quasar | Spoofer Update[.]exe | Triage

Sharing

General

Target

Spoofer Update.exe
Size

3.1MB
MD5

a5e9a238ee312ea3045cb27d5c0a01a5
SHA1

0c5bd99329fec3af617b71ed9eb6ab1edab57abe
SHA256

2e4aad8257ebb0fc09ad728d3ed8558bd2e620d3336332a413e8c254ca21e41b
SHA512

9ac45bd19e990bd54888ce6b90b7c8851eff62be3439d42cb1f9de0d4ad73bb5af7c281f3bd2d0ce0680cf4126898f24051c3a4ffb6cdcdf0a414547928f00c4
SSDEEP

49152:DvDI22SsaNYfdPBldt698dBcjH2zRJ6qbR3LoGdJ8ArTHHB72eh2NT:Dv822SsaNYfdPBldt6+dBcjH2zRJ6Ea

Score

10^/10

office04 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Bweezys-44502.portmap.host:34107

Mutex

1d720ca2-fc3a-4533-8300-74afceea3a93

Attributes

encryption_key
C0CDED8DDB03E1B037472315F6569B1352DAC01B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
System
subdirectory
SubDir

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Spoofer Update.exe

Files

Spoofer Update.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ