Edit tour

Windows Analysis Report
PatricksParabox.exe.bin.exe

Overview

General Information

Sample name:	PatricksParabox.exe.bin.exe
Analysis ID:	1634108
MD5:	0a717705a7797e35b6f5af62ffe43abb
SHA1:	4c823754c6cebe13ae0aec7ba874318f20445145
SHA256:	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to detect virtual machines (STR)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PatricksParabox.exe.bin.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\PatricksParabox.exe.bin.exe" MD5: 0A717705A7797E35B6F5AF62FFE43ABB)

schtasks.exe (PID: 6184 cmdline: "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

JavaUpdater.exe (PID: 5416 cmdline: "C:\Windows\system32\Java\JavaUpdater.exe" MD5: 0A717705A7797E35B6F5AF62FFE43ABB)

schtasks.exe (PID: 5680 cmdline: "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

JavaUpdater.exe (PID: 3488 cmdline: C:\Windows\system32\Java\JavaUpdater.exe MD5: 0A717705A7797E35B6F5AF62FFE43ABB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": ["prxprodquasar.zapto.org:4782"], "SubDirectory": "Java", "InstallName": "JavaUpdater.exe", "MutexName": "ad6032ec-a1ba-49fe-a6c9-21a847436cda", "StartupKey": "Java Updater", "Tag": "Hugrix", "LogDirectoryName": "JavaInstallLogs", "ServerSignature": "lczVy6M0czaKNulcODkgSjLr44rA2jqzqKhCxmmzlkTc7Biv1X8XCvEyUICr9kIv96Kif4wyKXaerlvBCCLsn1muRO+MfWvRMHSmaBxSxrpNpKqdhoHGcnMdzBdPPpT82phdop5Rha6oYuEjZjzWHOtc9Q+09CggX4bPTkePjzf96U9oVyjno2glYS9N56IeRVNwGYu9cPVI4mONXZGRAuEtqKOZaHzx0nT0O3liCAODvqqj4yKLb4oS/M5qexaDW+JYrNn7osWHHP+1t+Th7eiDtxEJWXZ8J6wb4sAtw4tQdFDwnTOc8zAe1RaF85L6lc+2iS4cdy6XW/0QTowoeZhGVGqfdcgvzuCZckyE4s9kI9x3fmU39dJp5MA/KfvrT5kVgx8oMhkrHURuKSb4ivaztldWsk1XUApvBX/4gedBj55csAxnazz4R9ai6Zsq1fDC4YbHyPlW0/m6qDIYdAG56t4Hk7D+I6kQDisE0HZDQOTVn6QcGZetkLR+5YjyGANWQa+tw9YradZdZwoOkeQX365D704feREJR9v8N2GsI3PR+nWx1kjcQIzJXsX59xnHiaGeRYnamfetXFdd36y7nr55yeWbhWjDWeu9XJfiCvw9OrszyHZpRFGje0QqSphGQjX2/1tTkmbrdCQc7RmWebf626iuKc0tBpJRRCk=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAIK0W5Q8Sd5ftd43uJBYUTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI1MDMwODE1MTgzMFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArueAZUNZAXVckQ+6o3mc1y5gOvyH7bCg2Emomva8BR4QguAT4mTosmj8dvZLf7fXH0qW3fwqUPDLVjOs+Yc3QHbkZdWD1OQ/98xiFMKxDIKvhImuQ87yFw65WJXr5CAHY4m70vOgQfHQyx2PsdtUVZrEryaM4Hk9IAUirphgwlFZpUTrLhY9kd5lJrehdBt8AXsrlCZ/bNqPVq+ce88wyUBwOPpp5Sw6WDOUXnrgxE3Bget+FRRrjdtZ6wTACqlqL3y3Fb0cfu1NNNVZ8tGOz9cQhFx5x9CBfXPeQOmrcd8hYfnjF31Jz0oJ7PexBRN1qtJYOLL7BLslnoZkBWy1n+g1VVRhNg2cAiRdB0bpNnSV+ICiY+PN+6gBuTMhuPm9FqCERXepJycfttrzChkiFJ3K/Nu/jJKtEYcFqTmceld2tWTMpaKWDqMPIZ5C6Uo5NLQjBmwL6iOIgcsxRWsRwaG+3J7exUZsQTfkQyjd++iLK5wjYzVWkMEfrzd02um6qbfkfEzqQjYpxa9w9mp9vJPDHUxS82g45+oKu+I+WBlH6E6wCULJbkEXUfUI4HOIY4uvNb/vS7CSmydXcXvVuzLNuWgVg9Qf7bagFdFoZgpmijWYwWyaKTDjpw5W6ht7yBg2ItqHknbQU57e0v156F0klGHFz0xFolffIe9+fzcCAwEAAaMyMDAwHQYDVR0OBBYEFCOBE0usdQPpCWuXNB122X09sWEFMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAB93eq3teGHs57pMBrrAZI6SsWU5y6fedmIfCG4thbYvW8+oh2ToO63+OyTZSZ0POiVgQhdPUVfC6hfRK45yFx0tiVevlWne6xhvd3DukGlc/1f2Q1UNYRIMT2wvWrLwVsMaCYiX0I0TXaJh+Od1/jZbI2bx6RjJoGrx45sLJ2b0HU2PmpHxwQZWI6RCJIed12Le5Rp41SD4/I+fEryeaQy9vaznco4k5y1vWCgF945Efyv0VYRAYZKFjirN3/km5aU8Syi6D3YsSrvNFqcyz5QsSSaenRkcj274MIXLwT8eXN0oxr2A/ZGvHFBlClfsei6axR1uL1H5ns9hLOMeMtF6KDH8z3OTWa+pSQ4xxoWRSGELzOQQLGVPtJlKf4bcCSJ9IrWx9XoqnHqmWpfhtspLQa1FRDSNuG/V8ubOwQhyK7+ZkGetXBSN85XCqBQebMb/LIu9axHo+ytJF+ERaYVQH/iRH0P/bXl1dziF04YcXEg1WKNajt1+0tUsxsMsf1GUjKTMzcWbQlxmEfTqgtDYrQZyoVCrBx270ib9jA0vZesfKeC9PKodbFwprlo5b36fKiAOUPNDgoG0dJqUJwSr6GlBZqKwKdMkw7COKum++KjFvj+QRJ6S2POn0fyYfGPwqquAN8JjuGVaWqxFmAP0VqfoelSMljzlmgjmta1Z"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
PatricksParabox.exe.bin.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
PatricksParabox.exe.bin.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eff9:$x1: Quasar.Common.Messages 0x29f322:$x1: Quasar.Common.Messages 0x2ab82e:$x4: Uninstalling... good bye :-( 0x2ad023:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
PatricksParabox.exe.bin.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade0:$f1: FileZilla\recentservers.xml 0x2aae20:$f2: FileZilla\sitemanager.xml 0x2aae62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ae:$b1: Chrome\User Data\ 0x2ab104:$b1: Chrome\User Data\ 0x2ab3dc:$b2: Mozilla\Firefox\Profiles 0x2ab4d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd434:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab630:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ea:$b5: YandexBrowser\User Data\ 0x2ab758:$b5: YandexBrowser\User Data\ 0x2ab42c:$s4: logins.json 0x2ab162:$a1: username_value 0x2ab180:$a2: password_value 0x2ab46c:$a3: encryptedUsername 0x2fd378:$a3: encryptedUsername 0x2ab490:$a4: encryptedPassword 0x2fd396:$a4: encryptedPassword 0x2fd314:$a5: httpRealm
PatricksParabox.exe.bin.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab918:$s3: Process already elevated. 0x28ecf8:$s4: get_PotentiallyVulnerablePasswords 0x278db4:$s5: GetKeyloggerLogsDirectory 0x29ea81:$s5: GetKeyloggerLogsDirectory 0x28ed1b:$s6: set_PotentiallyVulnerablePasswords 0x2fea62:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\System32\Java\JavaUpdater.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
C:\Windows\System32\Java\JavaUpdater.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eff9:$x1: Quasar.Common.Messages 0x29f322:$x1: Quasar.Common.Messages 0x2ab82e:$x4: Uninstalling... good bye :-( 0x2ad023:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Windows\System32\Java\JavaUpdater.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade0:$f1: FileZilla\recentservers.xml 0x2aae20:$f2: FileZilla\sitemanager.xml 0x2aae62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ae:$b1: Chrome\User Data\ 0x2ab104:$b1: Chrome\User Data\ 0x2ab3dc:$b2: Mozilla\Firefox\Profiles 0x2ab4d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd434:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab630:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ea:$b5: YandexBrowser\User Data\ 0x2ab758:$b5: YandexBrowser\User Data\ 0x2ab42c:$s4: logins.json 0x2ab162:$a1: username_value 0x2ab180:$a2: password_value 0x2ab46c:$a3: encryptedUsername 0x2fd378:$a3: encryptedUsername 0x2ab490:$a4: encryptedPassword 0x2fd396:$a4: encryptedPassword 0x2fd314:$a5: httpRealm
C:\Windows\System32\Java\JavaUpdater.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab918:$s3: Process already elevated. 0x28ecf8:$s4: get_PotentiallyVulnerablePasswords 0x278db4:$s5: GetKeyloggerLogsDirectory 0x29ea81:$s5: GetKeyloggerLogsDirectory 0x28ed1b:$s6: set_PotentiallyVulnerablePasswords 0x2fea62:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2156780665.00000000033B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.912148419.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: PatricksParabox.exe.bin.exe PID: 6964	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: JavaUpdater.exe PID: 5416	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.PatricksParabox.exe.bin.exe.a80000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.PatricksParabox.exe.bin.exe.a80000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eff9:$x1: Quasar.Common.Messages 0x29f322:$x1: Quasar.Common.Messages 0x2ab82e:$x4: Uninstalling... good bye :-( 0x2ad023:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.PatricksParabox.exe.bin.exe.a80000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aade0:$f1: FileZilla\recentservers.xml 0x2aae20:$f2: FileZilla\sitemanager.xml 0x2aae62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ae:$b1: Chrome\User Data\ 0x2ab104:$b1: Chrome\User Data\ 0x2ab3dc:$b2: Mozilla\Firefox\Profiles 0x2ab4d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd434:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab630:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ea:$b5: YandexBrowser\User Data\ 0x2ab758:$b5: YandexBrowser\User Data\ 0x2ab42c:$s4: logins.json 0x2ab162:$a1: username_value 0x2ab180:$a2: password_value 0x2ab46c:$a3: encryptedUsername 0x2fd378:$a3: encryptedUsername 0x2ab490:$a4: encryptedPassword 0x2fd396:$a4: encryptedPassword 0x2fd314:$a5: httpRealm
0.0.PatricksParabox.exe.bin.exe.a80000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab918:$s3: Process already elevated. 0x28ecf8:$s4: get_PotentiallyVulnerablePasswords 0x278db4:$s5: GetKeyloggerLogsDirectory 0x29ea81:$s5: GetKeyloggerLogsDirectory 0x28ed1b:$s6: set_PotentiallyVulnerablePasswords 0x2fea62:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Suricata Signatures

ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:51:05.208595+0100	2035595	1	Domain Observed Used for C2 Detected	2.83.126.58	4782	192.168.2.8	49682	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T19:51:05.208595+0100	2027619	1	Domain Observed Used for C2 Detected	2.83.126.58	4782	192.168.2.8	49682	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PatricksParabox.exe.bin.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\System32\Java\JavaUpdater.exe

Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: PatricksParabox.exe.bin.exe

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": ["prxprodquasar.zapto.org:4782"], "SubDirectory": "Java", "InstallName": "JavaUpdater.exe", "MutexName": "ad6032ec-a1ba-49fe-a6c9-21a847436cda", "StartupKey": "Java Updater", "Tag": "Hugrix", "LogDirectoryName": "JavaInstallLogs", "ServerSignature": "lczVy6M0czaKNulcODkgSjLr44rA2jqzqKhCxmmzlkTc7Biv1X8XCvEyUICr9kIv96Kif4wyKXaerlvBCCLsn1muRO+MfWvRMHSmaBxSxrpNpKqdhoHGcnMdzBdPPpT82phdop5Rha6oYuEjZjzWHOtc9Q+09CggX4bPTkePjzf96U9oVyjno2glYS9N56IeRVNwGYu9cPVI4mONXZGRAuEtqKOZaHzx0nT0O3liCAODvqqj4yKLb4oS/M5qexaDW+JYrNn7osWHHP+1t+Th7eiDtxEJWXZ8J6wb4sAtw4tQdFDwnTOc8zAe1RaF85L6lc+2iS4cdy6XW/0QTowoeZhGVGqfdcgvzuCZckyE4s9kI9x3fmU39dJp5MA/KfvrT5kVgx8oMhkrHURuKSb4ivaztldWsk1XUApvBX/4gedBj55csAxnazz4R9ai6Zsq1fDC4YbHyPlW0/m6qDIYdAG56t4Hk7D+I6kQDisE0HZDQOTVn6QcGZetkLR+5YjyGANWQa+tw9YradZdZwoOkeQX365D704feREJR9v8N2GsI3PR+nWx1kjcQIzJXsX59xnHiaGeRYnamfetXFdd36y7nr55yeWbhWjDWeu9XJfiCvw9OrszyHZpRFGje0QqSphGQjX2/1tTkmbrdCQc7RmWebf626iuKc0tBpJRRCk=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAIK0W5Q8Sd5ftd43uJBYUTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI1MDMwODE1MTgzMFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArueAZUNZAXVckQ+6o3mc1y5gOvyH7bCg2Emomva8BR4QguAT4mTosmj8dvZLf7fXH0qW3fwqUPDLVjOs+Yc3QHbkZdWD1OQ/98xiFMKxDIKvhImuQ87yFw65WJXr5CAHY4m70vOgQfHQyx2PsdtUVZrEryaM4Hk9IAUirphgwlFZpUTrLhY9kd5lJrehdBt8AXsrlCZ/bNqPVq+ce88wyUBwOPpp5Sw6WDOUXnrgxE3Bget+FRRrjdtZ6wTACqlqL3y3Fb0cfu1NNNVZ8tGOz9cQhFx5x9CBfXPeQOmrcd8hYfnjF31Jz0oJ7PexBRN1qtJYOLL7BLslnoZkBWy1n+g1VVRhNg2cAiRdB0bpNnSV+ICiY+PN+6gBuTMhuPm9FqCERXepJycfttrzChkiFJ3K/Nu/jJKtEYcFqTmceld2tWTMpaKWDqMPIZ5C6Uo5NLQjBmwL6iOIgcsxRWsRwaG+3J7exUZsQTfkQyjd++iLK5wjYzVWkMEfrzd02um6qbfkfEzqQjYpxa9w9mp9vJPDHUxS82g45+oKu+I+WBlH6E6wCULJbkEXUfUI4HOIY4uvNb/vS7CSmydXcXvVuzLNuWgVg9Qf7bagFdFoZgpmijWYwWyaKTDjpw5W6ht7yBg2ItqHknbQU57e0v156F0klGHFz0xFolffIe9+fzcCAwEAAaMyMDAwHQYDVR0OBBYEFCOBE0usdQPpCWuXNB122X09sWEFMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAB93eq3teGHs57pMBrrAZI6SsWU5y6fedmIfCG4thbYvW8+oh2ToO63+OyTZSZ0POiVgQhdPUVfC6hfRK45yFx0tiVevlWne6xhvd3DukGlc/1f2Q1UNYRIMT2wvWrLwVsMaCYiX0I0TXaJh+Od1/jZbI2bx6RjJoGrx45sLJ2b0HU2PmpHxwQZWI6RCJIed12Le5Rp41SD4/I+fEryeaQy9vaznco4k5y1vWCgF945Efyv0VYRAYZKFjirN3/km5aU8Syi6D3YsSrvNFqcyz5QsSSaenRkcj274MIXLwT8eXN0oxr2A/ZGvHFBlClfsei6axR1uL1H5ns9hLOMeMtF6KDH8z3OTWa+pSQ4xxoWRSGELzOQQLGVPtJlKf4bcCSJ9IrWx9XoqnHqmWpfhtspLQa1FRDSNuG/V8ubOwQhyK7+ZkGetXBSN85XCqBQebMb/LIu9axHo+ytJF+ERaYVQH/iRH0P/bXl1dziF04YcXEg1WKNajt1+0tUsxsMsf1GUjKTMzcWbQlxmEfTqgtDYrQZyoVCrBx270ib9jA0vZesfKeC9PKodbFwprlo5b36fKiAOUPNDgoG0dJqUJwSr6GlBZqKwKdMkw7COKum++KjFvj+QRJ6S2POn0fyYfGPwqquAN8JjuGVaWqxFmAP0VqfoelSMljzlmgjmta1Z"}

Multi AV Scanner detection for dropped file

Source: C:\Windows\System32\Java\JavaUpdater.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: PatricksParabox.exe.bin.exe	ReversingLabs: Detection: 73%
Source: PatricksParabox.exe.bin.exe	Virustotal: Detection: 70%			Perma Link

Yara detected Quasar RAT

Source: Yara match	File source: PatricksParabox.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.PatricksParabox.exe.bin.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2156780665.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.912148419.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PatricksParabox.exe.bin.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JavaUpdater.exe PID: 5416, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\System32\Java\JavaUpdater.exe, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: PatricksParabox.exe.bin.exe	String decryptor: 1.4.1
Source: PatricksParabox.exe.bin.exe	String decryptor: prxprodquasar.zapto.org:4782;
Source: PatricksParabox.exe.bin.exe	String decryptor: Java
Source: PatricksParabox.exe.bin.exe	String decryptor: JavaUpdater.exe
Source: PatricksParabox.exe.bin.exe	String decryptor: ad6032ec-a1ba-49fe-a6c9-21a847436cda
Source: PatricksParabox.exe.bin.exe	String decryptor: Java Updater
Source: PatricksParabox.exe.bin.exe	String decryptor: Hugrix
Source: PatricksParabox.exe.bin.exe	String decryptor: JavaInstallLogs
Source: PatricksParabox.exe.bin.exe	String decryptor: lczVy6M0czaKNulcODkgSjLr44rA2jqzqKhCxmmzlkTc7Biv1X8XCvEyUICr9kIv96Kif4wyKXaerlvBCCLsn1muRO+MfWvRMHSmaBxSxrpNpKqdhoHGcnMdzBdPPpT82phdop5Rha6oYuEjZjzWHOtc9Q+09CggX4bPTkePjzf96U9oVyjno2glYS9N56IeRVNwGYu9cPVI4mONXZGRAuEtqKOZaHzx0nT0O3liCAODvqqj4yKLb4oS/M5qexaDW+JYrNn7osWHHP+1t+Th7eiDtxEJWXZ8J6wb4sAtw4tQdFDwnTOc8zAe1RaF85L6lc+2iS4cdy6XW/0QTowoeZhGVGqfdcgvzuCZckyE4s9kI9x3fmU39dJp5MA/KfvrT5kVgx8oMhkrHURuKSb4ivaztldWsk1XUApvBX/4gedBj55csAxnazz4R9ai6Zsq1fDC4YbHyPlW0/m6qDIYdAG56t4Hk7D+I6kQDisE0HZDQOTVn6QcGZetkLR+5YjyGANWQa+tw9YradZdZwoOkeQX365D704feREJR9v8N2GsI3PR+nWx1kjcQIzJXsX59xnHiaGeRYnamfetXFdd36y7nr55yeWbhWjDWeu9XJfiCvw9OrszyHZpRFGje0QqSphGQjX2/1tTkmbrdCQc7RmWebf626iuKc0tBpJRRCk=
Source: PatricksParabox.exe.bin.exe	String decryptor: MIIE9DCCAtygAwIBAgIQAIK0W5Q8Sd5ftd43uJBYUTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI1MDMwODE1MTgzMFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArueAZUNZAXVckQ+6o3mc1y5gOvyH7bCg2Emomva8BR4QguAT4mTosmj8dvZLf7fXH0qW3fwqUPDLVjOs+Yc3QHbkZdWD1OQ/98xiFMKxDIKvhImuQ87yFw65WJXr5CAHY4m70vOgQfHQyx2PsdtUVZrEryaM4Hk9IAUirphgwlFZpUTrLhY9kd5lJrehdBt8AXsrlCZ/bNqPVq+ce88wyUBwOPpp5Sw6WDOUXnrgxE3Bget+FRRrjdtZ6wTACqlqL3y3Fb0cfu1NNNVZ8tGOz9cQhFx5x9CBfXPeQOmrcd8hYfnjF31Jz0oJ7PexBRN1qtJYOLL7BLslnoZkBWy1n+g1VVRhNg2cAiRdB0bpNnSV+ICiY+PN+6gBuTMhuPm9FqCERXepJycfttrzChkiFJ3K/Nu/jJKtEYcFqTmceld2tWTMpaKWDqMPIZ5C6Uo5NLQjBmwL6iOIgcsxRWsRwaG+3J7exUZsQTfkQyjd++iLK5wjYzVWkMEfrzd02um6qbfkfEzqQjYpxa9w9mp9vJPDHUxS82g45+oKu+I+WBlH6E6wCULJbkEXUfUI4HOIY4uvNb/vS7CSmydXcXvVuzLNuWgVg9Qf7bagFdFoZgpmijWYwWyaKTDjpw5W6ht7yBg2ItqHknbQU57e0v156F0klGHFz0xFolffIe9+fzcCAwEAAaMyMDAwHQYDVR0OBBYEFCOBE0usdQPpCWuXNB122X09sWEFMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAB93eq3teGHs57pMBrrAZI6SsWU5y6fedmIfCG4thbYvW8+oh2ToO63+OyTZSZ0POiVgQhdPUVfC6hfRK45yFx0tiVevlWne6xhvd3DukGlc/1f2Q1UNYRIMT2wvWrLwVsMaCYiX0I0TXaJh+Od1/jZbI2bx6RjJoGrx45sLJ2b0HU2PmpHxwQZWI6RCJIed12Le5Rp41SD4/I+fEryeaQy9vaznco4k5y1vWCgF945Efyv0VYRAYZKFjirN3/km5aU8Syi6D3YsSrvNFqcyz5QsSSaenRkcj274MIXLwT8eXN0oxr2A/ZGvHFBlClfsei6axR1uL1H5ns9hLOMeMtF6KDH8z3OTWa+pSQ4xxoWRSGELzOQQLGVPtJlKf4bcCSJ9IrWx9XoqnHqmWpfhtspLQa1FRDSNuG/V8ubOwQhyK7+ZkGetXBSN85XCqBQebMb/LIu9axHo+ytJF+ERaYVQH/iRH0P/bXl1dziF04YcXEg1WKNajt1+0tUsxsMsf1GUjKTMzcWbQlxmEfTqgtDYrQZyoVCrBx270ib9jA0vZesfKeC9PKodbFwprlo5b36fKiAOUPNDgoG0dJqUJwSr6GlBZqKwKdMkw7COKum++KjFvj+QRJ6S2POn0fyYfGPwqquAN8JjuGVaWqxFmAP0VqfoelSMljzlmgjmta1Z

Source: PatricksParabox.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PatricksParabox.exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 2.83.126.58:4782 -> 192.168.2.8:49682
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 2.83.126.58:4782 -> 192.168.2.8:49682

Source: global traffic

TCP traffic: 192.168.2.8:49682 -> 2.83.126.58:4782

Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90
Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: MEO-RESIDENCIALPT MEO-RESIDENCIALPT

Source: unknown	DNS query: name: ipwho.is
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: prxprodquasar.zapto.org
Source: global traffic	DNS traffic detected: DNS query: ipwho.is
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org

Source: JavaUpdater.exe, 00000004.00000002.2156780665.00000000033B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: JavaUpdater.exe, 00000004.00000002.2155588042.00000000011A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: JavaUpdater.exe, 00000004.00000002.2163369849.000000001B9E0000.00000004.00000020.00020000.00000000.sdmp, JavaUpdater.exe, 00000004.00000002.2163369849.000000001BB0C000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: JavaUpdater.exe, 00000004.00000002.2156780665.00000000032E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: PatricksParabox.exe.bin.exe, 00000000.00000002.943648434.0000000003001000.00000004.00000800.00020000.00000000.sdmp, JavaUpdater.exe, 00000004.00000002.2156780665.0000000002F39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: JavaUpdater.exe, 00000004.00000002.2156780665.00000000032EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: PatricksParabox.exe.bin.exe, JavaUpdater.exe.0.dr	String found in binary or memory: https://api.ipify.org/
Source: JavaUpdater.exe, 00000004.00000002.2156780665.00000000032CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: PatricksParabox.exe.bin.exe, JavaUpdater.exe.0.dr	String found in binary or memory: https://ipwho.is/
Source: PatricksParabox.exe.bin.exe, JavaUpdater.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: PatricksParabox.exe.bin.exe, JavaUpdater.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: PatricksParabox.exe.bin.exe, JavaUpdater.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\System32\Java\JavaUpdater.exe

Windows user hook set: 0 keyboard low level C:\Windows\system32\Java\JavaUpdater.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: PatricksParabox.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.PatricksParabox.exe.bin.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2156780665.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.912148419.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PatricksParabox.exe.bin.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JavaUpdater.exe PID: 5416, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\System32\Java\JavaUpdater.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: PatricksParabox.exe.bin.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: PatricksParabox.exe.bin.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: PatricksParabox.exe.bin.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.PatricksParabox.exe.bin.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.PatricksParabox.exe.bin.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.PatricksParabox.exe.bin.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Windows\System32\Java\JavaUpdater.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Windows\System32\Java\JavaUpdater.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Windows\System32\Java\JavaUpdater.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	File created: C:\Windows\system32\Java			Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	File created: C:\Windows\system32\Java\JavaUpdater.exe			Jump to behavior

Source: C:\Windows\System32\Java\JavaUpdater.exe	Code function: 4_2_00007FF936AD9FD0	4_2_00007FF936AD9FD0
Source: C:\Windows\System32\Java\JavaUpdater.exe	Code function: 4_2_00007FF936ADAFDD	4_2_00007FF936ADAFDD
Source: C:\Windows\System32\Java\JavaUpdater.exe	Code function: 4_2_00007FF936AD55D6	4_2_00007FF936AD55D6
Source: C:\Windows\System32\Java\JavaUpdater.exe	Code function: 4_2_00007FF936AE9611	4_2_00007FF936AE9611
Source: C:\Windows\System32\Java\JavaUpdater.exe	Code function: 4_2_00007FF936AE5636	4_2_00007FF936AE5636
Source: C:\Windows\System32\Java\JavaUpdater.exe	Code function: 4_2_00007FF936AE6B40	4_2_00007FF936AE6B40
Source: C:\Windows\System32\Java\JavaUpdater.exe	Code function: 4_2_00007FF936AE1407	4_2_00007FF936AE1407
Source: C:\Windows\System32\Java\JavaUpdater.exe	Code function: 4_2_00007FF936AE63E2	4_2_00007FF936AE63E2
Source: C:\Windows\System32\Java\JavaUpdater.exe	Code function: 4_2_00007FF936AD9271	4_2_00007FF936AD9271
Source: C:\Windows\System32\Java\JavaUpdater.exe	Code function: 4_2_00007FF936AEC9C1	4_2_00007FF936AEC9C1
Source: C:\Windows\System32\Java\JavaUpdater.exe	Code function: 4_2_00007FF936C01523	4_2_00007FF936C01523

Source: PatricksParabox.exe.bin.exe, 00000000.00000000.912499182.0000000000DB0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamepatricks.exeD vs PatricksParabox.exe.bin.exe
Source: PatricksParabox.exe.bin.exe	Binary or memory string: OriginalFilenamepatricks.exeD vs PatricksParabox.exe.bin.exe

Source: PatricksParabox.exe.bin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PatricksParabox.exe.bin.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: PatricksParabox.exe.bin.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: PatricksParabox.exe.bin.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.PatricksParabox.exe.bin.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.PatricksParabox.exe.bin.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.PatricksParabox.exe.bin.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Windows\System32\Java\JavaUpdater.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Windows\System32\Java\JavaUpdater.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Windows\System32\Java\JavaUpdater.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/5@3/3

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PatricksParabox.exe.bin.exe.log

Jump to behavior

Source: C:\Windows\System32\Java\JavaUpdater.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_03
Source: C:\Windows\System32\Java\JavaUpdater.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ad6032ec-a1ba-49fe-a6c9-21a847436cda
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03

Source: PatricksParabox.exe.bin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PatricksParabox.exe.bin.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\System32\Java\JavaUpdater.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PatricksParabox.exe.bin.exe	ReversingLabs: Detection: 73%
Source: PatricksParabox.exe.bin.exe	Virustotal: Detection: 70%

Source: PatricksParabox.exe.bin.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe

File read: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe "C:\Users\user\Desktop\PatricksParabox.exe.bin.exe"
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process created: C:\Windows\System32\Java\JavaUpdater.exe "C:\Windows\system32\Java\JavaUpdater.exe"
Source: unknown	Process created: C:\Windows\System32\Java\JavaUpdater.exe C:\Windows\system32\Java\JavaUpdater.exe
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process created: C:\Windows\System32\Java\JavaUpdater.exe "C:\Windows\system32\Java\JavaUpdater.exe"	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior

Source: C:\Windows\System32\Java\JavaUpdater.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\Java\JavaUpdater.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PatricksParabox.exe.bin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PatricksParabox.exe.bin.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: PatricksParabox.exe.bin.exe

Static file information: File size 3369472 > 1048576

Source: PatricksParabox.exe.bin.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400

Source: PatricksParabox.exe.bin.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\System32\Java\JavaUpdater.exe	Code function: 4_2_00007FF93674D2A5 pushad ; iretd	4_2_00007FF93674D2A6
Source: C:\Windows\System32\Java\JavaUpdater.exe	Code function: 4_2_00007FF936AF4ED8 push esp; ret	4_2_00007FF936AF4ED9
Source: C:\Windows\System32\Java\JavaUpdater.exe	Code function: 4_2_00007FF936AD33A0 push eax; ret	4_2_00007FF936AD340C

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe

Executable created and started: C:\Windows\system32\Java\JavaUpdater.exe

Jump to behavior

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe

File created: C:\Windows\System32\Java\JavaUpdater.exe

Jump to dropped file

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe

File created: C:\Windows\System32\Java\JavaUpdater.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	File opened: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	File opened: C:\Windows\system32\Java\JavaUpdater.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	File opened: C:\Windows\system32\Java\JavaUpdater.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Memory allocated: 1780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Memory allocated: 1B000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Memory allocated: 1540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Memory allocated: 1AF00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Memory allocated: 19D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Memory allocated: 1B440000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\Java\JavaUpdater.exe

Code function: 4_2_00007FF93686F1F2 str ax

4_2_00007FF93686F1F2

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\Java\JavaUpdater.exe	Window / User API: threadDelayed 8546			Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Window / User API: threadDelayed 1296			Jump to behavior

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe TID: 7008	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe TID: 5660	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe TID: 5660	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe TID: 1876	Thread sleep count: 8546 > 30	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe TID: 1876	Thread sleep count: 1296 > 30	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe TID: 6492	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe TID: 5736	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\Java\JavaUpdater.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\Java\JavaUpdater.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\Java\JavaUpdater.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: JavaUpdater.exe, 00000004.00000002.2162838964.000000001B878000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: JavaUpdater.exe, 00000004.00000002.2162838964.000000001B878000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: JavaUpdater.exe, 00000004.00000002.2163369849.000000001BB0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW G

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Process created: C:\Windows\System32\Java\JavaUpdater.exe "C:\Windows\system32\Java\JavaUpdater.exe"	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe	Queries volume information: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Queries volume information: C:\Windows\System32\Java\JavaUpdater.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Java\JavaUpdater.exe	Queries volume information: C:\Windows\System32\Java\JavaUpdater.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PatricksParabox.exe.bin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: PatricksParabox.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.PatricksParabox.exe.bin.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2156780665.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.912148419.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PatricksParabox.exe.bin.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JavaUpdater.exe PID: 5416, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\System32\Java\JavaUpdater.exe, type: DROPPED

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: PatricksParabox.exe.bin.exe, type: SAMPLE
Source: Yara match	File source: 0.0.PatricksParabox.exe.bin.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2156780665.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.912148419.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PatricksParabox.exe.bin.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JavaUpdater.exe PID: 5416, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\System32\Java\JavaUpdater.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	121 Masquerading	11 Input Capture	111 Security Software Discovery	Remote Services	11 Input Capture	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	51 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PatricksParabox.exe.bin.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
PatricksParabox.exe.bin.exe	71%	Virustotal		Browse
PatricksParabox.exe.bin.exe	100%	Avira	HEUR/AGEN.1305769

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\System32\Java\JavaUpdater.exe	100%	Avira	HEUR/AGEN.1305769
C:\Windows\System32\Java\JavaUpdater.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar

Name	IP	Active	Malicious	Reputation
prxprodquasar.zapto.org	2.83.126.58	true	true	unknown
ipwho.is	195.201.57.90	true	false	high
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.20	true	false	high
api.ipify.org	172.67.74.152	true	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	PatricksParabox.exe.bin.exe, JavaUpdater.exe.0.dr	false	high
https://api.ipify.org	JavaUpdater.exe, 00000004.00000002.2156780665.00000000032EE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/14436606/23354	PatricksParabox.exe.bin.exe, JavaUpdater.exe.0.dr	false	high
https://stackoverflow.com/q/2152978/23354sCannot	PatricksParabox.exe.bin.exe, JavaUpdater.exe.0.dr	false	high
https://ipwho.is/	PatricksParabox.exe.bin.exe, JavaUpdater.exe.0.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PatricksParabox.exe.bin.exe, 00000000.00000002.943648434.0000000003001000.00000004.00000800.00020000.00000000.sdmp, JavaUpdater.exe, 00000004.00000002.2156780665.0000000002F39000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ipwho.is	JavaUpdater.exe, 00000004.00000002.2156780665.00000000032E4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	PatricksParabox.exe.bin.exe, JavaUpdater.exe.0.dr	false	high
https://ipwho.is	JavaUpdater.exe, 00000004.00000002.2156780665.00000000032CA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.ipify.org	JavaUpdater.exe, 00000004.00000002.2156780665.00000000033B9000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
2.83.126.58	prxprodquasar.zapto.org	Portugal	3243	MEO-RESIDENCIALPT	true
195.201.57.90	ipwho.is	Germany	24940	HETZNER-ASDE	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1634108
Start date and time:	2025-03-10 19:49:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PatricksParabox.exe.bin.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/5@3/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 92% Number of executed functions: 55 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 88.221.110.121, 88.221.110.106
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, c.pki.goog, wu-b-net.trafficmanager.net, download.windowsupdate.com.edgesuite.net
Execution Graph export aborted for target JavaUpdater.exe, PID 3488 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:51:03	API Interceptor	3486492x Sleep call for process: JavaUpdater.exe modified
19:50:47	Task Scheduler	Run new task: {4EDFEAE6-A93B-4D56-A545-9519CB45D315} path: .
19:51:00	Task Scheduler	Run new task: Java Updater path: C:\Windows\system32\Java\JavaUpdater.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
195.201.57.90	sender.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	sender.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Flash_USDT_Sender.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Flash_USDT_Sender.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	SPt4FUjZMt.exe	Get hash	malicious	AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine	Browse	/?output=json
	765iYbgWn9.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	765iYbgWn9.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	WfKynArKjH.exe	Get hash	malicious	AsyncRAT, Luca Stealer, MicroClip, RedLine	Browse	/?output=json
	ubes6SC7Vd.exe	Get hash	malicious	Unknown	Browse	ipwhois.app/xml/
	cOQD62FceM.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	/?output=json
172.67.74.152	NightFixed 1.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	api.ipify.org/
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	api.ipify.org/
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	api.ipify.org/
	Editing.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Terms_of_reference_06_01_2025_samsung.scr.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Contract for Partners.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	JV4lf0wkWV.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=xml
	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=text

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwho.is	https://tron2wq18ufc.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	Bv8oZ8dqT5.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	FRoijLOGX5.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	xwM9kaAoeY.bat	Get hash	malicious	Unknown	Browse	195.201.57.90
	Loader.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	a3mJZekUZC.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	skf7iF4.bat	Get hash	malicious	Unknown	Browse	195.201.57.90
	Roe5bGkYQx.bat	Get hash	malicious	Unknown	Browse	195.201.57.90
	8zxVjLqLIw.bat	Get hash	malicious	Unknown	Browse	195.201.57.90
	vIJeWd58DS.bat	Get hash	malicious	Unknown	Browse	195.201.57.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	https://tron2wq18ufc.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	221036299-043825-sanlccjavap0004-6531.xls	Get hash	malicious	Unknown	Browse	5.161.200.29
	221036299-043825-sanlccjavap0004-6531.xls	Get hash	malicious	Unknown	Browse	5.161.200.29
	External.exe1.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
MEO-RESIDENCIALPT	a.elf	Get hash	malicious	Unknown	Browse	144.67.69.53
	u.elf	Get hash	malicious	Unknown	Browse	85.245.242.188
	5r3fqt67ew531has4231.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	188.81.46.181
	jklarm7.elf	Get hash	malicious	Unknown	Browse	85.245.197.7
	i686.elf	Get hash	malicious	Mirai	Browse	188.82.120.56
	nabarm7.elf	Get hash	malicious	Unknown	Browse	81.193.22.206
	jklarm7.elf	Get hash	malicious	Unknown	Browse	144.72.46.249
	sh4.elf	Get hash	malicious	Unknown	Browse	2.81.219.238
	mpsl.elf	Get hash	malicious	Unknown	Browse	85.243.50.122
	cbr.spc.elf	Get hash	malicious	Mirai	Browse	176.79.251.42
CLOUDFLARENETUS	tsles(x86).exe	Get hash	malicious	LummaC Stealer	Browse	104.21.93.40
	URGENT REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook	Browse	104.21.18.45
	https://ancollc.mrsnolas.com/	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://bmra.prfortesystems.com/qlnh	Get hash	malicious	Unknown	Browse	172.67.171.180
	freshbodyshop.ps1	Get hash	malicious	LummaC Stealer	Browse	172.67.153.47
	https://ancollc.mrsnolas.com/	Get hash	malicious	Unknown	Browse	1.1.1.1
	phish_alert_iocp_v1.4.48 - 2025-03-10T103931.828.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	bcmkHEAtULXzRyG.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	Fw Invitation for Eligibilitytrackingcalculators to Participate in Asset Growth.msg	Get hash	malicious	Unknown	Browse	162.159.134.42
	https://159.37.167.72.host.secureserver.net/y3qAxP.z/fZCS.JH.rVzHtO2y4BZnVbFtKvgy/g9wHi5aI6E/u0_110316__;!!MxXmjrCc_Bbh!G4rdY5yTB1smRq0XPJu6HXdxwP4WDp2MhHCMkzl2DxNzYmSyd10kGpYkCXGaH4BtO2HWpAciCDX1xp7-Zjy6iC3P1iFHwR34RbG1GMvmv7sI$	Get hash	malicious	Unknown	Browse	1.1.1.1

Process:	C:\Windows\System32\Java\JavaUpdater.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 73305 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	73305
Entropy (8bit):	7.996028107841645
Encrypted:	true
SSDEEP:	1536:krha8mqJ7v3CeFMz/akys7nSTK7QMuK+C/Oh5:kAOFq+Mba9Ok7C/O/
MD5:	83142242E97B8953C386F988AA694E4A
SHA1:	833ED12FC15B356136DCDD27C61A50F59C5C7D50
SHA-256:	D72761E1A334A754CE8250E3AF7EA4BF25301040929FD88CF9E50B4A9197D755
SHA-512:	BB6DA177BD16D163F377D9B4C63F6D535804137887684C113CC2F643CEAB4F34338C06B5A29213C23D375E95D22EF417EAC928822DFB3688CE9E2DE9D5242D10
Malicious:	false
Preview:	MSCF....Y.......,...................I.................;Za. .authroot.stl.98.?.6..CK..<Tk......4..c... .Ec...U.d.d.E&I.DH..M.KB."..rK.RQ..}f..f...}..1....9...........$.8q..fa...7.o.1.0...bfsM4.........u..l..0..4.a.t....0.....6#....n. :... ....%.,CQ5uU..(.3.<7#.0..JN.$...=j\|w...#.oU..Eq[..P..^..~.V...;..m...I\|...l..@-W..=.QQ.._./.M.nZ..(.........`.$Z.9wW:W.]..8E.......I.D{..n...K:.m..^.(.S.......c..s.y..<...2.%o.o.....H.B.R.....11.\|!.(...........h.SZ........<...^....Z>.Pp?... .pT@p.#.&..........#VEV=.....p........y..."T=l.n..egf.w..X.Y..-G...........KQ.]...pM..[m..-6.wd:........T...:.P5Zs....c.oT`..F1#......EuD.......7....V ..-....!.N..%S...k...S. ...@.J..../..b!B.(=\../.l......`.\...q9..>4!b..8EH.....zdy.....#...X>%0w...i.,>c.z.g"p.S..2W.+mMs.....5Def.....#._D.4....>}...i...\.&`D.......z;..ZY.3.+t.`....z_.q'w.z.)..j3.+.co.s..:.........qK...{...E....uPO...#vs.XxH.B!..(t. 8k+.....G\..?..GF8....'..w.>.ms..\ve.nFN..W)....xi..u..5.f.l....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\Java\JavaUpdater.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.189712167018517
Encrypted:	false
SSDEEP:	6:kK9rmcvSN+SkQlPlEGYRMY9z+4KlDA3RUeqpGVuys1:9mCkPlE99SNxAhUeq8S
MD5:	2F1B52E423628D28B7C9740103C7EDD9
SHA1:	E017EA251E2DFB2F2153A676E823D7AE67519F0B
SHA-256:	2ABD11041658C2D824E32A3746DC03DBF48F8CC3993E66B82C9910696DB603C9
SHA-512:	ABAE77C906E48E04E7E4C8099C3C737E93E3BA32CCC52F08C562484844B6E44DEFC43B01EE7DA5E173318E74E72C762B4E817E8B50C4127648000184ED829B8F
Malicious:	false
Preview:	p...... ...............(....................................................... ..................(...........Y...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".6.4.2.7.f.6.c.2.b.7.8.7.d.b.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JavaUpdater.exe.log

Download File

Process:	C:\Windows\System32\Java\JavaUpdater.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PatricksParabox.exe.bin.exe.log

Download File

Process:	C:\Users\user\Desktop\PatricksParabox.exe.bin.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Windows\System32\Java\JavaUpdater.exe

Download File

Process:	C:\Users\user\Desktop\PatricksParabox.exe.bin.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3369472
Entropy (8bit):	6.071772409635621
Encrypted:	false
SSDEEP:	98304:zvr62XlaSFNWPjljiFXRoUYITrUCgLEEa1:75ZY2gLEEa1
MD5:	0A717705A7797E35B6F5AF62FFE43ABB
SHA1:	4C823754C6CEBE13AE0AEC7BA874318F20445145
SHA-256:	C973B6A179D4477CC0D52CA84E6083A679988D991B53CB29573C75668B154F2E
SHA-512:	75D39A3FBBF3B6289330AAB45471D497DEC51D076DC96BF29B0BC526154BB9502745F08AEE14624BCA8C7B0F2C5822E2F81A8B959CD8348457015B06A2FE9EAD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Windows\System32\Java\JavaUpdater.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Windows\System32\Java\JavaUpdater.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Windows\System32\Java\JavaUpdater.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Windows\System32\Java\JavaUpdater.exe, Author: ditekshen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. ........................3...........@...................................1.O.....2.......................3...................................................... ............... ..H............text.....1.. ....1................. ..`.rsrc.........2.......1.............@..@.reloc........3......h3.............@..B..................1.....H........................k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(........0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.............--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.............-5..........08......f~w...,.~....(....(.....v.(.....s....}.....s....}....r..(......(.....(......(....*....0..L........{....r...po....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.071772409635621
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PatricksParabox.exe.bin.exe
File size:	3'369'472 bytes
MD5:	0a717705a7797e35b6f5af62ffe43abb
SHA1:	4c823754c6cebe13ae0aec7ba874318f20445145
SHA256:	c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e
SHA512:	75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead
SSDEEP:	98304:zvr62XlaSFNWPjljiFXRoUYITrUCgLEEa1:75ZY2gLEEa1
TLSH:	07F55A0037F85E6EE16AD27295B0533253F0E82AE363E70B2243766A5C5FB534C716A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. ........................3...........@................................

File Icon


Icon Hash:	2144293129440000

Static PE Info

General

Entrypoint:	0x71e3ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31e39c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x320000	0x1a108	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x33c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31c3f4	0x31c400	b057dffe82ea5743fd5359dc891e6a1c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x320000	0x1a108	0x1a200	a3fb235cf2ae37f061341e2379d165fc	False	0.06963965311004784	data	2.983403129928426	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x33c000	0xc	0x200	221440a5d95d2d9aec29428c5700ca78	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x320220	0xf42	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8297491039426523
RT_ICON	0x321164	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.019519697148941206
RT_ICON	0x33198c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.03212092583845064
RT_ICON	0x335bb4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.046265560165975106
RT_ICON	0x33815c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.06191369606003752
RT_ICON	0x339204	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.14804964539007093
RT_GROUP_ICON	0x33966c	0x5a	data	0.7666666666666667
RT_VERSION	0x3396c8	0x368	data	0.42545871559633025
RT_MANIFEST	0x339a30	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text	0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName	Steam
FileDescription	Steam Game
FileVersion	8.7.1.3
InternalName	patricks.exe
LegalCopyright	Steam Rights Reserved
LegalTrademarks	Steam Rights Reserved
OriginalFilename	patricks.exe
ProductName	Patrick's Parabox
ProductVersion	8.7.1.3
Assembly Version	8.7.1.3

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-10T19:51:05.208595+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	2.83.126.58	4782	192.168.2.8	49682	TCP
2025-03-10T19:51:05.208595+0100	2035595	ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert	1	2.83.126.58	4782	192.168.2.8	49682	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 19:51:04.347982883 CET	49682	4782	192.168.2.8	2.83.126.58
Mar 10, 2025 19:51:04.353166103 CET	4782	49682	2.83.126.58	192.168.2.8
Mar 10, 2025 19:51:04.353286982 CET	49682	4782	192.168.2.8	2.83.126.58
Mar 10, 2025 19:51:04.444763899 CET	49682	4782	192.168.2.8	2.83.126.58
Mar 10, 2025 19:51:04.449984074 CET	4782	49682	2.83.126.58	192.168.2.8
Mar 10, 2025 19:51:05.059266090 CET	4782	49682	2.83.126.58	192.168.2.8
Mar 10, 2025 19:51:05.059283018 CET	4782	49682	2.83.126.58	192.168.2.8
Mar 10, 2025 19:51:05.059365988 CET	49682	4782	192.168.2.8	2.83.126.58
Mar 10, 2025 19:51:05.199295998 CET	4782	49682	2.83.126.58	192.168.2.8
Mar 10, 2025 19:51:05.203208923 CET	49682	4782	192.168.2.8	2.83.126.58
Mar 10, 2025 19:51:05.208595037 CET	4782	49682	2.83.126.58	192.168.2.8
Mar 10, 2025 19:51:05.414777994 CET	4782	49682	2.83.126.58	192.168.2.8
Mar 10, 2025 19:51:05.463747978 CET	49682	4782	192.168.2.8	2.83.126.58
Mar 10, 2025 19:51:06.675029039 CET	49684	443	192.168.2.8	195.201.57.90
Mar 10, 2025 19:51:06.675055981 CET	443	49684	195.201.57.90	192.168.2.8
Mar 10, 2025 19:51:06.675134897 CET	49684	443	192.168.2.8	195.201.57.90
Mar 10, 2025 19:51:06.726196051 CET	49684	443	192.168.2.8	195.201.57.90
Mar 10, 2025 19:51:06.726221085 CET	443	49684	195.201.57.90	192.168.2.8
Mar 10, 2025 19:51:19.695430040 CET	49684	443	192.168.2.8	195.201.57.90
Mar 10, 2025 19:51:19.736358881 CET	443	49684	195.201.57.90	192.168.2.8
Mar 10, 2025 19:51:21.388262033 CET	49686	443	192.168.2.8	172.67.74.152
Mar 10, 2025 19:51:21.388315916 CET	443	49686	172.67.74.152	192.168.2.8
Mar 10, 2025 19:51:21.388386011 CET	49686	443	192.168.2.8	172.67.74.152
Mar 10, 2025 19:51:21.388641119 CET	49686	443	192.168.2.8	172.67.74.152
Mar 10, 2025 19:51:21.388649940 CET	443	49686	172.67.74.152	192.168.2.8
Mar 10, 2025 19:51:26.385518074 CET	49686	443	192.168.2.8	172.67.74.152
Mar 10, 2025 19:51:26.428354979 CET	443	49686	172.67.74.152	192.168.2.8
Mar 10, 2025 19:51:30.415824890 CET	49682	4782	192.168.2.8	2.83.126.58
Mar 10, 2025 19:51:30.421379089 CET	4782	49682	2.83.126.58	192.168.2.8
Mar 10, 2025 19:51:30.937504053 CET	49682	4782	192.168.2.8	2.83.126.58
Mar 10, 2025 19:51:30.943006992 CET	4782	49682	2.83.126.58	192.168.2.8
Mar 10, 2025 19:51:30.943084002 CET	49682	4782	192.168.2.8	2.83.126.58
Mar 10, 2025 19:51:30.948642969 CET	4782	49682	2.83.126.58	192.168.2.8
Mar 10, 2025 19:51:31.302701950 CET	4782	49682	2.83.126.58	192.168.2.8
Mar 10, 2025 19:51:31.353435040 CET	49682	4782	192.168.2.8	2.83.126.58
Mar 10, 2025 19:51:31.453798056 CET	4782	49682	2.83.126.58	192.168.2.8
Mar 10, 2025 19:51:31.509593010 CET	49682	4782	192.168.2.8	2.83.126.58
Mar 10, 2025 19:51:56.462713957 CET	49682	4782	192.168.2.8	2.83.126.58
Mar 10, 2025 19:51:56.468077898 CET	4782	49682	2.83.126.58	192.168.2.8
Mar 10, 2025 19:52:21.485048056 CET	49682	4782	192.168.2.8	2.83.126.58
Mar 10, 2025 19:52:21.490211964 CET	4782	49682	2.83.126.58	192.168.2.8
Mar 10, 2025 19:52:46.493976116 CET	49682	4782	192.168.2.8	2.83.126.58
Mar 10, 2025 19:52:46.499017954 CET	4782	49682	2.83.126.58	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 19:51:04.266575098 CET	62455	53	192.168.2.8	1.1.1.1
Mar 10, 2025 19:51:04.276406050 CET	53	62455	1.1.1.1	192.168.2.8
Mar 10, 2025 19:51:06.664335966 CET	52992	53	192.168.2.8	1.1.1.1
Mar 10, 2025 19:51:06.671875000 CET	53	52992	1.1.1.1	192.168.2.8
Mar 10, 2025 19:51:21.380501986 CET	55405	53	192.168.2.8	1.1.1.1
Mar 10, 2025 19:51:21.387729883 CET	53	55405	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 10, 2025 19:51:04.266575098 CET	192.168.2.8	1.1.1.1	0xd005	Standard query (0)	prxprodquasar.zapto.org	A (IP address)	IN (0x0001)	false
Mar 10, 2025 19:51:06.664335966 CET	192.168.2.8	1.1.1.1	0x20aa	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false
Mar 10, 2025 19:51:21.380501986 CET	192.168.2.8	1.1.1.1	0xd46a	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 10, 2025 19:51:04.276406050 CET	1.1.1.1	192.168.2.8	0xd005	No error (0)	prxprodquasar.zapto.org	2.83.126.58	A (IP address)	IN (0x0001)	false
Mar 10, 2025 19:51:06.671875000 CET	1.1.1.1	192.168.2.8	0x20aa	No error (0)	ipwho.is	195.201.57.90	A (IP address)	IN (0x0001)	false
Mar 10, 2025 19:51:21.387729883 CET	1.1.1.1	192.168.2.8	0xd46a	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Mar 10, 2025 19:51:21.387729883 CET	1.1.1.1	192.168.2.8	0xd46a	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Mar 10, 2025 19:51:21.387729883 CET	1.1.1.1	192.168.2.8	0xd46a	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Mar 10, 2025 19:51:38.366313934 CET	1.1.1.1	192.168.2.8	0x91f	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.20	A (IP address)	IN (0x0001)	false
Mar 10, 2025 19:51:38.366313934 CET	1.1.1.1	192.168.2.8	0x91f	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.210.23	A (IP address)	IN (0x0001)	false
Mar 10, 2025 19:51:38.366313934 CET	1.1.1.1	192.168.2.8	0x91f	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.34	A (IP address)	IN (0x0001)	false
Mar 10, 2025 19:51:38.366313934 CET	1.1.1.1	192.168.2.8	0x91f	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.210.39	A (IP address)	IN (0x0001)	false
Mar 10, 2025 19:51:38.366313934 CET	1.1.1.1	192.168.2.8	0x91f	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.18	A (IP address)	IN (0x0001)	false
Mar 10, 2025 19:51:38.366313934 CET	1.1.1.1	192.168.2.8	0x91f	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.36	A (IP address)	IN (0x0001)	false
Mar 10, 2025 19:51:38.366313934 CET	1.1.1.1	192.168.2.8	0x91f	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.19	A (IP address)	IN (0x0001)	false
Mar 10, 2025 19:51:38.366313934 CET	1.1.1.1	192.168.2.8	0x91f	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.35	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:50:57
Start date:	10/03/2025
Path:	C:\Users\user\Desktop\PatricksParabox.exe.bin.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PatricksParabox.exe.bin.exe"
Imagebase:	0xa80000
File size:	3'369'472 bytes
MD5 hash:	0A717705A7797E35B6F5AF62FFE43ABB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.912148419.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:51:00
Start date:	10/03/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
Imagebase:	0x7ff648d90000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:51:00
Start date:	10/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6e60e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:51:00
Start date:	10/03/2025
Path:	C:\Windows\System32\Java\JavaUpdater.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\Java\JavaUpdater.exe"
Imagebase:	0x9d0000
File size:	3'369'472 bytes
MD5 hash:	0A717705A7797E35B6F5AF62FFE43ABB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.2156780665.00000000033B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Windows\System32\Java\JavaUpdater.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Windows\System32\Java\JavaUpdater.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Windows\System32\Java\JavaUpdater.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Windows\System32\Java\JavaUpdater.exe, Author: ditekshen
Antivirus matches:	Detection: 100%, Avira Detection: 74%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	14:51:00
Start date:	10/03/2025
Path:	C:\Windows\System32\Java\JavaUpdater.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\Java\JavaUpdater.exe
Imagebase:	0xf60000
File size:	3'369'472 bytes
MD5 hash:	0A717705A7797E35B6F5AF62FFE43ABB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:51:01
Start date:	10/03/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
Imagebase:	0x7ff648d90000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:51:01
Start date:	10/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6e60e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PatricksParabox.exe.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JavaUpdater.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PatricksParabox.exe.bin.exe.log

C:\Windows\System32\Java\JavaUpdater.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
PatricksParabox.exe.bin.exe