Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en
General
Target: tmp
Size: 3.1MB
MD5: 9015c3d7db0f4918632bd515f5187148
SHA1: 78f1ac578a3ad08c5da5eaab6b7423d772a9e159
SHA256: dc90c4dea9a7c84847fa536ac75123e39f077437cbafcc132c2537f8757f7578
SHA512: 855ce4d97ddf6b50f3ca49d846d643c45ad668b3238280e9cee1a14dbdba754b37b27ba874aa8039695f263eaa5e4a785ca6047d65aad666f384557ecff6981d
SSDEEP: 49152:zvDlL26AaNeWgPhlmVqvMQ7XSKvrRJ6kbR3LoGdogTHHB72eh2NT:zv5L26AaNeWgPhlmVqkQ7XSKvrRJ6u
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Hacked
66.135.0.161:5890
127.0.0.1:5890
298708ab-b798-45b3-8858-08891ded7c8a
encryption_key: D0F0754E67B4CBC38801AC41F731FCB62478B8FF
install_name: Windowsdem64.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: scfhost
subdirectory: Windows64
Signatures
Quasar family
Quasar payload 1 IoCs
Processes: resource sample; yara_rule family_quasar
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes: resource tmp
Files
tmp.exe windows x86 f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 3.1MB - Virtual size: 3.1MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 3KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ