quasar | Client[.]exe | Triage

Sharing

General

Target

Client.exe
Size

3.1MB
MD5

1b9d131113ba317f61c680608d1f5044
SHA1

3a6740e37ca55933bd2977f4a4e0223b4abe02ae
SHA256

2c2352205f2ce5df483aadd89af9ed9750bb1df13b246906e92cf31101572537
SHA512

6b7127d5e28e1a6661e5c84d473375ff4475d87225b331fbf2fd9252f57c7b611fd0accda7520812833fe996bf0001ed68c0d7c89946c31b06041a4c7f7b3193
SSDEEP

49152:uviI22SsaNYfdPBldt698dBcjH3vRJ6sbR3LoGd9sTHHB72eh2NT:uvv22SsaNYfdPBldt6+dBcjH3vRJ62

Score

10^/10

office04 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

tr2.localto.net:46564

Mutex

c47e2046-1058-430b-9398-803360379972

Attributes

encryption_key
76663067AA8B43723242B084D486BDDB88B05879
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Client.exe

Files

Client.exe
.exe windows:4 windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ