General
-
Target
Burpsuitev23.exe
-
Size
208.5MB
-
Sample
240704-z5k3pszapq
-
MD5
a05b8b56d87dfb99ecafb0c1333ac1eb
-
SHA1
aafb8d362c707bd0ce1be227ccb363483bf02be0
-
SHA256
c9760acd2100fd43be73c79804218d9630162c7725f4260241ef9e6747fc7961
-
SHA512
448ad6737e614eaf355c1a0b36bbeac246bd44d0a09e92ee551ff4314adc340c67bc8cad1edd3fb0642366a98169b52ce9fc580a13bb68dc966ed2e38813e62d
-
SSDEEP
3145728:n5DmVlLT2gXTsEk1GvySp7+DCU31lOpvCgSwdyL+F1ATkQMeYNHqLyk7RRjjcNqj:k2QPvlM31szXdlJDe6F4XIq0j26rm
Static task
static1
Malware Config
Extracted
quasar
1.3.0.0
gimp1
193.42.33.210:4444
gimpdns.ddns.net:4444
QSR_MUTEX_XwuUSTCgYhmnf6vJ1L
-
encryption_key
lRzFKjYQKUKzh6RyUYYQ
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svchost
-
subdirectory
SubDir
Targets
-
-
Target
Burpsuitev23.exe
-
Size
208.5MB
-
MD5
a05b8b56d87dfb99ecafb0c1333ac1eb
-
SHA1
aafb8d362c707bd0ce1be227ccb363483bf02be0
-
SHA256
c9760acd2100fd43be73c79804218d9630162c7725f4260241ef9e6747fc7961
-
SHA512
448ad6737e614eaf355c1a0b36bbeac246bd44d0a09e92ee551ff4314adc340c67bc8cad1edd3fb0642366a98169b52ce9fc580a13bb68dc966ed2e38813e62d
-
SSDEEP
3145728:n5DmVlLT2gXTsEk1GvySp7+DCU31lOpvCgSwdyL+F1ATkQMeYNHqLyk7RRjjcNqj:k2QPvlM31szXdlJDe6F4XIq0j26rm
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1