quasar | e[.]exe | Triage

Sharing

General

Target

e.exe
Size

10.4MB
MD5

621c28cd39d9d6f9a3377b8da8a8849b
SHA1

5a025ed5f5baae77496e27fb2996fcb22d67ed40
SHA256

54c1dc44cd458da7ec96343973fa7f350df27517715f41483f9cab748d3a9203
SHA512

b5600b871ac950ec10d7bd0c38bb242a9921b1bccd2dacaa709471475a4c410eb2b43b693e2c18db40349f5c8e15b2c0ee93dde4eb3cbce2f47db880fe48033f
SSDEEP

196608:4nIMYy23CPc/V0VjfJcPE8Yw6QodKh7Ls85JxhVgE+uBd1ub:4nIRyEN08s8Yw6Qg1IgEzE

Score

10^/10

quasar redline

Malware Config

Extracted

Family

quasar

Mutex

Attributes

encryption_key
install_name
log_directory
reconnect_delay
3000
startup_key
subdirectory

Signatures

Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource yara_rule

sample disable_win_def
Quasar Payload 1 IoCs

Processes:

resource yara_rule

sample family_quasar
Quasar family
quasar
RedLine Payload 1 IoCs

Processes:

resource yara_rule

sample family_redline
Redline family
redline

Files

e.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 10.4MB - Virtual size: 10.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ