Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 756299
MD5: 2816bacd01b0d8c48f1d8714c6aa6f0f
SHA1: 474ae88d9cf093dcb9789cb7b79513e0dbd38388
SHA256: 637720ba1437fd6dea873e56a6a1d7bb3c663e490abc4e406e3817dd2eb82c4f
Tags: exe

Detection

BrowserHistorySpy Tool, Quasar
Score: 38
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Compliance

Score: 50
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Quasar RAT
Query firmware table information (likely to detect VMs)
Changes security center settings (notifications, updates, antivirus, firewall)
May drop file containing decryption instructions (likely related to ransomware)
Writes many files with high entropy
Yara detected BrowserHistorySpy Tool by SecurityXploded
Uses 32bit PE files
Creates files inside the driver directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Stores large binary data to the registry
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
OS version to string mapping found (often used in BOTs)
Enables driver privileges
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Creates driver files
Contains capabilities to detect virtual machines
Enables security privileges
Registers a DLL
Creates or modifies windows services
Queries disk information (often used to detect virtual machines)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • System is w10x64
  • file.exe (PID: 5244 cmdline: C:\Users\user\Desktop\file.exe MD5: 2816BACD01B0D8C48F1D8714C6AA6F0F)
    • sc.exe (PID: 680 cmdline: C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel" MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 5640 cmdline: C:\Windows\System32\sc.exe description EsgShKernel "SpyHunter 5 Kernel" MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 5744 cmdline: C:\Windows\System32\sc.exe create ShMonitor start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe\"" DisplayName= "SpyHunter 5 Kernel Monitor" MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 5852 cmdline: C:\Windows\System32\sc.exe description ShMonitor "SpyHunter 5 Kernel Monitor" MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 1788 cmdline: C:\Windows\System32\sc.exe config ShMonitor start= auto MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • sc.exe (PID: 6020 cmdline: C:\Windows\System32\sc.exe config EsgShKernel start= auto MD5: D79784553A9410D15E04766AAAB77CD6)
      • conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • regsvr32.exe (PID: 2108 cmdline: C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • EsgInstallerDelay__0.exe (PID: 64 cmdline: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args MHLPvv2eVF5BDDAj57kaKhLlRzVl3TCPBu81sCtfDvA= -wait 300 MD5: EDCE372DE488AA221DA7DB7544C09B3E)
      • conhost.exe (PID: 1332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • sc.exe (PID: 5312 cmdline: C:\Windows\System32\sc.exe start EsgShKernel -tt_on MD5: D79784553A9410D15E04766AAAB77CD6)
    • EsgInstallerDelay__1.exe (PID: 2348 cmdline: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args hOGTiE/QHFPjrWqL1njGygtJtFEVLgswO/2BlkHQX4U= -wait 300 MD5: EDCE372DE488AA221DA7DB7544C09B3E)
      • conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • sc.exe (PID: 5100 cmdline: C:\Windows\System32\sc.exe start ShMonitor MD5: D79784553A9410D15E04766AAAB77CD6)
  • svchost.exe (PID: 5288 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)