General
-
Target
3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87
-
Size
348KB
-
MD5
3227a70d123b9da999bf150fdf605036
-
SHA1
1b959876c589dc17b0d7084a8f3017123e8568af
-
SHA256
3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87
-
SHA512
1c75060b544047c0a6d39822014c85bb5bba8e14b4432b2a291bc9e2b8e55c156f9736d1483f8f8f226961aa663a9fc20919e6d2812faf38ceb2f262e31ae8ae
-
SSDEEP
6144:8uwb/c2L0tBYYOtUEbtZTl8MNtX2MwE+:bH2Ll5tVZeMNtX2M7+
Malware Config
Extracted
quasar
1.3.0.0
Office04
188.119.45.143:9896
microsoftstolewindows.duckdns.org:9896
192.168.1.52:9896
QSR_MUTEX_ZhL1p5SiHTlBKUYEsI
-
encryption_key
sBg2G8lxZ2VaMwfKc6V3
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svchost
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule sample family_quasar
Files
-
3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe windows x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 345KB - Virtual size: 344KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ