General
Target: LOROOOFWJF.exe
Size: 348KB
MD5: edd4f176eb628517df1c714d8ac582c9
SHA1: 8bd6620b088d64be4d288bfc0f39bd4c23d21c25
SHA256: 1dbd18f9eb5dc7b2dd90ecab4176f291bad7a371f18ff8fa7ea18b813a0b120b
SHA512: 1dbbe4e9ae1784f4d4917c78dfbf0fc013a937abdc9314ded07080ef659b25696f5c506aa315946893b8aee6edda00c6bf6b8d114335e3f07d2f624334eccef1
SSDEEP: 6144:k2NHXf500MavG4PFqu+bUYLjpF6Te8F2j6:rd50OYumjv6TRF2j6
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Tag (Quasar's campaign/botnet identifier): Office04
C2: qpaisa2024.duckdns.org:9999
Mutex: QSR_MUTEX_FDTiEjjqT30aoGjNjX
Attributes:
  encryption_key: KS8r4vPkoDVak0Hjqoqg
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
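The extracted config above is directly usable for a host and network sweep: the C2 host and port, the mutex, the Run-key value name and the drop path (subdirectory plus install name) are all things telemetry can be matched against. The following is an added example, not tooling from the report or from the Quasar project. The config values are copied from the report; the event records are constructed to look like Sysmon fields (Image, TargetObject, QueryName, DestinationHostname/DestinationPort) plus a sandbox-style mutex record, and are not events from this analysis. The two family-level heuristics (the QSR_MUTEX_ prefix pattern and the dynamic-DNS suffix) are assumptions layered on top of the sample-specific indicators.

```python
"""IoC sweep built from the extracted Quasar config (added example; not part of the report)."""
import re

# Values copied from the extracted config on this page.
QUASAR_CONFIG = {
    "c2": "qpaisa2024.duckdns.org:9999",
    "mutex": "QSR_MUTEX_FDTiEjjqT30aoGjNjX",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Quasar Client Startup",
}

# Family-level heuristics (assumptions, not facts from the report): Quasar builds its
# mutex as QSR_MUTEX_ plus a random alphanumeric suffix, and this sample's C2 is on a
# dynamic-DNS provider, which is worth flagging on its own at lower confidence.
MUTEX_FAMILY_RE = re.compile(r"^QSR_MUTEX_[A-Za-z0-9]+$")
DYNDNS_SUFFIXES = (".duckdns.org",)


def build_indicators(cfg):
    """Turn the raw config into the concrete host/network artifacts to hunt for."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        # Quasar drops itself as <subdirectory>\<install_name>; match the tail of any path.
        "install_tail": ("\\" + cfg["subdirectory"] + "\\" + cfg["install_name"]).lower(),
        "run_value": cfg["startup_key"].lower(),
    }


def match_event(ev, ioc):
    """Return the names of the indicators one event satisfies (empty list if none)."""
    hits = []
    kind = ev.get("kind")
    if kind == "process" and ev.get("Image", "").lower().endswith(ioc["install_tail"]):
        hits.append("install_path")
    if kind == "registry":
        target = ev.get("TargetObject", "").lower()
        if "\\currentversion\\run\\" in target and target.endswith("\\" + ioc["run_value"]):
            hits.append("run_key")
    if kind == "dns":
        query = ev.get("QueryName", "").lower()
        if query == ioc["c2_host"]:
            hits.append("c2_host")
        elif query.endswith(DYNDNS_SUFFIXES):
            hits.append("dyndns_heuristic")
    if kind == "network":
        if (ev.get("DestinationHostname", "").lower() == ioc["c2_host"]
                and ev.get("DestinationPort") == ioc["c2_port"]):
            hits.append("c2_connect")
    if kind == "mutex":
        name = ev.get("Name", "")
        if name == ioc["mutex"]:
            hits.append("mutex_exact")
        elif MUTEX_FAMILY_RE.match(name):
            hits.append("mutex_family_heuristic")
    return hits


# Constructed sample telemetry; these are not events from the report.
SAMPLE_EVENTS = [
    {"kind": "process", "Image": r"C:\Users\bob\AppData\Roaming\SubDir\Client.exe"},
    {"kind": "registry", "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup"},
    {"kind": "dns", "QueryName": "qpaisa2024.duckdns.org"},
    {"kind": "network", "DestinationHostname": "qpaisa2024.duckdns.org", "DestinationPort": 9999},
    {"kind": "mutex", "Name": "QSR_MUTEX_FDTiEjjqT30aoGjNjX"},
    {"kind": "mutex", "Name": "QSR_MUTEX_abcDEF123456789012"},   # different build, same family
    {"kind": "dns", "QueryName": "other-host.duckdns.org"},
    {"kind": "process", "Image": r"C:\Windows\System32\svchost.exe"},
    {"kind": "dns", "QueryName": "update.microsoft.com"},
]


def sweep(events, cfg=QUASAR_CONFIG):
    """Run every event against the indicators; returns (event index, indicator name) pairs."""
    ioc = build_indicators(cfg)
    return [(i, hit) for i, ev in enumerate(events) for hit in match_event(ev, ioc)]


if __name__ == "__main__":
    for idx, hit in sweep(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

The exact-match indicators (mutex, C2 host and port, Run value, drop path) are specific to this build and will not survive a rebuild with a different config; the two heuristic matches are what carry over to other Quasar 1.3.0.0 samples, at the cost of occasional false positives on unrelated DuckDNS traffic.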
Signatures
Quasar family
Quasar payload (1 IoC): resource: yara_rule sample family_quasar
Unsigned PE (1 IoC): Checks for missing Authenticode signature. resource: LOROOOFWJF.exe
Files
LOROOOFWJF.exe (type: exe, windows:4, windows, x86, arch:x86)
Imphash: f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_NO_SEH, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE
Imports
mscoree: _CorExeMain
Sections
.text   Size: 344KB  Virtual size: 344KB  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   Size: 2KB    Virtual size: 2KB    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  Size: 512B   Virtual size: 12B    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
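The header facts above carry one caveat a triager needs: the only native import is mscoree!_CorExeMain, which is the CLR entry stub of every .NET executable, so the imphash listed under Files identifies the managed loader stub rather than this sample and is useless for clustering. The following is an added example, not the sandbox's own tooling: it recomputes the imphash the way pefile defines it (lowercase dll.function pairs, comma-joined, MD5), decodes the DLL and section characteristics from their PE/COFF bit values, and summarises what matters (ASLR/DEP opt-in, managed-only import, any writable-and-executable section). The numeric flag values are constructed here from the flag names the report lists; the report itself shows names, not numbers.

```python
"""PE header triage for the values listed above (added example; not the report's own tooling)."""
import hashlib

# Bit values from the PE/COFF specification (winnt.h).
DLL_CHARACTERISTICS = {
    0x0020: "IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
    0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
    0x0080: "IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY",
    0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
    0x0200: "IMAGE_DLLCHARACTERISTICS_NO_ISOLATION",
    0x0400: "IMAGE_DLLCHARACTERISTICS_NO_SEH",
    0x0800: "IMAGE_DLLCHARACTERISTICS_NO_BIND",
    0x1000: "IMAGE_DLLCHARACTERISTICS_APPCONTAINER",
    0x4000: "IMAGE_DLLCHARACTERISTICS_GUARD_CF",
    0x8000: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE",
}
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
DYNAMIC_BASE, NX_COMPAT = 0x0040, 0x0100
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000


def decode_flags(value, table):
    """Expand a characteristics word into flag names, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def imphash(imports):
    """pefile-style imphash: 'dll.func' in import-table order, lowercased, dll without
    its .dll/.ocx/.sys extension, comma-joined, MD5."""
    parts = []
    for dll, func in imports:
        name = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
        parts.append(f"{name}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def triage(imports, dll_characteristics, sections):
    """Summarise the header facts that matter for analysis; `sections` maps name -> flags."""
    normalised = []
    for dll, func in imports:
        name = dll.lower()
        normalised.append((name[:-4] if name.endswith(".dll") else name, func))
    managed_only = normalised == [("mscoree", "_CorExeMain")]
    return {
        "managed_only_import": managed_only,
        "imphash": imphash(imports),
        # Every .NET executable with only this import shares the same imphash.
        "imphash_is_generic_clr_stub": managed_only,
        "aslr": bool(dll_characteristics & DYNAMIC_BASE),
        "dep": bool(dll_characteristics & NX_COMPAT),
        "executable_sections": [n for n, f in sections.items() if f & MEM_EXECUTE],
        "writable_executable_sections": [n for n, f in sections.items()
                                         if f & MEM_EXECUTE and f & MEM_WRITE],
    }


# Flag words assembled from the names the report lists for this sample (constructed
# numerically here; the report shows the names only).
SAMPLE = {
    "imports": [("mscoree", "_CorExeMain")],
    "dll_characteristics": 0x0040 | 0x0100 | 0x0400 | 0x8000,
    "sections": {
        ".text": 0x20 | 0x20000000 | 0x40000000,
        ".rsrc": 0x40 | 0x40000000,
        ".reloc": 0x40 | 0x02000000 | 0x40000000,
    },
}

if __name__ == "__main__":
    summary = triage(SAMPLE["imports"], SAMPLE["dll_characteristics"], SAMPLE["sections"])
    for key, value in summary.items():
        print(f"{key}: {value}")
    print(decode_flags(SAMPLE["dll_characteristics"], DLL_CHARACTERISTICS))
```

For a managed binary the useful fingerprints are the hashes in the General section, the ssdeep digest, and the extracted config, not the imphash; the flag decode confirms the sample opts into ASLR and DEP, which is the compiler default for .NET output and says nothing about the author.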