Behavioral task
behavioral1
Sample
3a9e31e398e0f96a8c0e7a8d99a2dc36da74056be0882d97ba2cad813190b09d.exe
Resource
win7-20231023-en
General
-
Target
3a9e31e398e0f96a8c0e7a8d99a2dc36da74056be0882d97ba2cad813190b09d
-
Size
3.1MB
-
MD5
7c286bfc44121880fd6f519cef8dbb76
-
SHA1
f63c551d27e7dcaa8391efb6efc8e3edbb5405de
-
SHA256
3a9e31e398e0f96a8c0e7a8d99a2dc36da74056be0882d97ba2cad813190b09d
-
SHA512
9c7ff4e205b75d6e342a26e1d35db0fcc5e1dd86ad61726606a4f8f3fceb749a175d4c93f12157182e26c798dc9faacb3787c79b61d90698d3589b049d2a8b55
-
SSDEEP
49152:GvXI22SsaNYfdPBldt698dBcjHU6DkE2Hsk/+FgoGdn+fTHHB72eh2NT:GvY22SsaNYfdPBldt6+dBcjHU6DJeu
Malware Config
Extracted
quasar
1.4.1
Sys32
180.195.205.155:4782
cb2c21d0-caea-4e5b-aec0-8169b705d768
-
encryption_key
9A4F139DB2DACE4C19ACED3CE2C37A9E9F5329AA
-
install_name
Sys32.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
Processes:
resource yara_rule sample family_quasar -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource 3a9e31e398e0f96a8c0e7a8d99a2dc36da74056be0882d97ba2cad813190b09d
Files
-
3a9e31e398e0f96a8c0e7a8d99a2dc36da74056be0882d97ba2cad813190b09d.exe windows:4 windows x86
Password: infected
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 3.1MB - Virtual size: 3.1MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 3KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ