quasar | RedEngine[.]exe | Triage

Sharing

General

Target

RedEngine.exe
Size

502KB
MD5

7178d81c9afdabb202f31315f7eed7e2
SHA1

527a063588b3e4d3acc04cf211d9b0df33f5ade2
SHA256

67e35ca53e1ee18113207c2edf4b165ae9158cfed151e08bac627327f9c60f21
SHA512

80b770bd2d3541400386c4aa446da8840823864a62d73554dd62ea08d5e9596f2b737fa8046eb6fb892690d115eb928022cdb1d24f4f8d9cf2e449adfd0809a5
SSDEEP

6144:9TEgdc0Y5XAGbgiIN2RSBTuYNzBlh/gKeFwQHocEhyb8F9ODx2cTR30:9TEgdfYVbg/uOiFwR12x2cd0

Score

10^/10

training quasar

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

TRAINING

C2

185.241.208.185:16145

Mutex

22073971-8d9a-4364-9916-abbb09ac9d8b

Attributes

encryption_key
7A9A8376440E3257DB2B54403642F366A5FBE14A
install_name
Starter Module.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Starter Module
subdirectory
Modules

Signatures

Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
sample	family_quasar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
RedEngine.exe

Files

RedEngine.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 498KB - Virtual size: 497KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ