quasar | decode_a5b87e0f2c2c7af9a3cb1985d40189cbff8570eb422f3c2d57c0c2075dfad868[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

decode_a5b87e0f2c2c7af9a3cb1985d40189cbff8570eb422f3c2d57c0c2075dfad868.exe
Size

348KB
MD5

7a2fe22ac8f1a50198f4c3607edeb157
SHA1

46cd57c658b44aa706fd680f8c7ae4665e3dca8f
SHA256

2fc13e628623ef973517fd08d95904a587c8375effc2251728e230d14537aeff
SHA512

f324bf7ea0905e3917b3deb6c434c5ced3e64c4468c11bf6b7302885e9b0b3ca2ff8c040683035b4ecf540bad21e99d9bfd089e65c029bbd81522a596dc4c2f7
SSDEEP

6144:oXNHXf500MOD/+SWbCm+71PBQPVm2jpm3ZIy:Wd50u9tm+71PBQPg2dm3ZIy

Score

10^/10

server quasar

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Server

C2

testert3.duckdns.org:57800

Mutex

QSR_MUTEX_fQ6Cmf4j2CcTSpuIat

Attributes

encryption_key
3oDiXt3Q1VNqjxnMOfvt
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Google Client Startup
subdirectory
SubDir

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Files

decode_a5b87e0f2c2c7af9a3cb1985d40189cbff8570eb422f3c2d57c0c2075dfad868.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 344KB - Virtual size: 344KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ