quasar | Client-built[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Client-built.exe
Size

3.1MB
MD5

e56a81260357e38e67e9661b5987f0ab
SHA1

7f6e091f98c83bb57547d2c4cdc353940f7d11d9
SHA256

27e49eb60d08a4eb21cd3cce9fdb929d9abb6976fb994cbdc9322d7742c1c3ac
SHA512

946aa386059334a5a77d9328ba3ea8c2aa6ec7105628c2eaafe5a9c743fa3922815250b9d56db94c7881a4512277d7b4a81f1b065db4e3262602daf3de7ca11d
SSDEEP

49152:2vHI22SsaNYfdPBldt698dBcjHnDxNESEEk/iILoGdZTHHB72eh2NT:2vo22SsaNYfdPBldt6+dBcjHDxHm

Score

10^/10

office04 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

tetars.serveftp.com:4040

Mutex

05b04543-4b6b-454b-8e43-cdb3e2417697

Attributes

encryption_key
2768FC420BBDB207C1C2BCB0871CA3A838588A4A
install_name
Windows File Explorer.exe
log_directory
Logs
reconnect_delay
3000
startup_key
explorer.exe
subdirectory
Roaming

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Client-built.exe

Files

Client-built.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ