
Windows Analysis Report
HDPh51eN5s

Overview

General Information

Sample Name: HDPh51eN5s (renamed file extension from none to exe)
Analysis ID: 679249
MD5: 1fb5d967f92174e0bbb15262f8cd209f
SHA1: 76fbd5b88154976887b5099c21666ca3be2cd76e
SHA256: 740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024
Tags: exe

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Sigma detected: Schedule system process
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Yara detected Quasar RAT
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)
Contains functionality to detect virtual machines (SGDT)

Classification

  • System is w10x64
  • HDPh51eN5s.exe (PID: 4684 cmdline: "C:\Users\user\Desktop\HDPh51eN5s.exe" MD5: 1FB5D967F92174E0BBB15262F8CD209F)
    • schtasks.exe (PID: 2916 cmdline: "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Users\user\Desktop\HDPh51eN5s.exe" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • MpCmdRun.exe (PID: 4276 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
          • conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RuntimeBroker.exe (PID: 5824 cmdline: C:\Windows\system32\Windows\RuntimeBroker.exe MD5: 1FB5D967F92174E0BBB15262F8CD209F)
      • schtasks.exe (PID: 6276 cmdline: "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Windows\system32\Windows\RuntimeBroker.exe" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
        • conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • HDPh51eN5s.exe (PID: 6020 cmdline: C:\Users\user\Desktop\HDPh51eN5s.exe MD5: 1FB5D967F92174E0BBB15262F8CD209F)
  • cleanup
No configs have been found
Yara matches in process memory dumps

Source | Rule | Description | Author | Strings
  • 00000007.00000002.401638486.0000000012E41000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  • 00000000.00000002.277374012.00000000134FA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  • 00000000.00000003.251870111.000000001584C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  • 00000006.00000003.289424719.0000000015501000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  • 00000000.00000002.303504388.000000001C3E0000.00000004.08000000.00040000.00000000.sdmp | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | 0x41b939:$x1: Quasar.Common.Messages; 0x41d00b:$x1: Quasar.Common.Messages
  (4 further entries not shown)

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
  • 0.2.HDPh51eN5s.exe.1c3e0000.3.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | 0x41b939:$x1: Quasar.Common.Messages; 0x41d00b:$x1: Quasar.Common.Messages
  • 0.2.HDPh51eN5s.exe.1c3e0000.3.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  • 0.2.HDPh51eN5s.exe.1c3e0000.3.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | 0x419d39:$x1: Quasar.Common.Messages; 0x41b40b:$x1: Quasar.Common.Messages
  • 0.2.HDPh51eN5s.exe.1c3e0000.3.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Windows\system32\Windows\RuntimeBroker.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Windows\system32\Windows\RuntimeBroker.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\system32\Windows\RuntimeBroker.exe, ParentImage: C:\Windows\System32\Windows\RuntimeBroker.exe, ParentProcessId: 5824, ParentProcessName: RuntimeBroker.exe, ProcessCommandLine: "schtasks" /create /tn "Google Update" /sc ONLOGON /tr "C:\Windows\system32\Windows\RuntimeBroker.exe" /rl HIGHEST /f, ProcessId: 6276, ProcessName: schtasks.exe
No Snort rule has matched


AV Detection

Source: HDPh51eN5s.exe | Virustotal: Detection: 35%
Source: HDPh51eN5s.exe | Metadefender: Detection: 31%
Source: HDPh51eN5s.exe | ReversingLabs: Detection: 76%
Source: C:\Windows\System32\Windows\RuntimeBroker.exe | Virustotal: Detection: 35%
Source: C:\Windows\System32\Windows\RuntimeBroker.exe | Metadefender: Detection: 31%
Source: C:\Windows\System32\Windows\RuntimeBroker.exe | ReversingLabs: Detection: 76%
Source: Yara match | File source: 0.2.HDPh51eN5s.exe.1c3e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HDPh51eN5s.exe.1c3e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.401638486.0000000012E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.277374012.00000000134FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.251870111.000000001584C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.289424719.0000000015501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.303504388.000000001C3E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HDPh51eN5s.exe PID: 4684, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 5824, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HDPh51eN5s.exe PID: 6020, type: MEMORYSTR
Source: HDPh51eN5s.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\Windows\RuntimeBroker.exe | Joe Sandbox ML: detected

Compliance
