	2228	cmd.exe	45
PID 2228 wrote to memory of 1096	2228	cmd.exe	45
PID 2228 wrote to memory of 1096	2228	cmd.exe	45
PID 2228 wrote to memory of 1692	2228	cmd.exe	46
PID 2228 wrote to memory of 1692	2228	cmd.exe	46
PID 2228 wrote to memory of 1692	2228	cmd.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1N.exe
"C:\Users\Admin\AppData\Local\Temp\c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1N.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2832
- C:\Program Files\Quasar\User Application Data.exe
  "C:\Program Files\Quasar\User Application Data.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2704
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\gwpFKXFaoHGH.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3016
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2532
  - - C:\Program Files\Quasar\User Application Data.exe
      "C:\Program Files\Quasar\User Application Data.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3068
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SGtncKVN9jvU.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1096
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
1ece671b499dd687e3154240e73ff8a0

SHA1
f66daf528e91d1d0050f93ad300447142d8d48bc

SHA256
c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

SHA512
0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGtncKVN9jvU.bat

Filesize
208B

MD5
59ec2a8ebf08268f060cdec8254ae2e9

SHA1
5ccfa974ca40a07bc71bc1bdc3c8e605489fe2db

SHA256
911e3cdb120b1b847adc1770c7f1056d7cc172450bc707affc6773c044c96b85

SHA512
3cabfd4874fddc9cc0342f60c55ed590d5459a7cf6ee11796da1ea974517e2d5b1a43e77e4281548b5aface023c707e1ec528f2fdf68889fb2c49ba550773d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwpFKXFaoHGH.bat

Filesize
208B

MD5
23fbac72d96dc3907fc162c5eadb7073

SHA1
ad0b89b42b77ca7c34d0263bfd649d31c983f90b

SHA256
38325a5843ffdbe6348cdbaf298d1b4bddb54fbaf7852aa1fa2409bf410b6d31

SHA512
d85e01f160344b4288fbba265fffef9662fdaf397bbc8b8cf8ae78ab9621a1317aa82a70f45f26079f456c2dc4fda79a99da7b7a6adedb49cd1d1ae3bbb07db2

Download Submit
memory/2244-8-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-10-0x0000000000F70000-0x0000000001294000-memory.dmp

Filesize
3.1MB

Download
memory/2244-11-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-12-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-22-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-0-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

Filesize
4KB

Download
memory/2836-1-0x0000000000020000-0x0000000000344000-memory.dmp

Filesize
3.1MB

Download
memory/2836-2-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-9-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads