quasar | F34F7D8F9488CE6E2438C88F64D262B0529A25519C3EC[.]exe | Triage

Sharing

General

Target

F34F7D8F9488CE6E2438C88F64D262B0529A25519C3EC.exe
Size

502KB
MD5

797722758bc54671176f4ae1894e403a
SHA1

5cac11545515f1452614297a41e18411f083eac6
SHA256

f34f7d8f9488ce6e2438c88f64d262b0529a25519c3ecb947fa28147a81507d8
SHA512

dac39d79388f8d39ebc894f10a33683daead08f658ab3eae9eb969dc21c3b469d05f078a9b36ae12aebb019cbe3f15e203fe6ee24a706ac62183b2b251ab1938
SSDEEP

12288:PTEgdfYvdo6ngiDp4kyw5mpG4W8UecdT:4UwVH/pyw5mpOEcdT

Score

10^/10

ctfmon quasar

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

ctfmon

C2

firewall.trustedvpnservices.com:39583

Mutex

3b144aca-60f9-4bcb-b4a6-716e4a5e2f1c

Attributes

encryption_key
3237D2016D901477C3F2D8FDF94D0482E3E52621
install_name
ctfmon.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ctfmon
subdirectory
Microsoft\Windows\Start Menu\Programs\Startup

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Files

F34F7D8F9488CE6E2438C88F64D262B0529A25519C3EC.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 498KB - Virtual size: 498KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ