quasar | ea72fe8ea0f99fc5bbef1c3903fbc94bd439b37d1989a9b642c80ce5f6675e3c

General

Target

cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe
Size

3.1MB
MD5

2fcfe990de818ff742c6723b8c6e0d33
SHA1

9d42cce564dcfa27b2c99450f54ba36d4b6eecaf
SHA256

cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740
SHA512

4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613
SSDEEP

49152:PvXz92YpaQI6oPZlhP3Reybewoklwuv1JHloGGWTHHB72eh2NT:PvD92YpaQI6oPZlhP3YybewoklwuV

Score

10^/10

quasar sgvp discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SGVP

C2

192.168.1.9:4782

150.129.206.176:4782

Ai-Sgvp-33452.portmap.host:33452

Mutex

a35ec7b7-5a95-4207-8f25-7af0a7847fa5

Attributes

encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
install_name
User Application Data.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windowns Client Startup
subdirectory
Quasar

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2328-1-0x0000000000B70000-0x0000000000E94000-memory.dmp	family_quasar
behavioral2/files/0x000d000000023a69-6.dat	family_quasar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	User Application Data.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	User Application Data.exe

Executes dropped EXE 3 IoCs

pid	Process
1572	User Application Data.exe
1128	User Application Data.exe
1680	User Application Data.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2088	PING.EXE
5024	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5024	PING.EXE
2088	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4588	schtasks.exe
2868	schtasks.exe
4932	schtasks.exe
4132	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe
Token: SeDebugPrivilege	1572	User Application Data.exe
Token: SeDebugPrivilege	1128	User Application Data.exe
Token: SeDebugPrivilege	1680	User Application Data.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1572	User Application Data.exe
1128	User Application Data.exe
1680	User Application Data.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 4588	2328	cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe	84
PID 2328 wrote to memory of 4588	2328	cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe	84
PID 2328 wrote to memory of 1572	2328	cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe	86
PID 2328 wrote to memory of 1572	2328	cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe	86
PID 1572 wrote to memory of 2868	1572	User Application Data.exe	87
PID 1572 wrote to memory of 2868	1572	User Application Data.exe	87
PID 1572 wrote to memory of 3300	1572	User Application Data.exe	106
PID 1572 wrote to memory of 3300	1572	User Application Data.exe	106
PID 3300 wrote to memory of 4916	3300	cmd.exe	108
PID 3300 wrote to memory of 4916	3300	cmd.exe	108
PID 3300 wrote to memory of 5024	3300	cmd.exe	109
PID 3300 wrote to memory of 5024	3300	cmd.exe	109
PID 3300 wrote to memory of 1128	3300	cmd.exe	112
PID 3300 wrote to memory of 1128	3300	cmd.exe	112
PID 1128 wrote to memory of 4932	1128	User Application Data.exe	113
PID 1128 wrote to memory of 4932	1128	User Application Data.exe	113
PID 1128 wrote to memory of 1332	1128	User Application Data.exe	116
PID 1128 wrote to memory of 1332	1128	User Application Data.exe	116
PID 1332 wrote to memory of 1496	1332	cmd.exe	118
PID 1332 wrote to memory of 1496	1332	cmd.exe	118
PID 1332 wrote to memory of 2088	1332	cmd.exe	119
PID 1332 wrote to memory of 2088	1332	cmd.exe	119
PID 1332 wrote to memory of 1680	1332	cmd.exe	121
PID 1332 wrote to memory of 1680	1332	cmd.exe	121
PID 1680 wrote to memory of 4132	1680	User Application Data.exe	122
PID 1680 wrote to memory of 4132	1680	User Application Data.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe
"C:\Users\Admin\AppData\Local\Temp\cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4588
- C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe
  "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3UrvD9L555ZI.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4916
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5024
  - - C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe
      "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4932
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sIZVzq2aLIXb.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1332
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1496
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2088
      - C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe
        
        "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windowns Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\User Application Data.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3UrvD9L555ZI.bat

Filesize
222B

MD5
66f8bff994f2b59bcbdedf3736181749

SHA1
42d7884c29abe5ee4d4eb9a4e4abe7895412b88f

SHA256
48f5d725074fcbfa0fadce8575ba1ad3f45447330a7e667882f7f0f6ac63dd3b

SHA512
d43f45df3750fabfc61712d704bf782d48a467a7e5814689bd1fc59a85a2412d96a8683909ca32c0354dcf1cb0db1d1a34baf1c1fd8d7b07aad4edf623331b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIZVzq2aLIXb.bat

Filesize
222B

MD5
a3f68cc30ce37035e12b02a8ea609ea8

SHA1
4656b52422be2308374e2b196da25fe3ab69d482

SHA256
32cb02af08b6cf6bf356f401fc05317b2c4ec99652c852e115185a397aa6984e

SHA512
1b94236d52bd39eb89c43386f735a272446a4051719b69b882476ce0987827d216ec5dae61f3151586b4f374dffb8c0d335f3cc9959ad8723f294257a28e06e5

Download Submit
C:\Users\Admin\AppData\Roaming\Quasar\User Application Data.exe

Filesize
3.1MB

MD5
2fcfe990de818ff742c6723b8c6e0d33

SHA1
9d42cce564dcfa27b2c99450f54ba36d4b6eecaf

SHA256
cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740

SHA512
4f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613

Download Submit
memory/1572-11-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/1572-12-0x000000001B270000-0x000000001B2C0000-memory.dmp

Filesize
320KB

Download
memory/1572-13-0x000000001BB80000-0x000000001BC32000-memory.dmp

Filesize
712KB

Download
memory/1572-14-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/1572-10-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/1572-20-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/2328-9-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/2328-0-0x00007FFEF09F3000-0x00007FFEF09F5000-memory.dmp

Filesize
8KB

Download
memory/2328-2-0x00007FFEF09F0000-0x00007FFEF14B1000-memory.dmp

Filesize
10.8MB

Download
memory/2328-1-0x0000000000B70000-0x0000000000E94000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads