quasar | c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

General

Target

c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
Size

3.1MB
MD5

1ece671b499dd687e3154240e73ff8a0
SHA1

f66daf528e91d1d0050f93ad300447142d8d48bc
SHA256

c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1
SHA512

0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc
SSDEEP

49152:7vTz92YpaQI6oPZlhP3ReybewoqC01JWRoGdl2XTHHB72eh2NT:7vn92YpaQI6oPZlhP3YybewoqCZ

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

C2

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

eeeb55fc-ba05-43e4-97f6-732f35b891b4

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4492-1-0x0000000000CD0000-0x0000000000FF4000-memory.dmp	family_quasar
behavioral2/files/0x0009000000023ca4-6.dat	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	User Application Data.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	User Application Data.exe

Executes dropped EXE 3 IoCs

pid	Process
3652	User Application Data.exe
3228	User Application Data.exe
4492	User Application Data.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File created	C:\Program Files\Quasar\User Application Data.exe	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
File opened for modification	C:\Program Files\Quasar	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1748	PING.EXE
1756	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1748	PING.EXE
1756	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4740	schtasks.exe
1140	schtasks.exe
1580	schtasks.exe
4448	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4492	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
Token: SeDebugPrivilege	3652	User Application Data.exe
Token: SeDebugPrivilege	3228	User Application Data.exe
Token: SeDebugPrivilege	4492	User Application Data.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3652	User Application Data.exe
3228	User Application Data.exe
4492	User Application Data.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 4740	4492	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	82
PID 4492 wrote to memory of 4740	4492	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	82
PID 4492 wrote to memory of 3652	4492	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	84
PID 4492 wrote to memory of 3652	4492	c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe	84
PID 3652 wrote to memory of 1140	3652	User Application Data.exe	85
PID 3652 wrote to memory of 1140	3652	User Application Data.exe	85
PID 3652 wrote to memory of 1976	3652	User Application Data.exe	95
PID 3652 wrote to memory of 1976	3652	User Application Data.exe	95
PID 1976 wrote to memory of 4992	1976	cmd.exe	97
PID 1976 wrote to memory of 4992	1976	cmd.exe	97
PID 1976 wrote to memory of 1748	1976	cmd.exe	98
PID 1976 wrote to memory of 1748	1976	cmd.exe	98
PID 1976 wrote to memory of 3228	1976	cmd.exe	100
PID 1976 wrote to memory of 3228	1976	cmd.exe	100
PID 3228 wrote to memory of 1580	3228	User Application Data.exe	101
PID 3228 wrote to memory of 1580	3228	User Application Data.exe	101
PID 3228 wrote to memory of 1888	3228	User Application Data.exe	103
PID 3228 wrote to memory of 1888	3228	User Application Data.exe	103
PID 1888 wrote to memory of 2268	1888	cmd.exe	105
PID 1888 wrote to memory of 2268	1888	cmd.exe	105
PID 1888 wrote to memory of 1756	1888	cmd.exe	106
PID 1888 wrote to memory of 1756	1888	cmd.exe	106
PID 1888 wrote to memory of 4492	1888	cmd.exe	107
PID 1888 wrote to memory of 4492	1888	cmd.exe	107
PID 4492 wrote to memory of 4448	4492	User Application Data.exe	108
PID 4492 wrote to memory of 4448	4492	User Application Data.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe
"C:\Users\Admin\AppData\Local\Temp\c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4740
- C:\Program Files\Quasar\User Application Data.exe
  "C:\Program Files\Quasar\User Application Data.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwgwetaaeaY8.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4992
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1748
  - - C:\Program Files\Quasar\User Application Data.exe
      "C:\Program Files\Quasar\User Application Data.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3228
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PjcmyI67A58z.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1888
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2268
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1756
      - C:\Program Files\Quasar\User Application Data.exe
        
        "C:\Program Files\Quasar\User Application Data.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
1ece671b499dd687e3154240e73ff8a0

SHA1
f66daf528e91d1d0050f93ad300447142d8d48bc

SHA256
c72756ca6344b675d8951b16ff305d1f8e145bddac1dcac101bfdb79939831a1

SHA512
0cb5d1084e5e8ec0c30e6d5c559f5a0fd509f96bd5cec7b311d72b8d279e2ffcd9ffbbacb5b428d5ee84aa339743535db0d70afaa3008c6d46508ccaae37adcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\User Application Data.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PjcmyI67A58z.bat

Filesize
208B

MD5
af74d1626082d2adda3ee32fd1194eaf

SHA1
f1eaa15749689e2e468d4eaa440b5e263a08835b

SHA256
fe798c17cd05b7b51cf0d7db157eeb3829aaad0b1788e1b71df69e105da7ce66

SHA512
4e08904c4475e3a93ccfe8dd62b0fb00bcef986767a2d5cc7ce145d98a7d0c17eb14771039c70dc4c6fa0f035d25f5070bfdf43b01de480c76519f32c3540a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwgwetaaeaY8.bat

Filesize
208B

MD5
50e8a085988de51f617a7adb973a8fc6

SHA1
829c161eb12b525411f0be7697f019da0ec5e1c9

SHA256
b22f308269eecb8d6464d9a25ee16d4fa1bb0c637d26e2ff1f50973e2ed6b788

SHA512
b8601519121ee9151a05fc372d95e86d4f29b7bd30af824e8b7083a7ffb880b92f82c2e35680906ca1844118680145af85dbdc9216865a2ecb59cad2afb16926

Download Submit
memory/3652-11-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3652-9-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3652-12-0x000000001B410000-0x000000001B460000-memory.dmp

Filesize
320KB

Download
memory/3652-13-0x000000001D640000-0x000000001D6F2000-memory.dmp

Filesize
712KB

Download
memory/3652-14-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3652-19-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4492-0-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

Filesize
8KB

Download
memory/4492-10-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4492-2-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4492-1-0x0000000000CD0000-0x0000000000FF4000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads