quasar | 1a9fc6d523ce020286a56241c37badcf[.]bin

General

Target

1a9fc6d523ce020286a56241c37badcf.bin
Size

1.2MB
MD5

4e1a0e1df39670cd89801947255b9bf4
SHA1

d58be6e00aa72abfaed28e4fcace613ecb2df535
SHA256

22d49f7329fb60fee6b0e67e0ca48934d0edc9a2e87bf30bf6af8b9fe232b878
SHA512

07a4ab38d4942b0871dece06d0e55ae9a6c0839108471d72b5655c8acca8000d11759d11929365ce3d64f23b7e2ca313c46eed27b4b6aa578f0e8a7d4ece6efe
SSDEEP

24576:rvYAetFQ/bHxeK/9TuE65StZi+R2+muHRVdMJXmGJJ78u22b:rgHFQ/boA0StZi6JbxHMJXmGJN320

Score

10^/10

yadu desktop quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Yadu Desktop

C2

192.168.0.117:5952

Mutex

7c1aa5fc-2493-4922-84eb-b0c9e594a178

Attributes

encryption_key
288DD8FDFEEFAB4F6D1AF0DB22F3D719A454FE7C
install_name
Realtek.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Realtek Audio Manager
subdirectory
Realtek Audio Manager

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
static1/unpack001/2f511d2b5082a059bbc56ddd78b3a2dbe221941f70b42d1e7740dbdcd4a5be12.exe	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/2f511d2b5082a059bbc56ddd78b3a2dbe221941f70b42d1e7740dbdcd4a5be12.exe

Files

1a9fc6d523ce020286a56241c37badcf.bin
.zip

Password: infected
2f511d2b5082a059bbc56ddd78b3a2dbe221941f70b42d1e7740dbdcd4a5be12.exe
.exe windows:4 windows x86 arch:x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 3.1MB - Virtual size: 3.1MB

.rsrc Size: 3KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 3.1MB - Virtual size: 3.1MB

.rsrc
Size: 3KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 12B