quasar | 745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002

Sharing

Copy URL

Twitter E-mail

General

Target

745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002
Size

3.1MB
MD5

ed8542b4688d70d42d77fad98e5969b0
SHA1

808666505eeca15e9a7a15b95ff439497a9f1dcf
SHA256

745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002
SHA512

72fc0930a4e51eb7a7b76bac97c64c9bb8e8fe30a406b294a824ecc721677c212d409368a6bca595b0ee82449d80cf7c09f4a063bbe7ee47ebcba30c5c3b6a45
SSDEEP

49152:KvyI22SsaNYfdPBldt698dBcjH672lSt3oGdITHHB72eh2NT:Kvf22SsaNYfdPBldt6+dBcjH62lS9

Score

10^/10

office04 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

10.127.0.54:4782

Mutex

76898c6c-aad7-493e-ad05-6bb072bc1ab9

Attributes

encryption_key
E0AA33A7353AC58B6995079C718A83EE5609573D
install_name
Twrek.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_GENInfoStealer

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002

Files

745a69ac20dbb2482e7512bbc14950fa41bf78dbd0a5afda0396c8d897b50002
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 3.1MB - Virtual size: 3.1MB

.rsrc Size: 3KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 3.1MB - Virtual size: 3.1MB

.rsrc
Size: 3KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 12B