quasar | windows_update_client[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

windows_update_client.exe
Size

3.1MB
MD5

2632513ef381e54f4b7067258c006f9e
SHA1

148bd0ce9229a2f101e845e770d528c23c0e4091
SHA256

c54bb2c2ee3a6b72ad7867b134d3c257ce340c014d8d77fadc55aaa1fe225a72
SHA512

7ca8ce3e53d8ebcdaa2a2badc0c95c1c86ce590fbb5dd3f4475730ef9f0516d4dc965185f7eba1652638504b8adb0b742b998ddd921f52e0793d8cd1f8e720c5
SSDEEP

49152:jvHI22SsaNYfdPBldt698dBcjHhMxNESEck/i8LoGdNOTHHB72eh2NT:jvo22SsaNYfdPBldt6+dBcjHixPC

Score

10^/10

velt quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

VELT

C2

alibabash.ddns.net:4782

Mutex

970cfc24-4c6b-425a-bb15-1d5547d48e1e

Attributes

encryption_key
0CBE240E3C26455C5D759C65917E0458CC2F7BB0
install_name
windows_update.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update
subdirectory
update_subdire

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
windows_update_client.exe

Files

windows_update_client.exe
.exe windows:4 windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ