quasar | stub[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

stub.exe
Size

53.7MB
MD5

07a4b031976c6e9ad80027863bc7741a
SHA1

c52738c7e0f3ea1bf10d47f73cce0ba491a8542b
SHA256

53cb412427a28483442e1c1c52b7339cea49682d000d51aedc98c0fb7a13b5f8
SHA512

beec22adc773620167e52c3e8b1c0ec0bf6f0ab808652759261e61c3ccbe97e16caf294ef68ed20e65372d9bbaebc8a8b3fab868ac812f390edf4a77e1076c11
SSDEEP

1572864:y5q2Edpp1DAdFV+rkBg7DcO3ZOzsUsVHiphQMl+9MlxE0mhxAW:6gppGgP1IzsfVyQA+E3

Score

10^/10

office04 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

147.185.221.20:9835

147.185.221.20:18563

Mutex

da84adab-a321-4164-9473-73ad56cb4ed3

Attributes

encryption_key
99DD896C463A5DEFC60E5185D43A6893ACB75CFB
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
stub.exe

Files

stub.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 53.7MB - Virtual size: 53.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ