quasar | GWcheatbypass[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

GWcheatbypass.exe
Size

3.1MB
MD5

ec96a4363e4cdbe515e295b1a2ecc86a
SHA1

e531ec27d5b1e8fc8fb28d53abbe2f32feca8f25
SHA256

6536e7f196e43cf1b92ebc7f84f99747ffa397c9f749918e5c03b75390e06a79
SHA512

6fd76d39f5509132f729258da8a7fc3a557d82976c583a3e8789342d5382b6a58d793ac3ee7504293c97aa2b6e3776d7403d8a0680e76d980f4d179fcb81213e
SSDEEP

98304:zvp22SsaNYfdPBldt6+dBcjHvgRJ66Z3:7S7jmv

Score

10^/10

apexv1 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

ApexV1

C2

174.175.46.53:1048

Mutex

c8ba5d8f-6f83-4ae3-ae6c-d1a644d2c509

Attributes

encryption_key
B0ABE169C55CFD4C2E8310DB36202EAF0E98D48D
install_name
Client.exe
log_directory
Logs
reconnect_delay
1500
startup_key
Windows Updater Service
subdirectory
SubDir

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
GWcheatbypass.exe

Files

GWcheatbypass.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ