quasar | tmp | Triage

Sharing

Copy URL Twitter E-mail

General

Target

tmp
Size

502KB
MD5

c63359e3101ad763236651055395ffd4
SHA1

f7234979f3956b7a73d1c4119715085031559042
SHA256

3eb4ce46bad64e1db6528589388087ffc73e5267e72b62fa29ee9f67825b68e8
SHA512

8e6673adc61f29b7e7651c8313d3fcca38be5e586636ee231026b3a114ae22857f6e54de0787b3826cf61d3071e741824a502528c8aeaa6d4e9822a02c39e261
SSDEEP

6144:UTEgdc0YEXAGbgiIN2RSBMt3hQ3gRsHbSscErOb8F9EWl0t4lkG5p0q3cTR3C:UTEgdfYObgQZTs7peaRL0q3cdC

Score

10^/10

monkey quasar

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Monkey

C2

mictobozo.duckdns.org:55489

Mutex

49857eb6-b35c-4a0a-8b4c-b0fc018f2ae5

Attributes

encryption_key
893C33826D840F9D0EBA0D923C423154D5D27AD9
install_name
Lomo.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Console WIndow host
subdirectory
SubDir

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Files

tmp
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 498KB - Virtual size: 497KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ