quasar | ClientVia[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

ClientVia.exe
Size

502KB
MD5

be3c44fc58d14526f1f88ad0e6835290
SHA1

072e7ab36bfa2773361320d32a442172437357e8
SHA256

2a530c0ce9e28ccef15ab536554c6e1174f33564d823e1cfcdb720c9771bb1cd
SHA512

9c0f3509ff24ade815541098476a336e784944feab12f199a3bf3ed48aeccb9503fae22278958fc71bdf35a213d0e02fd4b1368902c0bcb77b7c3ae38ac0cc50
SSDEEP

6144:wTEgdc0YOXO0l6HeR9icuoucwtoflOwcEgZvb8F9MQ8ppBQChcTR3/:wTEgdfYol62OwUs+Q8LBQChcd/

Score

10^/10

officed62a68d quasar

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

OfficeD62A68D

C2

70.70.19.220:4782

70.70.19.220:4753

70.70.19.220:4770

Mutex

d694e5f1-e750-4cdf-be77-8081e5942cc5

Attributes

encryption_key
45C5892F7FC83E096480FE9D090E9A8D064D660F
install_name
JavaAMD.exe
log_directory
JavaLogs
reconnect_delay
3000
startup_key
JavaAMD
subdirectory
JavaAMD

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Files

ClientVia.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 498KB - Virtual size: 497KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ