quasar | yeiifsd[.]exe | Triage

Sharing

General

Target

yeiifsd.exe
Size

3.1MB
MD5

b96f34b2886c779fbb6ac0abdb109d31
SHA1

95049b5972383e62d542db1f403ae86197619950
SHA256

c1a0da5554f0b9f6869f7b9f74fd7cdc714c7afb69cc36ac4fbeb64ecb2a6bba
SHA512

0cf92ebeca7675d72cebd554225b778e49f57295ce63bf4b0261540b41249b419473d949015b423257df04be2bda96fc3f716d227879cb252aeccdc7d0516365
SSDEEP

49152:mv+lL26AaNeWgPhlmVqvMQ7XSKBCmymzZYoGd3THHB72eh2NT:mvuL26AaNeWgPhlmVqkQ7XSKBCm6

Score

10^/10

office04 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

a007-190-104-116-8.ngrok-free.app:4782

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
yeiifsd.exe

Files

yeiifsd.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ