quasar | test[.]exe | Triage

Sharing

General

Target

test.exe
Size

3.2MB
MD5

27c355c14c674536587b643679ee4f95
SHA1

856eab4787c35c5ff8a6fcc924203f51c7eb437f
SHA256

f657297cd0e35a5937e8d3fe3318e34f3810f13de9ad94452ef79376ed85217c
SHA512

e982891853a97891218bc122ed490060b0c89d59ca747cff3bc7d0fbfed952d9caaea98f50818ec39a4ed84d0d03bea7662d8136513c77bf9ea9c7f7f51e489e
SSDEEP

49152:OvGlL26AaNeWgPhlmVqvMQ7XSK3xDEDw7k/JxKoGd0FjV/THHB72eh2NT:OvGL26AaNeWgPhlmVqkQ7XSK3xYgk

Score

10^/10

safety frame work quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Safety Frame Work

C2

212.154.101.132:3000

Mutex

1b3adac2-334a-4914-b42a-429f32ec011f

Attributes

encryption_key
8738101E98DC472C5F4C9FE5E109DEF1CA883172
install_name
test.exe
log_directory
Logs
reconnect_delay
2
startup_key
Quasar Client Startup
subdirectory
SubSecurity

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
test.exe

Files

test.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 118KB - Virtual size: 117KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ