quasar | 1aaf91f4a94f5cb96e94eb98c46c028c4994484ab06956d8cb0d37bcb9fdc106[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

1aaf91f4a94f5cb96e94eb98c46c028c4994484ab06956d8cb0d37bcb9fdc106.exe
Size

502KB
MD5

4560f14a33be8d42f2353cbe04a767df
SHA1

9cf76bef38e97eecd168990bf7c993af95b1e31c
SHA256

1aaf91f4a94f5cb96e94eb98c46c028c4994484ab06956d8cb0d37bcb9fdc106
SHA512

692661e407b80f7dc6325b23e304a0c5be8ae8e62fd9364b478c882d282541b0d2d4612927770aab03b1f0d643a8716bc7f80bb1176793a2b71f9682be44f8e1
SSDEEP

6144:pTEgdc0Y5XAGbgiIN2RSBbuS87XGCsWOkeSsoLmJcE6Nb8F9Q5OglOHocTR31:pTEgdfYVbgyaCoaBCqyK5iIcd1

Score

10^/10

office04 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

91.192.100.36:8084

Mutex

9ce44fed-2881-4998-80a9-a8059346d6d7

Attributes

encryption_key
F2F10A25F4D0D0543F5520C8C8BAC500DA1B1AC1
install_name
ServiceUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Mirsoft Update
subdirectory
Mirsoft

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Files

1aaf91f4a94f5cb96e94eb98c46c028c4994484ab06956d8cb0d37bcb9fdc106.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 498KB - Virtual size: 497KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ