quasar | 5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b

General

Target

5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
Size

3.1MB
MD5

2fbabfd67d127a2e7c317b0f92ff82bb
SHA1

a57aaecb6f20306c20dd169c674278e53bf19f41
SHA256

5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b
SHA512

c9646395bab0457c4524c0e1d078cd3662da2d32f15f37087fc8a47f7134685b536916affd3aee2b58c8aca5b18b6981d923296e7ab27592872d82799d38e145
SSDEEP

49152:7vTz92YpaQI6oPZlhP3ReybewoqC01JWRoGdl2XTHHB72eh2NTB:7vn92YpaQI6oPZlhP3YybewoqCZ5

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

C2

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

eeeb55fc-ba05-43e4-97f6-732f35b891b4

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3092-1-0x0000000000710000-0x0000000000A34000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023c97-6.dat	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	User Application Data.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	User Application Data.exe

Executes dropped EXE 3 IoCs

pid	Process
4244	User Application Data.exe
4540	User Application Data.exe
1788	User Application Data.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe
File created	C:\Program Files\Quasar\User Application Data.exe	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
File opened for modification	C:\Program Files\Quasar	User Application Data.exe
File opened for modification	C:\Program Files\Quasar	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
File opened for modification	C:\Program Files\Quasar\User Application Data.exe	User Application Data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2928	PING.EXE
2572	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2928	PING.EXE
2572	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3940	schtasks.exe
1628	schtasks.exe
880	schtasks.exe
3980	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3092	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
Token: SeDebugPrivilege	4244	User Application Data.exe
Token: SeDebugPrivilege	4540	User Application Data.exe
Token: SeDebugPrivilege	1788	User Application Data.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4244	User Application Data.exe
4540	User Application Data.exe
1788	User Application Data.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 3940	3092	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	83
PID 3092 wrote to memory of 3940	3092	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	83
PID 3092 wrote to memory of 4244	3092	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	85
PID 3092 wrote to memory of 4244	3092	5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe	85
PID 4244 wrote to memory of 1628	4244	User Application Data.exe	86
PID 4244 wrote to memory of 1628	4244	User Application Data.exe	86
PID 4244 wrote to memory of 2016	4244	User Application Data.exe	106
PID 4244 wrote to memory of 2016	4244	User Application Data.exe	106
PID 2016 wrote to memory of 1016	2016	cmd.exe	108
PID 2016 wrote to memory of 1016	2016	cmd.exe	108
PID 2016 wrote to memory of 2928	2016	cmd.exe	109
PID 2016 wrote to memory of 2928	2016	cmd.exe	109
PID 2016 wrote to memory of 4540	2016	cmd.exe	111
PID 2016 wrote to memory of 4540	2016	cmd.exe	111
PID 4540 wrote to memory of 880	4540	User Application Data.exe	112
PID 4540 wrote to memory of 880	4540	User Application Data.exe	112
PID 4540 wrote to memory of 4112	4540	User Application Data.exe	115
PID 4540 wrote to memory of 4112	4540	User Application Data.exe	115
PID 4112 wrote to memory of 3888	4112	cmd.exe	117
PID 4112 wrote to memory of 3888	4112	cmd.exe	117
PID 4112 wrote to memory of 2572	4112	cmd.exe	118
PID 4112 wrote to memory of 2572	4112	cmd.exe	118
PID 4112 wrote to memory of 1788	4112	cmd.exe	120
PID 4112 wrote to memory of 1788	4112	cmd.exe	120
PID 1788 wrote to memory of 3980	1788	User Application Data.exe	121
PID 1788 wrote to memory of 3980	1788	User Application Data.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe
"C:\Users\Admin\AppData\Local\Temp\5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3940
- C:\Program Files\Quasar\User Application Data.exe
  "C:\Program Files\Quasar\User Application Data.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWeoGJhTpiNA.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1016
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2928
  - - C:\Program Files\Quasar\User Application Data.exe
      "C:\Program Files\Quasar\User Application Data.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W8sxqEeQgnGX.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4112
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3888
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2572
      - C:\Program Files\Quasar\User Application Data.exe
        
        "C:\Program Files\Quasar\User Application Data.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Program Files\Quasar\User Application Data.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
2fbabfd67d127a2e7c317b0f92ff82bb

SHA1
a57aaecb6f20306c20dd169c674278e53bf19f41

SHA256
5635d897dd5b3ee97bf94e1ad08de46ee35776fb5095baa3c89396b51658eb2b

SHA512
c9646395bab0457c4524c0e1d078cd3662da2d32f15f37087fc8a47f7134685b536916affd3aee2b58c8aca5b18b6981d923296e7ab27592872d82799d38e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\User Application Data.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\W8sxqEeQgnGX.bat

Filesize
208B

MD5
55d512e4567f2df4ac1fb7991d87f8b2

SHA1
edeef19f755a7c69e7a44c3a58f75c4d193c9ff4

SHA256
9745e64883742e9db5a5be59d34d180e14490b7efa17da0280241d3c98f5714b

SHA512
42a2ee0922c361a39a2df589fb4cbed9bd1f597748e0d7588a1e3aff6b1011f0c188ea1daab0facd420ce9b40392e4f1f8619771c9797fdc44ce1b4e6a1bbb91

Download Submit
C:\Users\Admin\AppData\Local\Temp\mWeoGJhTpiNA.bat

Filesize
208B

MD5
499c6cc65a22cad657cf56a9bd048f0b

SHA1
84ead47bc00c86914517d4f187c5037977ed7df5

SHA256
b6724ce8687f9d5e19c3425ceb84269bedb56286123b4d66852c2911701f06d6

SHA512
daca77d068c5f5d00e9306c9937d028a824d73028bdbfad8e251d8688e9c9df06bfa9e52aff6f26f3b64b0e5c9370f6b227af4a012ff7131608e66e9cd485322

Download Submit
memory/3092-1-0x0000000000710000-0x0000000000A34000-memory.dmp

Filesize
3.1MB

Download
memory/3092-2-0x00007FFA24460000-0x00007FFA24F21000-memory.dmp

Filesize
10.8MB

Download
memory/3092-9-0x00007FFA24460000-0x00007FFA24F21000-memory.dmp

Filesize
10.8MB

Download
memory/3092-0-0x00007FFA24463000-0x00007FFA24465000-memory.dmp

Filesize
8KB

Download
memory/4244-11-0x00007FFA24460000-0x00007FFA24F21000-memory.dmp

Filesize
10.8MB

Download
memory/4244-14-0x00007FFA24460000-0x00007FFA24F21000-memory.dmp

Filesize
10.8MB

Download
memory/4244-19-0x00007FFA24460000-0x00007FFA24F21000-memory.dmp

Filesize
10.8MB

Download
memory/4244-13-0x000000001C4D0000-0x000000001C582000-memory.dmp

Filesize
712KB

Download
memory/4244-12-0x000000001C3C0000-0x000000001C410000-memory.dmp

Filesize
320KB

Download
memory/4244-10-0x00007FFA24460000-0x00007FFA24F21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads