quasar | Celestial[.]exe | Triage

Sharing

General

Target

Celestial.exe
Size

3.1MB
MD5

12bdd4b4c107fc3ffec7f9b29d7d6a93
SHA1

04bb395848578e22cef0c90215463e4efe4965c3
SHA256

af454978c652f9acb95b7c2f45d41ee0ba7923d6e3b3f554af853ef9efff9440
SHA512

ff4a2c42ac1fed5421955a949cf28c9abb714484bb68259f160516d10a7a179cc6e6327ab2fc2f099ba51a98b25fa5f41ea2af4f3815159e1ce7f75a698b8251
SSDEEP

49152:nv6lL26AaNeWgPhlmVqvMQ7XSKZkxNESElk/iULoGdldTHHB72eh2NT:nviL26AaNeWgPhlmVqkQ7XSKGxsa

Score

10^/10

office04 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

147.185.221.19:33365

Mutex

ba5220e2-c4e8-4381-aad8-a85115ef955e

Attributes

encryption_key
67C139F3E9A16FF8132A3DCF42197B8BA3C38609
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Miicrosoft Securiity
subdirectory
Miicrosoft Securiity

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Celestial.exe

Files

Celestial.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ