quasar | c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
Size

3.1MB
MD5

1ece671b499dd687e3154240e73ff8a0
SHA1

f66daf528e91d1d0050f93ad300447142d8d48bc
SHA256

c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1
SHA512

0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc
SSDEEP

49152:7vTz92YpaQI6oPZlhP3ReybewoqC01JWRoGdl2XTHHB72eh2NT:7vn92YpaQI6oPZlhP3YybewoqCZ

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

eeeb55fc-ba05-43e4-97f6-732f35b891b4

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2256-1-0x0000000000C60000-0x0000000000F84000-memory.dmp	family_quasar
behavioral1/files/0x0009000000016ccc-6.dat	family_quasar
behavioral1/memory/2652-10-0x0000000000E10000-0x0000000001134000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2652	User Application Data.exe
616	User Application Data.exe
888	User Application Data.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Quasar\User Application Data.exe	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1424	PING.EXE
2416	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1424	PING.EXE
2416	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3024	schtasks.exe
2984	schtasks.exe
2496	schtasks.exe
2716	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
Token: SeDebugPrivilege	2652	User Application Data.exe
Token: SeDebugPrivilege	616	User Application Data.exe
Token: SeDebugPrivilege	888	User Application Data.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2652	User Application Data.exe
616	User Application Data.exe
888	User Application Data.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2716	2256	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	30
PID 2256 wrote to memory of 2716	2256	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	30
PID 2256 wrote to memory of 2716	2256	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	30
PID 2256 wrote to memory of 2652	2256	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	32
PID 2256 wrote to memory of 2652	2256	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	32
PID 2256 wrote to memory of 2652	2256	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	32
PID 2652 wrote to memory of 3024	2652	User Application Data.exe	33
PID 2652 wrote to memory of 3024	2652	User Application Data.exe	33
PID 2652 wrote to memory of 3024	2652	User Application Data.exe	33
PID 2652 wrote to memory of 2608	2652	User Application Data.exe	35
PID 2652 wrote to memory of 2608	2652	User Application Data.exe	35
PID 2652 wrote to memory of 2608	2652	User Application Data.exe	35
PID 2608 wrote to memory of 776	2608	cmd.exe	37
PID 2608 wrote to memory of 776	2608	cmd.exe	37
PID 2608 wrote to memory of 776	2608	cmd.exe	37
PID 2608 wrote to memory of 1424	2608	cmd.exe	38
PID 2608 wrote to memory of 1424	2608	cmd.exe	38
PID 2608 wrote to memory of 1424	2608	cmd.exe	38
PID 2608 wrote to memory of 616	2608	cmd.exe	39
PID 2608 wrote to memory of 616	2608	cmd.exe	39
PID 2608 wrote to memory of 616	2608	cmd.exe	39
PID 616 wrote to memory of 2984	616	User Application Data.exe	40
PID 616 wrote to memory of 2984	616	User Application Data.exe	40
PID 616 wrote to memory of 2984	616	User Application Data.exe	40
PID 616 wrote to memory of 2432	616	User Application Data.exe	42
PID 616 wrote to memory of 2432	616	User Application Data.exe	42
PID 616 wrote to memory of 2432	616	User Application Data.exe	42
PID 2432 wrote to memory of 2404	2432	cmd.exe	44
PID 2432 wrote to memory of 2404	2432	cmd.exe	44
PID 2432 wrote to memory of 2404	2432	cmd.exe	44
PID 2432 wrote to memory of 2416	2432	cmd.exe	45
PID 2432 wrote to memory of 2416	2432	cmd.exe	45
PID 2432 wrote to memory of 2416	2432	cmd.exe	45
PID 2432 wrote to memory of 888	2432	cmd.exe	46
PID 2432 wrote to memory of 888	2432	cmd.exe	46
PID 2432 wrote to memory of 888	2432	cmd.exe	46
PID 888 wrote to memory of 2496	888	User Application Data.exe	47
PID 888 wrote to memory of 2496	888	User Application Data.exe	47
PID 888 wrote to memory of 2496	888	User Application Data.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
"C:\Users\Admin\AppData\Local\Temp\c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2716
- C:\Program Files\Quasar\User Application Data.exe
  "C:\Program Files\Quasar\User Application Data.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3024
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\doePZKyu0JK1.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:776
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1424
  - - C:\Program Files\Quasar\User Application Data.exe
      "C:\Program Files\Quasar\User Application Data.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:616
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2984
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Lc7x4q4XP2Yp.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2404
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2416
      - C:\Program Files\Quasar\User Application Data.exe
        
        "C:\Program Files\Quasar\User Application Data.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
1ece671b499dd687e3154240e73ff8a0

SHA1
f66daf528e91d1d0050f93ad300447142d8d48bc

SHA256
c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

SHA512
0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lc7x4q4XP2Yp.bat

Filesize
208B

MD5
36bb34fc572f33e3199b52d8fc4c8548

SHA1
11d68c24c20dd7ed2ec9eda4e226abcc26fc345c

SHA256
d12397322aac0cb9f4dfcd2005acc9c454c09e0aa4c18b85f11c743a5af4a201

SHA512
06fc2cafde525094665ee3c9d44c1c6cd342716f0b2978cc752c0bd8a4117e43a9a04cd9f6e4a6fe18f41c3cf1ccc0876ec4ae3653746d216a8839e33d277026

Download Submit
C:\Users\Admin\AppData\Local\Temp\doePZKyu0JK1.bat

Filesize
208B

MD5
dc44d3938bb61d1ac94086d98fbcc674

SHA1
d5ac54443b1dcd7c16ccae3eaf5b3b5cde635954

SHA256
618cfbe564703e3f7c1bf03d0c706e3400e999e517f74bc7ff0962fd561338ff

SHA512
4029df80d985639302717b08b6e2f935444a0b2c258c3aa8abd5928342307479b56101e7f1e68ff35b8845ed843d7e1b00f9933e9ffb13d7365e9178e984d013

Download Submit
memory/2256-2-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2256-8-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2256-0-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

Filesize
4KB

Download
memory/2256-1-0x0000000000C60000-0x0000000000F84000-memory.dmp

Filesize
3.1MB

Download
memory/2652-9-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-10-0x0000000000E10000-0x0000000001134000-memory.dmp

Filesize
3.1MB

Download
memory/2652-11-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-12-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-22-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads