quasar | 5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b

Analysis

max time kernel
111s
max time network
97s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
Size

3.1MB
MD5

2fbabfd67d127a2e7c317b0f92ff82bb
SHA1

a57aaecb6f20306c20dd169c674278e53bf19f41
SHA256

5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b
SHA512

c9646395bab0457c4524c0e1d078cd3662da2d32f15f37087fc8a47f7134685b536916affd3aee2b58c8aca5b18b6981d923296e7ab27592872d82799d38e145
SSDEEP

49152:7vTz92YpaQI6oPZlhP3ReybewoqC01JWRoGdl2XTHHB72eh2NTB:7vn92YpaQI6oPZlhP3YybewoqCZ5

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

eeeb55fc-ba05-43e4-97f6-732f35b891b4

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/memory/2748-1-0x00000000008C0000-0x0000000000BE4000-memory.dmp	family_quasar
behavioral1/files/0x0007000000016d29-6.dat	family_quasar
behavioral1/memory/2728-10-0x0000000000A50000-0x0000000000D74000-memory.dmp	family_quasar
behavioral1/memory/2028-24-0x00000000010B0000-0x00000000013D4000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
2728	User Application Data.exe
2028	User Application Data.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Quasar	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File created	C:\Program Files\Quasar\User Application Data.exe	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
584	PING.EXE
1152	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
584	PING.EXE
1152	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2676	schtasks.exe
2624	schtasks.exe
1052	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
Token: SeDebugPrivilege	2728	User Application Data.exe
Token: SeDebugPrivilege	2028	User Application Data.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2728	User Application Data.exe
2028	User Application Data.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2676	2748	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	31
PID 2748 wrote to memory of 2676	2748	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	31
PID 2748 wrote to memory of 2676	2748	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	31
PID 2748 wrote to memory of 2728	2748	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	33
PID 2748 wrote to memory of 2728	2748	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	33
PID 2748 wrote to memory of 2728	2748	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	33
PID 2728 wrote to memory of 2624	2728	User Application Data.exe	34
PID 2728 wrote to memory of 2624	2728	User Application Data.exe	34
PID 2728 wrote to memory of 2624	2728	User Application Data.exe	34
PID 2728 wrote to memory of 2956	2728	User Application Data.exe	36
PID 2728 wrote to memory of 2956	2728	User Application Data.exe	36
PID 2728 wrote to memory of 2956	2728	User Application Data.exe	36
PID 2956 wrote to memory of 2620	2956	cmd.exe	38
PID 2956 wrote to memory of 2620	2956	cmd.exe	38
PID 2956 wrote to memory of 2620	2956	cmd.exe	38
PID 2956 wrote to memory of 584	2956	cmd.exe	39
PID 2956 wrote to memory of 584	2956	cmd.exe	39
PID 2956 wrote to memory of 584	2956	cmd.exe	39
PID 2956 wrote to memory of 2028	2956	cmd.exe	40
PID 2956 wrote to memory of 2028	2956	cmd.exe	40
PID 2956 wrote to memory of 2028	2956	cmd.exe	40
PID 2028 wrote to memory of 1052	2028	User Application Data.exe	41
PID 2028 wrote to memory of 1052	2028	User Application Data.exe	41
PID 2028 wrote to memory of 1052	2028	User Application Data.exe	41
PID 2028 wrote to memory of 2076	2028	User Application Data.exe	44
PID 2028 wrote to memory of 2076	2028	User Application Data.exe	44
PID 2028 wrote to memory of 2076	2028	User Application Data.exe	44
PID 2076 wrote to memory of 444	2076	cmd.exe	46
PID 2076 wrote to memory of 444	2076	cmd.exe	46
PID 2076 wrote to memory of 444	2076	cmd.exe	46
PID 2076 wrote to memory of 1152	2076	cmd.exe	47
PID 2076 wrote to memory of 1152	2076	cmd.exe	47
PID 2076 wrote to memory of 1152	2076	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
"C:\Users\Admin\AppData\Local\Temp\5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2676
- C:\Program Files\Quasar\User Application Data.exe
  "C:\Program Files\Quasar\User Application Data.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2624
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\XgcB7dd9CSbn.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2620
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:584
  - - C:\Program Files\Quasar\User Application Data.exe
      "C:\Program Files\Quasar\User Application Data.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1052
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\z8vfTbF2bJvm.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:444
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
2fbabfd67d127a2e7c317b0f92ff82bb

SHA1
a57aaecb6f20306c20dd169c674278e53bf19f41

SHA256
5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b

SHA512
c9646395bab0457c4524c0e1d078cd3662da2d32f15f37087fc8a47f7134685b536916affd3aee2b58c8aca5b18b6981d923296e7ab27592872d82799d38e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\XgcB7dd9CSbn.bat

Filesize
208B

MD5
942a33956e56a185dd47ca44ea88ebc0

SHA1
6b21bcd471a46ffe7e2985c731fda9e4d9ec0daf

SHA256
09b9373652491029e41378139b911b1efcb31861043ab05814db1b73252b4c8f

SHA512
631de2765b991973b5bfffeaf2c5c6e6b07a095726f8bc1a8574c7b966e450f61bf751fb47ca49c8567ac2c6724bfdb7b8f1e2fabb0fe541a51c21357aa426e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\z8vfTbF2bJvm.bat

Filesize
208B

MD5
560495bfc64a754994390ceaec924fa7

SHA1
6bbad23de2fe35a95e53ad1521b217c339b81c3b

SHA256
ce450b54b1fb5e03c6816ce3fde7ceb46c7fcd0968bd21f20f831d69e4b6fc98

SHA512
f5a48f6a440849cc00f29821962572e3d572e69b713ab1690ab872f02654438bc8ceca8ce0b1f75eb0b5bfa8c25c639fbe7082e14a6b21b440d0dc330b7e2ca0

Download Submit
memory/2028-24-0x00000000010B0000-0x00000000013D4000-memory.dmp

Filesize
3.1MB

Download
memory/2728-9-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-10-0x0000000000A50000-0x0000000000D74000-memory.dmp

Filesize
3.1MB

Download
memory/2728-11-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-12-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-21-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-2-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-1-0x00000000008C0000-0x0000000000BE4000-memory.dmp

Filesize
3.1MB

Download
memory/2748-8-0x000007FEF58C0000-0x000007FEF62AC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-0-0x000007FEF58C3000-0x000007FEF58C4000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads