quasar | af12a0fe7ac38dc5fe35e9bc07e2c4e94b52fb895fde35991f77477519991562

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

truepepe-qt.exe
Size

85.2MB
MD5

157a22896cc610d6310a2fa0f4a13005
SHA1

5e62076cad33e22d62413264113627114cbc8887
SHA256

af12a0fe7ac38dc5fe35e9bc07e2c4e94b52fb895fde35991f77477519991562
SHA512

1eba39a21c01950a12e78582e99253a48b3984564c4826890a577b849abfde20f3012eeea4a0c972f94faa153ba6aef90af57b8d0762b0920cf6a940ccd86b75
SSDEEP

393216:34TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa25:3KRVQxhu0P8Lq1LEvxOOx5Sv

Score

10^/10

quasar senshipepe defense_evasion execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

SenshiPepe

51.15.17.193:4782

Mutex

3cedc6f6-6ab5-4aba-8d7d-5cda1b7ffa72

Attributes

encryption_key
97599F6E5D14A784CC4DD36B18A277119042FDA8
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/1452-39-0x000002C17D260000-0x000002C17D584000-memory.dmp	family_quasar

System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs

Abuse Regasm to proxy execution of malicious code.

defense_evasion

Regsvcs/Regasm

T1218.009

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RegAsm.exe	truepepe-qt.exe
Key opened	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempup.url	truepepe-qt.exe

Executes dropped EXE 1 IoCs

pid	Process
1452	RegAsm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2484	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2484	powershell.exe
2484	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1452	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1836	2260	truepepe-qt.exe	86
PID 2260 wrote to memory of 1836	2260	truepepe-qt.exe	86
PID 1836 wrote to memory of 1400	1836	cmd.exe	87
PID 1836 wrote to memory of 1400	1836	cmd.exe	87
PID 1836 wrote to memory of 2484	1836	cmd.exe	88
PID 1836 wrote to memory of 2484	1836	cmd.exe	88
PID 2484 wrote to memory of 4556	2484	powershell.exe	89
PID 2484 wrote to memory of 4556	2484	powershell.exe	89
PID 4556 wrote to memory of 4104	4556	csc.exe	90
PID 4556 wrote to memory of 4104	4556	csc.exe	90
PID 2260 wrote to memory of 5032	2260	truepepe-qt.exe	91
PID 2260 wrote to memory of 5032	2260	truepepe-qt.exe	91
PID 5032 wrote to memory of 1452	5032	cmd.exe	92
PID 5032 wrote to memory of 1452	5032	cmd.exe	92
PID 2260 wrote to memory of 4628	2260	truepepe-qt.exe	93
PID 2260 wrote to memory of 4628	2260	truepepe-qt.exe	93

C:\Users\Admin\AppData\Local\Temp\truepepe-qt.exe
"C:\Users\Admin\AppData\Local\Temp\truepepe-qt.exe"
1⤵
- System Binary Proxy Execution: Regsvcs/Regasm
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\Admin\AppData\Local\Temp\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\temp.ps1 "
    3⤵
    PID:1400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aufcpl1g\aufcpl1g.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4556
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF39.tmp" "c:\Users\Admin\AppData\Local\Temp\aufcpl1g\CSC981F75D36DB747DD9DE0986E25D09685.TMP"
        5⤵
        
        PID:4104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
  2⤵
  - System Binary Proxy Execution: Regsvcs/Regasm
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\TruePepe.exe"
  2⤵
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

System Binary Proxy Execution

T1218

Regsvcs/Regasm

T1218.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBF39.tmp

Filesize
1KB

MD5
3e85a1e22f462bf89bb7e4e2b29e313f

SHA1
2162f6cb8374adda7e10c3ba37e554d4e1e59bb2

SHA256
b53bac36508b2f8091806003df2e191036e7d59a387bb9366bae27eed93a46b4

SHA512
fbe43780dc709d413c63e821fb5ca082e65be1b247d58a9dbcd4fd54dbbeb8a46229fd93de4e393c36ac728546513cb92bd162925a1a2719da08f82d00623742

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
5.5MB

MD5
68ca89f542a3e864fe99e2391b178e22

SHA1
0ee003ff3b991f0c18e6b3d00f5e7f146ad2b746

SHA256
8b2c157588514f8e5210a12c54e5e723cc3d92b0c5b7a30e8343aec6d33837d8

SHA512
c411060d308d6294687e8590f303e9b2401f881410ff6051cb5d38ade8522ec99975bd8f123705c441021c6932dc2e95a0393e15b44254a738ebfbad8882997a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TruePepe.exe

Filesize
1KB

MD5
1326c16a18441423830933fbb3a6a290

SHA1
d62b5f0ec9ae7a82209938c347311519b9fc1084

SHA256
3bb40456027c77d05b991e4686f10e51739a6ebdca3e33ec5edcd1e2c28b34cf

SHA512
2b9076d43ccc836c89bcd4cc1946008b1d0268edf432d37659960f4ffb9836ca65e638b61305f374ba71b2fa21ac3210482c0e6287288e75bcd44d4fbeb3e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kgtgdnzz.w2z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aufcpl1g\aufcpl1g.dll

Filesize
3KB

MD5
1823565ab096acf88c096f9994bf7d40

SHA1
5a7d4f028bd34b1ef924248e3a18adc9ac86519a

SHA256
99fc4198b46a8fd58714c35fa694b9a0a20ebd532ec4858b5be290644ac7cb70

SHA512
60180ad965d4ff469ea9c42229e44317c299faea43d335deed814f22ef047bf39a329e13552621caa00b50e1942ca7126d3babadd41810644d76b03bbfe13b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aufcpl1g\CSC981F75D36DB747DD9DE0986E25D09685.TMP

Filesize
652B

MD5
c31cb1505feeeae122176719eb01ac2d

SHA1
d2645e463a3ecf441be8cf988f9281686c5dd6a0

SHA256
98f59bacabe48beb6f7be5000e7846b661fc2b8d1414eb73bf8bf959da3942da

SHA512
513397cefafe3df422264997c0c81f5c613da64e1d0f1ecf0b5e5434f707150516e0ce0c72944faee54e1de4c424e1f3b74a8cc7b034ef599c75f4ea5fc21ebe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aufcpl1g\aufcpl1g.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aufcpl1g\aufcpl1g.cmdline

Filesize
369B

MD5
6708bc340cb6c5787a4fa16cddf6c682

SHA1
d7adb2e171b5906548aaec5dc2c0b751bb745ccc

SHA256
768f28e153e85c2aa34e8b5dae3ea1219a54fdf4a20facc192d110d79bc10011

SHA512
94eb0542fd8f958900351611c23831c6c7bafbfad4dd88bc2bb08bffdb798d11d4035d632850052fa27f4d756b23852ef5e0fbec20214f90c10eb6ca54ef97b6

Download Submit
memory/1452-39-0x000002C17D260000-0x000002C17D584000-memory.dmp

Filesize
3.1MB

Download
memory/1452-40-0x000002C17CCB0000-0x000002C17CD00000-memory.dmp

Filesize
320KB

Download
memory/1452-41-0x000002C17F330000-0x000002C17F3E2000-memory.dmp

Filesize
712KB

Download
memory/1452-44-0x000002C17D670000-0x000002C17D682000-memory.dmp

Filesize
72KB

Download
memory/1452-45-0x000002C17D6D0000-0x000002C17D70C000-memory.dmp

Filesize
240KB

Download
memory/2484-14-0x000001D04B780000-0x000001D04B7F6000-memory.dmp

Filesize
472KB

Download
memory/2484-27-0x000001D04B2D0000-0x000001D04B2D8000-memory.dmp

Filesize
32KB

Download
memory/2484-3-0x000001D04B180000-0x000001D04B1A2000-memory.dmp

Filesize
136KB

Download
memory/2484-13-0x000001D04B300000-0x000001D04B344000-memory.dmp

Filesize
272KB

Download