Windows Analysis Report
xtnhsVjQTxvH.exe

Overview

General Information

Sample name: xtnhsVjQTxvH.exe
Analysis ID: 1431858
MD5: 10fb9b71859bfc7ae5aff462a88ade70
SHA1: 3e6c00c0d6d443741216b79e7f500d927b4cb60a
SHA256: 451f300d14014ed0d89f00dde44295272d1672507a449a6106dc450493baa52e
Tags: exeVoidRAT
Infos:

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Quasar RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Quasar RAT
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Uses dynamic DNS services
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Quasar RAT, QuasarRAT Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
 https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: xtnhsVjQTxvH.exe Avira: detected
Found malware configuration
Source: xtnhsVjQTxvH.exe Malware Configuration Extractor: Quasar {"Host:Port": "2%b@)=Y3[YWrz<S", "InstallName": "1Q+p)", "MutexName": "553);kPgd", "StartupKey": "rJvR[fk", "Tag": "%9:+Ppo3>B$nd", "ServerSignature": "d.SVPe\\F*", "ServerCertificate": "-&^]$Q"}
Multi AV Scanner detection for submitted file
Source: xtnhsVjQTxvH.exe ReversingLabs: Detection: 78%
Yara detected Quasar RAT
Source: Yara match File source: xtnhsVjQTxvH.exe, type: SAMPLE
Source: Yara match File source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4075764369.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xtnhsVjQTxvH.exe PID: 6860, type: MEMORYSTR
Machine Learning detection for sample
Source: xtnhsVjQTxvH.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: xtnhsVjQTxvH.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xtnhsVjQTxvH.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2036383 ET TROJAN Common RAT Connectivity Check Observed 192.168.2.4:49730 -> 208.95.112.1:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 2%b@)=Y3[YWrz<S
Uses dynamic DNS services
Source: unknown DNS query: name: proxybreve.duckdns.org
Yara detected Generic Downloader
Source: Yara match File source: xtnhsVjQTxvH.exe, type: SAMPLE
Source: Yara match File source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 94.156.79.26:4001
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NET1-ASBG NET1-ASBG
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: proxybreve.duckdns.org
Source: xtnhsVjQTxvH.exe String found in binary or memory: http://api.ipify.org/
Source: xtnhsVjQTxvH.exe String found in binary or memory: http://freegeoip.net/xml/
Source: xtnhsVjQTxvH.exe String found in binary or memory: http://ip-api.com/json/
Source: xtnhsVjQTxvH.exe, 00000000.00000002.4075764369.0000000002929000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: xtnhsVjQTxvH.exe, 00000000.00000002.4075764369.00000000028F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud
barindex
Yara detected Quasar RAT
Source: Yara match File source: xtnhsVjQTxvH.exe, type: SAMPLE
Source: Yara match File source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4075764369.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xtnhsVjQTxvH.exe PID: 6860, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: QuasarRAT payload Author: ditekSHen
Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Code function: 0_2_0285A550 0_2_0285A550
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Code function: 0_2_02859C80 0_2_02859C80
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Code function: 0_2_02859938 0_2_02859938
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Code function: 0_2_064DABB3 0_2_064DABB3
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Code function: 0_2_064D0BD8 0_2_064D0BD8
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Code function: 0_2_064D7831 0_2_064D7831
Sample file is different than original file name gathered from version info
Source: xtnhsVjQTxvH.exe, 00000000.00000002.4074752971.0000000000958000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs xtnhsVjQTxvH.exe
Source: xtnhsVjQTxvH.exe, 00000000.00000000.1621205128.00000000005CA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameClient.exe" vs xtnhsVjQTxvH.exe
Source: xtnhsVjQTxvH.exe Binary or memory string: OriginalFilenameClient.exe" vs xtnhsVjQTxvH.exe
Uses 32bit PE files
Source: xtnhsVjQTxvH.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: xtnhsVjQTxvH.exe, type: SAMPLE Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: xtnhsVjQTxvH.exe, --.cs Base64 encoded string: 'Q7NH5BcZ1+Ayk/EYsVJcBx3gBA7En82GOvB/rurWCNMCuIlMnBZEJPSNn4h1pL/HPk9fiJB6/gwZOMjxTMaolA==', 'jQkZ4waYL7bveeEIeMw5lNeDSLrKjeNjLVe4moZqDRCV7GqHFMFJeVIGbp21u6UwYV/x/aHx6ZuFRMTpkdcyamMLXsY+vN6cKN54YmACGU0=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'WNFJ0DWtj9BIROVd2dpqF3FBGJKOfPKPl4HYVyVxR7Eb+BOvPK21eZs/WJhyqn8IatU8SySaJJciqAaNxqtAdg==', 'JfVhvNdTPiNJekT+CzW7InRaSKcyyDvK80ha/KeJ3f/jhH2cq85zVwwhg6l0C3/zs+c9bl9XFjIOeIj1t+WupQ==', 'wnvEVzKSdg5ShWnsXpTZBZE6mphAkSyJsqsfl5ZB1h+FewWAaDKsFtVxwaBLakcOOtZYhX66XbDdVgK44OCzFQ==', 'u63zGu36T58B+RYfNkLwOvz0rqgUN/NYuHgzHQmxmgnZastzSkby7OUASJKZKAF409m5NTHwV4xK47rEzSWijg=='
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@2/2
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Mutant created: NULL
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_l1M93VuqIyiH8hEQ4I
Source: xtnhsVjQTxvH.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xtnhsVjQTxvH.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: xtnhsVjQTxvH.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: xtnhsVjQTxvH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: xtnhsVjQTxvH.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Code function: 0_2_064D6C42 pushfd ; retf 0_2_064D6C49
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Code function: 0_2_064D4D41 push es; ret 0_2_064D4D44
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Code function: 0_2_064D5570 push es; ret 0_2_064D5580
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Code function: 0_2_064D4D3D push es; ret 0_2_064D4D40
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Code function: 0_2_064F2201 push es; retf 0_2_064F2214
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Code function: 0_2_064F228D push eax; iretd 0_2_064F2299
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Code function: 0_2_064F4297 push es; iretd 0_2_064F42D0
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Code function: 0_2_064F21C5 push es; retf 0_2_064F21C8

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe File opened: C:\Users\user\Desktop\xtnhsVjQTxvH.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Memory allocated: 2700000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Memory allocated: 28F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Memory allocated: 48F0000 memory reserve | memory write watch Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Window / User API: threadDelayed 472 Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Window / User API: threadDelayed 449 Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Window / User API: threadDelayed 651 Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Window / User API: threadDelayed 8368 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe TID: 6856 Thread sleep count: 472 > 30 Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe TID: 6856 Thread sleep time: -1180000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe TID: 2484 Thread sleep count: 449 > 30 Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe TID: 5308 Thread sleep count: 651 > 30 Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe TID: 6856 Thread sleep count: 8368 > 30 Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe TID: 6856 Thread sleep time: -20920000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: xtnhsVjQTxvH.exe, 00000000.00000002.4074809410.0000000000AAD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZZ
Enables debug privileges
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Queries volume information: C:\Users\user\Desktop\xtnhsVjQTxvH.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Quasar RAT
Source: Yara match File source: xtnhsVjQTxvH.exe, type: SAMPLE
Source: Yara match File source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4075764369.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xtnhsVjQTxvH.exe PID: 6860, type: MEMORYSTR

Remote Access Functionality
barindex
Detected Quasar RAT
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_l1M93VuqIyiH8hEQ4I Jump to behavior
Yara detected Quasar RAT
Source: Yara match File source: xtnhsVjQTxvH.exe, type: SAMPLE
Source: Yara match File source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4075764369.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xtnhsVjQTxvH.exe PID: 6860, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1431858 Sample: xtnhsVjQTxvH.exe Startdate: 25/04/2024 Architecture: WINDOWS Score: 100 10 proxybreve.duckdns.org 2->10 12 ip-api.com 2->12 18 Snort IDS alert for network traffic 2->18 20 Found malware configuration 2->20 22 Malicious sample detected (through community Yara rule) 2->22 26 6 other signatures 2->26 6 xtnhsVjQTxvH.exe 15 2 2->6         started        signatures3 24 Uses dynamic DNS services 10->24 process4 dnsIp5 14 proxybreve.duckdns.org 94.156.79.26, 4001, 49731 NET1-ASBG Bulgaria 6->14 16 ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States 6->16 28 Detected Quasar RAT 6->28 30 Hides that the sample has been downloaded from the Internet (zone.identifier) 6->30 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false
94.156.79.26
 proxybreve.duckdns.org Bulgaria
43561 NET1-ASBG true

Contacted Domains

Name IP Active
proxybreve.duckdns.org 94.156.79.26 true
ip-api.com 208.95.112.1 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://ip-api.com/json/ false
    		high
    2%b@)=Y3[YWrz<S true
    • Avira URL Cloud: safe
    		 low