
Analysis Report FacebookSecurityUpdate.exe

Overview

General Information

Sample Name: FacebookSecurityUpdate.exe
Analysis ID: 397328
MD5: ac46ae63e68b470fc8fc80f6a74e7964
SHA1: 373a2d73c34c905b2a52257ed5d432f82e412fd7
SHA256: 1b12a22d5d562b59030df4697c4157a23766d0b34f9bd17a0ca7374e5a53e28c

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Quasar RAT
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to disable the Task Manager (.Net Source)
Creates autorun.inf (USB autostart)
Deletes shadow drive data (may be related to ransomware)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • FacebookSecurityUpdate.exe (PID: 5640 cmdline: 'C:\Users\user\Desktop\FacebookSecurityUpdate.exe' MD5: AC46AE63E68B470FC8FC80F6A74E7964)
    • FacebookSecurityUpdate.exe (PID: 5648 cmdline: 'C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe' MD5: 269E261FDBD4A955CB4591A39F3E08F4)
      • schtasks.exe (PID: 2644 cmdline: 'schtasks' /create /tn 'FacebookSecurityUpdate' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe' /rl HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • FacebookSecurityUpdate.exe (PID: 6124 cmdline: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe MD5: 269E261FDBD4A955CB4591A39F3E08F4)
        • schtasks.exe (PID: 580 cmdline: 'schtasks' /create /tn 'FacebookSecurityUpdate' /sc ONLOGON /tr 'C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe' /rl HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • FacebookSecurityUpdate.exe (PID: 3348 cmdline: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe MD5: 269E261FDBD4A955CB4591A39F3E08F4)
  • cleanup

Malware Configuration

Threatname: Quasar

{"Version": "1.4.0.0", "Host:Port": "84.38.133.101:14782;", "SubDirectory": "FacebookSecurityUpdate", "InstallName": "#za6H\"om,", "MutexName": "EhJ5YrFqRiwpbh4NdP", "StartupKey": "FacebookSecurityUpdate", "Tag": "SecurityHealthServices-WinRar", "LogDirectoryName": "Logs"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth
  • 0x3697a:$x3: GetKeyloggerLogsResponse
  • 0x35c51:$x4: GetKeyloggerLogs
  • 0x35eea:$s1: <RunHidden>k__BackingField
  • 0x36b42:$s2: set_SystemInfos
  • 0x35f13:$s3: set_RunHidden
  • 0x35aa6:$s4: set_RemotePath
  • 0x30971:$s7: xClient.Core.ReverseProxy.Packets
C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | xRAT_1 | Detects Patchwork malware | Florian Roth
  • 0x2f783:$x4: xClient.Properties.Resources.resources
  • 0x2f621:$s4: Client.exe
  • 0x35f13:$s7: set_RunHidden
C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x35ed7:$s1: DoUploadAndExecute
  • 0x360e5:$s2: DoDownloadAndExecute
  • 0x35cdb:$s3: DoShellExecute
  • 0x360aa:$s4: set_Processname
  • 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x7552:$op3: 00 04 03 69 91 1B 40
  • 0x7da2:$op3: 00 04 03 69 91 1B 40
C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x3697a:$x1: GetKeyloggerLogsResponse
  • 0x36bba:$s1: DoShellExecuteResponse
  • 0x36533:$s2: GetPasswordsResponse
  • 0x36a8d:$s3: GetStartupItemsResponse
  • 0x35eeb:$s5: RunHidden
  • 0x35f09:$s5: RunHidden
  • 0x35f17:$s5: RunHidden
  • 0x35f2b:$s5: RunHidden
C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x4011d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
  • 0x402ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
(5 of 9 entries shown)

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x35cd7:$s1: DoUploadAndExecute
  • 0x35ee5:$s2: DoDownloadAndExecute
  • 0x35adb:$s3: DoShellExecute
  • 0x35eaa:$s4: set_Processname
  • 0x69c8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x68ec:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x7352:$op3: 00 04 03 69 91 1B 40
  • 0x7ba2:$op3: 00 04 03 69 91 1B 40
00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x35cd7:$s1: DoUploadAndExecute
  • 0x35ee5:$s2: DoDownloadAndExecute
  • 0x35adb:$s3: DoShellExecute
  • 0x35eaa:$s4: set_Processname
  • 0x69c8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x68ec:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x7352:$op3: 00 04 03 69 91 1B 40
  • 0x7ba2:$op3: 00 04 03 69 91 1B 40
00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x3624f:$s1: DoUploadAndExecute
  • 0x8f097:$s1: DoUploadAndExecute
  • 0xe7ecf:$s1: DoUploadAndExecute
  • 0x3645d:$s2: DoDownloadAndExecute
  • 0x8f2a5:$s2: DoDownloadAndExecute
  • 0xe80dd:$s2: DoDownloadAndExecute
  • 0x36053:$s3: DoShellExecute
  • 0x8ee9b:$s3: DoShellExecute
  • 0xe7cd3:$s3: DoShellExecute
  • 0x36422:$s4: set_Processname
  • 0x8f26a:$s4: set_Processname
  • 0xe80a2:$s4: set_Processname
  • 0x6f40:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5fd88:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0xb8bc0:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x6e64:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x5fcac:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xb8ae4:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x78ca:$op3: 00 04 03 69 91 1B 40
  • 0x811a:$op3: 00 04 03 69 91 1B 40
  • 0x60712:$op3: 00 04 03 69 91 1B 40
(5 of 13 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth
  • 0x3697a:$x3: GetKeyloggerLogsResponse
  • 0x35c51:$x4: GetKeyloggerLogs
  • 0x35eea:$s1: <RunHidden>k__BackingField
  • 0x36b42:$s2: set_SystemInfos
  • 0x35f13:$s3: set_RunHidden
  • 0x35aa6:$s4: set_RemotePath
  • 0x30971:$s7: xClient.Core.ReverseProxy.Packets
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth
  • 0x2f783:$x4: xClient.Properties.Resources.resources
  • 0x2f621:$s4: Client.exe
  • 0x35f13:$s7: set_RunHidden
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x35ed7:$s1: DoUploadAndExecute
  • 0x360e5:$s2: DoDownloadAndExecute
  • 0x35cdb:$s3: DoShellExecute
  • 0x360aa:$s4: set_Processname
  • 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x7552:$op3: 00 04 03 69 91 1B 40
  • 0x7da2:$op3: 00 04 03 69 91 1B 40
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x3697a:$x1: GetKeyloggerLogsResponse
  • 0x36bba:$s1: DoShellExecuteResponse
  • 0x36533:$s2: GetPasswordsResponse
  • 0x36a8d:$s3: GetStartupItemsResponse
  • 0x35eeb:$s5: RunHidden
  • 0x35f09:$s5: RunHidden
  • 0x35f17:$s5: RunHidden
  • 0x35f2b:$s5: RunHidden
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x4011d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
  • 0x402ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
(5 of 76 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: FacebookSecurityUpdate.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe | Avira: detection malicious, Label: HEUR/AGEN.1135947
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | Avira: detection malicious, Label: HEUR/AGEN.1135947
Found malware configuration
Source: 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp | Malware Configuration Extractor: Quasar {"Version": "1.4.0.0", "Host:Port": "84.38.133.101:14782;", "SubDirectory": "FacebookSecurityUpdate", "InstallName": "#za6H\"om,", "MutexName": "EhJ5YrFqRiwpbh4NdP", "StartupKey": "FacebookSecurityUpdate", "Tag": "SecurityHealthServices-WinRar", "LogDirectoryName": "Logs"}
Multi AV Scanner detection for submitted file
Source: FacebookSecurityUpdate.exe | Virustotal: Detection: 57%
Source: FacebookSecurityUpdate.exe | ReversingLabs: Detection: 50%
Yara detected Quasar RAT
Source: Yara match | File source: 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.193556825.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.211316911.0000000000182000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.202485476.0000000000602000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 6124, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 5648, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 5640, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 3348, type: MEMORY
Source: Yara match | File source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED
Source: Yara match | File source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: FacebookSecurityUpdate.exe | Joe Sandbox ML: detected

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | Unpacked PE file: 0.2.FacebookSecurityUpdate.exe.b00000.0.unpack
Source: FacebookSecurityUpdate.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: FacebookSecurityUpdate.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Spreading:

Creates autorun.inf (USB autostart)
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | File created: C:\autorun.inf
Source: FacebookSecurityUpdate.exe, 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp | Binary or memory string: autorun.inf.exe
Source: FacebookSecurityUpdate.exe, 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp | Binary or memory string: [AutoRun]
Source: FacebookSecurityUpdate.exe | Binary or memory string: [AutoRun]
Source: FacebookSecurityUpdate.exe | Binary or memory string: autorun.inf
Source: FacebookSecurityUpdate.exe, 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp | Binary or memory string: autorun.inf.exe
Source: FacebookSecurityUpdate.exe | Binary or memory string: [AutoRun]
Source: FacebookSecurityUpdate.exe | Binary or memory string: autorun.inf
Source: FacebookSecurityUpdate.exe, 00000005.00000002.459478315.0000000002B7A000.00000004.00000001.sdmp | Binary or memory string: l[AutoRun]
Source: FacebookSecurityUpdate.exe, 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp | Binary or memory string: autorun.inf.exe
Source: FacebookSecurityUpdate.exe | Binary or memory string: autorun.inf
Source: FacebookSecurityUpdate.exe | Binary or memory string: [AutoRun]
Source: FacebookSecurityUpdate.exe, 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp | Binary or memory string: autorun.inf.exe
Source: autorun.inf.5.dr | Binary or memory string: [AutoRun]
Source: FacebookSecurityUpdate.exe.0.dr | Binary or memory string: autorun.inf.exe
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 84.38.133.101
Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 84.38.133.101 ports 14782,1,2,4,7,8
May check the online IP address of the machine
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe | DNS query: name: ip-api.com
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | DNS query: name: ip-api.com
Source: global traffic | TCP traffic: 192.168.2.3:49709 -> 84.38.133.101:14782
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: DATACLUB-NL
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0; Host: ip-api.com; Connection: Keep-Alive (2 identical requests)
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101 (15 connections)
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0; Host: ip-api.com; Connection: Keep-Alive (2 identical requests)
Source: unknown | DNS traffic detected: queries for: ip-api.com
Source: FacebookSecurityUpdate.exe, FacebookSecurityUpdate.exe, 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, FacebookSecurityUpdate.exe.0.dr | String found in binary or memory: http://api.ipify.org/
Source: FacebookSecurityUpdate.exe, FacebookSecurityUpdate.exe, 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, FacebookSecurityUpdate.exe.0.dr | String found in binary or memory: http://freegeoip.net/xml/
Source: FacebookSecurityUpdate.exe, 00000002.00000002.203567334.000000000322E000.00000004.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.459447063.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com
Source: FacebookSecurityUpdate.exe, FacebookSecurityUpdate.exe, 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, FacebookSecurityUpdate.exe.0.dr | String found in binary or memory: http://ip-api.com/json/
Source: FacebookSecurityUpdate.exe, 00000002.00000002.203567334.000000000322E000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com4
Source: FacebookSecurityUpdate.exe, 00000002.00000002.203600363.000000000327D000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org
Source: FacebookSecurityUpdate.exe, 00000002.00000002.203600363.000000000327D000.00000004.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.459478315.0000000002B7A000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: FacebookSecurityUpdate.exe, 00000002.00000002.203600363.000000000327D000.00000004.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.459478315.0000000002B7A000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/xClient.Core.Data
Source: FacebookSecurityUpdate.exe, 00000002.00000002.203567334.000000000322E000.00000004.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.459447063.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe

E-Banking Fraud:

Yara detected Quasar RAT
Source: Yara match | File source: 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.193556825.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.211316911.0000000000182000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.202485476.0000000000602000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 6124, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 5648, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 5640, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 3348, type: MEMORY
Source: Yara match | File source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED
Source: Yara match | File source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack, type: UNPACKEDPE

Spam, unwanted Advertisements and Ransom Demands:

Deletes shadow drive data (may be related to ransomware)
Source: FacebookSecurityUpdate.exe, 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp | Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet
Source: FacebookSecurityUpdate.exe | Binary or memory string: /C vssadmin.exe Delete Shadows /All /Quiet
Source: FacebookSecurityUpdate.exe, 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp | Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet
Source: FacebookSecurityUpdate.exe | Binary or memory string: /C vssadmin.exe Delete Shadows /All /Quiet
Source: FacebookSecurityUpdate.exe, 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp | Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet
Source: FacebookSecurityUpdate.exe | Binary or memory string: /C vssadmin.exe Delete Shadows /All /Quiet
Source: FacebookSecurityUpdate.exe, 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp | Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet
Source: FacebookSecurityUpdate.exe.0.dr | Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000002.00000000.193556825.0000000000D92000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000006.00000002.211316911.0000000000182000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000005.00000000.202485476.0000000000602000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Patchwork malware Author: Florian Roth
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Patchwork malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE | Matched rule: Detects ma