quasar | MSSafetyScanner[.]exe | Triage

Sharing

General

Target

MSSafetyScanner.exe
Size

3.1MB
MD5

1ae8b0e8c75365c47271340258db93e0
SHA1

a6ad36735a30ba6684045f40fa370a3b6bceb6ba
SHA256

df9104032c91e415db6acc7e364edd70cd1a2b436beb738af5286770c374a683
SHA512

22e4b973836f4dc8252e67797c61218b1812c675f4d8301aa6c3f78428b2fd3adf8ec3eb5b3943d88ae197a59e1a6328a3f5c7c38cacddf82a64de367ea9aa9b
SSDEEP

49152:uv7I22SsaNYfdPBldt698dBcjHYlvfQSLbGdkMTHHB72eh2NT:uvE22SsaNYfdPBldt6+dBcjHYlx

Score

10^/10

mssafetyscanner quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

MSSafetyScanner

C2

103.168.19.82:4782

Mutex

36273c21-280f-473d-aa8f-af6b17aef827

Attributes

encryption_key
89CEED02B51D5D5F5FEB3295A8627B7FC06903D0
install_name
MSSafetyScanner.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MSSafetyStartup
subdirectory
SubDir

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
MSSafetyScanner.exe

Files

MSSafetyScanner.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ