quasar | BICOSLEFDSDFuilt[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

BICOSLEFDSDFuilt.exe
Size

502KB
MD5

92c6ee466c4b854fd7eca141c9b06f5c
SHA1

171b308e7366c45b3b525d570cf73f1f46b8e569
SHA256

e6d89ab26e52d2a29050721414698fb6881de827edb5d55dcd1100a096c5320f
SHA512

40a7570ab45be8c06ae41762bf74cf6b555d031d0b3d731a6a034ce016243e5306d2e005da21377a39ffdf3d7660a60bb8bcb93ec573f0b8ad402d09236c438f
SSDEEP

6144:oTEgdc0Y4XbZvdo6EsRwdyc5s/pr6NIwIiS2cELOb8F9OWAeDgV2R3cTR3u:oTEgdfYkdo6FQs8s2bpqg3cdu

Score

10^/10

hadaw quasar

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

hadaw

C2

glare.hadaw.ml:20872

Mutex

d69d2d7a-7cc7-4274-a588-93f606184524

Attributes

encryption_key
2C0C62BDD42E42BC77F98F8E1EE713B43F791267
install_name
WindowsServe.exe
log_directory
MicrosoftEnlightenment
reconnect_delay
101
startup_key
Microsoft Helper
subdirectory
WindowsSDTR

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Files

BICOSLEFDSDFuilt.exe
.exe windows x86

Password: 56uytgik

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 498KB - Virtual size: 497KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ