General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
434dd78c4efdd2eac85e58abf797b60e
-
SHA1
eecde7762b4dfc9049686839575c46df64264376
-
SHA256
a97d6308c91b4ec41734d56b67d2bc824c6dd3d606cfcf101b1213ad6e587e6e
-
SHA512
38f9229385a4e0c7c6129d01d4673a2b8f2fb8d17763a43e1907829d7b484c3b5e703dec759ed90aeea6ffe5e316d1c50c285502557d13f78c971f763623140d
-
SSDEEP
49152:CvWG42pda6D+/PjlLOlg6yQipV74+/qBxldoGdOTHHB72eh2NT:Cvx42pda6D+/PjlLOlZyQipVp/W
Malware Config
Extracted
quasar
1.4.1
Hacked
192.168.1.54:443
192.168.1.54:80
uk2.localto.net:44609
9f27fb8e-74e3-43bc-b8c4-e627e6d449ba
-
encryption_key
AB00D97B59C82CEB739903A9CE7ABECD6D2D982B
-
install_name
GorillaTag.exe
-
log_directory
Steam Error Logs
-
reconnect_delay
3000
-
startup_key
Steam WebHelper
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule sample family_quasar -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource Client-built.exe
Files
-
Client-built.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 3.1MB - Virtual size: 3.1MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 3KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ