quasar | 1e44cb58c487dbdecdeb626d40d52706[.]bin | Triage

Sharing

Copy URL Twitter E-mail

General

Target

1e44cb58c487dbdecdeb626d40d52706.bin
Size

229KB
MD5

8aff540f46996d638a8dae2a59f6fb5c
SHA1

45c24572956e1e6f9a55734b891cca1e0c356920
SHA256

e3502a6a621e5a8f4d4e4ddee61323e1ec154db632a252881a70f0267f1cd8f5
SHA512

b3b3d58f1e8b81cd9fe83b81dcc1840b2a8766cae435cf9b43a551bf8629b6fbfd9792257e11340956bc41449d9cbadb521d10ef89240cad12c5d65a14f607a0
SSDEEP

6144:wNeom46qJrWstjrCfxW09xIGhVfIZKkTRlf9p06f:JolJqGGxh9xIGvIskTH/06f

Score

10^/10

xh_ty quasar

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

xh_ty

C2

121.62.17.105:8848

Mutex

c91a46f5-5d83-4235-84fb-ae765b7a7cda

Attributes

encryption_key
CC2A8E3F3FCF0D5262F5FB0EF2477329C6382733
install_name
xh_ty.exe
log_directory
Logs
reconnect_delay
0
startup_key
win updata
subdirectory
setup

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
static1/unpack001/54250aeb90c867a9e4ed7dae2b26ecf2bd90e83172bdf4f722b99cd7f19b37f4.exe	family_quasar

Files

1e44cb58c487dbdecdeb626d40d52706.bin
.zip

Password: infected
54250aeb90c867a9e4ed7dae2b26ecf2bd90e83172bdf4f722b99cd7f19b37f4.exe
.exe windows x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 498KB - Virtual size: 497KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ