Source: 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp | Malware Configuration Extractor: MassLogger {"Version": " v3.0.7563.31381", "FtpEnable": "false", "FtpHost": "null", "FtpUser": "null", "FtpPass": "null", "FtpPort": "21", "EmailEnable": "true", "EmailAddress": "jrepublic@keithwilliamgroup.com", "EmailSendTo": "jrepublic@keithwilliamgroup.com", "EmailPass": "[5K%E!Tp3[UZC", "EmailPort": "587", "EmailSsl": "True", "EmailClient": "mail.privateemail.com", "PanelEnable": "false", "PanelHost": "null", "ExitAfterDelivery": "false", "SelfDestruct": "false", "Mutex": "Rwbbvff", "EnableMutex": "false", "EnableAntiSandboxie": "false", "EnableAntiVMware": "false", "EnableAntiDebugger": "false", "EnableWDExclusion": "false", "EnableSearchAndUpload": "false", "EnableKeylogger": "true", "EnableBrowserRecovery": "true", "EnableScreenshot": "false", "EnableForceUac": "false", "EnableBotKiller": "false", "EnableDeleteZoneIdentifier": "false", "EnableMemoryScan": "false", "EnableAntiHoneypot": "false", "EnableOnlySendWhenPassword": "true", "ExectionDelay": "1", "SendingInterval": "1", "EnableDownloader": "false", "DownloaderUrl": "Crizp", "DownloaderFilename": "Thuocfx", "DownloaderOnce": "false", "EnableBinder": "false", "BinderBytes": "AAAAAAAA", "BinderName": "Nhwsufe_Nraotd", "BinderOnce": "false", "EnableInstall": "false", "InstallFolder": "%AppData%", "InstallSecondFolder": "Fafhhdkyp", "InstallFile": "Ldstwm"} |
Source: Quot_466378-09.exe, 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org |
Source: Quot_466378-09.exe, 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.org/ |
Source: Quot_466378-09.exe, 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp | String found in binary or memory: http://api.ipify.orgD |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com |
Source: Quot_466378-09.exe, 00000000.00000002.268570380.0000000002B11000.00000004.00000001.sdmp, Quot_466378-09.exe, 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml |
Source: Quot_466378-09.exe, 00000000.00000003.250068812.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com |
Source: Quot_466378-09.exe, 00000000.00000003.239283146.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/ |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/? |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp, Quot_466378-09.exe, 00000000.00000003.239744218.00000000080B5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8 |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers? |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG |
Source: Quot_466378-09.exe, 00000000.00000003.239661339.00000000080AE000.00000004.00000001.sdmp, Quot_466378-09.exe, 00000000.00000003.239283146.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF |
Source: Quot_466378-09.exe, 00000000.00000003.240123865.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comOlk |
Source: Quot_466378-09.exe, 00000000.00000003.250068812.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma |
Source: Quot_466378-09.exe, 00000000.00000003.240415845.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcom |
Source: Quot_466378-09.exe, 00000000.00000003.240415845.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomF |
Source: Quot_466378-09.exe, 00000000.00000003.239661339.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd |
Source: Quot_466378-09.exe, 00000000.00000003.239499557.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd#lO |
Source: Quot_466378-09.exe, 00000000.00000003.239641105.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdlm |
Source: Quot_466378-09.exe, 00000000.00000003.240370227.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comed |
Source: Quot_466378-09.exe, 00000000.00000003.239661339.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessed |
Source: Quot_466378-09.exe, 00000000.00000003.250068812.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgreta |
Source: Quot_466378-09.exe, 00000000.00000003.239283146.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgrita |
Source: Quot_466378-09.exe, 00000000.00000003.240415845.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comituo |
Source: Quot_466378-09.exe, 00000000.00000003.239187124.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comsiefOlk |
Source: Quot_466378-09.exe, 00000000.00000003.240415845.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comuj |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe |
Source: Quot_466378-09.exe, 00000000.00000003.235916125.000000000807A000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnG |
Source: Quot_466378-09.exe, 00000000.00000003.241217841.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/ |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr |
Source: Quot_466378-09.exe, 00000000.00000003.237364020.00000000080AE000.00000004.00000001.sdmp, Quot_466378-09.exe, 00000000.00000003.237708764.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
Source: Quot_466378-09.exe, 00000000.00000003.239045901.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/#lO |
Source: Quot_466378-09.exe, 00000000.00000003.237364020.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/1l= |
Source: Quot_466378-09.exe, 00000000.00000003.238084992.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/8lD |
Source: Quot_466378-09.exe, 00000000.00000003.237364020.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Olk |
Source: Quot_466378-09.exe, 00000000.00000003.238084992.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0 |
Source: Quot_466378-09.exe, 00000000.00000003.238084992.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/ |
Source: Quot_466378-09.exe, 00000000.00000003.236641430.00000000080AC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/l |
Source: Quot_466378-09.exe, 00000000.00000003.237364020.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/lm |
Source: Quot_466378-09.exe, 00000000.00000003.236641430.00000000080AC000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u |
Source: Quot_466378-09.exe, 00000000.00000003.240903567.00000000080AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype. |
Source: Quot_466378-09.exe, 00000000.00000003.241061599.0000000008093000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.R |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr |
Source: Quot_466378-09.exe, 00000000.00000003.236032290.0000000008079000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro. |
Source: Quot_466378-09.exe, 00000000.00000003.236032290.0000000008079000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.# |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease |
Source: Quot_466378-09.exe, 00000000.00000002.282310763.0000000009282000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn |
Source: Quot_466378-09.exe, 00000006.00000002.501099806.00000000034A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.youtube.com/watch?v=Qxk6cu21JSg |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_01202208 | 0_2_01202208 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_01200470 | 0_2_01200470 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_01200FB0 | 0_2_01200FB0 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_01203150 | 0_2_01203150 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_012017F1 | 0_2_012017F1 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_01209B60 | 0_2_01209B60 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_01202041 | 0_2_01202041 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_01204088 | 0_2_01204088 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_01204098 | 0_2_01204098 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_01200F1B | 0_2_01200F1B |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_01204ED9 | 0_2_01204ED9 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_012030C3 | 0_2_012030C3 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_012052C8 | 0_2_012052C8 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_012052D8 | 0_2_012052D8 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_01205469 | 0_2_01205469 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_01205478 | 0_2_01205478 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_01209B50 | 0_2_01209B50 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_04B155A4 | 0_2_04B155A4 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_04B1C160 | 0_2_04B1C160 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_04B1C150 | 0_2_04B1C150 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_017F0820 | 6_2_017F0820 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_017F5C47 | 6_2_017F5C47 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_017F04D8 | 6_2_017F04D8 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_017F04C9 | 6_2_017F04C9 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_017F0813 | 6_2_017F0813 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_03482288 | 6_2_03482288 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_034819B8 | 6_2_034819B8 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_0348AB8B | 6_2_0348AB8B |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_0348AB98 | 6_2_0348AB98 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_03485778 | 6_2_03485778 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_03481670 | 6_2_03481670 |
Source: Quot_466378-09.exe, 00000000.00000002.278461604.0000000005E20000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Quot_466378-09.exe |
Source: Quot_466378-09.exe, 00000000.00000002.282564626.0000000009660000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Quot_466378-09.exe |
Source: Quot_466378-09.exe, 00000000.00000002.267789126.0000000000884000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDH/f7.exeF vs Quot_466378-09.exe |
Source: Quot_466378-09.exe, 00000000.00000002.268570380.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs Quot_466378-09.exe |
Source: Quot_466378-09.exe, 00000000.00000002.268570380.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMetroFramework.dll> vs Quot_466378-09.exe |
Source: Quot_466378-09.exe, 00000000.00000002.268570380.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename" vs Quot_466378-09.exe |
Source: Quot_466378-09.exe, 00000000.00000002.278985246.0000000006190000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Quot_466378-09.exe |
Source: Quot_466378-09.exe, 00000000.00000002.278432380.0000000005B30000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Quot_466378-09.exe |
Source: Quot_466378-09.exe, 00000000.00000002.278432380.0000000005B30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Quot_466378-09.exe |
Source: Quot_466378-09.exe, 00000000.00000002.268134442.0000000000EE9000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Quot_466378-09.exe |
Source: Quot_466378-09.exe, 00000006.00000000.262780503.0000000000FD4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDH/f7.exeF vs Quot_466378-09.exe |
Source: Quot_466378-09.exe, 00000006.00000002.506492542.0000000006DA9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Quot_466378-09.exe |
Source: Quot_466378-09.exe, 00000006.00000002.496667665.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilename" vs Quot_466378-09.exe |
Source: Quot_466378-09.exe | Binary or memory string: OriginalFilenameDH/f7.exeF vs Quot_466378-09.exe |
Source: 00000006.00000002.496667665.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000000.00000002.272699387.0000000003B11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 6.2.Quot_466378-09.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.Quot_466378-09.exe.3d67468.3.raw.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.Quot_466378-09.exe.3ce6e48.2.raw.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_00704351 push eax; ret | 0_2_0070439C |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_007024D6 push ecx; iretd | 0_2_007024D7 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_007027D7 push 86DF6B68h; retf | 0_2_007027E7 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_00702B83 push ebx; iretd | 0_2_00702C24 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_0070558A pushfd ; retf | 0_2_00705592 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_04B12404 push E802005Eh; ret | 0_2_04B12409 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_04B13452 pushfd ; ret | 0_2_04B13459 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_04B140A0 push esp; retf | 0_2_04B140A1 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 0_2_04B111B9 push eax; mov dword ptr [esp], edx | 0_2_04B111CC |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_00E527D7 push 86DF6B68h; retf | 6_2_00E527E7 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_00E524D6 push ecx; iretd | 6_2_00E524D7 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_00E52B83 push ebx; iretd | 6_2_00E52C24 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_00E5558A pushfd ; retf | 6_2_00E55592 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_00E54351 push eax; ret | 6_2_00E5439C |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_0348DA8C push FFFFFF8Bh; retf | 6_2_0348DA8F |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Code function: 6_2_0348FF2E push es; ret | 6_2_0348FF30 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time (ms): 922337203685477 (identical row repeated 2 times) |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time (ms), 34 consecutive calls, each shorter than the previous by 109 to 204 ms: 3600000, 3599844, 3599656, 3599500, 3599360, 3599156, 3598985, 3598860, 3598750, 3598641, 3598485, 3598360, 3598203, 3598078, 3597953, 3597797, 3597656, 3597547, 3597360, 3597188, 3597047, 3596906, 3596750, 3596610, 3596469, 3596360, 3596203, 3596094, 3595985, 3595860, 3595735, 3595610, 3595453, 3595344 |
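The error-mode and thread-delay rows above are the raw material for a time-based-evasion verdict, and two details are worth checking rather than eyeballing. First, 922337203685477 is not a duration anyone typed: it equals TimeSpan.MaxValue expressed in whole milliseconds ((2^63 - 1) ticks of 100 ns, integer-divided by 10000), so that row is an unbounded wait. Second, a 3600000 ms (one hour) wait followed by a run of waits that each shrink by roughly 100 to 200 ms is what a loop produces when it recomputes "deadline minus now" every time the previous sleep returns early, which is how a sample keeps waiting out a sandbox that shortens sleeps. NOOPENFILEERRORBOX, by contrast, only suppresses the "file not found" dialog and is set by many legitimate programs and runtimes; on its own it is a weak indicator. The script below is an added example, not part of the report or of any sandbox vendor's code: it parses rows in the shape shown above (SAMPLE_ROWS is a constructed subset of them), recognises the TimeSpan.MaxValue sentinel, flags waits that outlive an assumed 5-minute analysis budget, and detects the re-armed sleep loop. The function names, the budget constant and the tag names are this example's own choices.

```python
import re

# TimeSpan.MaxValue in milliseconds: 2**63-1 ticks of 100 ns, integer-divided by 10_000.
# A managed wait of TimeSpan.MaxValue shows up in a behaviour log as this value,
# so a "delay time: 922337203685477" row is an unbounded wait, not a real duration.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # == 922337203685477

# Assumption for this example: the analysis VM runs the sample for 5 minutes.
SANDBOX_BUDGET_MS = 5 * 60 * 1000

# Constructed input, shaped like the behaviour rows of the report above (a subset of them).
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3600000 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3599844 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3599656 |
Source: C:\Users\user\Desktop\Quot_466378-09.exe | Thread delayed: delay time: 3599500 |
"""

ROW_RE = re.compile(r"^Source:\s*(?P<source>.*?)\s*\|\s*(?P<event>.*?)\s*\|?\s*$")
DELAY_RE = re.compile(r"Thread delayed: delay time: (?P<ms>\d+)")
ERRMODE_RE = re.compile(r"Process information set: (?P<flag>[A-Z_]+)")


def parse_rows(text):
    """Split report rows into (source, event) pairs, skipping lines that are not rows."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group("source"), m.group("event")))
    return rows


def is_unbounded_wait(ms):
    """True when a reported delay is the TimeSpan.MaxValue sentinel rather than a duration."""
    return ms >= TIMESPAN_MAX_MS


def analyse(rows, budget_ms=SANDBOX_BUDGET_MS):
    """Summarise error-mode changes and sleep behaviour from parsed rows."""
    delays = []
    errmode_flags = []
    for _, event in rows:
        d = DELAY_RE.search(event)
        if d:
            delays.append(int(d.group("ms")))
            continue
        e = ERRMODE_RE.search(event)
        if e:
            errmode_flags.append(e.group("flag"))

    finite = [ms for ms in delays if not is_unbounded_wait(ms)]
    unbounded = len(delays) - len(finite)

    # Inference, not a fact from the log: a run of strictly decreasing delays, each
    # shorter than the last by well under a second, is what a loop produces when it
    # recomputes "deadline - now" every time the previous wait returns early
    # (for instance because the sandbox shortens sleeps).
    steps = [a - b for a, b in zip(finite, finite[1:])]
    rearmed = len(steps) >= 3 and all(0 < s < 1000 for s in steps)

    tags = []
    if unbounded:
        tags.append("unbounded_wait")
    if finite and max(finite) > budget_ms:
        tags.append("time_based_evasion")     # a single wait outlives the analysis run
    if rearmed:
        tags.append("rearmed_sleep_loop")
    if "NOOPENFILEERRORBOX" in errmode_flags:
        tags.append("error_box_suppressed")   # weak on its own; many benign programs set it

    return {
        "error_mode_calls": len(errmode_flags),
        "unbounded_waits": unbounded,
        "longest_finite_sleep_ms": max(finite) if finite else 0,
        "finite_sleep_total_ms": sum(finite),
        "rearmed_sleep_loop": rearmed,
        "tags": tags,
    }


if __name__ == "__main__":
    for key, value in analyse(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

Run against the full row set above, the same logic reports one hour as the longest finite wait, two unbounded waits, and a 34-step re-armed loop; the "error_box_suppressed" tag is kept separate from the evasion tags on purpose so it can be weighted down or ignored when scoring.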
Source: |