quasar | Loader[.]exe | Triage

Sharing

General

Target

Loader.exe
Size

9.8MB
MD5

bb57e95ad7ac1da6307c62d2e75a7e6d
SHA1

403145af8d0e5260ff0bb9eacac51e9a667214e2
SHA256

e2b6fb77c0c45a1ac911cfabea26c5dceb234bed0eb4b3ffa5c12af22a4cd630
SHA512

12517e3eeb1bef18999807d8a08ce50d743b3dd4ff45d54bd4bfc552620ac6c9ff62fa212e8b1c61d5343d8bbd2dc9da0537f554893799ae23ab3748d14c4bf8
SSDEEP

196608:jNZYch2QFbfeN/FJMIDJf0gsAGK5SEQRWuAKt+L:Di/Fqyf0gsfNRAK

Score

10^/10

quasar blankgrabber

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Signatures

A stealer written in Python and packaged with Pyinstaller 1 IoCs

Processes:

resource yara_rule

static1/unpack001/�8��.pyc blankgrabber
Blankgrabber family
blankgrabber
Quasar family
quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

sample family_quasar
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

Loader.exe

Files

Loader.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\n\Downloads\BitJoiner by @Drcrypt0r\payload\obj\Debug\payload.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 9.8MB - Virtual size: 9.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.sdata
Size: 512B - Virtual size: 312B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�8��.pyc