quasar | xZ3Qraz3mopj[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

xZ3Qraz3mopj.exe
Size

1.0MB
MD5

9f7fb2e4d23a162b9a47b291f1eb7763
SHA1

a829bba9362aa433432e40fc4f48849a2f80a460
SHA256

eaffa2b674b3afc1110ddd54a2835ebe59ed686a564f256dccb40b3bac1010ca
SHA512

d4b854c62e8bcd72fd8078ed3dbea6a44b04c01fa80d0a307303eb4a8ddbd506f3115812082a84b7978aafaef247711e03a37d19f0a4400faf5c808ab17fcb9d
SSDEEP

24576:5aynkc1ZzBvtrZHFjMKY2zNolelHmkn+nF:Iynkc1ZzBvtrZHFjMKY2ClelDn+

Score

10^/10

r2 datacenter quasar

Malware Config

Extracted

Family

quasar

Version

2.7.0.0

Botnet

R2 Datacenter

C2

rick63.publicvm.com:6750

Mutex

Upe2L54wRGWWLe9wgP

Attributes

encryption_key
0gXyBPPAvXHK4k58eHz8
install_name
Venom.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
xZ3Qraz3mopj.exe

Files

xZ3Qraz3mopj.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ