quasar | 5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b

General

Target

5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
Size

3.1MB
MD5

2fbabfd67d127a2e7c317b0f92ff82bb
SHA1

a57aaecb6f20306c20dd169c674278e53bf19f41
SHA256

5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b
SHA512

c9646395bab0457c4524c0e1d078cd3662da2d32f15f37087fc8a47f7134685b536916affd3aee2b58c8aca5b18b6981d923296e7ab27592872d82799d38e145
SSDEEP

49152:7vTz92YpaQI6oPZlhP3ReybewoqC01JWRoGdl2XTHHB72eh2NTB:7vn92YpaQI6oPZlhP3YybewoqCZ5

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

C2

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

eeeb55fc-ba05-43e4-97f6-732f35b891b4

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2228-1-0x00000000001C0000-0x00000000004E4000-memory.dmp	family_quasar
behavioral2/files/0x0009000000023c36-6.dat	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	User Application Data.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	User Application Data.exe

Executes dropped EXE 2 IoCs

pid	Process
4904	User Application Data.exe
3504	User Application Data.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File created	C:\Program Files\Quasar\User Application Data.exe	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
File opened for modification	C:\Program Files\Quasar	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1576	PING.EXE
4496	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1576	PING.EXE
4496	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4304	schtasks.exe
4032	schtasks.exe
824	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
Token: SeDebugPrivilege	4904	User Application Data.exe
Token: SeDebugPrivilege	3504	User Application Data.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4904	User Application Data.exe
3504	User Application Data.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 4304	2228	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	84
PID 2228 wrote to memory of 4304	2228	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	84
PID 2228 wrote to memory of 4904	2228	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	86
PID 2228 wrote to memory of 4904	2228	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	86
PID 4904 wrote to memory of 4032	4904	User Application Data.exe	87
PID 4904 wrote to memory of 4032	4904	User Application Data.exe	87
PID 4904 wrote to memory of 1608	4904	User Application Data.exe	106
PID 4904 wrote to memory of 1608	4904	User Application Data.exe	106
PID 1608 wrote to memory of 904	1608	cmd.exe	108
PID 1608 wrote to memory of 904	1608	cmd.exe	108
PID 1608 wrote to memory of 1576	1608	cmd.exe	109
PID 1608 wrote to memory of 1576	1608	cmd.exe	109
PID 1608 wrote to memory of 3504	1608	cmd.exe	112
PID 1608 wrote to memory of 3504	1608	cmd.exe	112
PID 3504 wrote to memory of 824	3504	User Application Data.exe	113
PID 3504 wrote to memory of 824	3504	User Application Data.exe	113
PID 3504 wrote to memory of 3560	3504	User Application Data.exe	116
PID 3504 wrote to memory of 3560	3504	User Application Data.exe	116
PID 3560 wrote to memory of 1796	3560	cmd.exe	118
PID 3560 wrote to memory of 1796	3560	cmd.exe	118
PID 3560 wrote to memory of 4496	3560	cmd.exe	119
PID 3560 wrote to memory of 4496	3560	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
"C:\Users\Admin\AppData\Local\Temp\5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4304
- C:\Program Files\Quasar\User Application Data.exe
  "C:\Program Files\Quasar\User Application Data.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hWhuEl3F8g5w.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:904
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1576
  - - C:\Program Files\Quasar\User Application Data.exe
      "C:\Program Files\Quasar\User Application Data.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FoUAPjgzB86w.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3560
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1796
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
2fbabfd67d127a2e7c317b0f92ff82bb

SHA1
a57aaecb6f20306c20dd169c674278e53bf19f41

SHA256
5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b

SHA512
c9646395bab0457c4524c0e1d078cd3662da2d32f15f37087fc8a47f7134685b536916affd3aee2b58c8aca5b18b6981d923296e7ab27592872d82799d38e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\User Application Data.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoUAPjgzB86w.bat

Filesize
208B

MD5
8ad4df14d67a7129aaea20c6a903a315

SHA1
a3bf4138142c38d93008898a6e8d75781dc97117

SHA256
a51225db3cb9acb923a74fb3c7a0a5283b192bb961633dee07f7080e66930eea

SHA512
26eb77fd604676cd58cc7017b89065736084eff410f894b8d8fc48bb75ba7402c8589a2e24ef3c8a0d794d7c7daa4622bad6b85b2221a0413a0d95453b04504d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hWhuEl3F8g5w.bat

Filesize
208B

MD5
90aa6cb900c1bc3cfbf4fa8a7c0f6cb3

SHA1
79f8948128fa82bd1e6894175cdaf1e21eb670b9

SHA256
3c73705721cdf0ab72bc6b1f7d8efa14a7f9062e8cfc2969c146b612bf0696ed

SHA512
9a7be5091bc21bef84b9c51dba8d23b7add8ee46621bffba6f1bc034f6cba092b147cc00cf1dadf24a3e51a56041c39c45a0d150e316d9a81573676c51db12cf

Download Submit
memory/2228-1-0x00000000001C0000-0x00000000004E4000-memory.dmp

Filesize
3.1MB

Download
memory/2228-2-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

Filesize
10.8MB

Download
memory/2228-9-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

Filesize
10.8MB

Download
memory/2228-0-0x00007FF9A1C03000-0x00007FF9A1C05000-memory.dmp

Filesize
8KB

Download
memory/4904-11-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-14-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-19-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

Filesize
10.8MB

Download
memory/4904-13-0x000000001BEC0000-0x000000001BF72000-memory.dmp

Filesize
712KB

Download
memory/4904-12-0x000000001BDB0000-0x000000001BE00000-memory.dmp

Filesize
320KB

Download
memory/4904-10-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads