quasar | 1[.]exe | Triage

Sharing

General

Target

1.exe
Size

9.9MB
MD5

96d23c2d4dcee40729b28f949ca2d003
SHA1

8ab47f812f842cf093c0289daab045fb534ea7a1
SHA256

13d446a0227f75aa7cf81637029ecc0dd2238639a4c1cdef89748b360be7c626
SHA512

0b3b780f7ec58137bad0c97d8974ed6c4e8ecb5d1e2dab2e2c424cf172f24bb87dbd7f1d36249fae346bcb3e98d2877863b66ac41b0b09afe1d2e97907d6d34d
SSDEEP

196608:3iHTKMoeQFbfeN/FJMIDJf0gsAGK5SEQRWuAKt+L:M//Fqyf0gsfNRAK

Score

10^/10

quasar blankgrabber

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Signatures

A stealer written in Python and packaged with Pyinstaller 1 IoCs

Processes:

resource yara_rule

static1/unpack001/�8��.pyc blankgrabber
Blankgrabber family
blankgrabber
Quasar family
quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

sample family_quasar
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

1.exe

Files

1.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\n\Downloads\BitJoiner by @Drcrypt0r\payload\obj\Debug\payload.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 9.8MB - Virtual size: 9.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.sdata
Size: 512B - Virtual size: 312B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�8��.pyc