quasar | ea72fe8ea0f99fc5bbef1c3903fbc94bd439b37d1989a9b642c80ce5f6675e3c

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe
Size

3.1MB
MD5

2fcfe990de818ff742c6723b8c6e0d33
SHA1

9d42cce564dcfa27b2c99450f54ba36d4b6eecaf
SHA256

cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740
SHA512

4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613
SSDEEP

49152:PvXz92YpaQI6oPZlhP3Reybewoklwuv1JHloGGWTHHB72eh2NT:PvD92YpaQI6oPZlhP3YybewoklwuV

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 5 IoCs

resource	yara_rule
behavioral1/memory/1808-1-0x00000000003F0000-0x0000000000714000-memory.dmp	family_quasar
behavioral1/files/0x0008000000015d0e-6.dat	family_quasar
behavioral1/memory/2728-10-0x0000000000200000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/memory/1444-24-0x0000000000DB0000-0x00000000010D4000-memory.dmp	family_quasar
behavioral1/memory/636-35-0x0000000000FF0000-0x0000000001314000-memory.dmp	family_quasar

Executes dropped EXE 3 IoCs

pid	Process
2728	User Application Data.exe
1444	User Application Data.exe
636	User Application Data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2680	PING.EXE
688	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2680	PING.EXE
688	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2204	schtasks.exe
2592	schtasks.exe
1512	schtasks.exe
1652	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe
Token: SeDebugPrivilege	2728	User Application Data.exe
Token: SeDebugPrivilege	1444	User Application Data.exe
Token: SeDebugPrivilege	636	User Application Data.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2728	User Application Data.exe
1444	User Application Data.exe
636	User Application Data.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2204	1808	cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe	28
PID 1808 wrote to memory of 2204	1808	cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe	28
PID 1808 wrote to memory of 2204	1808	cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe	28
PID 1808 wrote to memory of 2728	1808	cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe	30
PID 1808 wrote to memory of 2728	1808	cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe	30
PID 1808 wrote to memory of 2728	1808	cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe	30
PID 2728 wrote to memory of 2592	2728	User Application Data.exe	31
PID 2728 wrote to memory of 2592	2728	User Application Data.exe	31
PID 2728 wrote to memory of 2592	2728	User Application Data.exe	31
PID 2728 wrote to memory of 1236	2728	User Application Data.exe	35
PID 2728 wrote to memory of 1236	2728	User Application Data.exe	35
PID 2728 wrote to memory of 1236	2728	User Application Data.exe	35
PID 1236 wrote to memory of 2432	1236	cmd.exe	37
PID 1236 wrote to memory of 2432	1236	cmd.exe	37
PID 1236 wrote to memory of 2432	1236	cmd.exe	37
PID 1236 wrote to memory of 2680	1236	cmd.exe	38
PID 1236 wrote to memory of 2680	1236	cmd.exe	38
PID 1236 wrote to memory of 2680	1236	cmd.exe	38
PID 1236 wrote to memory of 1444	1236	cmd.exe	39
PID 1236 wrote to memory of 1444	1236	cmd.exe	39
PID 1236 wrote to memory of 1444	1236	cmd.exe	39
PID 1444 wrote to memory of 1512	1444	User Application Data.exe	40
PID 1444 wrote to memory of 1512	1444	User Application Data.exe	40
PID 1444 wrote to memory of 1512	1444	User Application Data.exe	40
PID 1444 wrote to memory of 380	1444	User Application Data.exe	42
PID 1444 wrote to memory of 380	1444	User Application Data.exe	42
PID 1444 wrote to memory of 380	1444	User Application Data.exe	42
PID 380 wrote to memory of 988	380	cmd.exe	44
PID 380 wrote to memory of 988	380	cmd.exe	44
PID 380 wrote to memory of 988	380	cmd.exe	44
PID 380 wrote to memory of 688	380	cmd.exe	45
PID 380 wrote to memory of 688	380	cmd.exe	45
PID 380 wrote to memory of 688	380	cmd.exe	45
PID 380 wrote to memory of 636	380	cmd.exe	46
PID 380 wrote to memory of 636	380	cmd.exe	46
PID 380 wrote to memory of 636	380	cmd.exe	46
PID 636 wrote to memory of 1652	636	User Application Data.exe	47
PID 636 wrote to memory of 1652	636	User Application Data.exe	47
PID 636 wrote to memory of 1652	636	User Application Data.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe
"C:\Users\Admin\AppData\Local\Temp\cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2204
- C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe
  "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2592
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\mcbygCfZcdbl.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2432
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2680
  - - C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe
      "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1512
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\rKZj8SlqCWSX.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:380
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:988
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:688
      - C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe
        
        "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mcbygCfZcdbl.bat

Filesize
222B

MD5
f96fb3677c9ac1aee3736a40d999e0f8

SHA1
597d6fcadd926d047c1bd9afb29869df151b8a70

SHA256
38153dea6b55c4ccd8dcda6b85e59da10c06522a63ec08ed92b426b6e10df1bb

SHA512
bd4ad8c123f46a9a6e2cb9579cc7906fff169a59de33165826997f28f3bcd1f59cd844753cb38885d3d6cba43f0aa9085b26493ab7b94cc7140c07e968284ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rKZj8SlqCWSX.bat

Filesize
222B

MD5
c71d8b81f7b3ab4e7f6a903d867799d4

SHA1
e8c65c72281ef222c2266f93c6590a188a51eb40

SHA256
c71913275768db3084a67dc34b1a15c14e67daf3370ff141d12ec25fad658409

SHA512
0d7cdbcf482eb1cbf63d1460500239f92dc15801c0ec4adbc1757cae1eb4ec7dc2db7d58534b2c7f0f4a9080a33d7779e1ddc351b91112f2596a11eadf931f76

Download Submit
C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
2fcfe990de818ff742c6723b8c6e0d33

SHA1
9d42cce564dcfa27b2c99450f54ba36d4b6eecaf

SHA256
cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740

SHA512
4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613

Download Submit
memory/636-35-0x0000000000FF0000-0x0000000001314000-memory.dmp

Filesize
3.1MB

Download
memory/1444-24-0x0000000000DB0000-0x00000000010D4000-memory.dmp

Filesize
3.1MB

Download
memory/1808-0-0x000007FEF6163000-0x000007FEF6164000-memory.dmp

Filesize
4KB

Download
memory/1808-9-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/1808-2-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/1808-1-0x00000000003F0000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/2728-8-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-10-0x0000000000200000-0x0000000000524000-memory.dmp

Filesize
3.1MB

Download
memory/2728-11-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-12-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-22-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads