quasar | evidence[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

evidence.zip
Size

180KB
MD5

590f97c97b054e7897bfbdf707901096
SHA1

519591f65d940f858444f33498325b75ef7b431b
SHA256

de0443eaf9bb64f285b658bba95678089545cea6ab2930580ba68345bbe80014
SHA512

e9eedbe5caf02ecdc5fca1877c2a954cc3240bf54c3981cff3b625b93e8fbb8ec20eb682bc1a596b108271b94531f1abc76aa1b5656800928fc684d3223a3138
SSDEEP

3072:mLVfQpAZm9BdXQJ/o/pDxr/fzchKCOimyNds3Z699EJttMB7/nE80f/tv38MjJYa:4qpAZmVXiid0IByjY403MB7/nE80HtvV

Score

10^/10

frog quasar

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Frog

C2

192.168.0.15:8282

Mutex

Froggi

Attributes

encryption_key
TtCNbZ6r2jZKvoNxinWx
install_name
Frog.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Frogs
subdirectory
Frogs

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
static1/unpack001/pid.1896.0x2b0000_Frog2.dmp	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/pid.1896.0x2b0000_Frog2.dmp

Files

evidence.zip
.zip
pid.1896.0x2b0000_Frog2.dmp
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 352KB - Virtual size: 352KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ