quasar | Undetected-Lafof[.]zip | Triage

Sharing

General

Target

Undetected-Lafof.zip
Size

1.2MB
MD5

4a36899d0d7cf8027feaa80941f02df6
SHA1

1ceff167030cc4033d5e465507b35a171d7c4521
SHA256

e4d9649035fca11b0766b1029de6566a201c0a4fe21aa78d47c6898aba84080e
SHA512

21f3ee4befa9625d3b2b11a161087a47ac92a45b314084b7b5cd9316af664d1f916c6f0b59018ea01109b8f236939fdbfc5000d7060a53c978f4a330f31829f6
SSDEEP

24576:AoKbu+H1Da3BsWDsb+x0Ri7KzwMrDK9Ah5o+lNCK1WG771R:AoKbLHglpM3eAh51PZsGf1R

Score

10^/10

office04 quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.178.56:4782

Mutex

034bc834-00a3-43a2-914f-e7e2e3cca885

Attributes

encryption_key
A1FC9406EA7EC68BA96F23A68CD076A4EDC6270C
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
static1/unpack001/Undetected-Lafof/Undetected.exe	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Undetected-Lafof/Undetected.exe

Files

Undetected-Lafof.zip
.zip
Undetected-Lafof/Undetected.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ