
Analysis Report COVID-19 CDC Secon Outbreak Warning release.scr

Overview

General Information

Sample Name: COVID-19 CDC Secon Outbreak Warning release.scr (renamed file extension from scr to exe)
Analysis ID: 319976
MD5: db0d632b83738dfc64013b9b5b7c339e
SHA1: 2f9269bfc05473a6dce71c56d25b37d8b5490bcd
SHA256: 6fb60c80bdc9cd558a384b468dc8b8467fb2e02764728e6a0ebc28ca865f31f6
Tags: QuasarRAT, scr

Most interesting Screenshot:

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Quasar RAT
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • winrar.exe (PID: 6972 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe' MD5: DB0D632B83738DFC64013B9B5B7C339E)
    • winrar.exe (PID: 5256 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe MD5: DB0D632B83738DFC64013B9B5B7C339E)
  • winrar.exe (PID: 4576 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe' MD5: DB0D632B83738DFC64013B9B5B7C339E)
    • winrar.exe (PID: 5572 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe MD5: DB0D632B83738DFC64013B9B5B7C339E)
    • winrar.exe (PID: 5576 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe MD5: DB0D632B83738DFC64013B9B5B7C339E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x3df27:$s1: DoUploadAndExecute
  • 0x3e16b:$s2: DoDownloadAndExecute
  • 0x3dcec:$s3: DoShellExecute
  • 0x3e123:$s4: set_Processname
  • 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5748:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x61ae:$op3: 00 04 03 69 91 1B 40
  • 0x69fe:$op3: 00 04 03 69 91 1B 40
0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x42657:$s1: DoUploadAndExecute
  • 0x99477:$s1: DoUploadAndExecute
  • 0x4289b:$s2: DoDownloadAndExecute
  • 0x996bb:$s2: DoDownloadAndExecute
  • 0x4241c:$s3: DoShellExecute
  • 0x9923c:$s3: DoShellExecute
  • 0x42853:$s4: set_Processname
  • 0x99673:$s4: set_Processname
  • 0x9f54:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x60d74:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x9e78:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x60c98:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xa8de:$op3: 00 04 03 69 91 1B 40
  • 0xb12e:$op3: 00 04 03 69 91 1B 40
  • 0x616fe:$op3: 00 04 03 69 91 1B 40
  • 0x61f4e:$op3: 00 04 03 69 91 1B 40
00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x3df27:$s1: DoUploadAndExecute
  • 0x3e16b:$s2: DoDownloadAndExecute
  • 0x3dcec:$s3: DoShellExecute
  • 0x3e123:$s4: set_Processname
  • 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5748:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x61ae:$op3: 00 04 03 69 91 1B 40
  • 0x69fe:$op3: 00 04 03 69 91 1B 40

Unpacked PEs

Source | Rule | Description | Author | Strings
15.2.winrar.exe.400000.0.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth
  • 0x3ec0a:$x3: GetKeyloggerLogsResponse
  • 0x3de62:$x4: GetKeyloggerLogs
  • 0x3e13a:$s1: <RunHidden>k__BackingField
  • 0x3edd2:$s2: set_SystemInfos
  • 0x3e163:$s3: set_RunHidden
  • 0x3dc96:$s4: set_RemotePath
  • 0x56628:$s6: Client.exe
  • 0x566bc:$s6: Client.exe
  • 0x32029:$s7: xClient.Core.ReverseProxy.Packets
15.2.winrar.exe.400000.0.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth
  • 0x305c0:$x4: xClient.Properties.Resources.resources
  • 0x30481:$s4: Client.exe
  • 0x3e163:$s7: set_RunHidden
15.2.winrar.exe.400000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x3e127:$s1: DoUploadAndExecute
  • 0x3e36b:$s2: DoDownloadAndExecute
  • 0x3deec:$s3: DoShellExecute
  • 0x3e323:$s4: set_Processname
  • 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5948:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x63ae:$op3: 00 04 03 69 91 1B 40
  • 0x6bfe:$op3: 00 04 03 69 91 1B 40
15.2.winrar.exe.400000.0.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x3ec0a:$x1: GetKeyloggerLogsResponse
  • 0x3ee4a:$s1: DoShellExecuteResponse
  • 0x3e7b9:$s2: GetPasswordsResponse
  • 0x3ed1d:$s3: GetStartupItemsResponse
  • 0x3e13b:$s5: RunHidden
  • 0x3e159:$s5: RunHidden
  • 0x3e167:$s5: RunHidden
  • 0x3e17b:$s5: RunHidden
15.2.winrar.exe.400000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x4f649:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
  • 0x4f87f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...

      Sigma Overview

      No Sigma rule has matched

      Signature Overview


      AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: COVID-19 CDC Secon Outbreak Warning release.exe | Virustotal: Detection: 52%
Source: COVID-19 CDC Secon Outbreak Warning release.exe | ReversingLabs: Detection: 58%
Yara detected Quasar RAT
Source: Yara match | File source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: winrar.exe PID: 4576, type: MEMORY
Source: Yara match | File source: Process Memory Space: winrar.exe PID: 5256, type: MEMORY
Source: Yara match | File source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 5856, type: MEMORY
Source: Yara match | File source: Process Memory Space: winrar.exe PID: 5576, type: MEMORY
Source: Yara match | File source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 7040, type: MEMORY
Source: Yara match | File source: Process Memory Space: winrar.exe PID: 6972, type: MEMORY
Source: Yara match | File source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: COVID-19 CDC Secon Outbreak Warning release.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

      Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | TCP traffic: 192.168.2.4:49748 -> 185.244.26.221:4782
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 | Host: ip-api.com | Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: ip-api.com
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, winrar.exe, 00000005.00000002.807724606.0000000003528000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, winrar.exe, 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, winrar.exe, 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://api.ipify.org/
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, winrar.exe, 00000005.00000002.807724606.0000000003528000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, winrar.exe, 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, winrar.exe, 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://freegeoip.net/xml/
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp, COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, winrar.exe, 00000005.00000002.807724606.0000000003528000.00000004.00000001.sdmp, winrar.exe, 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, winrar.exe, 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, winrar.exe, 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ip-api.com/json/
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com4Ck
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://s.symcd.com06
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925473782.00000000032E3000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.925435864.000000000329C000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: COVID-19 CDC Secon Outbreak Warning release.exe | String found in binary or memory: https://www.globalsign.com/repository/0

      E-Banking Fraud:

Yara detected Quasar RAT
Source: Yara match | File source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: winrar.exe PID: 4576, type: MEMORY
Source: Yara match | File source: Process Memory Space: winrar.exe PID: 5256, type: MEMORY
Source: Yara match | File source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 5856, type: MEMORY
Source: Yara match | File source: Process Memory Space: winrar.exe PID: 5576, type: MEMORY
Source: Yara match | File source: Process Memory Space: COVID-19 CDC Secon Outbreak Warning release.exe PID: 7040, type: MEMORY
Source: Yara match | File source: Process Memory Space: winrar.exe PID: 6972, type: MEMORY
Source: Yara match | File source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE

      System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger | Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware | Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger | Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware | Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger | Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware | Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_02B11BE0
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_02B14598
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_02B10548
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05833450
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05838580
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05832DC8
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05832DD8
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05838570
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05837423
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05837430
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_02B11BE0
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_02B14598
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_02B10548
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05833450
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05838580
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05832DC8
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05832DD8
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05838570
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05837423
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 0_2_05837430
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_030FF090
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_030FF960
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_030FED48
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_058610B8
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_06CA4368
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_06CA7140
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_06CA8C08
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_07340FC3
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe, Code function: 3_2_07340040
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_0149FB50
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_0149F808
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_057E0548
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_057E1BE0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_057E4A50
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_057E9F71
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_057E47D8
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_057E47CB
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 5_2_057E9F80
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_0150FB50
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_015081E5
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_0150F808
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A1BE0
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A4A50
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A0548
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A4A40
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A9F73
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A47C8
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A47D8
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 9_2_016A9F80
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 13_2_02D1F090
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 13_2_02D1F960
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 13_2_02D1ED48
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 15_2_00F4F090
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 15_2_00F4F960
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe, Code function: 15_2_00F4ED48
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, Static PE information: invalid certificate
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: winrar.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: winrar.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.733655475.0000000004F90000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730445830.0000000003B51000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameEszbxlm.dll4 vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000000.658274471.0000000000778000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameXjrkkafy5.exe0 vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClassLibrary3.dll< vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000000.00000002.730193991.0000000002E97000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClient.exe" vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924756957.00000000011A8000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000000.722478373.0000000001008000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameXjrkkafy5.exe0 vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.927941569.0000000006640000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, 00000003.00000002.924643263.000000000045A000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameClient.exe" vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, Binary or memory string: OriginalFilenameXjrkkafy5.exe0 vs COVID-19 CDC Secon Outbreak Warning release.exe
      Source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000F.00000002.827897659.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000009.00000002.822302365.00000000040E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.924590953.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000D.00000002.808322166.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000005.00000002.808237163.00000000042C5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000009.00000002.822958398.00000000041C5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.730551537.0000000003C35000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 15.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 13.2.winrar.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: COVID-19 CDC Secon Outbreak Warning release.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: winrar.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: COVID-19 CDC Secon Outbreak Warning release.exe, u0001/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: winrar.exe.0.dr, u0001/u0008.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, ufffd?u23de?u2b96???ue028??ufd45???ufffd??ue0ca?.cs | Base64 encoded string: 'PWj6lHXDOxrLfwXNzfnaLMjOfzO9+W+4JxWWiTvfenV8SQApGzJ0Di/b8fuXcZ0M5PrXoL7V9sk8b6uX8xhtZw==', 'm0LUgy1TBJLS/Rv0+i1hOxLPRvKMsf09np12UQ5OrwBPWWSUYbRf+y9WQJ8KY1h7++uGSo0tWuw0x8ypgzipLl1b12b1d2xLp6CNHiFEtAk=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'T5995aiahDmRotzNR+wPzkhM3KlC5s/O43KC/1X3Cxu2swVztTyi14Z01j5qsLhy+ZSCP+lJl3YSu4KaMkTl74E6v3MGTgcDoCAikm98Vzg=', 'jLorJj8inqFdgz/bM7KXpwKX+vdTgIpVKMMjF72veNdt62nzBlqRLeihc0RWxDu4tSOd4DuvQwCqGcdB8QTCyQ=='
      Source: 13.2.winrar.exe.400000.0.unpack, ufffd?u23de?u2b96???ue028??ufd45???ufffd??ue0ca?.cs | Base64 encoded string: 'PWj6lHXDOxrLfwXNzfnaLMjOfzO9+W+4JxWWiTvfenV8SQApGzJ0Di/b8fuXcZ0M5PrXoL7V9sk8b6uX8xhtZw==', 'm0LUgy1TBJLS/Rv0+i1hOxLPRvKMsf09np12UQ5OrwBPWWSUYbRf+y9WQJ8KY1h7++uGSo0tWuw0x8ypgzipLl1b12b1d2xLp6CNHiFEtAk=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'T5995aiahDmRotzNR+wPzkhM3KlC5s/O43KC/1X3Cxu2swVztTyi14Z01j5qsLhy+ZSCP+lJl3YSu4KaMkTl74E6v3MGTgcDoCAikm98Vzg=', 'jLorJj8inqFdgz/bM7KXpwKX+vdTgIpVKMMjF72veNdt62nzBlqRLeihc0RWxDu4tSOd4DuvQwCqGcdB8QTCyQ=='
      Source: 15.2.winrar.exe.400000.0.unpack, ufffd?u23de?u2b96???ue028??ufd45???ufffd??ue0ca?.cs | Base64 encoded string: 'PWj6lHXDOxrLfwXNzfnaLMjOfzO9+W+4JxWWiTvfenV8SQApGzJ0Di/b8fuXcZ0M5PrXoL7V9sk8b6uX8xhtZw==', 'm0LUgy1TBJLS/Rv0+i1hOxLPRvKMsf09np12UQ5OrwBPWWSUYbRf+y9WQJ8KY1h7++uGSo0tWuw0x8ypgzipLl1b12b1d2xLp6CNHiFEtAk=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'T5995aiahDmRotzNR+wPzkhM3KlC5s/O43KC/1X3Cxu2swVztTyi14Z01j5qsLhy+ZSCP+lJl3YSu4KaMkTl74E6v3MGTgcDoCAikm98Vzg=', 'jLorJj8inqFdgz/bM7KXpwKX+vdTgIpVKMMjF72veNdt62nzBlqRLeihc0RWxDu4tSOd4DuvQwCqGcdB8QTCyQ=='
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.2.COVID-19 CDC Secon Outbreak Warning release.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 13.2.winrar.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 13.2.winrar.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 15.2.winrar.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 15.2.winrar.exe.400000.0.unpack, ???ue4ac??????u2370????ufd45?u2824uf246?.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/4@2/2
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_aEyHRwA2EwWBI7cCGO
      Source: COVID-19 CDC Secon Outbreak Warning release.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: COVID-19 CDC Secon Outbreak Warning release.exe | Virustotal: Detection: 52%
      Source: COVID-19 CDC Secon Outbreak Warning release.exe | ReversingLabs: Detection: 58%
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | File read: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
      Source: unknown | Process created: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe 'C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe'
      Source: unknown | Process created: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
      Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe'
      Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Process created: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe
      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winrar\winrar.exe
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
      Source: C:\Users\user\Desktop\COVID-19 CDC Secon Outbreak Warning release.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll