quasar | fuckfxscanner[.]exe | Triage

Sharing

General

Target

fuckfxscanner.exe
Size

3.5MB
MD5

1e0a2e8cc5ce58715fc43c44004f637c
SHA1

f85ba3c4bd766e12ac11840939f5773ecc2f90f3
SHA256

4fb412dc8e1f77e2b47b1a677ca0475e5d25361d68e9e486c8aaf5148d635dfd
SHA512

75852941b8033d7f58e3819d5c7117f0f0cad5bb9b95aefef2e24eee63d2237c98072e823905e0d084659324bb54f020e163fd3310f3ee344a245051ac214859
SSDEEP

49152:Pv4t62XlaSFNWPjljiFa2RoUYIdZRJ65bR3LoGd6THHB72eh2NTH:PvU62XlaSFNWPjljiFXRoUYIdZRJ677

Score

10^/10

nmw quasar

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

NMW

C2

nm111-20223.portmap.host:20223

Mutex

0cf74134-5c38-42d6-bb49-4c83c1e37344

Attributes

encryption_key
F7F619EE7207F0CE79B19EAEA54D81315C5AE97B
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Exm Tweaks
subdirectory
SubDir

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
fuckfxscanner.exe

Files

fuckfxscanner.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 425KB - Virtual size: 425KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ