quasar | 3e48f2812def51c73c9d8aa1cd224c32644311b1bd4627738588acc7326f99d0 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

3e48f2812def51c73c9d8aa1cd224c32644311b1bd4627738588acc7326f99d0
Size

409KB
MD5

0d954434c154d9302148b3730abfae54
SHA1

47221061768744052030cdd6198bdc565bdeebf1
SHA256

3e48f2812def51c73c9d8aa1cd224c32644311b1bd4627738588acc7326f99d0
SHA512

5742695b04f681b93175fe778601a5e928c608c0b91775e9af7bb4d601edc1aa0d7a1ed8dc87ee62863f773b937233e5bc32087adbc80ad262d39069d598dc6e
SSDEEP

12288:mpsD64e1MDgNUfDfoXHxCsGizwY0S6FsR:isG4kMFDfQ4sGcwQ

Score

10^/10

seroxen | v3.1.5 |quasar

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen | v3.1.5 |

C2

general-character.gl.at.ply.gg:3434

Mutex

$Sxr-jy6vh8CtEJL5ceZuIb

Attributes

encryption_key
YPCs1f0jRF2dTTjFwaeB
install_name
$sxr-powershell.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
3e48f2812def51c73c9d8aa1cd224c32644311b1bd4627738588acc7326f99d0

Files

3e48f2812def51c73c9d8aa1cd224c32644311b1bd4627738588acc7326f99d0
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 405KB - Virtual size: 405KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ