General
-
Target
AuroraALPHABUILD.0-6.rar
-
Size
231.8MB
-
MD5
0dfeacbd2a053f8bd8d5b55d58677b61
-
SHA1
3a593d63f016e7fa99966de42f35ffe31d49383e
-
SHA256
426baaa4eb946ad76903d75d221725c1881e21ae07f04514f36fac089c2e1350
-
SHA512
8817ac43aa5787baee7a5e3ab979063a9dc7f48f81457cb49b358a46de9ac84100d0ad6a69e1170031411e98c1d1fd42bcf1e290b6be04c55b4bb76b42d96a31
-
SSDEEP
6291456:zmH/TGZpQrM0IBlyaUH3zAj2036zkV2BT:zmfTGZF0IBlyaU3zAj2036zksF
Malware Config
Extracted
quasar
1.3.0.0
gimp1
193.42.33.210:4444
gimpdns.ddns.net:4444
QSR_MUTEX_XwuUSTCgYhmnf6vJ1L
-
encryption_key
lRzFKjYQKUKzh6RyUYYQ
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svchost
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule static1/unpack001/AuroraALPHABUILD.0-6/AuroraALPHABUILD.0-6.exe family_quasar -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource unpack001/AuroraALPHABUILD.0-6/AuroraALPHABUILD.0-6.exe
Files
-
AuroraALPHABUILD.0-6.rar.rar
Password: purplebux123
-
AuroraALPHABUILD.0-6/AuroraALPHABUILD.0-6.exe.exe windows:4 windows x86 arch:x86
Password: purplebux123
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 344KB - Virtual size: 344KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 8KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
AuroraALPHABUILD.0-6/PatchNotes0-6.txt
-
AuroraALPHABUILD.0-6/dat1
-
AuroraALPHABUILD.0-6/dat2