General

  • Target

    d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833

  • Size

    3.1MB

  • MD5

    3396e77d0d043554c7f857a1249c75fe

  • SHA1

    d3de2678e85f4ad63e5254782a58a85035aafecc

  • SHA256

    d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833

  • SHA512

    3128c03a0465d03127cf6df186533993e2337dce8ca821d8dbcaecd08c7ff7a6d2646de150b7afbe20641e4eb08104342813dfd2fe50346c8b47d40deedc67a4

  • SSDEEP

    49152:WvnG42pda6D+/PjlLOlg6yQipV7tjMpETOk/FLoGd7RTHHB72eh2NT:WvG42pda6D+/PjlLOlZyQipVhj9

Score
10/10

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

10.10.8.36:4782

0.tcp.eu.ngrok.io:19992

tcp://5.tcp.eu.ngrok.io:10477

Mutex

570f8f63-dc8c-471b-b7f5-710ac819d722

Attributes
  • encryption_key

    BB0B2DE4F1126E98797D1ABADF2CCEC47E72B5FD

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    150

  • startup_key

    Platonus

  • subdirectory

    SubDir

Signatures

  • Detects Windows executables referencing non-Windows User-Agents 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables containing common artifacts observed in infostealers 1 IoCs
  • Quasar family
  • Quasar payload 1 IoCs
  • Unsigned PE 1 IoCs

    Checks for missing Authenticode signature.

Files

  • d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833
    .exe windows:4 windows x86 arch:x86

    f34d5f2d4577ed6d9ceec516c1f5a744


    Headers

    Imports

    Sections