quasar | 02962ce42a6b3910c33e9f9ace964bba | Triage

Sharing

General

Target

02962ce42a6b3910c33e9f9ace964bba
Size

666KB
MD5

02962ce42a6b3910c33e9f9ace964bba
SHA1

565d1a5cc063503879c5bd0dffa2cfe4e5a2e627
SHA256

2cb24e62607d1f4eef2ee22dca37a4eda7b97ea9b3d96443102548fe90c3edc3
SHA512

96fd7e1a6cd7e2f87274af902c7c327d7f09b1c15861983691a6ddf6a44961175876f97cbf0e31e383a36037ebaac9350c0e96ac49b4940a5ef3cd24ce1a5969
SSDEEP

12288:AkxfIayFMuojENeI7nbmv1xBowIaMsDtWYTA:AwPyFMu1bmbewIiDxTA

Score

10^/10

dcnitro01 quasar

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

DCNITRO01

C2

0.tcp.eu.ngrok.io:10352

Mutex

VNM_MUTEX_v9VGaskk4AIKeNY3U6

Attributes

encryption_key
UZHpvfEZMUzQVIJjvgWB
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
dc nitro(venom)
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource yara_rule

sample disable_win_def
Quasar family
quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

sample family_quasar

Files

02962ce42a6b3910c33e9f9ace964bba
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 531KB - Virtual size: 531KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 133KB - Virtual size: 133KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ