quasar | CHECKER V2[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

CHECKER V2.exe
Size

502KB
MD5

aa0bd907cede03c370d7863103f7e153
SHA1

4aa0cbbad02417e166d33acb30ed52d385a35c7d
SHA256

d262b02a774635bf5baef0fd67b74dc49ca7cdb3cc96ddad41f36feb727acf89
SHA512

af82eb199092ac3b1ab0463af4774d68df7d329567aeef36ac93610381bbe25de7782156a29824e6627bf7c4f3bf403b4e31027feb8c941ed19c0e5c040ee9aa
SSDEEP

6144:RTEgdc0YJX7IxUpGREWyOdYB8oeRKLEV5guKwJ+KcEBOb8F9GRHClZSscTR3Y:RTEgdfYaxUudYOJv9KwvRp4tClZhcdY

Score

10^/10

office04 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

pool-bernard.at.ply.gg:60078

Mutex

88167cc1-6ab0-428b-b881-12fe80690052

Attributes

encryption_key
F8AC1C0C6971A4F35403EFD8C57476151C7CE9C7
install_name
Protect.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MS protect
subdirectory
SubDir

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Files

CHECKER V2.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 498KB - Virtual size: 497KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ