General

  • Target

    PROGRAM MINGGU PERTAMA 2024 (2).pdf

  • Size

    373KB

  • Sample

    240313-pd8dtaed65

  • MD5

    54f9dc141146f21578188aaabe5d8fdc

  • SHA1

    f286d3cd5933442476d0ea06312f3541d89e9acf

  • SHA256

    71c9f85fcf4f29ac129c692f75061eff3150b2327cbaa475373b04ae8fde85d0

  • SHA512

    17f1ec838d451b9bd6df9d4cd9da7a2b9df7e31deca9218b7bf74d597a4b241653395dd5e75d2a7b4fc037ef0d633a1735ec67f7b92b5456dc6ea8fe9e15a41e

  • SSDEEP

    6144:3pvbcWBaI9Z8IfI0BE1NxZ5itCT+a+y91SiltAfEOmUvoDbLI6:3pvbHBaIG/D1LKNRy91SOpzUvoDbLI6

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

gimp1

C2

193.42.33.210:4444

gimpdns.ddns.net:4444

Mutex

QSR_MUTEX_XwuUSTCgYhmnf6vJ1L

Attributes
  • encryption_key

    lRzFKjYQKUKzh6RyUYYQ

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Targets

    • Target

      PROGRAM MINGGU PERTAMA 2024 (2).pdf

    • Size

      373KB

    • MD5

      54f9dc141146f21578188aaabe5d8fdc

    • SHA1

      f286d3cd5933442476d0ea06312f3541d89e9acf

    • SHA256

      71c9f85fcf4f29ac129c692f75061eff3150b2327cbaa475373b04ae8fde85d0

    • SHA512

      17f1ec838d451b9bd6df9d4cd9da7a2b9df7e31deca9218b7bf74d597a4b241653395dd5e75d2a7b4fc037ef0d633a1735ec67f7b92b5456dc6ea8fe9e15a41e

    • SSDEEP

      6144:3pvbcWBaI9Z8IfI0BE1NxZ5itCT+a+y91SiltAfEOmUvoDbLI6:3pvbHBaIG/D1LKNRy91SOpzUvoDbLI6

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks