quasar | 7a837441ef73435830b9f5e7bf858f67[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

7a837441ef73435830b9f5e7bf858f67.exe
Size

3.1MB
MD5

7a837441ef73435830b9f5e7bf858f67
SHA1

423a46a4497c406ab925b9d442c9ac3d680c48cd
SHA256

7f3ce13c39b8aa0202357579138c56a684a5c0aad61b8b5c1f3fd20f12afa916
SHA512

fff3e8ce9335b4d3fbcbde75964e57e76b587a9edb6a89dc07695bb0e71b53b02364b1aa746ed919f0212a898a9b998fe0099b28a34e6fe4185eeb8c63363f29
SSDEEP

49152:Q+EVUWCmlNuqBfHFRrOr+kR4CPcr9cdWoG9AfTHHB72eh2NT:Q+MYRqBfHFRrOpR4CPcZc0k

Score

10^/10

muahaha quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Muahaha

C2

37.139.129.145:5512

Mutex

9ea0edc2-299b-4ba4-bb26-0c01d3ce5e5f

Attributes

encryption_key
D21B49539C3EA494897D43CF75CBF5F989F0792A
install_name
ntoskrnl.exe
log_directory
SystemLogs
reconnect_delay
3000
startup_key
Microsoft Windows Operating System
subdirectory
Microsoft Windows Operating System

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
7a837441ef73435830b9f5e7bf858f67.exe

Files

7a837441ef73435830b9f5e7bf858f67.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ