quasar | 5b092b9eae4e57fab721a1e5b5a7cb92afe81fd1cc24d371cfa44c9cb0bb88fa | Triage

Sharing

General

Target

5b092b9eae4e57fab721a1e5b5a7cb92afe81fd1cc24d371cfa44c9cb0bb88fa
Size

593KB
MD5

c43fe8c5ca00ddf821a56b2b6ccc8584
SHA1

dc0424cf138ae4cd0d6c52d684fb1df3bd5af6f1
SHA256

5b092b9eae4e57fab721a1e5b5a7cb92afe81fd1cc24d371cfa44c9cb0bb88fa
SHA512

e29ebd1b452c1dae15ebb7b30f8955be74dec4d07c5a0f48dcf190f638a9bba79ca8fc02c9ad413c10af6081621576d3ebd1b4ffda2c9afb1b61a00cc064af86

Score

10^/10

quasar mercurialgrabber

Malware Config

Extracted

Family

quasar

Mutex

Attributes

encryption_key
install_name
log_directory
reconnect_delay
3000
startup_key
subdirectory

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
sample	disable_win_def

Mercurialgrabber family
mercurialgrabber

Quasar Payload 1 IoCs

resource	yara_rule
sample	family_quasar

Quasar family
quasar

Files

5b092b9eae4e57fab721a1e5b5a7cb92afe81fd1cc24d371cfa44c9cb0bb88fa
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Code Sign

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 591KB - Virtual size: 590KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ