quasar | 2116-143-0x0000000000400000-0x0000000000484000-memory[.]dmp | Triage

Sharing

Copy URL Twitter E-mail

General

Target

2116-143-0x0000000000400000-0x0000000000484000-memory.dmp
Size

528KB
MD5

7505a36c4132e3348cd4064ffc6b6406
SHA1

10314df2715d8201b3400bf954fbda09d15b90d7
SHA256

dc1b58acbc66f785f6cf66fe1919c71143290c47e919f9dab791a76dd32eaae0
SHA512

1b57c167fbc51e2f0a0911b5b0b4ff7b01b02a8340e4a4cb849c98f5f677c406f22db287226efc6174e00a1f70e02f79a6e85fc3aa722c25c6fd4bee5b55cbc0
SSDEEP

6144:UTEgdc0Y4XAGbgiIN2RSBUwXt+1ha9VlvKTcEwrb8F9/Iiz9uqcTR3C:UTEgdfYKbgPvsAgRI+uqcdC

Score

10^/10

office04 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

borat.ddns.net:6606

Mutex

b3631183-1803-4cbf-a2dc-d8ed8618d9a3

Attributes

encryption_key
4E612D352FE600118DD54B22E77961181E0804E9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Files

2116-143-0x0000000000400000-0x0000000000484000-memory.dmp
.exe windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 498KB - Virtual size: 497KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ