quasar | 4304-147-0x0000000000400000-0x000000000045E000-memory[.]dmp | Triage

Sharing

Copy URL Twitter E-mail

General

Target

4304-147-0x0000000000400000-0x000000000045E000-memory.dmp
Size

376KB
MD5

b6bf8b6806b5bb6c12ecc8b1858fc46c
SHA1

15098e5ac00f94a4285585ceca0de63b5d167cee
SHA256

c804220b6a91721a2c66b2eafd1fe1e23ca0b1f9ce8a9f8e0e3b0800613e06ae
SHA512

24976dc4350b18732b15d50bbc250d739e5d27ef2d69aa750e8c152941dc8e623e77b43e982328cdbe1a5e904be8fc64bf46b64d2991f912f8559d355d4b6cf3
SSDEEP

6144:5ANHXf500MbfH7NMubc340rCu0GNJPkKZh6:Wd50Nqto0fNJ8K76

Score

10^/10

hop quasar

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

hop

C2

dnuocc.com:64594

www.dnuocc.com:64594

Mutex

QSR_MUTEX_gKkre5ge46OKHHYV4m

Attributes

encryption_key
MWS1P9A8h60dOGbuRmwt
install_name
hvc.exe
log_directory
Logs
reconnect_delay
4000
startup_key
hrr
subdirectory
hik

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Files

4304-147-0x0000000000400000-0x000000000045E000-memory.dmp
.exe windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 344KB - Virtual size: 344KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ