quasar | FF2660A00926901EAC4025097786A61D7F72816663C6F[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

FF2660A00926901EAC4025097786A61D7F72816663C6F.exe
Size

2.8MB
MD5

4bbbb6049518ce9d84fc37800a5eb289
SHA1

90767e6ca1ecae446e6283b3126008f28c7ec8bc
SHA256

ff2660a00926901eac4025097786a61d7f72816663c6f79089bdd2be49309afa
SHA512

b93afde496c30047607499f5537c99c6f890c2745d4f2fc44eb54f4364907ec970fdacbd7fb75b3adfa4ed6d4852ba2aa68e3926eabaf3eb9eda2f4a45f2d7d7
SSDEEP

49152:N5nzfQXMgwdwpXA2dcMr+mWwx6re1guuayUfcaza32ehyfTBm:N5n7QXMgwdwNddcMr+mWwx6613ud

Score

10^/10

965 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

965

C2

zayprostofyrim.zapto.org:8080

Mutex

4d22ea2c-7165-4e19-b5fe-0850e5b37080

Attributes

encryption_key
97F480AFD18B078BDCDBAF4CB14583954161150A
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
DriversUpdate

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Files

FF2660A00926901EAC4025097786A61D7F72816663C6F.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 2.8MB - Virtual size: 2.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ