quasar | cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SGVPClientUsers.exe
Size

3.1MB
MD5

2fcfe990de818ff742c6723b8c6e0d33
SHA1

9d42cce564dcfa27b2c99450f54ba36d4b6eecaf
SHA256

cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740
SHA512

4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613
SSDEEP

49152:PvXz92YpaQI6oPZlhP3Reybewoklwuv1JHloGGWTHHB72eh2NT:PvD92YpaQI6oPZlhP3YybewoklwuV

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/2020-1-0x0000000000A80000-0x0000000000DA4000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016ab9-6.dat	family_quasar
behavioral1/memory/2548-8-0x0000000000EB0000-0x00000000011D4000-memory.dmp	family_quasar
behavioral1/memory/3024-24-0x0000000000FF0000-0x0000000001314000-memory.dmp	family_quasar
behavioral1/memory/1264-36-0x0000000000220000-0x0000000000544000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2548	User Application Data.exe
3024	User Application Data.exe
1264	User Application Data.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1704	PING.EXE
644	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
644	PING.EXE
1704	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2184	schtasks.exe
2864	schtasks.exe
2468	schtasks.exe
2080	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	SGVPClientUsers.exe
Token: SeDebugPrivilege	2548	User Application Data.exe
Token: SeDebugPrivilege	3024	User Application Data.exe
Token: SeDebugPrivilege	1264	User Application Data.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2548	User Application Data.exe
3024	User Application Data.exe
1264	User Application Data.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2184	2020	SGVPClientUsers.exe	30
PID 2020 wrote to memory of 2184	2020	SGVPClientUsers.exe	30
PID 2020 wrote to memory of 2184	2020	SGVPClientUsers.exe	30
PID 2020 wrote to memory of 2548	2020	SGVPClientUsers.exe	32
PID 2020 wrote to memory of 2548	2020	SGVPClientUsers.exe	32
PID 2020 wrote to memory of 2548	2020	SGVPClientUsers.exe	32
PID 2548 wrote to memory of 2864	2548	User Application Data.exe	33
PID 2548 wrote to memory of 2864	2548	User Application Data.exe	33
PID 2548 wrote to memory of 2864	2548	User Application Data.exe	33
PID 2548 wrote to memory of 2648	2548	User Application Data.exe	36
PID 2548 wrote to memory of 2648	2548	User Application Data.exe	36
PID 2548 wrote to memory of 2648	2548	User Application Data.exe	36
PID 2648 wrote to memory of 3036	2648	cmd.exe	38
PID 2648 wrote to memory of 3036	2648	cmd.exe	38
PID 2648 wrote to memory of 3036	2648	cmd.exe	38
PID 2648 wrote to memory of 644	2648	cmd.exe	39
PID 2648 wrote to memory of 644	2648	cmd.exe	39
PID 2648 wrote to memory of 644	2648	cmd.exe	39
PID 2648 wrote to memory of 3024	2648	cmd.exe	40
PID 2648 wrote to memory of 3024	2648	cmd.exe	40
PID 2648 wrote to memory of 3024	2648	cmd.exe	40
PID 3024 wrote to memory of 2468	3024	User Application Data.exe	41
PID 3024 wrote to memory of 2468	3024	User Application Data.exe	41
PID 3024 wrote to memory of 2468	3024	User Application Data.exe	41
PID 3024 wrote to memory of 2400	3024	User Application Data.exe	43
PID 3024 wrote to memory of 2400	3024	User Application Data.exe	43
PID 3024 wrote to memory of 2400	3024	User Application Data.exe	43
PID 2400 wrote to memory of 1520	2400	cmd.exe	45
PID 2400 wrote to memory of 1520	2400	cmd.exe	45
PID 2400 wrote to memory of 1520	2400	cmd.exe	45
PID 2400 wrote to memory of 1704	2400	cmd.exe	46
PID 2400 wrote to memory of 1704	2400	cmd.exe	46
PID 2400 wrote to memory of 1704	2400	cmd.exe	46
PID 2400 wrote to memory of 1264	2400	cmd.exe	47
PID 2400 wrote to memory of 1264	2400	cmd.exe	47
PID 2400 wrote to memory of 1264	2400	cmd.exe	47
PID 1264 wrote to memory of 2080	1264	User Application Data.exe	48
PID 1264 wrote to memory of 2080	1264	User Application Data.exe	48
PID 1264 wrote to memory of 2080	1264	User Application Data.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SGVPClientUsers.exe
"C:\Users\Admin\AppData\Local\Temp\SGVPClientUsers.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2184
- C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe
  "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2864
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\4ErqyxaKBNO1.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3036
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:644
  - - C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe
      "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2468
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\6ELKZKYDCTlJ.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2400
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1520
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1704
      - C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe
        
        "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4ErqyxaKBNO1.bat

Filesize
222B

MD5
3709e68eeefee008c72d58a16ee83dcb

SHA1
04d1fe50f41002623efbad84dec8909d9744cdca

SHA256
d0b03dba4fbc05785fc536a2d2219b649c70698f421ebe8b0aeeae98b493d3ad

SHA512
7e96ef372273259f3c73a003e53237eb0d5cc45531053e0a79ee22c0f0f06f946a158cd53497d30e98e459247f6bc48d164759adfe48c5238b25cb924e998b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ELKZKYDCTlJ.bat

Filesize
222B

MD5
805a11415b6fe06c90d5b16e60831822

SHA1
71f2b93f300c7d586836dd3d226f6fff961e0b53

SHA256
dd3ddfd3234d7cf10333e19d5068bb1c4080b5c27fdb272512133141841b0e58

SHA512
f7eb0e62b439ea0e853ea6996e1bd2aafef1e4b7de51f25c8a8bed6f647e82f216ba7de0390a9d51546cc9f1255aeb351fa613a46d1a9cad26eab1a3af463827

Download Submit
C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
2fcfe990de818ff742c6723b8c6e0d33

SHA1
9d42cce564dcfa27b2c99450f54ba36d4b6eecaf

SHA256
cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740

SHA512
4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613

Download Submit
memory/1264-36-0x0000000000220000-0x0000000000544000-memory.dmp

Filesize
3.1MB

Download
memory/2020-0-0x000007FEF55B3000-0x000007FEF55B4000-memory.dmp

Filesize
4KB

Download
memory/2020-11-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/2020-2-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/2020-1-0x0000000000A80000-0x0000000000DA4000-memory.dmp

Filesize
3.1MB

Download
memory/2548-9-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-8-0x0000000000EB0000-0x00000000011D4000-memory.dmp

Filesize
3.1MB

Download
memory/2548-10-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-12-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-22-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/3024-24-0x0000000000FF0000-0x0000000001314000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads