quasar | Yoworld[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Yoworld.exe
Size

2.8MB
MD5

8df0a6df45fc592b75ac6b99b2093c88
SHA1

63b0688d48a9fb81a87d81d4a523854428a526af
SHA256

82c6a9a76749761515dc8bc59f127a6b5f3155f8cb4c79dd378478483623c587
SHA512

f5360f6aaccdf31362327707bf6f337611ac22fb0a7f4fe279f8ec023fb5939dca8fabacd2fd9354197e9d99e5d9fe1f90025302e6f08301fb5df2cbfc81a9db
SSDEEP

49152:iVj+rD0c0QU/TcSntWUGIYh3T57ub6o3jWSpA7qQlv4wDAkD2lNe08uk3lP0gOg2:iVCrD0c0QUbJntWUqLBa

Score

10^/10

yoworld quasar

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Yoworld

C2

anubisgod.duckdns.org:1338

Mutex

ec434dcc-84b6-4a93-9358-be83ce93fef5

Attributes

encryption_key
0411D8B9B23547F86733347B0634010F112E158F
install_name
Dlscord.exe
log_directory
DlscordLogs
reconnect_delay
3000
startup_key
Dlscord
subdirectory
Dlscord

Signatures

Detects Quasar infostealer 1 IoCs

resource	yara_rule
sample	MALWARE_Win_QuasarStealer

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Files

Yoworld.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 2.8MB - Virtual size: 2.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ