General

  • Target: 95991984767349d93e902eba0487e74688ea5678a92d75a8b50a0852bd215b28
  • Size: 43.0MB
  • MD5: bf0186af3227da62aeb3db92c1e5182d
  • SHA1: 3ca8b3b9e80bf08fffd1e9ccece85b4467af2889
  • SHA256: 95991984767349d93e902eba0487e74688ea5678a92d75a8b50a0852bd215b28
  • SHA512: 7592395ad64bc9e8ff2eea9127d99a3eeb8bb408d62ab105670ee5f5473bd9fa4027268bc0fc55a9920dd702e6692777851d42d6d807a6d85cbc59a34a295eb1
  • SSDEEP: 786432:7Zz9QTeRXpXlJRRct8dl+ugoX0e+yPwGZGU30LTbQTeRXpXlJRRct8dlSFOiHW:7J9QqRZXXcol+3k0wpZtk/bQqRZXXcoH

Malware Config

Extracted

  • Family: quasar
  • Version: 1.4.0
  • Botnet: Office04
  • C2: 128.199.64.220:4782
  • Mutex: a6aa1ddd-3810-492e-8728-facd9d5ede65

Attributes

  • encryption_key: CB9F9A0F270F5BD4211B4E21054ED956F7A81814
  • install_name: Client.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: Quasar Client Startup
  • subdirectory: SubDir

Signatures

  • Detect Neshta payload (3 IoCs)
  • Neshta family
  • Quasar family
  • Quasar payload (1 IoC)
  • UPX packed file (1 IoC): detects executables packed with UPX or a modified UPX open-source packer.
  • Detects Pyinstaller (2 IoCs)
  • Unsigned PE (23 IoCs): checks for a missing Authenticode signature.
  • NSIS installer (2 IoCs)

Files

  • 95991984767349d93e902eba0487e74688ea5678a92d75a8b50a0852bd215b28
    .zip
  • Hit Sender/AxInterop.MSTSCLib.dll
    .dll windows:4 windows x86 arch:x86
    MD5: dae02f32a21e03ce65412f6e56942daa
  • Hit Sender/Interop.MSTSCLib.dll
    .dll windows:4 windows x86 arch:x86
    MD5: dae02f32a21e03ce65412f6e56942daa
  • Hit Sender/NLBrute Hit Sender-Checker.exe
    .exe windows:4 windows x86 arch:x86
  • Hit Sender/RestSharp.dll
    .dll windows:4 windows x86 arch:x86
    MD5: dae02f32a21e03ce65412f6e56942daa
  • Hit Sender/SkinSoft.VisualStyler.dll
    .dll windows:4 windows x86 arch:x86
    MD5: dae02f32a21e03ce65412f6e56942daa
  • IP Scanner (Thay thế cho MassScan chạy trên Guest hoặc không có quyền Administrator)/IP Scanner.exe
    .exe windows:5 windows x64 arch:x64
    MD5: 0b5552dccd9d0a834cea55c0c8fc05be
  • ScanIP.pyc
  • KPort Scaner/KPortScan V3.exe
    .exe windows:4 windows x86 arch:x86
  • KPort Scaner/QtCore4.dll
    .dll windows:5 windows x86 arch:x86
    MD5: e42fa5512b1ca9696bf0c91e7c10e9bf
  • KPort Scaner/QtGui4.dll
    .dll windows:5 windows x86 arch:x86
    MD5: 99890ca7fdc04ad490a89af49cef5a43
  • KPort Scaner/QtNetwork4.dll
    .dll windows:5 windows x86 arch:x86
    MD5: 46ff00918867dd3fd2afdd7a931edd0f
  • MassScan/Input.txt
  • MassScan/Massscan_GUI.exe
    .exe windows:4 windows x86 arch:x86
    MD5: f34d5f2d4577ed6d9ceec516c1f5a744
  • MassScan/Packet.dll
    .dll windows:4 windows x86 arch:x86
    MD5: 125f6213a1434f84285a3dc24077bb0e
    Code Sign
  • MassScan/_config.ini
  • MassScan/masscan.exe
    .exe windows:5 windows x86 arch:x86
    MD5: 9b0b559e373d62a1c93e615f003f8af8
  • MassScan/msvcr100.dll
    .dll windows:5 windows x86 arch:x86
    MD5: 5271d5ce8b44dd47bc92563e27585466
    Code Sign
  • MassScan/winpcap-4.3.exe
    .exe windows:4 windows x86 arch:x86
    MD5: 7a8b0b921c3470f5a30cf8b5703d979a
  • $PLUGINSDIR/InstallOptions.dll
    .dll windows:4 windows x86 arch:x86
    MD5: 738dc9bb91549f627cf1953c2000e1d6
  • $PLUGINSDIR/System.dll
    .dll windows:4 windows x86 arch:x86
    MD5: f2ac1ab587d5531d5f1bf76c094aef4c
  • $PLUGINSDIR/final.ini
  • $PLUGINSDIR/nsExec.dll
    .dll windows:4 windows x86 arch:x86
    MD5: 8abe046ef411de4d3e6e831b6b1ee264
  • $PLUGINSDIR/options.ini
  • $SYSDIR/Packet.dll
    .dll windows:4 windows x86 arch:x86
    MD5: 19fa7010cacd16ef346ea8bbc2e8b999
    Code Sign
  • $SYSDIR/pthreadVC.dll
    .dll windows:4 windows x86 arch:x86
    MD5: 90ee61357770484e2d085958b94141a3
  • $SYSDIR/wpcap.dll
    .dll windows:4 windows x86 arch:x86
    MD5: 10dce091d63eed72dc0010ebc8838f6a
    Code Sign
  • MassScan/wpcap.dll
    .dll windows:4 windows x86 arch:x86
    MD5: 9ed75897f81952de2bff7162c3dff044
  • NL Brute 2/NLBrute.exe
    .exe windows:4 windows x86 arch:x86
  • NL Brute 2/settings.ini
  • NL Brute 2/tối uu VPS ram cpu.exe
    .exe windows:4 windows x86 arch:x86
    MD5: f34d5f2d4577ed6d9ceec516c1f5a744
  • ScanIP.exe
    .exe windows:5 windows x64 arch:x64
    MD5: 0b5552dccd9d0a834cea55c0c8fc05be
  • ScanIP.pyc
  • UsefulRDPScript.exe
    .exe windows:4 windows x86 arch:x86
  • nVNC/bin/config.conf
  • nVNC/input/passwords.txt
  • nVNC/nvnc.exe
    .exe windows:5 windows x86 arch:x86
    MD5: b8d12c04de39a167757fe4a34efa01e6
  • password.txt