quasar | qua1copy[.]exe | Triage

Sharing

General

Target

qua1copy.exe
Size

3.1MB
MD5

93c01f8db5d2ed29f0517e5127cc8e20
SHA1

6dd1ec4bb3a44d49069c520147d3a2f770712f9d
SHA256

1802c12195920564b376da69515b15bd80800b4f5e4c78fd7eb7ddc16eb4c16f
SHA512

e88f5a48f13d6b398442cf4ed2486f2eafa9305869df1b9b8b8321207227fe1dbbc60f81f05f36e68a08f205f7a0a1db1b5196b309a57418e99b2e3ea0245858
SSDEEP

24576:ay0l0qdGhU/yVzs01yI0ovMdtm0CFnlzTrKP:a3yayVt0okdt

Score

10^/10

office04 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

45.66.231.154:4782

Mutex

4304b988-116c-4522-ab83-7f9ad875f60f

Attributes

encryption_key
A6B8B9B9B02FC86103A59CE003D7B3B45DAF8550
install_name
svchost.exe
log_directory
svchost
reconnect_delay
3000
startup_key
svchost
subdirectory
svchost

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
qua1copy.exe

Files

qua1copy.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ