Behavioral task
behavioral1
Sample
Sexy.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Sexy.exe
Resource
win10v2004-20240412-en
General
-
Target
Sexy.exe
-
Size
409KB
-
MD5
4c5faec89139e079202a5208d49ed5a0
-
SHA1
f26bf551e191af0dd01b5d39ae0c8489d94a877e
-
SHA256
bbecd1e502693965f493ecb6a611dd86dc71b4bcb8471cf4c459d0b44e9f6378
-
SHA512
5d31a95a76a2d17967f685b47823682f8301164ee9386f267f2ce28b866429dfb48aa7ef7cb21a7ab8b732286fb99eee989d10e5040ea69a361ba83b0b22ec64
-
SSDEEP
12288:iBwz9kOUJIOSQoxdKIT00N2f3DPcCYDVouW5:i+JLOsVRi3YCYg
Malware Config
Extracted
quasar
3.1.5
SLAVE
147.185.221.19:33587
$Sxr-zpFqsQjJJh3miBvVnu
-
encryption_key
LxGS9iJRjIMm1rV0MEzT
-
install_name
BiosUpdX64YDPS.exe
-
log_directory
$sxr
-
reconnect_delay
3000
-
startup_key
$sxr-mtsha
-
subdirectory
Windows
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
Processes:
resource yara_rule sample family_quasar -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource Sexy.exe
Files
-
Sexy.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 405KB - Virtual size: 405KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ