quasar | 1264-58-0x0000000000400000-0x0000000000484000-memory[.]dmp | Triage

Sharing

General

Target

1264-58-0x0000000000400000-0x0000000000484000-memory.dmp
Size

528KB
MD5

c3f96732b38cc7743551b2a48d6e0905
SHA1

df613e8141bc4a8ea1787cbc304546012831137f
SHA256

6a451e666a6954fe837bacd4d1e66cd45bf4c60a0ac61fa1a8e358c4f64d4edb
SHA512

1a5f1e6aff1ff02c0ddd631aa6cd014cabad6604bd6c7872c7ca3940e93b580ca5f8e9a6658702a116dbd9ab83dd620f1122fce6a3cc489933e3df435097071a
SSDEEP

12288:/TEgdfYJA6hqH3qVXNTqJO1TGO5ogzYLecd:oUwLq+68TGOegGecd

Score

10^/10

fast quasar

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Fast

C2

atomic.opdailyallowance.top:6980

Mutex

8794060f-ab80-483d-99e5-cd9b7c5047b7

Attributes

encryption_key
77D64A9E7D6F983A450481EF78D99F3A6B8A5925
install_name
svc_host.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SvcHostFramework
subdirectory
ChromeUpdate

Signatures

Quasar family
quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

sample family_quasar

Files

1264-58-0x0000000000400000-0x0000000000484000-memory.dmp
.exe windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 498KB - Virtual size: 498KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ