Analysis Report New variant of covid 19.exe
Overview
General Information
Detection
Quasar

Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
System process connects to network (likely due to code injection or exploit)
Yara detected Quasar RAT
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign process
May check the online IP address of the machine
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to delay execution (extensive OutputDebugStringW loop)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Searches for user specific document files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Startup

Malware Configuration
No configs have been found

Yara Overview

Memory Dumps
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | |
| | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
| | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
Unpacked PEs

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth | |
| | xRAT_1 | Detects Patchwork malware | Florian Roth | |
| | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth | |
| | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth | |
| | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | |
Sigma Overview

System Summary:

Sigma rule | Source | Author |
---|---|---|
Executables Started in Suspicious Folder | | Florian Roth |
Execution in Non-Executable Folder | | Florian Roth |
Suspicious Program Location Process Starts | | Florian Roth |
Suspicious Svchost Process | | Florian Roth |
System File Execution Location Anomaly | | Florian Roth, Patrick Bareiss |
Windows Processes Suspicious Parent Directory | | vburov |
Signature Overview
AV Detection:

Multi AV Scanner detection for domain / URL

Source | Evidence |
---|---|
| | Virustotal |

Yara detected Quasar RAT

Source | Evidence |
---|---|
| | File source |
| | Static PE information |
Networking:

May check the online IP address of the machine

Source | Evidence |
---|---|
| | DNS query |
| | TCP traffic |
| | IP Address |
| | ASN Name |
| | HTTP traffic detected |
| | String found in binary or memory |