quasar | b8f6e00e0b83ae7620ba2104c644f485 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

b8f6e00e0b83ae7620ba2104c644f485
Size

510KB
MD5

b8f6e00e0b83ae7620ba2104c644f485
SHA1

9f1288d7ef5309a95f723ac3067db8f920093c00
SHA256

e8ca0270e68c2f29f8e9f6a77fe630a93b08c04573bde4956690f8943e6d10e8
SHA512

84549e4e749fc3e3ffc7f0e8d910a9ad2cec7a70713cb3ce34fcd298ba0d8b3fa016f301def95c873e3eef2ceeb8ac8dfca2cf2af69eafdf719a1f8145199738
SSDEEP

12288:YTEgdfYIbg7Y3nHrX4XywpopqYpsjcdX:NUwHE8ywpopRMcdX

Score

10^/10

$ => wp system quasar

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

$ => WP SYSTEM

C2

13.233.24.14:812

65.1.228.201:812

Mutex

da26c746-e2b5-44f8-a213-93f8d07230b5

Attributes

encryption_key
2DF15225F8A9265CDE224164CB1E854581732C34
install_name
explorer.exe
log_directory
Logs
reconnect_delay
1000
startup_key
Explorer
subdirectory
Microsoft

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
b8f6e00e0b83ae7620ba2104c644f485

Files

b8f6e00e0b83ae7620ba2104c644f485
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 498KB - Virtual size: 497KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ