General
Target: PROGRAM MINGGU PERTAMA 2024 (2).pdf
Size: 373KB
Sample: 240313-pd8dtaed65
MD5: 54f9dc141146f21578188aaabe5d8fdc
SHA1: f286d3cd5933442476d0ea06312f3541d89e9acf
SHA256: 71c9f85fcf4f29ac129c692f75061eff3150b2327cbaa475373b04ae8fde85d0
SHA512: 17f1ec838d451b9bd6df9d4cd9da7a2b9df7e31deca9218b7bf74d597a4b241653395dd5e75d2a7b4fc037ef0d633a1735ec67f7b92b5456dc6ea8fe9e15a41e
SSDEEP: 6144:3pvbcWBaI9Z8IfI0BE1NxZ5itCT+a+y91SiltAfEOmUvoDbLI6:3pvbHBaIG/D1LKNRy91SOpzUvoDbLI6
Static task: static1
Behavioral task: behavioral1
Sample: PROGRAM MINGGU PERTAMA 2024 (2).pdf
Resource: win10v2004-20240226-en
Malware Config
Extracted
Family: quasar
Version: 1.3.0.0
Botnet: gimp1
C2: 193.42.33.210:4444
C2: gimpdns.ddns.net:4444
Mutex: QSR_MUTEX_XwuUSTCgYhmnf6vJ1L
encryption_key: lRzFKjYQKUKzh6RyUYYQ
install_name: svchost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svchost
subdirectory: SubDir
Targets
Target: PROGRAM MINGGU PERTAMA 2024 (2).pdf
Score: 10/10
- Quasar payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)