quasar | cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SGVP Client Users.exe
Size

3.1MB
MD5

2fcfe990de818ff742c6723b8c6e0d33
SHA1

9d42cce564dcfa27b2c99450f54ba36d4b6eecaf
SHA256

cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740
SHA512

4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613
SSDEEP

49152:PvXz92YpaQI6oPZlhP3Reybewoklwuv1JHloGGWTHHB72eh2NT:PvD92YpaQI6oPZlhP3YybewoklwuV

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/memory/1924-1-0x00000000000E0000-0x0000000000404000-memory.dmp	family_quasar
behavioral1/files/0x0007000000015d81-6.dat	family_quasar
behavioral1/memory/2432-9-0x0000000001190000-0x00000000014B4000-memory.dmp	family_quasar
behavioral1/memory/1264-34-0x0000000001320000-0x0000000001644000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2432	User Application Data.exe
1032	User Application Data.exe
1264	User Application Data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2088	PING.EXE
2712	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2088	PING.EXE
2712	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe
2180	schtasks.exe
3020	schtasks.exe
560	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	SGVP Client Users.exe
Token: SeDebugPrivilege	2432	User Application Data.exe
Token: SeDebugPrivilege	1032	User Application Data.exe
Token: SeDebugPrivilege	1264	User Application Data.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2432	User Application Data.exe
1032	User Application Data.exe
1264	User Application Data.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2700	1924	SGVP Client Users.exe	30
PID 1924 wrote to memory of 2700	1924	SGVP Client Users.exe	30
PID 1924 wrote to memory of 2700	1924	SGVP Client Users.exe	30
PID 1924 wrote to memory of 2432	1924	SGVP Client Users.exe	32
PID 1924 wrote to memory of 2432	1924	SGVP Client Users.exe	32
PID 1924 wrote to memory of 2432	1924	SGVP Client Users.exe	32
PID 2432 wrote to memory of 2180	2432	User Application Data.exe	33
PID 2432 wrote to memory of 2180	2432	User Application Data.exe	33
PID 2432 wrote to memory of 2180	2432	User Application Data.exe	33
PID 2432 wrote to memory of 2688	2432	User Application Data.exe	36
PID 2432 wrote to memory of 2688	2432	User Application Data.exe	36
PID 2432 wrote to memory of 2688	2432	User Application Data.exe	36
PID 2688 wrote to memory of 2436	2688	cmd.exe	38
PID 2688 wrote to memory of 2436	2688	cmd.exe	38
PID 2688 wrote to memory of 2436	2688	cmd.exe	38
PID 2688 wrote to memory of 2088	2688	cmd.exe	39
PID 2688 wrote to memory of 2088	2688	cmd.exe	39
PID 2688 wrote to memory of 2088	2688	cmd.exe	39
PID 2688 wrote to memory of 1032	2688	cmd.exe	40
PID 2688 wrote to memory of 1032	2688	cmd.exe	40
PID 2688 wrote to memory of 1032	2688	cmd.exe	40
PID 1032 wrote to memory of 3020	1032	User Application Data.exe	41
PID 1032 wrote to memory of 3020	1032	User Application Data.exe	41
PID 1032 wrote to memory of 3020	1032	User Application Data.exe	41
PID 1032 wrote to memory of 1824	1032	User Application Data.exe	43
PID 1032 wrote to memory of 1824	1032	User Application Data.exe	43
PID 1032 wrote to memory of 1824	1032	User Application Data.exe	43
PID 1824 wrote to memory of 2488	1824	cmd.exe	45
PID 1824 wrote to memory of 2488	1824	cmd.exe	45
PID 1824 wrote to memory of 2488	1824	cmd.exe	45
PID 1824 wrote to memory of 2712	1824	cmd.exe	46
PID 1824 wrote to memory of 2712	1824	cmd.exe	46
PID 1824 wrote to memory of 2712	1824	cmd.exe	46
PID 1824 wrote to memory of 1264	1824	cmd.exe	47
PID 1824 wrote to memory of 1264	1824	cmd.exe	47
PID 1824 wrote to memory of 1264	1824	cmd.exe	47
PID 1264 wrote to memory of 560	1264	User Application Data.exe	48
PID 1264 wrote to memory of 560	1264	User Application Data.exe	48
PID 1264 wrote to memory of 560	1264	User Application Data.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SGVP Client Users.exe
"C:\Users\Admin\AppData\Local\Temp\SGVP Client Users.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2700
- C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe
  "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2180
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\lCLvEOtYIotE.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2436
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2088
  - - C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe
      "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3020
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rFihAVkQnhMJ.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2488
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2712
      - C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe
        
        "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lCLvEOtYIotE.bat

Filesize
222B

MD5
3e5add60820da9de467d64f57883d521

SHA1
6453ca4a963ddb04f2e444add241e88a5d8c7ef6

SHA256
aaf20c89a758163a4d767daa2a330651a64a88e5a6d1ea1be5002386bdebdc79

SHA512
683914eef4448a7b6d5e17c8098f354b97e3266e5970637b321225c4d15abb001efd489f1d0b1c0c60d8c5b2f7ba921fe7217f505daa30c29ca87881aa910173

Download Submit
C:\Users\Admin\AppData\Local\Temp\rFihAVkQnhMJ.bat

Filesize
222B

MD5
5eed0777c7c1ddceb60be202fa749320

SHA1
a1fb8666ca1b04aca47b1f792a70aa5430b464f3

SHA256
8bdc980c649c5b5364ffde2f3fd509185cfe9dd68b7158ec1125f68dd0969f80

SHA512
1e76d94eb47dc83a4e57dcdb7ce3b07fd4f3f4b30ea65b56788e8bb7eb114cd6dc3f16cbdae698e64beb20cae9279d9fa75f08afda804de16b53821c928ebb48

Download Submit
C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
2fcfe990de818ff742c6723b8c6e0d33

SHA1
9d42cce564dcfa27b2c99450f54ba36d4b6eecaf

SHA256
cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740

SHA512
4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613

Download Submit
memory/1264-34-0x0000000001320000-0x0000000001644000-memory.dmp

Filesize
3.1MB

Download
memory/1924-0-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

Filesize
4KB

Download
memory/1924-8-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/1924-2-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/1924-1-0x00000000000E0000-0x0000000000404000-memory.dmp

Filesize
3.1MB

Download
memory/2432-10-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-9-0x0000000001190000-0x00000000014B4000-memory.dmp

Filesize
3.1MB

Download
memory/2432-11-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-12-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-21-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads