quasar | 26012024_1816_Coachella[.]txt | Triage

Sharing

Copy URL Twitter E-mail

General

Target

26012024_1816_Coachella.txt
Size

3.1MB
MD5

66bfbd56aef35fd5c8a9ac98922c712c
SHA1

de83a9aa97e44b3c8aeb7e5b23297497c21e4cc4
SHA256

c5758433ef16949fe40b872e9456eed40aa65c0d9c11d78b3a71046781485aee
SHA512

c3b0d7f2e739de7eeb1408147411cdcb9c07f6acc00862a184c78f10afcaca74375f94e0d2ce657588f80b50a33abfd6e79d231c138f35132128a84a678cc2c5
SSDEEP

49152:bvyI22SsaNYfdPBldt698dBcjHERy3ECs1k/GfFoGdnTHHB72eh2NT:bvf22SsaNYfdPBldt6+dBcjHERyit

Score

10^/10

office57 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office57

C2

crazydns.bumbleshrimp.com:7000

Mutex

7b833142-f2ed-4fbc-a330-70f5d6de2627

Attributes

encryption_key
D02C67CE14FE7C9292004BAB3E9AF4D677EEF268
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
26012024_1816_Coachella.txt

Files

26012024_1816_Coachella.txt
.exe windows:4 windows x86 arch:x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ