quasar | d118789a1d9462d193ddee6a0d798c61[.]bin

General

Target

d118789a1d9462d193ddee6a0d798c61.bin
Size

350KB
MD5

d082fb8d938e27b2b1eb1f2f43e0563a
SHA1

0834f67ad9a12b375f6694a5220d4fb664e678d5
SHA256

aa57b1352e7bcd72a940e02acd2d8fef8fc1798c97ff00fe0a1ddcfa42be38a2
SHA512

3808bcbd61b577e022fbc64a2935f9564d683c1fd56608fee69dc6603d06f5406e72be45eb7df9e2dbab9c5b1379728e8cba1fdd9409aa4ccabc086cc30df07d
SSDEEP

6144:OzJ+ml8CoCNiOCK0PzzMRxqO6TyMAKI/LzT1RJYpNG//jn/uMR0l:0JN8CoMyK0LzW16TyDFz1HjzR0l

Score

10^/10

hotels quasar

Malware Config

Extracted

Family

quasar

Version

2.8.0.1

Botnet

Hotels

C2

23.227.193.34:4449

Mutex

5jEbhOzAJJ3VS1IFbs

Attributes

encryption_key
xnJQsQUB6iQCPz2Qqr4i
install_name
cloud.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Startup

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
static1/unpack001/d4e3e9ccf34249744cc8bbeba02fb11626604b8093edc8d85326b467e6aeb7b1.exe	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/d4e3e9ccf34249744cc8bbeba02fb11626604b8093edc8d85326b467e6aeb7b1.exe

Files

d118789a1d9462d193ddee6a0d798c61.bin
.zip

Password: infected
d4e3e9ccf34249744cc8bbeba02fb11626604b8093edc8d85326b467e6aeb7b1.exe
.exe windows:4 windows x86 arch:x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 912KB - Virtual size: 912KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 912KB - Virtual size: 912KB

.rsrc Size: 3KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 912KB - Virtual size: 912KB

.rsrc
Size: 3KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 12B