Edit tour

Windows Analysis Report
fontdrvhost.exe

Overview

General Information

Sample Name:	fontdrvhost.exe
Analysis ID:	1320266
MD5:	3aaaf4be968f7846cc3697959a6ba5ec
SHA1:	66c6de49521762033bc0f08d2fc2a18c2c678197
SHA256:	29f9003753e24d20e597b7c71661dadd221b011c9f14531e25e0bf1c55145123
Tags:	exeQuasarRAT
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Yara detected Quasar RAT

Yara detected Generic Downloader

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Program does not show much activity (idle)

Enables debug privileges

Classification

Process Tree

System is w10x64

fontdrvhost.exe (PID: 6360 cmdline: C:\Users\user\Desktop\fontdrvhost.exe MD5: 3AAAF4BE968F7846CC3697959A6BA5EC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/ https://blog.ensilo.com/uncovering-new-activity-by-apt10	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{
  "Version": "1.4.1",
  "Host:Port": "server1.trustedvpnservices.com:13832;higradevpn.xyz:13832;",
  "SubDirectory": "C:\\Windows\\System32",
  "InstallName": "fontdrvhost.exe",
  "MutexName": "071e2576-e94a-492e-8303-baae1cb4641c",
  "StartupKey": "Usermode Font Driver Host",
  "Tag": "My VM",
  "LogDirectoryName": "CrashLogs",
  "ServerSignature": "FLZ1Lpw8XlsgQI40R2GVSAOj2JZ4VqMdRJB7rrJNTweyv8dOaC0LCPpTHe1i6RnXZ92Dq6zgY9VQWx3Cfdsc6k50ObD9IHKZhlhfs3XT/7W5mA9P6YltSoLsExkQaDdpFUPp3/apFnQXMPJ7tu2kC3y3njQKQLFJlOdSjudbSiPqwQg1i1s9pzrL3NT875VcwjNzPVUA+wJ2MsRfS5T17hanRjajym7tXCfohU79P1bM/87vCZWt331Z/JZs6IEXtpMplDj1RWjW9r2g06v0yEXbBdFmraRmVhsCRcG+thLjWMLq9qGY6yoQwnhwAvpi5hBMbCzWMj7ylWpNfARaLSzAIoKxTPwBGaXVN++l/4REVONcl70+S88kWDhXdRAKzDEROKQWN1zLdxRL4HZugBnerlOv8fzJVeph4I90TdpBabdfRoohcsdda0G1evDpMzvBi1y0SQk8y7WFzJ5yr+z8CyquNbaEGTO4DYnDl0zvwnZwLSp6OBlWjGPDsAdoweaWLms36bCj6uJzKqo5y55q1/m1NSZGdHhwYtsYBaqB8K7NiIPbgK3WiWCCRs+PaXOyMemmTKTws0blfcTgipeSyk/zg+9clEiNiAxmM3qsprWwv81jQ/z0yW5+UTApyQclQQan97XFNVyo7bhzwgT3jJCKL+r+cFKYFt85K68=",
  "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMV9gYCPPYjxUFLceUJE+zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTIzMDYyMDE3MDkyMFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAppjaHGMcmiDo1t2eFgPJAv0mFvMkABnRzIo7er+Zfo8DoQ4Y2c9rMrXXyRi2IDVJpvwnQ9RirC8xf6oRoPfmkw8OJRWXVs4zjPMJZ8SCYv3xZZbxNvtYWp5GSCPVwibqmFT/loTfPihaGx3mW8yN7DYypcr/qkm58y77X6nfBA5R9u6rCWTAyfranf2/6HApCnGGD6qBa9uX5xwTZwHCVvlWrfI5bXJ7xrDCh0sZJW4IW82BY514in4OhMwhZ3SDx/adc7r0lCzcMhF0+SPvRwBQxle7lgzpL7GZ0KebzHezNN8hbA+Wjj7etXXd6AstFpWTe77Py1hVyQC5EYjIFRlw9UBT385Matp+m6HjcuNjTdKV+Z8R5/E0yXREVOypqAhVyYQ1O0lA+WYWj24NPIVBr9j+NoMMtTZXvA4/63VM/lUE6+Ae8NKySoet1k+EbNNtVypi7fLBDHMJajccaHjgzLg5G8KEuFfS2XBr1AdfI1cCoZjrQYcWimPfkVBzBa5dg+y2PXLWxm/fflVwlJOo9V6Wo5gnJuGiNWVRKHU6vudeNMVcIm2aBbVKnUQQT/9LqRSNkQG/D5iDzmZsOKnfqQs+9oAx5bIe/gYxp3U7SE/87OWjjDQywbVF1Bb86yEZisJD5oY+JGY/uZw6OEEtudfeyuJuVUwP2Np0kU8CAwEAAaMyMDAwHQYDVR0OBBYEFMTM+FnJCi2yR9MeYRze1hq1DLMBMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACPy6ZoXPTcAsKdlyUVTsj1ocnMjMx3Q9WsNUc66COy4d9xWd3TPMc782YPDPw4s9OVFPEwbTYmUdND2WtJtg97JBQUOye1Adc9IDPfHpdRoSE6bxJHWT7HVYhxCH0VKoUvDjA+/oZTKi21No65XSmaUq8PHkuiTrcwAwe0VitWm/EcCJrLkuZxOFmpva1xZmcZ9vKeBFVBQRWOpWOe4nAsPnLCA1PsAyIoocBuOjcf7iILF8fcp8Lz+oe/JuvHzMUbO+wnhv7WFmowp3OAj2KZhf3mhNpTU4GOArnCBFZegzifS2XkiZO3/fNicGAbGEM6SBFExUj/GhKKkTm09TeFvaThrIPdvlVKATW5eP6gwwopURzLlq4hzMqm1T2ir9XZR/paZEQ+giiN8rVcg8NTNiU/u3RgEwd5jZ57vBnyBSnNrtcIco1CcfQXZOlSLexvjshwWfePy7m07XhyDzWCBW5Tv4Soqd1APN3KToEeiIASSjSTm1FP8z4/Tl/zWpRCiAr9KLbzzEbJkH5JxkmhjxldwnzeThpJlGOnlda4DmaYD6+2r/KJsbjKDbVComplXtSv8sHykZkywuxMTbZqyOoMUJRYdpFqQoEQsxGJvawO71fMxoSKS1TaGYmID4mlEubvamcC1PdLzsN1ma5LSRCZT6KEkNgHd4hONY2xL"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
fontdrvhost.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
fontdrvhost.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
fontdrvhost.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef13:$x1: Quasar.Common.Messages 0x29f23c:$x1: Quasar.Common.Messages 0x2ab81e:$x4: Uninstalling... good bye :-( 0x2ad013:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
fontdrvhost.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadd0:$f1: FileZilla\recentservers.xml 0x2aae10:$f2: FileZilla\sitemanager.xml 0x2aae52:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab09e:$b1: Chrome\User Data\ 0x2ab0f4:$b1: Chrome\User Data\ 0x2ab3cc:$b2: Mozilla\Firefox\Profiles 0x2ab4c8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd4cc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab620:$b4: Opera Software\Opera Stable\Login Data 0x2ab6da:$b5: YandexBrowser\User Data\ 0x2ab748:$b5: YandexBrowser\User Data\ 0x2ab41c:$s4: logins.json 0x2ab152:$a1: username_value 0x2ab170:$a2: password_value 0x2ab45c:$a3: encryptedUsername 0x2fd410:$a3: encryptedUsername 0x2ab480:$a4: encryptedPassword 0x2fd42e:$a4: encryptedPassword 0x2fd3ac:$a5: httpRealm
fontdrvhost.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab908:$s3: Process already elevated. 0x28ec12:$s4: get_PotentiallyVulnerablePasswords 0x278cce:$s5: GetKeyloggerLogsDirectory 0x29e99b:$s5: GetKeyloggerLogsDirectory 0x28ec35:$s6: set_PotentiallyVulnerablePasswords 0x2feafa:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1533946464.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: fontdrvhost.exe PID: 6360	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.fontdrvhost.exe.fd0000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.fontdrvhost.exe.fd0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.fontdrvhost.exe.fd0000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef13:$x1: Quasar.Common.Messages 0x29f23c:$x1: Quasar.Common.Messages 0x2ab81e:$x4: Uninstalling... good bye :-( 0x2ad013:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.fontdrvhost.exe.fd0000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadd0:$f1: FileZilla\recentservers.xml 0x2aae10:$f2: FileZilla\sitemanager.xml 0x2aae52:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab09e:$b1: Chrome\User Data\ 0x2ab0f4:$b1: Chrome\User Data\ 0x2ab3cc:$b2: Mozilla\Firefox\Profiles 0x2ab4c8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd4cc:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab620:$b4: Opera Software\Opera Stable\Login Data 0x2ab6da:$b5: YandexBrowser\User Data\ 0x2ab748:$b5: YandexBrowser\User Data\ 0x2ab41c:$s4: logins.json 0x2ab152:$a1: username_value 0x2ab170:$a2: password_value 0x2ab45c:$a3: encryptedUsername 0x2fd410:$a3: encryptedUsername 0x2ab480:$a4: encryptedPassword 0x2fd42e:$a4: encryptedPassword 0x2fd3ac:$a5: httpRealm
0.0.fontdrvhost.exe.fd0000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab908:$s3: Process already elevated. 0x28ec12:$s4: get_PotentiallyVulnerablePasswords 0x278cce:$s5: GetKeyloggerLogsDirectory 0x29e99b:$s5: GetKeyloggerLogsDirectory 0x28ec35:$s6: set_PotentiallyVulnerablePasswords 0x2feafa:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• E-Banking Fraud
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: fontdrvhost.exe

Avira: detected

Found malware configuration

Source: fontdrvhost.exe

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "server1.trustedvpnservices.com:13832;higradevpn.xyz:13832;", "SubDirectory": "C:\\Windows\\System32", "InstallName": "fontdrvhost.exe", "MutexName": "071e2576-e94a-492e-8303-baae1cb4641c", "StartupKey": "Usermode Font Driver Host", "Tag": "My VM", "LogDirectoryName": "CrashLogs", "ServerSignature": "FLZ1Lpw8XlsgQI40R2GVSAOj2JZ4VqMdRJB7rrJNTweyv8dOaC0LCPpTHe1i6RnXZ92Dq6zgY9VQWx3Cfdsc6k50ObD9IHKZhlhfs3XT/7W5mA9P6YltSoLsExkQaDdpFUPp3/apFnQXMPJ7tu2kC3y3njQKQLFJlOdSjudbSiPqwQg1i1s9pzrL3NT875VcwjNzPVUA+wJ2MsRfS5T17hanRjajym7tXCfohU79P1bM/87vCZWt331Z/JZs6IEXtpMplDj1RWjW9r2g06v0yEXbBdFmraRmVhsCRcG+thLjWMLq9qGY6yoQwnhwAvpi5hBMbCzWMj7ylWpNfARaLSzAIoKxTPwBGaXVN++l/4REVONcl70+S88kWDhXdRAKzDEROKQWN1zLdxRL4HZugBnerlOv8fzJVeph4I90TdpBabdfRoohcsdda0G1evDpMzvBi1y0SQk8y7WFzJ5yr+z8CyquNbaEGTO4DYnDl0zvwnZwLSp6OBlWjGPDsAdoweaWLms36bCj6uJzKqo5y55q1/m1NSZGdHhwYtsYBaqB8K7NiIPbgK3WiWCCRs+PaXOyMemmTKTws0blfcTgipeSyk/zg+9clEiNiAxmM3qsprWwv81jQ/z0yW5+UTApyQclQQan97XFNVyo7bhzwgT3jJCKL+r+cFKYFt85K68=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMV9gYCPPYjxUFLceUJE+zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTIzMDYyMDE3MDkyMFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAppjaHGMcmiDo1t2eFgPJAv0mFvMkABnRzIo7er+Zfo8DoQ4Y2c9rMrXXyRi2IDVJpvwnQ9RirC8xf6oRoPfmkw8OJRWXVs4zjPMJZ8SCYv3xZZbxNvtYWp5GSCPVwibqmFT/loTfPihaGx3mW8yN7DYypcr/qkm58y77X6nfBA5R9u6rCWTAyfranf2/6HApCnGGD6qBa9uX5xwTZwHCVvlWrfI5bXJ7xrDCh0sZJW4IW82BY514in4OhMwhZ3SDx/adc7r0lCzcMhF0+SPvRwBQxle7lgzpL7GZ0KebzHezNN8hbA+Wjj7etXXd6AstFpWTe77Py1hVyQC5EYjIFRlw9UBT385Matp+m6HjcuNjTdKV+Z8R5/E0yXREVOypqAhVyYQ1O0lA+WYWj24NPIVBr9j+NoMMtTZXvA4/63VM/lUE6+Ae8NKySoet1k+EbNNtVypi7fLBDHMJajccaHjgzLg5G8KEuFfS2XBr1AdfI1cCoZjrQYcWimPfkVBzBa5dg+y2PXLWxm/fflVwlJOo9V6Wo5gnJuGiNWVRKHU6vudeNMVcIm2aBbVKnUQQT/9LqRSNkQG/D5iDzmZsOKnfqQs+9oAx5bIe/gYxp3U7SE/87OWjjDQywbVF1Bb86yEZisJD5oY+JGY/uZw6OEEtudfeyuJuVUwP2Np0kU8CAwEAAaMyMDAwHQYDVR0OBBYEFMTM+FnJCi2yR9MeYRze1hq1DLMBMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACPy6ZoXPTcAsKdlyUVTsj1ocnMjMx3Q9WsNUc66COy4d9xWd3TPMc782YPDPw4s9OVFPEwbTYmUdND2WtJtg97JBQUOye1Adc9IDPfHpdRoSE6bxJHWT7HVYhxCH0VKoUvDjA+/oZTKi21No65XSmaUq8PHkuiTrcwAwe0VitWm/EcCJrLkuZxOFmpva1xZmcZ9vKeBFVBQRWOpWOe4nAsPnLCA1PsAyIoocBuOjcf7iILF8fcp8Lz+oe/JuvHzMUbO+wnhv7WFmowp3OAj2KZhf3mhNpTU4GOArnCBFZegzifS2XkiZO3/fNicGAbGEM6SBFExUj/GhKKkTm09TeFvaThrIPdvlVKATW5eP6gwwopURzLlq4hzMqm1T2ir9XZR/paZEQ+giiN8rVcg8NTNiU/u3RgEwd5jZ57vBnyBSnNrtcIco1CcfQXZOlSLexvjshwWfePy7m07XhyDzWCBW5Tv4Soqd1APN3KToEeiIASSjSTm1FP8z4/Tl/zWpRCiAr9KLbzzEbJkH5JxkmhjxldwnzeThpJlGOnlda4DmaYD6+2r/KJsbjKDbVComplXtSv8sHykZkywuxMTbZqyOoMUJRYdpFqQoEQsxGJvawO71fMxoSKS1TaGYmID4mlEubvamcC1PdLzsN1ma5LSRCZT6KEkNgHd4hONY2xL"}

Multi AV Scanner detection for submitted file

Source: fontdrvhost.exe

ReversingLabs: Detection: 76%

Antivirus detection for URL or domain

Source: server1.trustedvpnservices.com

Avira URL Cloud: Label: malware

Yara detected Quasar RAT

Source: Yara match	File source: fontdrvhost.exe, type: SAMPLE
Source: Yara match	File source: 0.0.fontdrvhost.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1533946464.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 6360, type: MEMORYSTR

Machine Learning detection for sample

Source: fontdrvhost.exe

Joe Sandbox ML: detected

Source: fontdrvhost.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: fontdrvhost.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: fontdrvhost.exe, type: SAMPLE
Source: Yara match	File source: 0.0.fontdrvhost.exe.fd0000.0.unpack, type: UNPACKEDPE

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: server1.trustedvpnservices.com

Source: fontdrvhost.exe, 00000000.00000002.2787792825.00000000035A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: fontdrvhost.exe	String found in binary or memory: https://api.ipify.org/
Source: fontdrvhost.exe	String found in binary or memory: https://ipwho.is/
Source: fontdrvhost.exe	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: fontdrvhost.exe	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: fontdrvhost.exe	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: fontdrvhost.exe, type: SAMPLE
Source: Yara match	File source: 0.0.fontdrvhost.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1533946464.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 6360, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: fontdrvhost.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: fontdrvhost.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: fontdrvhost.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.fontdrvhost.exe.fd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.fontdrvhost.exe.fd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.fontdrvhost.exe.fd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: fontdrvhost.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: fontdrvhost.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: fontdrvhost.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: fontdrvhost.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.fontdrvhost.exe.fd0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.fontdrvhost.exe.fd0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.fontdrvhost.exe.fd0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: fontdrvhost.exe

ReversingLabs: Detection: 76%

Source: fontdrvhost.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\fontdrvhost.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fontdrvhost.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\fontdrvhost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\fontdrvhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\071e2576-e94a-492e-8303-baae1cb4641c

Source: fontdrvhost.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/0

Source: fontdrvhost.exe

Static file information: File size 3266048 > 1048576

Source: fontdrvhost.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: fontdrvhost.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: fontdrvhost.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c600

Source: fontdrvhost.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\fontdrvhost.exe

File opened: C:\Users\user\Desktop\fontdrvhost.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\fontdrvhost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\fontdrvhost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\fontdrvhost.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\fontdrvhost.exe

Queries volume information: C:\Users\user\Desktop\fontdrvhost.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\fontdrvhost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: fontdrvhost.exe, type: SAMPLE
Source: Yara match	File source: 0.0.fontdrvhost.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1533946464.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 6360, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: fontdrvhost.exe, type: SAMPLE
Source: Yara match	File source: 0.0.fontdrvhost.exe.fd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1533946464.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 6360, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	Path Interception	1 Disable or Modify Tools	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Application Layer Protocol	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Hidden Files and Directories	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
fontdrvhost.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.Quasar
fontdrvhost.exe	100%	Avira	HEUR/AGEN.1305769
fontdrvhost.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
server1.trustedvpnservices.com	100%	Avira URL Cloud	malware
https://ipwho.is/	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
server1.trustedvpnservices.com	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	fontdrvhost.exe	false		high
https://stackoverflow.com/q/14436606/23354	fontdrvhost.exe	false		high
https://stackoverflow.com/q/2152978/23354sCannot	fontdrvhost.exe	false		high
https://ipwho.is/	fontdrvhost.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	fontdrvhost.exe, 00000000.00000002.2787792825.00000000035A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	fontdrvhost.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1320266
Start date and time:	2023-10-05 14:58:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	fontdrvhost.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, g.bing.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: fontdrvhost.exe

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.075912097922754
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	fontdrvhost.exe
File size:	3'266'048 bytes
MD5:	3aaaf4be968f7846cc3697959a6ba5ec
SHA1:	66c6de49521762033bc0f08d2fc2a18c2c678197
SHA256:	29f9003753e24d20e597b7c71661dadd221b011c9f14531e25e0bf1c55145123
SHA512:	6626e7e982e65c02fac4b9ae40f5f57e7bc4e79aaa08c9aa12d4b42f1fee0ca6449608972dbe19d634fe48cd8835f8fa5456780f62da143614b28a1f18489ecf
SSDEEP:	49152:fvve821/aQWl8P0lSk3aKA3Z+new/6BxyLoGd0qQTHHB72eh2NT:fvm821/aQWl8P0lSk3DA3Z+n5/5E
TLSH:	45E56B0437F85E33E56BD2B3D5B05022A3F1F82AF363EB1B519167BA1C53B5488426A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x71e48e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31e434	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x320000	0xbe0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x322000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31c494	0x31c600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x320000	0xbe0	0xc00	False	0.3929036458333333	data	4.983012581723541	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x322000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3200a0	0x468	data			0.3900709219858156
RT_MANIFEST	0x320508	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text			0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

• fontdrvhost.exe

Click to jump to process

Memory Usage

• fontdrvhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	14:58:59
Start date:	05/10/2023
Path:	C:\Users\user\Desktop\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\fontdrvhost.exe
Imagebase:	0xfd0000
File size:	3'266'048 bytes
MD5 hash:	3AAAF4BE968F7846CC3697959A6BA5EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1533946464.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	20.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 00007FFD32DB3ED5 Relevance: 1.8, APIs: 1, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryFullProcessImageNameA.KERNELBASE ref: 00007FFD32DB4081

Memory Dump Source

Source File: 00000000.00000002.2790500097.00007FFD32DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd32db0000_fontdrvhost.jbxd

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: b12800408fa9d425e9f77a410ec76e2690be93b671a633f3879a8c13b61747a9
Instruction ID: 37cbeb665195c974c15008ad7fd3d8d114bb4a276983bb8e0c745d878187dcdd
Opcode Fuzzy Hash: b12800408fa9d425e9f77a410ec76e2690be93b671a633f3879a8c13b61747a9
Instruction Fuzzy Hash: 09819230A08A8C4FDB68DF28D8657F977E1FB59311F14427EE84EC7292CBB498458B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD32DB3525 Relevance: 1.6, APIs: 1, Instructions: 119
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD32DB3607

Memory Dump Source

Source File: 00000000.00000002.2790500097.00007FFD32DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd32db0000_fontdrvhost.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6961c82823314d5cdab3163374c2cb573eb158939bf248af1faa69abba880d94
Instruction ID: fd9cfaef82289d4566a527fd5f16cae3d735ecfd108d408b92b5e6cc559c738a
Opcode Fuzzy Hash: 6961c82823314d5cdab3163374c2cb573eb158939bf248af1faa69abba880d94
Instruction Fuzzy Hash: 31311231D0CB988FDB59CB6898596E9BBF0EF66321F04426BC049C3592CBA4A805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD32DB3569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD32DB3607

Memory Dump Source

Source File: 00000000.00000002.2790500097.00007FFD32DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD32DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd32db0000_fontdrvhost.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 124ac300ca15cc439efe1baabcc1c842667412efd46d3ef610570d13852bb7c6
Instruction ID: 1115ad2b30c415e04953584bbb94d1ccd2d1b7995f03834475cfeef90e1727ed
Opcode Fuzzy Hash: 124ac300ca15cc439efe1baabcc1c842667412efd46d3ef610570d13852bb7c6
Instruction Fuzzy Hash: 8D31F03190CB5C8FDB59DB9888596E9BBF0FF66321F04426FC049D3692DBB4A805CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fontdrvhost.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: fontdrvhost.exePID: 6360, Parent PID: 4004

General

Windows Analysis Report
fontdrvhost.exe

Function 00007FFD32DB3ED5 Relevance: 1.8, APIs: 1, Instructions: 254
COMMON

Function 00007FFD32DB3525 Relevance: 1.6, APIs: 1, Instructions: 119
fileCOMMON

Function 00007FFD32DB3569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON