quasar | HEUR-Trojan[.]MSIL[.]Quasar[.]gen-0b49f8f284f55c374b25a25e80007e9ca70321a0f7dba7f3f26cadab070bbf0e[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

HEUR-Trojan.MSIL.Quasar.gen-0b49f8f284f55c374b25a25e80007e9ca70321a0f7dba7f3f26cadab070bbf0e.exe
Size

502KB
MD5

0295dedb1a0529dd212fe6258df36bb0
SHA1

14f8121735784971083f2731cb3459acb3232a11
SHA256

0b49f8f284f55c374b25a25e80007e9ca70321a0f7dba7f3f26cadab070bbf0e
SHA512

120dc530e1e7767a6ca3579a445b9f5d9887ec7382c9419dde5c14b35ddd7c6acf3b13825a6353870e3becd3f9653edf7353efdac095e47377bffa2f98ac6af7
SSDEEP

6144:FTEgdc0YPXAGbgiIN2RSBEHGBK0McYpHNfcEIZb8F//iNvOtsLcTR3f:FTEgdfYHbgQHG2NfYmyNoIcdf

Score

10^/10

zbambou quasar

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Zbambou

C2

crossfire17.ddns.net:4782

Mutex

b217efd5-dc0f-4d59-9252-5c538c480477

Attributes

encryption_key
4C73E1B847B93527D25B93415C4218A65D5160BB
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Client Startup
subdirectory
SubDir

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Files

HEUR-Trojan.MSIL.Quasar.gen-0b49f8f284f55c374b25a25e80007e9ca70321a0f7dba7f3f26cadab070bbf0e.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 498KB - Virtual size: 497KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ