Edit tour

Windows Analysis Report
xtnhsVjQTxvH.exe

Overview

General Information

Sample name:	xtnhsVjQTxvH.exe
Analysis ID:	1431858
MD5:	10fb9b71859bfc7ae5aff462a88ade70
SHA1:	3e6c00c0d6d443741216b79e7f500d927b4cb60a
SHA256:	451f300d14014ed0d89f00dde44295272d1672507a449a6106dc450493baa52e
Tags:	exeVoidRAT
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected Quasar RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Quasar RAT

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Uses dynamic DNS services

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

xtnhsVjQTxvH.exe (PID: 6860 cmdline: "C:\Users\user\Desktop\xtnhsVjQTxvH.exe" MD5: 10FB9B71859BFC7AE5AFF462A88ADE70)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Host:Port": "2%b@)=Y3[YWrz<S", "InstallName": "1Q+p)", "MutexName": "553);kPgd", "StartupKey": "rJvR[fk", "Tag": "%9:+Ppo3>B$nd", "ServerSignature": "d.SVPe\\F*", "ServerCertificate": "-&^]$Q"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
xtnhsVjQTxvH.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
xtnhsVjQTxvH.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
xtnhsVjQTxvH.exe	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3ebe7:$a1: GetKeyloggerLogsResponse 0x3e348:$a2: DoDownloadAndExecute 0x507e0:$a3: http://api.ipify.org/ 0x4e2e9:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4f637:$a5: " /sc ONLOGON /tr "
xtnhsVjQTxvH.exe	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3e104:$s1: DoUploadAndExecute 0x3e348:$s2: DoDownloadAndExecute 0x3dec9:$s3: DoShellExecute 0x3e300:$s4: set_Processname 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60 0x5948:$op2: 00 17 03 1F 20 17 19 15 28 0x63ae:$op3: 00 04 03 69 91 1B 40 0x6bfe:$op3: 00 04 03 69 91 1B 40
xtnhsVjQTxvH.exe	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3ebe7:$x1: GetKeyloggerLogsResponse 0x3ee27:$s1: DoShellExecuteResponse 0x3e796:$s2: GetPasswordsResponse 0x3ecfa:$s3: GetStartupItemsResponse 0x3e118:$s5: RunHidden 0x3e136:$s5: RunHidden 0x3e144:$s5: RunHidden 0x3e158:$s5: RunHidden
xtnhsVjQTxvH.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x4f5fd:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x4f833:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
xtnhsVjQTxvH.exe	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3ebe7:$x3: GetKeyloggerLogsResponse 0x3de3f:$x4: GetKeyloggerLogs 0x3e117:$s1: <RunHidden>k__BackingField 0x3edaf:$s2: set_SystemInfos 0x3e140:$s3: set_RunHidden 0x3dc73:$s4: set_RemotePath 0x56628:$s6: Client.exe 0x566bc:$s6: Client.exe 0x32029:$s7: xClient.Core.ReverseProxy.Packets
xtnhsVjQTxvH.exe	xRAT_1	Detects Patchwork malware	Florian Roth	0x305c0:$x4: xClient.Properties.Resources.resources 0x30481:$s4: Client.exe 0x3e140:$s7: set_RunHidden
xtnhsVjQTxvH.exe	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x515e7:$x2: Process already elevated. 0x3a2c9:$x4: get_encryptedPassword 0x3e348:$x5: DoDownloadAndExecute
xtnhsVjQTxvH.exe	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4eff6:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ec0a:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x33fb2:$class: Core.MouseKeyHook.WinApi
xtnhsVjQTxvH.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x4eeba:$f1: FileZilla\recentservers.xml 0x4eefa:$f2: FileZilla\sitemanager.xml 0x4ef2e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x4e4a5:$b1: Chrome\User Data\ 0x4e509:$b1: Chrome\User Data\ 0x4e89c:$b2: Mozilla\Firefox\Profiles 0x4ec70:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x534e0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x4ed00:$b4: Opera Software\Opera Stable\Login Data 0x4edb0:$b5: YandexBrowser\User Data\ 0x4ee22:$b5: YandexBrowser\User Data\ 0x4e650:$s4: logins.json 0x4e69c:$s4: logins.json 0x4e98a:$s4: logins.json 0x4e1ba:$a1: username_value 0x4e1d8:$a2: password_value 0x3a2a1:$a3: encryptedUsername 0x3a2b7:$a3: encryptedUsername 0x3a3ed:$a3: encryptedUsername 0x3a2cd:$a4: encryptedPassword 0x3a2e3:$a4: encryptedPassword
xtnhsVjQTxvH.exe	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x3ebe7:$s1: GetKeyloggerLogsResponse 0x3de3f:$s2: GetKeyloggerLogs 0x4da8a:$s3: />Log created on 0x4ec0a:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x4e2e9:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x51cba:$s6: grabber_ 0x51cd6:$s6: grabber_ 0x3301f:$s7: <virtualKeyCode> 0x3e117:$s8: <RunHidden>k__BackingField 0x33051:$s9: <keyboardHookStruct> 0x36401:$s10: add_OnHotKeysDown 0x36453:$s10: add_OnHotKeysDown 0x50648:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0x50d05:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3e9e7:$a1: GetKeyloggerLogsResponse 0x3e148:$a2: DoDownloadAndExecute 0x505e0:$a3: http://api.ipify.org/ 0x4e0e9:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4f437:$a5: " /sc ONLOGON /tr "
00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3df04:$s1: DoUploadAndExecute 0x3e148:$s2: DoDownloadAndExecute 0x3dcc9:$s3: DoShellExecute 0x3e100:$s4: set_Processname 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60 0x5748:$op2: 00 17 03 1F 20 17 19 15 28 0x61ae:$op3: 00 04 03 69 91 1B 40 0x69fe:$op3: 00 04 03 69 91 1B 40
00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4edf6:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ea0a:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x33db2:$class: Core.MouseKeyHook.WinApi
00000000.00000002.4075764369.00000000028F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: xtnhsVjQTxvH.exe PID: 6860	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.xtnhsVjQTxvH.exe.570000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.xtnhsVjQTxvH.exe.570000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.xtnhsVjQTxvH.exe.570000.0.unpack	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3ebe7:$a1: GetKeyloggerLogsResponse 0x3e348:$a2: DoDownloadAndExecute 0x507e0:$a3: http://api.ipify.org/ 0x4e2e9:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4f637:$a5: " /sc ONLOGON /tr "
0.0.xtnhsVjQTxvH.exe.570000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3e104:$s1: DoUploadAndExecute 0x3e348:$s2: DoDownloadAndExecute 0x3dec9:$s3: DoShellExecute 0x3e300:$s4: set_Processname 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60 0x5948:$op2: 00 17 03 1F 20 17 19 15 28 0x63ae:$op3: 00 04 03 69 91 1B 40 0x6bfe:$op3: 00 04 03 69 91 1B 40
0.0.xtnhsVjQTxvH.exe.570000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3ebe7:$x1: GetKeyloggerLogsResponse 0x3ee27:$s1: DoShellExecuteResponse 0x3e796:$s2: GetPasswordsResponse 0x3ecfa:$s3: GetStartupItemsResponse 0x3e118:$s5: RunHidden 0x3e136:$s5: RunHidden 0x3e144:$s5: RunHidden 0x3e158:$s5: RunHidden
0.0.xtnhsVjQTxvH.exe.570000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x4f5fd:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x4f833:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.xtnhsVjQTxvH.exe.570000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3ebe7:$x3: GetKeyloggerLogsResponse 0x3de3f:$x4: GetKeyloggerLogs 0x3e117:$s1: <RunHidden>k__BackingField 0x3edaf:$s2: set_SystemInfos 0x3e140:$s3: set_RunHidden 0x3dc73:$s4: set_RemotePath 0x56628:$s6: Client.exe 0x566bc:$s6: Client.exe 0x32029:$s7: xClient.Core.ReverseProxy.Packets
0.0.xtnhsVjQTxvH.exe.570000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x305c0:$x4: xClient.Properties.Resources.resources 0x30481:$s4: Client.exe 0x3e140:$s7: set_RunHidden
0.0.xtnhsVjQTxvH.exe.570000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x515e7:$x2: Process already elevated. 0x3a2c9:$x4: get_encryptedPassword 0x3e348:$x5: DoDownloadAndExecute
0.0.xtnhsVjQTxvH.exe.570000.0.unpack	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4eff6:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ec0a:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x33fb2:$class: Core.MouseKeyHook.WinApi
0.0.xtnhsVjQTxvH.exe.570000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x4eeba:$f1: FileZilla\recentservers.xml 0x4eefa:$f2: FileZilla\sitemanager.xml 0x4ef2e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x4e4a5:$b1: Chrome\User Data\ 0x4e509:$b1: Chrome\User Data\ 0x4e89c:$b2: Mozilla\Firefox\Profiles 0x4ec70:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x534e0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x4ed00:$b4: Opera Software\Opera Stable\Login Data 0x4edb0:$b5: YandexBrowser\User Data\ 0x4ee22:$b5: YandexBrowser\User Data\ 0x4e650:$s4: logins.json 0x4e69c:$s4: logins.json 0x4e98a:$s4: logins.json 0x4e1ba:$a1: username_value 0x4e1d8:$a2: password_value 0x3a2a1:$a3: encryptedUsername 0x3a2b7:$a3: encryptedUsername 0x3a3ed:$a3: encryptedUsername 0x3a2cd:$a4: encryptedPassword 0x3a2e3:$a4: encryptedPassword
0.0.xtnhsVjQTxvH.exe.570000.0.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x3ebe7:$s1: GetKeyloggerLogsResponse 0x3de3f:$s2: GetKeyloggerLogs 0x4da8a:$s3: />Log created on 0x4ec0a:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x4e2e9:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x51cba:$s6: grabber_ 0x51cd6:$s6: grabber_ 0x3301f:$s7: <virtualKeyCode> 0x3e117:$s8: <RunHidden>k__BackingField 0x33051:$s9: <keyboardHookStruct> 0x36401:$s10: add_OnHotKeysDown 0x36453:$s10: add_OnHotKeysDown 0x50648:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0x50d05:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Click to see the 7 entries

Snort Signatures

ET TROJAN Common RAT Connectivity Check Observed - Source IP: 192.168.2.4 - Destination IP: 208.95.112.1

Timestamp:	04/25/24-21:50:54.911688
SID:	2036383
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: xtnhsVjQTxvH.exe

Avira: detected

Found malware configuration

Source: xtnhsVjQTxvH.exe

Malware Configuration Extractor: Quasar {"Host:Port": "2%b@)=Y3[YWrz<S", "InstallName": "1Q+p)", "MutexName": "553);kPgd", "StartupKey": "rJvR[fk", "Tag": "%9:+Ppo3>B$nd", "ServerSignature": "d.SVPe\\F*", "ServerCertificate": "-&^]$Q"}

Multi AV Scanner detection for submitted file

Source: xtnhsVjQTxvH.exe

ReversingLabs: Detection: 78%

Yara detected Quasar RAT

Source: Yara match	File source: xtnhsVjQTxvH.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4075764369.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xtnhsVjQTxvH.exe PID: 6860, type: MEMORYSTR

Machine Learning detection for sample

Source: xtnhsVjQTxvH.exe

Joe Sandbox ML: detected

Source: xtnhsVjQTxvH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: xtnhsVjQTxvH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2036383 ET TROJAN Common RAT Connectivity Check Observed 192.168.2.4:49730 -> 208.95.112.1:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 2%b@)=Y3[YWrz<S

Uses dynamic DNS services

Source: unknown

DNS query: name: proxybreve.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: xtnhsVjQTxvH.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 94.156.79.26:4001

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: NET1-ASBG NET1-ASBG

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: proxybreve.duckdns.org

Source: xtnhsVjQTxvH.exe	String found in binary or memory: http://api.ipify.org/
Source: xtnhsVjQTxvH.exe	String found in binary or memory: http://freegeoip.net/xml/
Source: xtnhsVjQTxvH.exe	String found in binary or memory: http://ip-api.com/json/
Source: xtnhsVjQTxvH.exe, 00000000.00000002.4075764369.0000000002929000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: xtnhsVjQTxvH.exe, 00000000.00000002.4075764369.00000000028F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: xtnhsVjQTxvH.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4075764369.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xtnhsVjQTxvH.exe PID: 6860, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Code function: 0_2_0285A550	0_2_0285A550
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Code function: 0_2_02859C80	0_2_02859C80
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Code function: 0_2_02859938	0_2_02859938
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Code function: 0_2_064DABB3	0_2_064DABB3
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Code function: 0_2_064D0BD8	0_2_064D0BD8
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Code function: 0_2_064D7831	0_2_064D7831

Source: xtnhsVjQTxvH.exe, 00000000.00000002.4074752971.0000000000958000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs xtnhsVjQTxvH.exe
Source: xtnhsVjQTxvH.exe, 00000000.00000000.1621205128.00000000005CA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs xtnhsVjQTxvH.exe
Source: xtnhsVjQTxvH.exe	Binary or memory string: OriginalFilenameClient.exe" vs xtnhsVjQTxvH.exe

Source: xtnhsVjQTxvH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: xtnhsVjQTxvH.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan

Source: xtnhsVjQTxvH.exe, --.cs

Base64 encoded string: 'Q7NH5BcZ1+Ayk/EYsVJcBx3gBA7En82GOvB/rurWCNMCuIlMnBZEJPSNn4h1pL/HPk9fiJB6/gwZOMjxTMaolA==', 'jQkZ4waYL7bveeEIeMw5lNeDSLrKjeNjLVe4moZqDRCV7GqHFMFJeVIGbp21u6UwYV/x/aHx6ZuFRMTpkdcyamMLXsY+vN6cKN54YmACGU0=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'WNFJ0DWtj9BIROVd2dpqF3FBGJKOfPKPl4HYVyVxR7Eb+BOvPK21eZs/WJhyqn8IatU8SySaJJciqAaNxqtAdg==', 'JfVhvNdTPiNJekT+CzW7InRaSKcyyDvK80ha/KeJ3f/jhH2cq85zVwwhg6l0C3/zs+c9bl9XFjIOeIj1t+WupQ==', 'wnvEVzKSdg5ShWnsXpTZBZE6mphAkSyJsqsfl5ZB1h+FewWAaDKsFtVxwaBLakcOOtZYhX66XbDdVgK44OCzFQ==', 'u63zGu36T58B+RYfNkLwOvz0rqgUN/NYuHgzHQmxmgnZastzSkby7OUASJKZKAF409m5NTHwV4xK47rEzSWijg=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@2/2

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_l1M93VuqIyiH8hEQ4I

Source: xtnhsVjQTxvH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: xtnhsVjQTxvH.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xtnhsVjQTxvH.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: xtnhsVjQTxvH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: xtnhsVjQTxvH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Code function: 0_2_064D6C42 pushfd ; retf	0_2_064D6C49
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Code function: 0_2_064D4D41 push es; ret	0_2_064D4D44
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Code function: 0_2_064D5570 push es; ret	0_2_064D5580
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Code function: 0_2_064D4D3D push es; ret	0_2_064D4D40
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Code function: 0_2_064F2201 push es; retf	0_2_064F2214
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Code function: 0_2_064F228D push eax; iretd	0_2_064F2299
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Code function: 0_2_064F4297 push es; iretd	0_2_064F42D0
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Code function: 0_2_064F21C5 push es; retf	0_2_064F21C8

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe

File opened: C:\Users\user\Desktop\xtnhsVjQTxvH.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Memory allocated: 2700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Memory allocated: 28F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Memory allocated: 48F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Window / User API: threadDelayed 472	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Window / User API: threadDelayed 449	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Window / User API: threadDelayed 651	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Window / User API: threadDelayed 8368	Jump to behavior

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe TID: 6856	Thread sleep count: 472 > 30	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe TID: 6856	Thread sleep time: -1180000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe TID: 2484	Thread sleep count: 449 > 30	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe TID: 5308	Thread sleep count: 651 > 30	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe TID: 6856	Thread sleep count: 8368 > 30	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe TID: 6856	Thread sleep time: -20920000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: xtnhsVjQTxvH.exe, 00000000.00000002.4074809410.0000000000AAD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZZ

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Queries volume information: C:\Users\user\Desktop\xtnhsVjQTxvH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: xtnhsVjQTxvH.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4075764369.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xtnhsVjQTxvH.exe PID: 6860, type: MEMORYSTR

Remote Access Functionality

Detected Quasar RAT

Source: C:\Users\user\Desktop\xtnhsVjQTxvH.exe

Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_l1M93VuqIyiH8hEQ4I

Jump to behavior

Yara detected Quasar RAT

Source: Yara match	File source: xtnhsVjQTxvH.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xtnhsVjQTxvH.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4075764369.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xtnhsVjQTxvH.exe PID: 6860, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	3 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	23 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	212 Application Layer Protocol	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
xtnhsVjQTxvH.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.Quasar
xtnhsVjQTxvH.exe	100%	Avira	HEUR/AGEN.1307418
xtnhsVjQTxvH.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
2%b@)=Y3[YWrz<S	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
proxybreve.duckdns.org	94.156.79.26	true	true		unknown
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/json/	false		high
2%b@)=Y3[YWrz<S	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://api.ipify.org/	xtnhsVjQTxvH.exe	false		high
http://freegeoip.net/xml/	xtnhsVjQTxvH.exe	false		high
http://schemas.datacontract.org/2004/07/	xtnhsVjQTxvH.exe, 00000000.00000002.4075764369.0000000002929000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	xtnhsVjQTxvH.exe, 00000000.00000002.4075764369.00000000028F1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
94.156.79.26	proxybreve.duckdns.org	Bulgaria		43561	NET1-ASBG	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431858
Start date and time:	2024-04-25 21:50:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xtnhsVjQTxvH.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 25 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: xtnhsVjQTxvH.exe

Simulations

Behavior and APIs

Time	Type	Description
21:51:33	API Interceptor	3920561x Sleep call for process: xtnhsVjQTxvH.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	o3KyzpE7F4.ps1	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse	ip-api.com/json
	Control-Tributario_KFRCkzlbCHUSEBMRSECA.zip	Get hash	malicious	Unknown	Browse	ip-api.com/json
	Swift Payment.bat	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	SARL RABINEAU Order FA2495.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PURCHASE ORDER LIST GREEN VALLY CORP PDF.bat	Get hash	malicious	GuLoader	Browse	ip-api.com/line/?fields=hosting
	Spare part list.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	QUOTATION_APRQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
94.156.79.26	xnNcI6OenKJs.exe	Get hash	malicious	Quasar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	o3KyzpE7F4.ps1	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse	208.95.112.1
	Control-Tributario_KFRCkzlbCHUSEBMRSECA.zip	Get hash	malicious	Unknown	Browse	208.95.112.1
	Swift Payment.bat	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SARL RABINEAU Order FA2495.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PURCHASE ORDER LIST GREEN VALLY CORP PDF.bat	Get hash	malicious	GuLoader	Browse	208.95.112.1
	Spare part list.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	QUOTATION_APRQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	o3KyzpE7F4.ps1	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse	208.95.112.1
	Control-Tributario_KFRCkzlbCHUSEBMRSECA.zip	Get hash	malicious	Unknown	Browse	208.95.112.1
	Swift Payment.bat	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SARL RABINEAU Order FA2495.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PURCHASE ORDER LIST GREEN VALLY CORP PDF.bat	Get hash	malicious	GuLoader	Browse	208.95.112.1
	Spare part list.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	QUOTATION_APRQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
NET1-ASBG	o4883TEQGB.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.8.9
	Id2uxwyyf8.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.8.9
	Y4pblBbDQc.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.8.9
	C5fMgX1ZyY.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.8.9
	6fV4tfoJp2.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.8.9
	fqEpqMWF6r.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.8.9
	D0dhEeGfv4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.8.9
	IrnO5ZI3En.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.8.9
	PO_La-Tanerie04180240124.vbs	Get hash	malicious	GuLoader, Remcos	Browse	94.156.79.69
	FTG_PD_04024024001.vbs	Get hash	malicious	FormBook, GuLoader	Browse	87.121.105.163

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.431379219054936
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	xtnhsVjQTxvH.exe
File size:	356'352 bytes
MD5:	10fb9b71859bfc7ae5aff462a88ade70
SHA1:	3e6c00c0d6d443741216b79e7f500d927b4cb60a
SHA256:	451f300d14014ed0d89f00dde44295272d1672507a449a6106dc450493baa52e
SHA512:	7666023e2c63c8eff11fb02588636fc932c0f616323bfa2c4faf4a65ba0355ea18f70a0b12246ffeacd1d0b137dd2aa6085058c5503fff0187f377758add3491
SSDEEP:	6144:uvNHXf500M8wU2Kd6ab76s9BeSCck4kZ25t0CNO:0d50XKYK6cCcL5txO
TLSH:	DA749D13B3A4EA3BD1FE1B3BE13206155BB0D487B616E38F9A5855B86D133868D413B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\*f.................b............... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x45818e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x662A5C93 [Thu Apr 25 13:37:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x58140	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0xa00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x56194	0x56200	c1e9b55f3b75128369da1d75c54c1a06	False	0.5127874410377359	data	6.4482173846419615	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5a000	0xa00	0xa00	76cc3230218ab47d3ced751a87f28c1b	False	0.340234375	data	4.23596538978674	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5c000	0xc	0x200	3db1bdcf6a5c4d24d227c24f9c02147c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5a090	0x2d4	data			0.43646408839779005
RT_MANIFEST	0x5a374	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/25/24-21:50:54.911688	TCP	2036383	ET TROJAN Common RAT Connectivity Check Observed	49730	80	192.168.2.4	208.95.112.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 21:50:54.789324999 CEST	49730	80	192.168.2.4	208.95.112.1
Apr 25, 2024 21:50:54.911175013 CEST	80	49730	208.95.112.1	192.168.2.4
Apr 25, 2024 21:50:54.911303997 CEST	49730	80	192.168.2.4	208.95.112.1
Apr 25, 2024 21:50:54.911688089 CEST	49730	80	192.168.2.4	208.95.112.1
Apr 25, 2024 21:50:55.035156965 CEST	80	49730	208.95.112.1	192.168.2.4
Apr 25, 2024 21:50:55.083978891 CEST	49730	80	192.168.2.4	208.95.112.1
Apr 25, 2024 21:50:56.319941044 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:50:56.550082922 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:50:56.550250053 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:50:56.814774036 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:50:56.865247011 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:50:56.947310925 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:50:57.177313089 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:50:57.224601984 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:51:22.177793980 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:51:22.413657904 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:51:22.467844009 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:51:22.468013048 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:51:28.269726038 CEST	80	49730	208.95.112.1	192.168.2.4
Apr 25, 2024 21:51:28.269846916 CEST	49730	80	192.168.2.4	208.95.112.1
Apr 25, 2024 21:51:47.427897930 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:51:47.673818111 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:51:47.719238997 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:51:47.719341040 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:51:52.712192059 CEST	80	49730	208.95.112.1	192.168.2.4
Apr 25, 2024 21:52:12.740299940 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:52:12.957190037 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:52:12.957273960 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:52:12.975920916 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:52:37.990351915 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:52:38.204217911 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:52:38.205061913 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:52:38.229790926 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:53:03.302861929 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:53:03.441005945 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:53:03.441581011 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:53:03.532679081 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:53:28.537395954 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:53:28.684837103 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:53:28.685060024 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:53:28.767010927 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:53:53.771744013 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:53:53.917705059 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:53:53.919260979 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:53:54.008135080 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:54:19.021750927 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:54:19.158839941 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:54:19.160612106 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:54:19.261028051 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:54:44.271753073 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:54:44.396393061 CEST	4001	49731	94.156.79.26	192.168.2.4
Apr 25, 2024 21:54:44.397116899 CEST	49731	4001	192.168.2.4	94.156.79.26
Apr 25, 2024 21:54:44.510632992 CEST	4001	49731	94.156.79.26	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 21:50:54.671932936 CEST	55560	53	192.168.2.4	1.1.1.1
Apr 25, 2024 21:50:54.782048941 CEST	53	55560	1.1.1.1	192.168.2.4
Apr 25, 2024 21:50:55.532409906 CEST	64289	53	192.168.2.4	1.1.1.1
Apr 25, 2024 21:50:56.316083908 CEST	53	64289	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 21:50:54.671932936 CEST	192.168.2.4	1.1.1.1	0x70ff	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 21:50:55.532409906 CEST	192.168.2.4	1.1.1.1	0x479a	Standard query (0)	proxybreve.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 21:50:54.782048941 CEST	1.1.1.1	192.168.2.4	0x70ff	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Apr 25, 2024 21:50:56.316083908 CEST	1.1.1.1	192.168.2.4	0x479a	No error (0)	proxybreve.duckdns.org		94.156.79.26	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	208.95.112.1	80	6860	C:\Users\user\Desktop\xtnhsVjQTxvH.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 21:50:54.911688089 CEST	144	OUT	GET /json/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 Host: ip-api.com Connection: Keep-Alive
Apr 25, 2024 21:50:55.035156965 CEST	466	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 19:50:54 GMT Content-Type: application/json; charset=utf-8 Content-Length: 289 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 47 41 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 47 65 6f 72 67 69 61 22 2c 22 63 69 74 79 22 3a 22 41 74 6c 61 6e 74 61 22 2c 22 7a 69 70 22 3a 22 33 30 33 30 31 22 2c 22 6c 61 74 22 3a 33 33 2e 37 34 38 35 2c 22 6c 6f 6e 22 3a 2d 38 34 2e 33 38 37 31 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 41 54 4c 20 49 49 22 2c 22 61 73 22 3a 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 31 38 35 2e 31 35 32 2e 36 36 2e 32 33 30 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"GA","regionName":"Georgia","city":"Atlanta","zip":"30301","lat":33.7485,"lon":-84.3871,"timezone":"America/New_York","isp":"Datacamp Limited","org":"ATL II","as":"AS60068 Datacamp Limited","query":"185.152.66.230"}

Target ID:	0
Start time:	21:50:51
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\xtnhsVjQTxvH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xtnhsVjQTxvH.exe"
Imagebase:	0x570000
File size:	356'352 bytes
MD5 hash:	10FB9B71859BFC7AE5AFF462A88ADE70
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: Quasar, Description: detect Remcos in memory, Source: 00000000.00000000.1621167033.0000000000572000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.4075764369.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	97.8%
Signature Coverage:	0%
Total number of Nodes:	139
Total number of Limit Nodes:	11

Executed Functions

Function 064DABB3 Relevance: 7.3, Strings: 5, Instructions: 1054COMMON

Download Yara Rule

Strings

Hbq, xrefs: 064DB9E5
?, xrefs: 064DB490
!, xrefs: 064DB548
Hbq, xrefs: 064DB6D0
Te^q, xrefs: 064DB77E

Memory Dump Source

Source File: 00000000.00000002.4078738408.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID: !$?$Hbq$Hbq$Te^q
API String ID: 0-2214972705
Opcode ID: 66ee8ea9f6ec249d228a7f8d28c451c96f8ac5fbc6be3be1cb93d21b20378582
Instruction ID: ec5657aef6fd9611ea05641dc8a020090c0f439000478369b9f9a94933816118
Opcode Fuzzy Hash: 66ee8ea9f6ec249d228a7f8d28c451c96f8ac5fbc6be3be1cb93d21b20378582
Instruction Fuzzy Hash: BC929070E006598FCB56CF68C9D4AADFBB2FF85304F29859AD056AB256C730ED42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02859C80 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075429519.0000000002850000.00000040.00000800.00020000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2850000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954059c726050ab96d41f5a52d8face24a0ea4f3d3b5c9c8298108dd1c4e1de8
Instruction ID: dcdbc9c2073ce3a09025502f7b487887341b801db028846b6591c74b7041db82
Opcode Fuzzy Hash: 954059c726050ab96d41f5a52d8face24a0ea4f3d3b5c9c8298108dd1c4e1de8
Instruction Fuzzy Hash: B0B15078E00219DFDF10CFA9D98579DBBF2AF88318F148529E819E7294EB749845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0285A550 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075429519.0000000002850000.00000040.00000800.00020000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2850000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe709d695360775cd0b152a75ebf5b34f509aaab53731ba503ec13d6ffda61c
Instruction ID: dd1d0bda13243e03829642ed59059452aacf58062a33a8281b47225457113c61
Opcode Fuzzy Hash: cbe709d695360775cd0b152a75ebf5b34f509aaab53731ba503ec13d6ffda61c
Instruction Fuzzy Hash: 97B16E78E00219CFDB18CFA9D8D179DBBF2AF48714F148229D819E7394EB749846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 064F0048 Relevance: 26.7, Strings: 21, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 064F0193
$^q, xrefs: 064F016D
$^q, xrefs: 064F051B
$^q, xrefs: 064F03C2
?, xrefs: 064F00AF
$^q, xrefs: 064F0527
$^q, xrefs: 064F0331
$^q, xrefs: 064F0363
$^q, xrefs: 064F011C
$^q, xrefs: 064F04A4
$^q, xrefs: 064F0439
$^q, xrefs: 064F024F
$^q, xrefs: 064F0445
$^q, xrefs: 064F019F
$^q, xrefs: 064F02E0
$^q, xrefs: 064F0413
$^q, xrefs: 064F0275
$^q, xrefs: 064F0357
$^q, xrefs: 064F0281
$^q, xrefs: 064F01FE
$^q, xrefs: 064F04F5

Memory Dump Source

Source File: 00000000.00000002.4078784352.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64f0000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID: ?$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2982888449
Opcode ID: 080d0bc7a92860c3dea2e76d0dbf5f738ff6b20881533bd43d19861235f2feeb
Instruction ID: a23d2d6aa14d466cc20056b489a377fb36ea3b078abe5dc1be0dc76061c5a402
Opcode Fuzzy Hash: 080d0bc7a92860c3dea2e76d0dbf5f738ff6b20881533bd43d19861235f2feeb
Instruction Fuzzy Hash: F6F1A030F102098FDB59DFA5C954A6EBBB2FF84B00F14841AE5069B3A6CB75EC46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 064F0000 Relevance: 7.8, Strings: 6, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 064F02E0
$^q, xrefs: 064F03C2
?, xrefs: 064F00AF
$^q, xrefs: 064F011C
$^q, xrefs: 064F01FE
$^q, xrefs: 064F04A4

Memory Dump Source

Source File: 00000000.00000002.4078784352.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64f0000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID: ?$$^q$$^q$$^q$$^q$$^q
API String ID: 0-4250046088
Opcode ID: 798960d9108eeec035e135e13814df773ae80d522162de50c3504e167ff0ad9e
Instruction ID: 6af379ed8d4a545cb032ee215329ecdcaac7268d294621d9f4414badef7e633b
Opcode Fuzzy Hash: 798960d9108eeec035e135e13814df773ae80d522162de50c3504e167ff0ad9e
Instruction Fuzzy Hash: AC912130B147458FE7169B69CC60B6EBBB2AF86700F14855BD201DF3A3DAB5EC068791

Uniqueness

Uniqueness Score: -1.00%

Function 064D04F2 Relevance: 1.7, APIs: 1, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 064D0756

Memory Dump Source

Source File: 00000000.00000002.4078738408.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_xtnhsVjQTxvH.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1ee0b32191edc6b2e1f3c7992412b6c7253e863c14b530879e41544f24b7ae31
Instruction ID: fbead6bddfc78e133d5b8d563a3a6f60e4ef6fc218d93795414fca0387285512
Opcode Fuzzy Hash: 1ee0b32191edc6b2e1f3c7992412b6c7253e863c14b530879e41544f24b7ae31
Instruction Fuzzy Hash: B6813670A00B058FDBA5DF2AD45079BBBF1FB88704F10892AD48AD7B50D774E945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02853334 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028533F1

Memory Dump Source

Source File: 00000000.00000002.4075429519.0000000002850000.00000040.00000800.00020000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2850000_xtnhsVjQTxvH.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9326bbd84abe49bfba5112e0c7126fd9a75fe22be8eccb21d6e79e17bd6bd053
Instruction ID: 8f9532a6d67d3b5afea2d891ae67c028948fc0ec65cc4c8fad620d50e4ca7d46
Opcode Fuzzy Hash: 9326bbd84abe49bfba5112e0c7126fd9a75fe22be8eccb21d6e79e17bd6bd053
Instruction Fuzzy Hash: A75103B8C00619CFDB24CFA9C8447DEBBF5BF48304F2480AAD418AB251D775A989CF90

Uniqueness

Uniqueness Score: -1.00%

Function 064D26C4 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064D27E2

Memory Dump Source

Source File: 00000000.00000002.4078738408.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_xtnhsVjQTxvH.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f497db44311a4b926e70fea271ecf483cf38931e804464462241946ad82918e8
Instruction ID: 90d0108f2201521806be013ae5bdcbe18f04756a0928f7e57035020b410c0959
Opcode Fuzzy Hash: f497db44311a4b926e70fea271ecf483cf38931e804464462241946ad82918e8
Instruction Fuzzy Hash: F251C1B1D003499FDB15CFA9C894ADEFBB1BF48310F24822AE818AB250D7749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 064D26D0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064D27E2

Memory Dump Source

Source File: 00000000.00000002.4078738408.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_xtnhsVjQTxvH.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: dbc80478ed5b7a453298bd1a253aa073dc8514bdef66576d8db91d8950271b54
Instruction ID: 0c6193fcf92951acf1e0af038aa09b1431260a6e0aadc359241325063a3a052b
Opcode Fuzzy Hash: dbc80478ed5b7a453298bd1a253aa073dc8514bdef66576d8db91d8950271b54
Instruction Fuzzy Hash: 9941C0B1D00349EFDB14CF99C894ADEFBB5BF48310F24812AE918AB250D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02851978 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028533F1

Memory Dump Source

Source File: 00000000.00000002.4075429519.0000000002850000.00000040.00000800.00020000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2850000_xtnhsVjQTxvH.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 168abb6e3cb385e7f8e2dc5d6ba9fb87f5f99bfd7c829dc0c2e928c5b3ce6781
Instruction ID: 89ad4edea401637b163c2ba533a900689bf844ef7a7a1404471107bd51e4e26b
Opcode Fuzzy Hash: 168abb6e3cb385e7f8e2dc5d6ba9fb87f5f99bfd7c829dc0c2e928c5b3ce6781
Instruction Fuzzy Hash: D641D1B8C0061DCFDB24CFA9C844B9EFBB5BF48304F2480AAD409AB255DB756949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 064D4E10 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 064D4ED1

Memory Dump Source

Source File: 00000000.00000002.4078738408.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_xtnhsVjQTxvH.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 8f42cd062e10b29426ac12283234c3789bf94e9cec128a69c772c52a88f71694
Instruction ID: 10e46d26093e94646738ade25460438ab2735d7c04b2daf5a3c5f10ba40ce2dc
Opcode Fuzzy Hash: 8f42cd062e10b29426ac12283234c3789bf94e9cec128a69c772c52a88f71694
Instruction Fuzzy Hash: C44117B9D00209DFCB54CF99C448AABBBF5FB88314F24C499D519AB361D774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0285FC50 Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,0285FC45), ref: 0285FCC8

Memory Dump Source

Source File: 00000000.00000002.4075429519.0000000002850000.00000040.00000800.00020000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2850000_xtnhsVjQTxvH.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2b04cc10a15f0623a110aa6a1165edf5b510c1d1d384de45693bef715f96135d
Instruction ID: 7633e6e968d92c5991298125f3129f70323834644b079b6cb071503e6df589e0
Opcode Fuzzy Hash: 2b04cc10a15f0623a110aa6a1165edf5b510c1d1d384de45693bef715f96135d
Instruction Fuzzy Hash: C42147B9C0066A9FCB10CFAAC5457DEFBB4EB48320F10812AD858A7640D738A941CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0285F928 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,0285FC45), ref: 0285FCC8

Memory Dump Source

Source File: 00000000.00000002.4075429519.0000000002850000.00000040.00000800.00020000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2850000_xtnhsVjQTxvH.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b83e8f8139ae4c105eb88aad6105fc874f4ede6bcae5dec4bcfdd69fe5f363ec
Instruction ID: 29efc62d48deeb111fc884822754bf04a316a9377b07950941074f27fcb6808b
Opcode Fuzzy Hash: b83e8f8139ae4c105eb88aad6105fc874f4ede6bcae5dec4bcfdd69fe5f363ec
Instruction Fuzzy Hash: 602156B9C006699BCB14CF9AC5447AEFBF4EB48320F10816AD918B7740D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 064D0952 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 064D09C2

Memory Dump Source

Source File: 00000000.00000002.4078738408.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_xtnhsVjQTxvH.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fbc49796827404ddded107a7f24b57c55c60a360059f89c1e84bd1b638f11c52
Instruction ID: 632f1c227010140017f20a82d44fca608fbd54d279274da4c3ef50949dfa29ea
Opcode Fuzzy Hash: fbc49796827404ddded107a7f24b57c55c60a360059f89c1e84bd1b638f11c52
Instruction Fuzzy Hash: 051126B6D00248DFDB20CF9AD844ADFFBF4EB88710F10842AE459A7250C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 064D0958 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 064D09C2

Memory Dump Source

Source File: 00000000.00000002.4078738408.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_xtnhsVjQTxvH.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 88e82002f4eb2aa2b1bb08ded3107a37739ea53ca10db138bfdd033065677509
Instruction ID: 25ceae379b3309e9c4c58abcf808c7593cbc5bc5ac74e5b32ac73a1ff88668b5
Opcode Fuzzy Hash: 88e82002f4eb2aa2b1bb08ded3107a37739ea53ca10db138bfdd033065677509
Instruction Fuzzy Hash: 4E11F0B6D00249CFDB20CF9AD844ADEFBF4EB88720F14846AE459A7250C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 064D06F0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 064D0756

Memory Dump Source

Source File: 00000000.00000002.4078738408.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_xtnhsVjQTxvH.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a6a49bfc3c3e5c138c2f3e991957af1b29f7a63f8075a3fc46321e4016e69686
Instruction ID: c4186c88859968652d6a2931e2d63a240cf6f3e0f0b47b4b3cf2094a329cdc9a
Opcode Fuzzy Hash: a6a49bfc3c3e5c138c2f3e991957af1b29f7a63f8075a3fc46321e4016e69686
Instruction Fuzzy Hash: D61113B5C003498FCB50DF9AC444ADEFBF4EB88714F10842AD469B7210C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 064D755A Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 064D75B5

Memory Dump Source

Source File: 00000000.00000002.4078738408.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_xtnhsVjQTxvH.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 95a8cc9833bcc1938a689e5fc051898cdb48ec53e4ef6fd07a30d0ba71cc89b0
Instruction ID: 1df71a0d1355f685a71eb5a0c2657c252df8dbd19525bf867fc5277e2d82c32e
Opcode Fuzzy Hash: 95a8cc9833bcc1938a689e5fc051898cdb48ec53e4ef6fd07a30d0ba71cc89b0
Instruction Fuzzy Hash: B61103B58002498FCB20DF9AD544BDEFBF4EB48324F10841AD559A7750C378A584CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 064D6618 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 064D75B5

Memory Dump Source

Source File: 00000000.00000002.4078738408.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_xtnhsVjQTxvH.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d1be61047bd2ce9fbf76ce77d4dcb85236c3fd1d885555a68a87109779ceac32
Instruction ID: 26a48026d3cb821f16ef4c28ca3fdce415f6d2c68b9af34f8511637c7b930a63
Opcode Fuzzy Hash: d1be61047bd2ce9fbf76ce77d4dcb85236c3fd1d885555a68a87109779ceac32
Instruction Fuzzy Hash: 2F1100B5D002488FCB60DF9AD548BDEBBF8EB48324F20845AE558A7750D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DAD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075102246.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b532ef21bd4398bb33eff8e7f73bf2d838c30a3d46b312b8cb24aa1061055c5d
Instruction ID: c238434fb1b2abb256dd2334fef3ddfcb056c2fd5560b10b8cd107b77074bf08
Opcode Fuzzy Hash: b532ef21bd4398bb33eff8e7f73bf2d838c30a3d46b312b8cb24aa1061055c5d
Instruction Fuzzy Hash: EE216A71900200DFCB04DF04C9C4B17BFA6FB9A318F24C569D80A0B656C336D846C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD128 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075134450.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d474b6d32ef7a5592ba7dea66e5c894df10649c876a7755715263e94d16331a1
Instruction ID: bd3c4d194f225baa1ab0463e5021d568d511bc8bf4a15851bc35e6cd891b07ce
Opcode Fuzzy Hash: d474b6d32ef7a5592ba7dea66e5c894df10649c876a7755715263e94d16331a1
Instruction Fuzzy Hash: E02134B1500340DFDB05DF18C9C0B66BBA6FB84314F24C56DD84A4B256D33AD846CA71

Uniqueness

Uniqueness Score: -1.00%

Function 064F4461 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4078784352.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64f0000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad6d4eb73b15dfebb34713080a3c721cff5863a69a261ceef58f53edcecea23
Instruction ID: 6326cf324569c3791d8977abe271938ba77bd8c6a9a1a9b1c220ab874b7e4d85
Opcode Fuzzy Hash: 6ad6d4eb73b15dfebb34713080a3c721cff5863a69a261ceef58f53edcecea23
Instruction Fuzzy Hash: 97216738306B509FC7069B24D42889EBF73BBC96213048346D98287786CB34E993CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 064F444D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4078784352.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64f0000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a871898af2f873e2410888b10d4e857b07a7989ae93db7a24967a361a622aa4
Instruction ID: 3c80c333092c0a37908c42b8d2e0fdb72dad02493426e635a194cd02b68a167d
Opcode Fuzzy Hash: 6a871898af2f873e2410888b10d4e857b07a7989ae93db7a24967a361a622aa4
Instruction Fuzzy Hash: F111AC38303B159B87059F25D45889EBB63FBCC6213509306E94687B45CB34F9D3CAD5

Uniqueness

Uniqueness Score: -1.00%

Function 00DAD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075102246.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 59eaaf3ecb3e4298f0edb19fe39919f5fea0b2cc5af9e8097c5b3f4ec5073c9f
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0911E676904240CFCB16CF14D5C4B16BF72FB95318F28C6A9DD0A0B656C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD123 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075134450.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: e806af7b4cb81e7da9352750ad63804d5519c78feab7ece760ee165f9f73960b
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 3711BE75504280CFDB01CF14D5C4B55BF62FB44314F28C6AADC0A4B656D33AD80ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 064F4488 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4078784352.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64f0000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8d28f97add09e687e4895a0f7f2489d114e053e0b0767e52357643bb2c7cb6
Instruction ID: fce0d9fb6b2327364e02724edfd86c37a6a9dee372e0709a160f07920565c0ea
Opcode Fuzzy Hash: 9f8d28f97add09e687e4895a0f7f2489d114e053e0b0767e52357643bb2c7cb6
Instruction Fuzzy Hash: C4114738302B159B8709AB29D45889EBB67FBCC6213149316ED4683B45CB34FDD38AD5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 064D0BD8 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4078738408.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a96e7be41736d2b222a50e92f9d98edcac3da74d58700671180984a987e8dd
Instruction ID: 73a5d88965f742b4acb7083295ef6eb391bd42e71256cefeaa69a2099431fb37
Opcode Fuzzy Hash: 89a96e7be41736d2b222a50e92f9d98edcac3da74d58700671180984a987e8dd
Instruction Fuzzy Hash: 1752F6B8D80706CFEB10CF18E8881997BB1FB41714FE14A2AD6516B6E0D7B875A6CF44

Uniqueness

Uniqueness Score: -1.00%

Function 064D7831 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4078738408.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5df48b3a2fd751e4d3b82c54188f172cc95c7770a67d627a18901ed907e7507
Instruction ID: 0ef3bccce2b54488dd75df18bcf21ec970b2bc4cde69ae736e29bbb300fd100f
Opcode Fuzzy Hash: f5df48b3a2fd751e4d3b82c54188f172cc95c7770a67d627a18901ed907e7507
Instruction Fuzzy Hash: FBD14930E00209CFEB55DFA9C958BAEBBF1AF44704F15856AE409AF3A5DB70D945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02859938 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075429519.0000000002850000.00000040.00000800.00020000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2850000_xtnhsVjQTxvH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9b46ca87a86dd07de2f48069b37afcaab0152aebd497792fc83eb4e3b55949
Instruction ID: 0fba4230a97ab812b02d342da2812e724f7df8008edb1bc383cfdf538d998b73
Opcode Fuzzy Hash: ad9b46ca87a86dd07de2f48069b37afcaab0152aebd497792fc83eb4e3b55949
Instruction Fuzzy Hash: E6917278E00219CFDF10CFA9D9857DDBBF2AF88318F148129E849E7294EB749845CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xtnhsVjQTxvH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
xtnhsVjQTxvH.exe

Function 064F0048 Relevance: 26.7, Strings: 21, Instructions: 426
COMMON

Function 064F0000 Relevance: 7.8, Strings: 6, Instructions: 259
COMMON

Function 064D04F2 Relevance: 1.7, APIs: 1, Instructions: 208
COMMON

Function 02853334 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Function 064D26C4 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 064D26D0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 02851978 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON