Edit tour

Windows Analysis Report
RtU8kXPnKr.exe

Overview

General Information

Sample name:	RtU8kXPnKr.exe renamed because original name is a hash value
Original sample name:	720eea739bd033b804b98c0190b06d864dd61053aab14cb19d1c56d390686313.exe
Analysis ID:	1582627
MD5:	9ea49e8b67bf4eb173682c84c4a4f472
SHA1:	7e328600053285468f4dd7c302cdc00d3a75ae89
SHA256:	720eea739bd033b804b98c0190b06d864dd61053aab14cb19d1c56d390686313
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected Quasar RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for sample

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

RtU8kXPnKr.exe (PID: 504 cmdline: "C:\Users\user\Desktop\RtU8kXPnKr.exe" MD5: 9EA49E8B67BF4EB173682C84C4A4F472)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.2.0.0", "Host:Port": "180.100.217.219:8092;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "QSR_MUTEX_miqqcB3y3GjXPlDBqC", "StartupKey": "Quasar Client Startup", "Tag": "System", "LogDirectoryName": "Logs"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
RtU8kXPnKr.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
RtU8kXPnKr.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
RtU8kXPnKr.exe	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x32b36:$a1: GetKeyloggerLogsResponse 0x38eb3:$a2: DoDownloadAndExecute 0x3e66c:$a3: http://api.ipify.org/ 0x3d1d3:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
RtU8kXPnKr.exe	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3338a:$s1: DoUploadAndExecute 0x38eb3:$s2: DoDownloadAndExecute 0x33158:$s3: DoShellExecute 0x33582:$s4: set_Processname 0xf65c:$op1: 04 1E FE 02 04 16 FE 01 60 0xf580:$op2: 00 17 03 1F 20 17 19 15 28 0xffed:$op3: 00 04 03 69 91 1B 40 0x1084c:$op3: 00 04 03 69 91 1B 40
RtU8kXPnKr.exe	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x32b36:$x1: GetKeyloggerLogsResponse 0x32dc7:$s1: DoShellExecuteResponse 0x2cb00:$s2: GetPasswordsResponse 0x32c9a:$s3: GetStartupItemsResponse 0x28e98:$s4: <GetGenReader>b__7 0x3339e:$s5: RunHidden 0x333bc:$s5: RunHidden 0x333ca:$s5: RunHidden 0x333de:$s5: RunHidden
RtU8kXPnKr.exe	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x32b36:$x3: GetKeyloggerLogsResponse 0x330ce:$x4: GetKeyloggerLogs 0x3339d:$s1: <RunHidden>k__BackingField 0x32d4f:$s2: set_SystemInfos 0x333c6:$s3: set_RunHidden 0x32fcc:$s4: set_RemotePath 0x423f8:$s6: Client.exe 0x42460:$s6: Client.exe 0x38565:$s7: xClient.Core.ReverseProxy.Packets
RtU8kXPnKr.exe	xRAT_1	Detects Patchwork malware	Florian Roth	0x251d2:$x4: xClient.Properties.Resources.resources 0x250c1:$s4: Client.exe 0x333c6:$s7: set_RunHidden
RtU8kXPnKr.exe	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x345ea:$x4: get_encryptedPassword 0x38eb3:$x5: DoDownloadAndExecute
RtU8kXPnKr.exe	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x3c543:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x3d18e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x3127e:$class: Core.MouseKeyHook.WinApi
RtU8kXPnKr.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x3c407:$f1: FileZilla\recentservers.xml 0x3c447:$f2: FileZilla\sitemanager.xml 0x3c47b:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x3ca25:$b1: Chrome\User Data\ 0x3ca89:$b1: Chrome\User Data\ 0x3ce20:$b2: Mozilla\Firefox\Profiles 0x3d4dd:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x418d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3d56d:$b4: Opera Software\Opera Stable\Login Data 0x3d61d:$b5: YandexBrowser\User Data\ 0x3d68f:$b5: YandexBrowser\User Data\ 0x3cbd0:$s4: logins.json 0x3cc1c:$s4: logins.json 0x3cf0e:$s4: logins.json 0x3d2c1:$a1: username_value 0x3d2df:$a2: password_value 0x345c2:$a3: encryptedUsername 0x345d8:$a3: encryptedUsername 0x3470b:$a3: encryptedUsername 0x345ee:$a4: encryptedPassword 0x34604:$a4: encryptedPassword
RtU8kXPnKr.exe	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x32b36:$s1: GetKeyloggerLogsResponse 0x330ce:$s2: GetKeyloggerLogs 0x3e879:$s3: />Log created on 0x3d18e:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x3d1d3:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x2ff94:$s7: <virtualKeyCode> 0x30166:$s7: <virtualKeyCode> 0x3339d:$s8: <RunHidden>k__BackingField 0x3014c:$s9: <keyboardHookStruct> 0x3bad1:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4558083257.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x32936:$a1: GetKeyloggerLogsResponse 0x38cb3:$a2: DoDownloadAndExecute 0x3e46c:$a3: http://api.ipify.org/ 0x3cfd3:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3318a:$s1: DoUploadAndExecute 0x38cb3:$s2: DoDownloadAndExecute 0x32f58:$s3: DoShellExecute 0x33382:$s4: set_Processname 0xf45c:$op1: 04 1E FE 02 04 16 FE 01 60 0xf380:$op2: 00 17 03 1F 20 17 19 15 28 0xfded:$op3: 00 04 03 69 91 1B 40 0x1064c:$op3: 00 04 03 69 91 1B 40
00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x3c343:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x3cf8e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x3107e:$class: Core.MouseKeyHook.WinApi
Process Memory Space: RtU8kXPnKr.exe PID: 504	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x32b36:$a1: GetKeyloggerLogsResponse 0x38eb3:$a2: DoDownloadAndExecute 0x3e66c:$a3: http://api.ipify.org/ 0x3d1d3:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3338a:$s1: DoUploadAndExecute 0x38eb3:$s2: DoDownloadAndExecute 0x33158:$s3: DoShellExecute 0x33582:$s4: set_Processname 0xf65c:$op1: 04 1E FE 02 04 16 FE 01 60 0xf580:$op2: 00 17 03 1F 20 17 19 15 28 0xffed:$op3: 00 04 03 69 91 1B 40 0x1084c:$op3: 00 04 03 69 91 1B 40
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x32b36:$x1: GetKeyloggerLogsResponse 0x32dc7:$s1: DoShellExecuteResponse 0x2cb00:$s2: GetPasswordsResponse 0x32c9a:$s3: GetStartupItemsResponse 0x28e98:$s4: <GetGenReader>b__7 0x3339e:$s5: RunHidden 0x333bc:$s5: RunHidden 0x333ca:$s5: RunHidden 0x333de:$s5: RunHidden
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x32b36:$x3: GetKeyloggerLogsResponse 0x330ce:$x4: GetKeyloggerLogs 0x3339d:$s1: <RunHidden>k__BackingField 0x32d4f:$s2: set_SystemInfos 0x333c6:$s3: set_RunHidden 0x32fcc:$s4: set_RemotePath 0x423f8:$s6: Client.exe 0x42460:$s6: Client.exe 0x38565:$s7: xClient.Core.ReverseProxy.Packets
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x251d2:$x4: xClient.Properties.Resources.resources 0x250c1:$s4: Client.exe 0x333c6:$s7: set_RunHidden
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x345ea:$x4: get_encryptedPassword 0x38eb3:$x5: DoDownloadAndExecute
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x3c543:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x3d18e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x3127e:$class: Core.MouseKeyHook.WinApi
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x3c407:$f1: FileZilla\recentservers.xml 0x3c447:$f2: FileZilla\sitemanager.xml 0x3c47b:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x3ca25:$b1: Chrome\User Data\ 0x3ca89:$b1: Chrome\User Data\ 0x3ce20:$b2: Mozilla\Firefox\Profiles 0x3d4dd:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x418d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3d56d:$b4: Opera Software\Opera Stable\Login Data 0x3d61d:$b5: YandexBrowser\User Data\ 0x3d68f:$b5: YandexBrowser\User Data\ 0x3cbd0:$s4: logins.json 0x3cc1c:$s4: logins.json 0x3cf0e:$s4: logins.json 0x3d2c1:$a1: username_value 0x3d2df:$a2: password_value 0x345c2:$a3: encryptedUsername 0x345d8:$a3: encryptedUsername 0x3470b:$a3: encryptedUsername 0x345ee:$a4: encryptedPassword 0x34604:$a4: encryptedPassword
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x32b36:$s1: GetKeyloggerLogsResponse 0x330ce:$s2: GetKeyloggerLogs 0x3e879:$s3: />Log created on 0x3d18e:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x3d1d3:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x2ff94:$s7: <virtualKeyCode> 0x30166:$s7: <virtualKeyCode> 0x3339d:$s8: <RunHidden>k__BackingField 0x3014c:$s9: <keyboardHookStruct> 0x3bad1:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Click to see the 6 entries

Suricata Signatures

ETPRO MALWARE W32/Quasar RAT Connectivity Check

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T06:13:54.138624+0100	2814031	1	A Network Trojan was detected	192.168.2.6	49708	88.198.193.213	80	TCP

ETPRO MALWARE W32/Quasar RAT Connectivity Check 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T06:13:56.888680+0100	2814030	1	A Network Trojan was detected	192.168.2.6	49712	3.33.130.190	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: RtU8kXPnKr.exe

Avira: detected

Found malware configuration

Source: RtU8kXPnKr.exe

Malware Configuration Extractor: Quasar {"Version": "1.2.0.0", "Host:Port": "180.100.217.219:8092;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "QSR_MUTEX_miqqcB3y3GjXPlDBqC", "StartupKey": "Quasar Client Startup", "Tag": "System", "LogDirectoryName": "Logs"}

Multi AV Scanner detection for submitted file

Source: RtU8kXPnKr.exe	ReversingLabs: Detection: 78%
Source: RtU8kXPnKr.exe	Virustotal: Detection: 73%			Perma Link

Yara detected Quasar RAT

Source: Yara match	File source: RtU8kXPnKr.exe, type: SAMPLE
Source: Yara match	File source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4558083257.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RtU8kXPnKr.exe PID: 504, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: RtU8kXPnKr.exe

Joe Sandbox ML: detected

Source: RtU8kXPnKr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 88.198.193.213:443 -> 192.168.2.6:49710 version: TLS 1.0

Source: RtU8kXPnKr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2814031 - Severity 1 - ETPRO MALWARE W32/Quasar RAT Connectivity Check : 192.168.2.6:49708 -> 88.198.193.213:80
Source: Network traffic	Suricata IDS: 2814030 - Severity 1 - ETPRO MALWARE W32/Quasar RAT Connectivity Check 2 : 192.168.2.6:49712 -> 3.33.130.190:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 180.100.217.219

Yara detected Generic Downloader

Source: Yara match	File source: RtU8kXPnKr.exe, type: SAMPLE
Source: Yara match	File source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.6:49714 -> 180.100.217.219:8092

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 88.198.193.213 88.198.193.213

Source: Joe Sandbox View

ASN Name: CHINANET-JS-AS-APASNumberforCHINANETjiangsuprovinceba CHINANET-JS-AS-APASNumberforCHINANETjiangsuprovinceba

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: freegeoip.net
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 88.198.193.213:443 -> 192.168.2.6:49710 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: telize.com
Source: global traffic	DNS traffic detected: DNS query: www.telize.com
Source: global traffic	DNS traffic detected: DNS query: freegeoip.net
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org

Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.00000000033F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.00000000033F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: RtU8kXPnKr.exe	String found in binary or memory: http://api.ipify.org/3
Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://freegeoip.net
Source: RtU8kXPnKr.exe	String found in binary or memory: http://freegeoip.net/xml/
Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.0000000003354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.0000000003354000.00000004.00000800.00020000.00000000.sdmp, RtU8kXPnKr.exe, 00000000.00000002.4558083257.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://telize.com
Source: RtU8kXPnKr.exe	String found in binary or memory: http://telize.com/geoip
Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.0000000003384000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.telize.com
Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, RtU8kXPnKr.exe, 00000000.00000002.4558083257.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.telize.com
Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.telize.com/geoip

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\RtU8kXPnKr.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: RtU8kXPnKr.exe, type: SAMPLE
Source: Yara match	File source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4558083257.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RtU8kXPnKr.exe PID: 504, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_0317A288	0_2_0317A288
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_031799B8	0_2_031799B8
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_03179670	0_2_03179670
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_06E4E2D0	0_2_06E4E2D0
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_06EF69F8	0_2_06EF69F8
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_06EF0040	0_2_06EF0040
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_06EF0006	0_2_06EF0006

Source: RtU8kXPnKr.exe, 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe4 vs RtU8kXPnKr.exe
Source: RtU8kXPnKr.exe, 00000000.00000002.4559545450.0000000006E19000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RtU8kXPnKr.exe
Source: RtU8kXPnKr.exe	Binary or memory string: OriginalFilenameClient.exe4 vs RtU8kXPnKr.exe

Source: RtU8kXPnKr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan

Source: RtU8kXPnKr.exe, ----.cs

Base64 encoded string: 'OQHreK390wg9S1emghPyaWNxW+rNmoL7DPKLQW+ZoPtaD4ifpl8iq1aqdl7w0X4R'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@4/4

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

File created: C:\Users\user\AppData\Roaming\Logs

Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_miqqcB3y3GjXPlDBqC

Source: RtU8kXPnKr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RtU8kXPnKr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RtU8kXPnKr.exe	ReversingLabs: Detection: 78%
Source: RtU8kXPnKr.exe	Virustotal: Detection: 73%

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: RtU8kXPnKr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RtU8kXPnKr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_0317A7BD pushfd ; iretd	0_2_0317A7D2
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_03177068 pushad ; ret	0_2_03177069
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_0317709B pushad ; ret	0_2_03177069

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

File opened: C:\Users\user\Desktop\RtU8kXPnKr.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Memory allocated: 3130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Memory allocated: 32E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Memory allocated: 52E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Window / User API: threadDelayed 7840			Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Window / User API: threadDelayed 1977			Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe TID: 2264	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe TID: 2264	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe TID: 2100	Thread sleep count: 7840 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe TID: 2100	Thread sleep count: 1977 > 30	Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RtU8kXPnKr.exe, 00000000.00000002.4557322515.000000000168E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Code function: 0_2_0317DF18 LdrInitializeThunk,

0_2_0317DF18

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Queries volume information: C:\Users\user\Desktop\RtU8kXPnKr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: RtU8kXPnKr.exe, type: SAMPLE
Source: Yara match	File source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4558083257.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RtU8kXPnKr.exe PID: 504, type: MEMORYSTR

Remote Access Functionality

Detected Quasar RAT

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_miqqcB3y3GjXPlDBqC

Jump to behavior

Yara detected Quasar RAT

Source: Yara match	File source: RtU8kXPnKr.exe, type: SAMPLE
Source: Yara match	File source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4558083257.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RtU8kXPnKr.exe PID: 504, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	11 Input Capture	1 Query Registry	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	113 Application Layer Protocol	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RtU8kXPnKr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
RtU8kXPnKr.exe