quasar | 5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
Size

3.1MB
MD5

2fbabfd67d127a2e7c317b0f92ff82bb
SHA1

a57aaecb6f20306c20dd169c674278e53bf19f41
SHA256

5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b
SHA512

c9646395bab0457c4524c0e1d078cd3662da2d32f15f37087fc8a47f7134685b536916affd3aee2b58c8aca5b18b6981d923296e7ab27592872d82799d38e145
SSDEEP

49152:7vTz92YpaQI6oPZlhP3ReybewoqC01JWRoGdl2XTHHB72eh2NTB:7vn92YpaQI6oPZlhP3YybewoqCZ5

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

eeeb55fc-ba05-43e4-97f6-732f35b891b4

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/memory/2660-1-0x0000000000C30000-0x0000000000F54000-memory.dmp	family_quasar
behavioral1/files/0x0006000000019246-6.dat	family_quasar
behavioral1/memory/2696-10-0x0000000000F90000-0x00000000012B4000-memory.dmp	family_quasar
behavioral1/memory/1372-35-0x0000000000030000-0x0000000000354000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2696	User Application Data.exe
1500	User Application Data.exe
1372	User Application Data.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File created	C:\Program Files\Quasar\User Application Data.exe	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
File opened for modification	C:\Program Files\Quasar	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
916	PING.EXE
1932	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
916	PING.EXE
1932	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
900	schtasks.exe
2784	schtasks.exe
3044	schtasks.exe
2820	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
Token: SeDebugPrivilege	2696	User Application Data.exe
Token: SeDebugPrivilege	1500	User Application Data.exe
Token: SeDebugPrivilege	1372	User Application Data.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2696	User Application Data.exe
1500	User Application Data.exe
1372	User Application Data.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2784	2660	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	30
PID 2660 wrote to memory of 2784	2660	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	30
PID 2660 wrote to memory of 2784	2660	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	30
PID 2660 wrote to memory of 2696	2660	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	32
PID 2660 wrote to memory of 2696	2660	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	32
PID 2660 wrote to memory of 2696	2660	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	32
PID 2696 wrote to memory of 3044	2696	User Application Data.exe	33
PID 2696 wrote to memory of 3044	2696	User Application Data.exe	33
PID 2696 wrote to memory of 3044	2696	User Application Data.exe	33
PID 2696 wrote to memory of 1432	2696	User Application Data.exe	35
PID 2696 wrote to memory of 1432	2696	User Application Data.exe	35
PID 2696 wrote to memory of 1432	2696	User Application Data.exe	35
PID 1432 wrote to memory of 1212	1432	cmd.exe	37
PID 1432 wrote to memory of 1212	1432	cmd.exe	37
PID 1432 wrote to memory of 1212	1432	cmd.exe	37
PID 1432 wrote to memory of 916	1432	cmd.exe	38
PID 1432 wrote to memory of 916	1432	cmd.exe	38
PID 1432 wrote to memory of 916	1432	cmd.exe	38
PID 1432 wrote to memory of 1500	1432	cmd.exe	39
PID 1432 wrote to memory of 1500	1432	cmd.exe	39
PID 1432 wrote to memory of 1500	1432	cmd.exe	39
PID 1500 wrote to memory of 2820	1500	User Application Data.exe	40
PID 1500 wrote to memory of 2820	1500	User Application Data.exe	40
PID 1500 wrote to memory of 2820	1500	User Application Data.exe	40
PID 1500 wrote to memory of 2504	1500	User Application Data.exe	43
PID 1500 wrote to memory of 2504	1500	User Application Data.exe	43
PID 1500 wrote to memory of 2504	1500	User Application Data.exe	43
PID 2504 wrote to memory of 3028	2504	cmd.exe	45
PID 2504 wrote to memory of 3028	2504	cmd.exe	45
PID 2504 wrote to memory of 3028	2504	cmd.exe	45
PID 2504 wrote to memory of 1932	2504	cmd.exe	46
PID 2504 wrote to memory of 1932	2504	cmd.exe	46
PID 2504 wrote to memory of 1932	2504	cmd.exe	46
PID 2504 wrote to memory of 1372	2504	cmd.exe	47
PID 2504 wrote to memory of 1372	2504	cmd.exe	47
PID 2504 wrote to memory of 1372	2504	cmd.exe	47
PID 1372 wrote to memory of 900	1372	User Application Data.exe	48
PID 1372 wrote to memory of 900	1372	User Application Data.exe	48
PID 1372 wrote to memory of 900	1372	User Application Data.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
"C:\Users\Admin\AppData\Local\Temp\5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2784
- C:\Program Files\Quasar\User Application Data.exe
  "C:\Program Files\Quasar\User Application Data.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3044
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\78CHYePJD42Y.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1212
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:916
  - - C:\Program Files\Quasar\User Application Data.exe
      "C:\Program Files\Quasar\User Application Data.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2820
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vQMoLU0FwkSj.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3028
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932
      - C:\Program Files\Quasar\User Application Data.exe
        
        "C:\Program Files\Quasar\User Application Data.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
2fbabfd67d127a2e7c317b0f92ff82bb

SHA1
a57aaecb6f20306c20dd169c674278e53bf19f41

SHA256
5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b

SHA512
c9646395bab0457c4524c0e1d078cd3662da2d32f15f37087fc8a47f7134685b536916affd3aee2b58c8aca5b18b6981d923296e7ab27592872d82799d38e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\78CHYePJD42Y.bat

Filesize
208B

MD5
29a07a64ffa1022eb3ee4bb166e8467c

SHA1
aebeb72eb2d52eee89d9f8ad843e3c484f505e63

SHA256
e8925e7cbe0c3a38f5eb48ec29de723a6b4d9f03293fd60426beeeb9e0e9f744

SHA512
db77750e4047a2b5431c90f5b7e223b64f48750ceec840b5af250f7189da214672d4269da4b4500e2e18a9941fe619000ffb88b826dfed10076af1884433a681

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQMoLU0FwkSj.bat

Filesize
208B

MD5
555ac1c85529c48395743f151ec36502

SHA1
04826b6fe5ed5a4fb62444db5abe9448e741c4ba

SHA256
4ef7880307a35f232f535041b0bb892d9a182f55b98e0c4e333dbce2020a18c4

SHA512
d46b0bb64b5aee3cad54847158f9a5b5e9d446509597c44dde1c50973db4f22147c8b31519cdcdcbbe16a0e88a7d1242fefe218ab3cc763b6d6c789e7c010edc

Download Submit
memory/1372-35-0x0000000000030000-0x0000000000354000-memory.dmp

Filesize
3.1MB

Download
memory/2660-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-1-0x0000000000C30000-0x0000000000F54000-memory.dmp

Filesize
3.1MB

Download
memory/2660-8-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/2696-9-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-10-0x0000000000F90000-0x00000000012B4000-memory.dmp

Filesize
3.1MB

Download
memory/2696-11-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-12-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-21-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads