Edit tour

Windows Analysis Report
Client.exe

Overview

General Information

Sample name:	Client.exe
Analysis ID:	1371143
MD5:	0b665294ec2063215cdc72c07caa5bce
SHA1:	1c2312f39df0b516def74ce8e925c33191275ff3
SHA256:	4e01c76200fe5e4cde437fdd12b42c9d2c884018b7f9b89e097ff53ee4e75ec9
Tags:	exeQuasarRAT
Infos:

Detection

Quasar

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Quasar RAT

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Yara detected Generic Downloader

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Internet Provider seen in connection with other malware

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Client.exe (PID: 6284 cmdline: C:\Users\user\Desktop\Client.exe MD5: 0B665294EC2063215CDC72C07CAA5BCE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{
  "Version": "1.4.1",
  "Host:Port": "91.92.251.28:4782;",
  "SubDirectory": "SubDir",
  "InstallName": "Client.exe",
  "MutexName": "03ac8289-d1ca-4c45-b72e-cb527f9b533f",
  "StartupKey": "Quasar Client Startup",
  "Tag": "Office04",
  "LogDirectoryName": "Logs",
  "ServerSignature": "MHzZqa1Cf1Ktc4+k027v1ASX2rCJ79fJwtL1kIuUQ651qhf26AIY+ZOtlfSSBqH3FsuJXqGaEar5RIcikwbWp+MOnUAwVXtNWFmtYdYmgXROlaQuy/VQ7GlJL1UDeFRya72NbPMCbqbHnOiwfxAPEmA0aPDkNYSiqH/3Gq7EaFY35DbBM43E8QufFfz0IR7Y/gkP6EVNSiFqe5egBwfiLKwB0KVF1dJ6U0KMDNl2aXXray2dLQanlrt/46qbNAf5K0xVp86ImHJlb/tUjDcjpuyoLguaEYeBqNNDZFReRyZIUhTDpPcuq/h1AYpeVi6A1ojQiYhlMbKngfoGK0ISlNezDg0yIf1rIEbhM2j9Ap2WK1+AwX5O6f7IpFID/ENeEoyOqknYD91S3eNCDkS8UE2Zd0J5Zj/7Hnidazu6hvbJy8TsKpV6Q7sqP20AYa3jhlb4XHrUcJw8VGWMCEY6Vg2W3nKy4Bx08XnE17IuvQ/ATD3MAYlIoIZUuyu4NT2h/evXF+AgTYz97yXjA5zvKEU4GPo81QmJCI5VZDTixJijylaeRhls/5vfLM6ty1KYZijsDP4uFOp2Xoec5t6VUGOAOQ5Dpama+DBk67GczHGQ6JpQJFSS7FLzSUCjK2ScVm3EEPsEUw/exvri5XE92B6ARA8OoL7O/asLk8TT7yk=",
  "ServerCertificate": "MIIE9DCCAtygAwIBAgIQALUl5g3e3WtgSfBAkdoFFTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDEwMzE2MDkyN1oYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAl9coRDtcQs+vmKaPpQq6qQdY4I4ECEoiO2tEK5XToAtrdU6A62WefXPP/tQCV5d/H0PhSaHJk/5x4Q0iWLFuB815nHfXeVIX9qiPtBjra7+ttsxusYmbpOLfAYmUEkucxTLsCqU6aTb9sbRrtdB5jMlBcppRkxodVXxICK/mtceUYJlSTundrWycSdspWlhSq7OeSw9NMYokX0jGaacsNotjpdrpMebctUQoUPzOd6fO7/zHITnqUWBbJl6Zq8yLkZKvaX/NRAyMWQksiScyaLlVkJ88Hetej5yeZtSw3JkLwaF1s4e30w/OZTMD00XjZo0sEg3wp/Vi49ntSbwfcR0kV4uO4H7od62cvyuunOT+vGxlYEsz1pDBwFS56/joOaoDPI150UW3Rv6nCqobOljBHLw8dGTZ83tDLNFFVE3zjGsge5qDmFxH+U6UeueNTfv0gI0PL/jz9Qp8/EB4WU5gp1DppHKzJVF45tDpft/BH7MEBwwhuuYpTzfvf7D7xw9yICmxfvaVHPGe0n5dOsZYrbKJk3711z80o6n5bTpDy6860X8cCURcIIQ0dgXnqK501Bt+8xMk9SHhnCf7dsWa3JbhkZxkOMJ5l4o09GKoan6Rm6bcTaaVOejDaYzkPqsiDROJm11Jenr4NLLOUDyvQnQ2uKxeyTVdFb8ftvMCAwEAAaMyMDAwHQYDVR0OBBYEFMuyx4khnBYLaPrNcAnPTSv+lnE9MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAE7wTWcDGvkb+PXWjj+u5fLUbp8RmXTBZdIT8Vwlktq+DlerWvbXG1KKkP7OysbKdAE7lnezleA5a2JnpiaAbHxmg7I0UAtB+8oElkF0srvURJkihakMn0Dt2PRLcMGu7Ssmwfv9srQmwuy6RtoKUslaqhEC3+ZEN1hQ+rMiOLf2sJoDdNKBeUx4Oiuof6c81MOIxesmls9IWyZ92ZRT/pQU6ECtLsu70caAg/2fRxxMDic5/mOOzUSTGFrEgvXHljxvJVsvd+KdjKoaaBJTJ3IS2d3d7o9uBsJ1m7dENdWbTmFSvXWSMa9TpNnqeYO3vPb52JJXkwhSimcKMpeYxNJNnBFj/ATSoWICr4dtCLsALLuu0encOfmNYmoYmRrKA5+Tz5DZNQ7q1P93B9gn2gw+qQ7FJrHHEXpJamccPraofVFEs+0gIPD+MIjrhoj4cxgCPK053bgV6fkkvU59wEj/S2bWf9wVgoQ8nvL0K0olZbGVKt/b62BuwiRiplAXGFB1rhv8aXs7c0Lb/kQDp24951IBlaLTfdPJkwPp96IVSUtBRP6SO9FAjRSVA8e9phl26q4DmQgEnK/U0EXMJjDmGKMs/Hv7UzIUjXKPDeLdogmjzZJad+MA5YQQ87XesVpdNy3Ga+4yypslZq94fo9Fq9nRzUImtpVmaOFD2Ng+"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Client.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Client.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Client.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab80e:$x4: Uninstalling... good bye :-( 0x2ad003:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
Client.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadc0:$f1: FileZilla\recentservers.xml 0x2aae00:$f2: FileZilla\sitemanager.xml 0x2aae42:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab08e:$b1: Chrome\User Data\ 0x2ab0e4:$b1: Chrome\User Data\ 0x2ab3bc:$b2: Mozilla\Firefox\Profiles 0x2ab4b8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd43c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab610:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ca:$b5: YandexBrowser\User Data\ 0x2ab738:$b5: YandexBrowser\User Data\ 0x2ab40c:$s4: logins.json 0x2ab142:$a1: username_value 0x2ab160:$a2: password_value 0x2ab44c:$a3: encryptedUsername 0x2fd380:$a3: encryptedUsername 0x2ab470:$a4: encryptedPassword 0x2fd39e:$a4: encryptedPassword 0x2fd31c:$a5: httpRealm
Client.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8f8:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea6a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1647837014.0000000001050000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2905668268.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.1647508938.0000000000D32000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 6284	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Client.exe.d30000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.Client.exe.d30000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Client.exe.d30000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab80e:$x4: Uninstalling... good bye :-( 0x2ad003:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.Client.exe.d30000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadc0:$f1: FileZilla\recentservers.xml 0x2aae00:$f2: FileZilla\sitemanager.xml 0x2aae42:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab08e:$b1: Chrome\User Data\ 0x2ab0e4:$b1: Chrome\User Data\ 0x2ab3bc:$b2: Mozilla\Firefox\Profiles 0x2ab4b8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd43c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab610:$b4: Opera Software\Opera Stable\Login Data 0x2ab6ca:$b5: YandexBrowser\User Data\ 0x2ab738:$b5: YandexBrowser\User Data\ 0x2ab40c:$s4: logins.json 0x2ab142:$a1: username_value 0x2ab160:$a2: password_value 0x2ab44c:$a3: encryptedUsername 0x2fd380:$a3: encryptedUsername 0x2ab470:$a4: encryptedPassword 0x2fd39e:$a4: encryptedPassword 0x2fd31c:$a5: httpRealm
0.0.Client.exe.d30000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8f8:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea6a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Client.exe

Avira: detected

Found malware configuration

Source: Client.exe

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "91.92.251.28:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "03ac8289-d1ca-4c45-b72e-cb527f9b533f", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "MHzZqa1Cf1Ktc4+k027v1ASX2rCJ79fJwtL1kIuUQ651qhf26AIY+ZOtlfSSBqH3FsuJXqGaEar5RIcikwbWp+MOnUAwVXtNWFmtYdYmgXROlaQuy/VQ7GlJL1UDeFRya72NbPMCbqbHnOiwfxAPEmA0aPDkNYSiqH/3Gq7EaFY35DbBM43E8QufFfz0IR7Y/gkP6EVNSiFqe5egBwfiLKwB0KVF1dJ6U0KMDNl2aXXray2dLQanlrt/46qbNAf5K0xVp86ImHJlb/tUjDcjpuyoLguaEYeBqNNDZFReRyZIUhTDpPcuq/h1AYpeVi6A1ojQiYhlMbKngfoGK0ISlNezDg0yIf1rIEbhM2j9Ap2WK1+AwX5O6f7IpFID/ENeEoyOqknYD91S3eNCDkS8UE2Zd0J5Zj/7Hnidazu6hvbJy8TsKpV6Q7sqP20AYa3jhlb4XHrUcJw8VGWMCEY6Vg2W3nKy4Bx08XnE17IuvQ/ATD3MAYlIoIZUuyu4NT2h/evXF+AgTYz97yXjA5zvKEU4GPo81QmJCI5VZDTixJijylaeRhls/5vfLM6ty1KYZijsDP4uFOp2Xoec5t6VUGOAOQ5Dpama+DBk67GczHGQ6JpQJFSS7FLzSUCjK2ScVm3EEPsEUw/exvri5XE92B6ARA8OoL7O/asLk8TT7yk=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQALUl5g3e3WtgSfBAkdoFFTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDEwMzE2MDkyN1oYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAl9coRDtcQs+vmKaPpQq6qQdY4I4ECEoiO2tEK5XToAtrdU6A62WefXPP/tQCV5d/H0PhSaHJk/5x4Q0iWLFuB815nHfXeVIX9qiPtBjra7+ttsxusYmbpOLfAYmUEkucxTLsCqU6aTb9sbRrtdB5jMlBcppRkxodVXxICK/mtceUYJlSTundrWycSdspWlhSq7OeSw9NMYokX0jGaacsNotjpdrpMebctUQoUPzOd6fO7/zHITnqUWBbJl6Zq8yLkZKvaX/NRAyMWQksiScyaLlVkJ88Hetej5yeZtSw3JkLwaF1s4e30w/OZTMD00XjZo0sEg3wp/Vi49ntSbwfcR0kV4uO4H7od62cvyuunOT+vGxlYEsz1pDBwFS56/joOaoDPI150UW3Rv6nCqobOljBHLw8dGTZ83tDLNFFVE3zjGsge5qDmFxH+U6UeueNTfv0gI0PL/jz9Qp8/EB4WU5gp1DppHKzJVF45tDpft/BH7MEBwwhuuYpTzfvf7D7xw9yICmxfvaVHPGe0n5dOsZYrbKJk3711z80o6n5bTpDy6860X8cCURcIIQ0dgXnqK501Bt+8xMk9SHhnCf7dsWa3JbhkZxkOMJ5l4o09GKoan6Rm6bcTaaVOejDaYzkPqsiDROJm11Jenr4NLLOUDyvQnQ2uKxeyTVdFb8ftvMCAwEAAaMyMDAwHQYDVR0OBBYEFMuyx4khnBYLaPrNcAnPTSv+lnE9MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAE7wTWcDGvkb+PXWjj+u5fLUbp8RmXTBZdIT8Vwlktq+DlerWvbXG1KKkP7OysbKdAE7lnezleA5a2JnpiaAbHxmg7I0UAtB+8oElkF0srvURJkihakMn0Dt2PRLcMGu7Ssmwfv9srQmwuy6RtoKUslaqhEC3+ZEN1hQ+rMiOLf2sJoDdNKBeUx4Oiuof6c81MOIxesmls9IWyZ92ZRT/pQU6ECtLsu70caAg/2fRxxMDic5/mOOzUSTGFrEgvXHljxvJVsvd+KdjKoaaBJTJ3IS2d3d7o9uBsJ1m7dENdWbTmFSvXWSMa9TpNnqeYO3vPb52JJXkwhSimcKMpeYxNJNnBFj/ATSoWICr4dtCLsALLuu0encOfmNYmoYmRrKA5+Tz5DZNQ7q1P93B9gn2gw+qQ7FJrHHEXpJamccPraofVFEs+0gIPD+MIjrhoj4cxgCPK053bgV6fkkvU59wEj/S2bWf9wVgoQ8nvL0K0olZbGVKt/b62BuwiRiplAXGFB1rhv8aXs7c0Lb/kQDp24951IBlaLTfdPJkwPp96IVSUtBRP6SO9FAjRSVA8e9phl26q4DmQgEnK/U0EXMJjDmGKMs/Hv7UzIUjXKPDeLdogmjzZJad+MA5YQQ87XesVpdNy3Ga+4yypslZq94fo9Fq9nRzUImtpVmaOFD2Ng+"}

Multi AV Scanner detection for submitted file

Source: Client.exe	ReversingLabs: Detection: 75%
Source: Client.exe	Virustotal: Detection: 79%			Perma Link

Yara detected Quasar RAT

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1647837014.0000000001050000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2905668268.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1647508938.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6284, type: MEMORYSTR

Machine Learning detection for sample

Source: Client.exe

Joe Sandbox ML: detected

Source: Client.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Client.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 91.92.251.28

Yara detected Generic Downloader

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d30000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49729 -> 91.92.251.28:4782

Source: Joe Sandbox View

ASN Name: THEZONEBG THEZONEBG

Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.251.28

Source: Client.exe, 00000000.00000002.2905668268.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Client.exe	String found in binary or memory: https://api.ipify.org/
Source: Client.exe	String found in binary or memory: https://ipwho.is/
Source: Client.exe	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Client.exe	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Client.exe	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1647837014.0000000001050000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2905668268.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1647508938.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6284, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: Client.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: Client.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Client.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.Client.exe.d30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.Client.exe.d30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.Client.exe.d30000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BD45BE1	0_2_00007FFD9BD45BE1
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BD493C1	0_2_00007FFD9BD493C1
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BD44DC6	0_2_00007FFD9BD44DC6
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BD4A7CD	0_2_00007FFD9BD4A7CD
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BD48A61	0_2_00007FFD9BD48A61
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BD410FA	0_2_00007FFD9BD410FA
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BD410D1	0_2_00007FFD9BD410D1

Source: Client.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Client.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: Client.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Client.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.Client.exe.d30000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.Client.exe.d30000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.Client.exe.d30000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal96.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\Client.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\03ac8289-d1ca-4c45-b72e-cb527f9b533f

Source: Client.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Client.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Client.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Client.exe	ReversingLabs: Detection: 75%
Source: Client.exe	Virustotal: Detection: 79%

Source: Client.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: C:\Users\user\Desktop\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Client.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Client.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Client.exe

Static file information: File size 3266048 > 1048576

Source: Client.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c600

Source: Client.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BADCB4F pushfd ; ret	0_2_00007FFD9BADCB52
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BADBB3C push edx; ret	0_2_00007FFD9BADBA82
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BADBA84 push esp; ret	0_2_00007FFD9BADBAA2
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BADBACC push edx; ret	0_2_00007FFD9BADBA82
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BADBAA4 push esi; ret	0_2_00007FFD9BADBACA
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BAD8163 push ebx; ret	0_2_00007FFD9BAD816A
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BADB9B4 push edx; ret	0_2_00007FFD9BADBA82
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BAD00BD pushad ; iretd	0_2_00007FFD9BAD00C1
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BAD7569 push ebx; iretd	0_2_00007FFD9BAD756A
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BD42C10 push eax; ret	0_2_00007FFD9BD42BFC
Source: C:\Users\user\Desktop\Client.exe	Code function: 0_2_00007FFD9BD42A42 push eax; ret	0_2_00007FFD9BD42BFC

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Client.exe

File opened: C:\Users\user\Desktop\Client.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Client.exe, 00000000.00000002.2907860296.000000001BCE2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.C

Source: C:\Users\user\Desktop\Client.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Client.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Users\user\Desktop\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1647837014.0000000001050000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2905668268.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1647508938.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6284, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: Client.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1647837014.0000000001050000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2905668268.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1647508938.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6284, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	Path Interception	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Hidden Files and Directories	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Client.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.Quasar
Client.exe	80%	Virustotal		Browse
Client.exe	100%	Avira	HEUR/AGEN.1307453
Client.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://ipwho.is/	0%	Virustotal		Browse
91.92.251.28	0%	Avira URL Cloud	safe
91.92.251.28	1%	Virustotal		Browse
https://ipwho.is/	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
91.92.251.28	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	Client.exe	false		high
https://stackoverflow.com/q/14436606/23354	Client.exe	false		high
https://stackoverflow.com/q/2152978/23354sCannot	Client.exe	false		high
https://ipwho.is/	Client.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Client.exe, 00000000.00000002.2905668268.00000000033D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	Client.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.92.251.28	unknown	Bulgaria		34368	THEZONEBG	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1371143
Start date and time:	2024-01-08 11:01:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Client.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 61 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
THEZONEBG	SecuriteInfo.com.Win32.TrojanX-gen.31521.10259.exe	Get hash	malicious	Snake Keylogger	Browse	91.92.253.149
	WEXTRACT.EXE.exe	Get hash	malicious	RHADAMANTHYS	Browse	91.92.245.204
	Jw45oL7Dqh.exe	Get hash	malicious	PureLog Stealer	Browse	91.92.241.244
	C14AkzrXP2.exe	Get hash	malicious	RHADAMANTHYS	Browse	91.92.245.204
	Framework.exe	Get hash	malicious	RHADAMANTHYS	Browse	91.92.245.204
	vHihz5bxaP.exe	Get hash	malicious	Njrat	Browse	91.92.250.243
	twointe.exe	Get hash	malicious	Unknown	Browse	91.92.254.7
	twointe.exe	Get hash	malicious	Unknown	Browse	91.92.254.7
	1ceRxDhQNT.exe	Get hash	malicious	AsyncRAT	Browse	91.92.250.243
	DyNsfeutFQ.exe	Get hash	malicious	Fabookie, Glupteba, SmokeLoader, Stealc, Vidar	Browse	91.92.254.7
	file.exe	Get hash	malicious	RedLine, Xmrig	Browse	91.92.251.179
	Had.exe	Get hash	malicious	Petite Virus	Browse	91.92.254.7
	InstallSetup3.exe	Get hash	malicious	Stealc, Vidar	Browse	91.92.254.7
	InstallSetup2.exe	Get hash	malicious	Petite Virus	Browse	91.92.254.7
	file.exe	Get hash	malicious	Unknown	Browse	91.92.254.7
	170iHJWEj3.exe	Get hash	malicious	Glupteba, Stealc, Vidar	Browse	91.92.254.7
	file.exe	Get hash	malicious	RedLine	Browse	91.92.245.15
	file.exe	Get hash	malicious	Unknown	Browse	91.92.254.7
	xgWw2DJAn8.exe	Get hash	malicious	Unknown	Browse	91.92.254.7
	xgWw2DJAn8.exe	Get hash	malicious	Unknown	Browse	91.92.254.7

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.083588221813721
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Client.exe
File size:	3'266'048 bytes
MD5:	0b665294ec2063215cdc72c07caa5bce
SHA1:	1c2312f39df0b516def74ce8e925c33191275ff3
SHA256:	4e01c76200fe5e4cde437fdd12b42c9d2c884018b7f9b89e097ff53ee4e75ec9
SHA512:	3c56ab85b5732dd2cd0dabdd4e78065665f55a2a5ba3a686c083fd4e91ddd4c7b401d089c0881ac4188c4911aa9ec62dd3715c5a2cae19f525c52f59074c919a
SSDEEP:	49152:PvbI22SsaNYfdPBldt698dBcjHXYRJ6pbR3LoGdKTHHB72eh2NT:Pvk22SsaNYfdPBldt6+dBcjHXYRJ6r
TLSH:	59E56B143BF85E27E1BBE277A5B0041267F0FC1AF363EB0B6581677A1C53B5098426A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x71e3fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31e3a4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x320000	0xa93	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x322000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31c404	0x31c600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x320000	0xa93	0xc00	False	0.36328125	data	4.653972105845318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x322000	0xc	0x200	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3200a0	0x31c	data			0.4484924623115578
RT_MANIFEST	0x3203bc	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text			0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2024 11:01:58.480252028 CET	49729	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:01:59.491393089 CET	49729	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:02:01.491344929 CET	49729	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:02:05.491286993 CET	49729	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:02:13.491972923 CET	49729	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:02:22.898092985 CET	49735	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:02:23.897809029 CET	49735	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:02:25.897552013 CET	49735	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:02:29.897697926 CET	49735	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:02:37.913244009 CET	49735	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:02:48.549446106 CET	49736	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:02:49.553961992 CET	49736	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:02:51.569431067 CET	49736	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:02:55.569443941 CET	49736	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:03:03.569474936 CET	49736	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:03:13.257942915 CET	49738	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:03:14.272861004 CET	49738	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:03:16.288783073 CET	49738	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:03:20.288333893 CET	49738	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:03:28.288233995 CET	49738	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:03:37.960603952 CET	49739	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:03:38.991344929 CET	49739	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:03:40.991468906 CET	49739	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:03:44.991432905 CET	49739	4782	192.168.2.4	91.92.251.28
Jan 8, 2024 11:03:52.991400003 CET	49739	4782	192.168.2.4	91.92.251.28

Statistics

CPU Usage

• Client.exe

Click to jump to process

Memory Usage

• Client.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	0
Start time:	11:01:54
Start date:	08/01/2024
Path:	C:\Users\user\Desktop\Client.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Client.exe
Imagebase:	0xd30000
File size:	3'266'048 bytes
MD5 hash:	0B665294EC2063215CDC72C07CAA5BCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1647837014.0000000001050000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2905668268.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1647508938.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 00007FFD9BD45BE1 Relevance: 1.9, Strings: 1, Instructions: 694
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

u, xrefs: 00007FFD9BD460BD

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID: u
API String ID: 0-4067256894
Opcode ID: 116fdfdca38026e45729fceeb02aaa2c3cf7e537cd64569f7648fcea0583c980
Instruction ID: 9904589248795d0a4de589cce334fe2f45c9e07329e937e5ab72130b630f513e
Opcode Fuzzy Hash: 116fdfdca38026e45729fceeb02aaa2c3cf7e537cd64569f7648fcea0583c980
Instruction Fuzzy Hash: B3326F70A18A1D8FDBA8EF58C8957A973E2FF98304F1145B9D44ED32A5DF34A981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD493C1 Relevance: 1.4, Instructions: 1434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534bb7ac4840c8499a05f9c186bcb0a435712692894623745fefbcaa672ad795
Instruction ID: bad8dfad7b709a077f31937892bcdc30a85b4c37e3f74f98b5e50388b9483c59
Opcode Fuzzy Hash: 534bb7ac4840c8499a05f9c186bcb0a435712692894623745fefbcaa672ad795
Instruction Fuzzy Hash: EC92193171D90D4FEBA8EB6D9469A7533D2FF99310F0501BAE44EC72E6DE28AC428741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD44DC6 Relevance: 1.3, Instructions: 1313
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6be248f8970c26236d6f7a55f901e6d58963303c146e6da9c11ebcf68025dd6
Instruction ID: 360fd5ef5c4295ae5c4abbcd51e33acfea9504b768569c70dabb4520cf79404f
Opcode Fuzzy Hash: f6be248f8970c26236d6f7a55f901e6d58963303c146e6da9c11ebcf68025dd6
Instruction Fuzzy Hash: 87A28E70A19A0D8FDFA8EF58C490BA977E2FF98304F5141A9D44ED72D6CA35E981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4A7CD Relevance: .9, Instructions: 932
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09fccac0b19cfcb7b639db89e0b89b02bf49a7ce1993679a619d9a7e130f84f3
Instruction ID: 5215e83197aa38b1d32aef9d0d0090d9e6e952a459d6184cd28d65997fe92092
Opcode Fuzzy Hash: 09fccac0b19cfcb7b639db89e0b89b02bf49a7ce1993679a619d9a7e130f84f3
Instruction Fuzzy Hash: 22625130709A098FEB98EB2CC4A5B6977E2FF99304F1545B9E44DC72A6DE34EC418B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD48A61 Relevance: .7, Instructions: 714
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d35d516f0520a4b35b9a32d9008b12ee959e317f5752c497bb2397b7e3b98099
Instruction ID: 5f3342e71da4dcf2ff0dc86910d823ada88b04a1a1883bc47214fcc7d66e618a
Opcode Fuzzy Hash: d35d516f0520a4b35b9a32d9008b12ee959e317f5752c497bb2397b7e3b98099
Instruction Fuzzy Hash: 0222AF30B09A0D4FEBA8EB5984A57B873E2FF98340F55417DD44EC32E2DE39A9428741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD43F3D Relevance: 1.7, Strings: 1, Instructions: 436
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FFD9BD44457

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 7c3e6d41121c81899a4bc8c255ddbbd598a10cdf9f548715867ebc9df2131f7f
Instruction ID: f29f604141e05e8f45d2e6c9480bd27db78a93c9e665c57a4824131faa25600e
Opcode Fuzzy Hash: 7c3e6d41121c81899a4bc8c255ddbbd598a10cdf9f548715867ebc9df2131f7f
Instruction Fuzzy Hash: 58D11B31B0E74E4FE7A99B6894653783BD2EF85310F0512BED48EC71E2DE58AD828741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD3525 Relevance: 1.6, APIs: 1, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD9BAD3607

Memory Dump Source

Source File: 00000000.00000002.2909327055.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bad0000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2135ae8f4ce132ad27761e2ed12d3176e85bc37aaf7025f8b2f26942bf098e95
Instruction ID: 27e327f135002f56c8891c192d94a2bcf692328840ee77c2fb44064f403c299e
Opcode Fuzzy Hash: 2135ae8f4ce132ad27761e2ed12d3176e85bc37aaf7025f8b2f26942bf098e95
Instruction Fuzzy Hash: 0741273190DB8C8FDB19DBA888596F97FF0EF66310F0542AFD049C71A2DA646805C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BAD3569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD9BAD3607

Memory Dump Source

Source File: 00000000.00000002.2909327055.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bad0000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0e6403526c0e0dcafb119d11ab9d7e30699f28b427d7bd7a2ff633214a2ffe10
Instruction ID: c0bdd0801691b3c77f0f858c15730e45abafacfaa5b1a1bd4014b3011c5eb606
Opcode Fuzzy Hash: 0e6403526c0e0dcafb119d11ab9d7e30699f28b427d7bd7a2ff633214a2ffe10
Instruction Fuzzy Hash: 5D31D03190CB5C8FDB19DB988859AF9BBF0FF66320F04426BD049D3292DB74A805CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD43451 Relevance: 1.6, Strings: 1, Instructions: 302
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$_L, xrefs: 00007FFD9BD43673

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID: $_L
API String ID: 0-1448256362
Opcode ID: 44f1475e0c55e76cf0fe27a205367238e1d47f1e4736dd2b873068bc03339ba7
Instruction ID: 114d278830d07803656289bfb75093df5287aa64f547fbcf68e74e51e2639546
Opcode Fuzzy Hash: 44f1475e0c55e76cf0fe27a205367238e1d47f1e4736dd2b873068bc03339ba7
Instruction Fuzzy Hash: 18911731B0EA4E4FDBA9DB6C84645B577E2EF55320B0505BED04EC32E2CE28E9058741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4C349 Relevance: 1.5, Strings: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a$_H, xrefs: 00007FFD9BD4C373

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID: a$_H
API String ID: 0-3636341119
Opcode ID: c3beb7ee3d0bc865dcca370f57d896c915e40bfb86fdb62b5f358f473db9731e
Instruction ID: 64f48288544ddb3333098d569b3bcee17b9a1917e6b201526a8e0ec165a99c5c
Opcode Fuzzy Hash: c3beb7ee3d0bc865dcca370f57d896c915e40bfb86fdb62b5f358f473db9731e
Instruction Fuzzy Hash: 4B513A72B1AE4E0FE7E8D66844656B573C2FF98354B54057ED05EC72E7ED28B9028700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4D6D4 Relevance: 1.4, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

N$_H, xrefs: 00007FFD9BD4D764

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID: N$_H
API String ID: 0-552572439
Opcode ID: bbddc484bd758c375f633dc7225c45ece0ec354ce4e52a596beb1dc44d2fd9bb
Instruction ID: c0f9d9b9a93e9717bc4e3e3b8d42df8c19f6f2dca59f925a03ac2781cfcf2004
Opcode Fuzzy Hash: bbddc484bd758c375f633dc7225c45ece0ec354ce4e52a596beb1dc44d2fd9bb
Instruction Fuzzy Hash: CF316C71B0D7890FE3298B2C582A1617BD2EF86314B1941BFE48EC72D7DD29AC028341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD42C10 Relevance: .5, Instructions: 534
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc04e846b2dc94df7b16b57214ee2bb676107d3488255885d8ba52c7d46b395c
Instruction ID: 7910494459f521e18f56f9fe9eec2c27cf0ba53c5508c98b89f3fd621622f3e7
Opcode Fuzzy Hash: fc04e846b2dc94df7b16b57214ee2bb676107d3488255885d8ba52c7d46b395c
Instruction Fuzzy Hash: 41F19062B2E98D0FE779DBAC88652A477D2FF96310B4501BAD04ECB1E3DD1CAD068341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD49763 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72fc55312942d625372e6a1f3c884dde135e5d39bbd43caf93efd3edbe0b979e
Instruction ID: 7f173831454e5ea993ffedc20af021de2f5a4155631cfa4521815d3f0188f241
Opcode Fuzzy Hash: 72fc55312942d625372e6a1f3c884dde135e5d39bbd43caf93efd3edbe0b979e
Instruction Fuzzy Hash: 50D1823071990D4FDB98EF2DC4A9A7973D2FF99314B1211B9E44EC72A6DE28EC428741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4A3D9 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51b34cf893c0756c29bf78fe5a0fbcb9dbe72e3d1ab686036a25c9fab8a1b72
Instruction ID: 0ae8db8a535efb86853d2d78414864e976d779a7aa1bf0c352e9ac3280b28de3
Opcode Fuzzy Hash: e51b34cf893c0756c29bf78fe5a0fbcb9dbe72e3d1ab686036a25c9fab8a1b72
Instruction Fuzzy Hash: 3FD1A731B0990D8FEBA8EB68C495BB977E2FF98310F055179D05EC72E2DE34A9418B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD48BD9 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951e76d5f8a03fb93505af1b5204b5b980b5a0f47ff937dbbc783b84d3d30095
Instruction ID: 31b6454f3b8b76884c9aa27e9fce079818550b773cb6ea561f66edcbe61b1a11
Opcode Fuzzy Hash: 951e76d5f8a03fb93505af1b5204b5b980b5a0f47ff937dbbc783b84d3d30095
Instruction Fuzzy Hash: 68C1C420B0A60E4FEBA8DB6984657B873D2FF94344F515179D44FC72E3DE2DAA468700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD43125 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc6697cc7e85fdde9ca40ded2b868d16e57ea004b2c2802f0a22b477353fc4b
Instruction ID: d6dd8bd9e5fe715df399e833b2af324b6b0157b92c0bf2eb48676e915542ffdb
Opcode Fuzzy Hash: 8bc6697cc7e85fdde9ca40ded2b868d16e57ea004b2c2802f0a22b477353fc4b
Instruction Fuzzy Hash: 30B1A131B19A0D4FDB68EB6CD4616B973E2FF88324F114279E45EC32D2DE35A9028740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD48C28 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4018659cad2b94386b9387c890fa8703aa2617f1a51b570aeb906c150851f40a
Instruction ID: e4c650849161e861719caa76a18dcbb4eae06040bc5b2603513a414f6f74eee6
Opcode Fuzzy Hash: 4018659cad2b94386b9387c890fa8703aa2617f1a51b570aeb906c150851f40a
Instruction Fuzzy Hash: E2A19220B0A50E4FEBA8DA6D84697A873D2FF94340F55517DD48FC32E3DE29AA468740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD48CA8 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3047ff9666db960cea3f5f557fd993263bcf216ed4bf9e1edfe35eb54e0e93
Instruction ID: bbabbe6df27f0e246da89ea58e60a05185f2aab5a2934c73fc9d27cb809a96e3
Opcode Fuzzy Hash: 7e3047ff9666db960cea3f5f557fd993263bcf216ed4bf9e1edfe35eb54e0e93
Instruction Fuzzy Hash: 17A1A420B0990E4FEBA8DB5D84A97B873D2FF98340F515179D44FC32E3DE69AA468740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD46FC5 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d9a8a9eebcdf16c69404d2731d2963dd7e6c0c5ea56d9c27b02b538bdc357b
Instruction ID: ac5165f9403ac1a985742d619343df400dd6133f84fdf96c9ec3c11a1289de9a
Opcode Fuzzy Hash: 28d9a8a9eebcdf16c69404d2731d2963dd7e6c0c5ea56d9c27b02b538bdc357b
Instruction Fuzzy Hash: FE815B3171E94D0FE7A8EB6C986567537D2EF99320B0501BAE08EC72E7DD25EC428781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD48D58 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b8537067b74d5064a989bee86dae0e5bebacf5f956159e43e139227f8eeee7
Instruction ID: f36c0812a7b1223af53ffd290dd79fd5e94e34a1d58554f8a7fa02328fa72dae
Opcode Fuzzy Hash: c2b8537067b74d5064a989bee86dae0e5bebacf5f956159e43e139227f8eeee7
Instruction Fuzzy Hash: 1C917120B0990D4FEBA8DA5E84A97B873D2FF98344F515179E44FC32E2DE29EA458740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD48CE3 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79deb672ab4a64c9b90901986dc8387566a4eb5553d5276b8e879864ced75a93
Instruction ID: 78b61c4a3b2218819a45992396124d1ea074e57509e34e0a5f5e8330e02caf64
Opcode Fuzzy Hash: 79deb672ab4a64c9b90901986dc8387566a4eb5553d5276b8e879864ced75a93
Instruction Fuzzy Hash: 84918120B0990D4FEBA8DA5E84A97B873D2FF98340F515179E44FC36E2DE29EA458740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD48CC6 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf40eb76a0614675fe6a9fcd2a455f872a1646debc777e6a19b8f6572d43cef
Instruction ID: 0dcf225819433a7274c2499191fb9b2a1df78be36b75c7fe2bc34f5650a4ce90
Opcode Fuzzy Hash: fcf40eb76a0614675fe6a9fcd2a455f872a1646debc777e6a19b8f6572d43cef
Instruction Fuzzy Hash: 79918120B0990D4FEBA8EA5E84A97B873D2FF98340F515179E44FC36D2DE29EA458740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD48D3B Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59697395bc00df2f1ab05b98abb66d415601773b3f1b1bd5b0670e0256736772
Instruction ID: 10d0d46df3f1160035b7415075cf12524aee1c967ef02a9e49884b9c1e6b4cb5
Opcode Fuzzy Hash: 59697395bc00df2f1ab05b98abb66d415601773b3f1b1bd5b0670e0256736772
Instruction Fuzzy Hash: 50918120B0990D4FEBA8EB5E84A97B873D2FF98340F515179E44FC32D2CE29EA458744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD48BBD Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b62b24139207ff59ea2c1c21fc205ee1e4b4ca18dfd9ba8581e19357ccab7a
Instruction ID: 98ec1eb851f6c2398c9c1daf4e31422169726345795afbfeda441b37c1630e8e
Opcode Fuzzy Hash: 05b62b24139207ff59ea2c1c21fc205ee1e4b4ca18dfd9ba8581e19357ccab7a
Instruction Fuzzy Hash: 10918020B0990D4FEBA8EA5E84A97B873D2FF98340F515179E44FC32D2CE29EA458740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD48D1D Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578790a581a9b07c417b99096986bd9cbe2cd1b738bcd1945e50d731e576caf4
Instruction ID: 1bc62645a38bb57432e3f767c35b42d07706899b581c8db2aace97ab2b70dff3
Opcode Fuzzy Hash: 578790a581a9b07c417b99096986bd9cbe2cd1b738bcd1945e50d731e576caf4
Instruction Fuzzy Hash: B5918120B0990D4FEBA8DB5E84A97B873D2FF98340F515179E44FC32D2DE29EA458740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD48D01 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7a4e55e28e1f67e59de95cae5eb244f6f9049938b539e95753e9c336a45af5
Instruction ID: 26046f3697a67af83bf57cb4a3b4054dbaa7e977ce9c61fd96117a0dca2be198
Opcode Fuzzy Hash: ca7a4e55e28e1f67e59de95cae5eb244f6f9049938b539e95753e9c336a45af5
Instruction Fuzzy Hash: 23918120B0990D4FEBA8DA5E84A97B873D2FF98340F515179E48FC32D2DE29EA458744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4BD32 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485c8a34b54b68cbff83bd24d4097a8a4a370a194e4a14e48fa719d412b12210
Instruction ID: a323b79d9d08874a273036c013b61966b4991b2b68c7664e04709b5705000897
Opcode Fuzzy Hash: 485c8a34b54b68cbff83bd24d4097a8a4a370a194e4a14e48fa719d412b12210
Instruction Fuzzy Hash: F981C030B09A4E4FEBA9DF688864AB577E2EF95300F0604F6D45EC71E6DA28AD41C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4D231 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed9259d99b137641317bf79e3f027c31bc0a025b835ee606b96e5d0662e81d4
Instruction ID: ca754318934e812bcccd1c7beeb3cf4e7884066dcd4b50e177acf8a8dc230d6d
Opcode Fuzzy Hash: 8ed9259d99b137641317bf79e3f027c31bc0a025b835ee606b96e5d0662e81d4
Instruction Fuzzy Hash: D971927171D94D4FDB98EF6CC4A4AA977E2FF98314B0506BAE04EC72E6DA24EC018741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD46C31 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df64bb9227cde9b0c43ea6907d7e661e77ff30c31370ca849068224cad96375e
Instruction ID: e9c66e808de843f51b41b84051f8f890046d5a9964ff8dd4bc5da3a2d7eb802e
Opcode Fuzzy Hash: df64bb9227cde9b0c43ea6907d7e661e77ff30c31370ca849068224cad96375e
Instruction Fuzzy Hash: 2161F461B1A94E4FE7A9AB6C846167623D3FF99350B4511FDE04FC72E6CE29BC428340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4C15F Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18cec5f572d00c568be40a6d9a1aad45d5f3d8649863998d68a910c39444a74
Instruction ID: 5d96db81290ae3d896a25f826678b5a89d39eb40fa7da4ed1ef7fd8206df7854
Opcode Fuzzy Hash: f18cec5f572d00c568be40a6d9a1aad45d5f3d8649863998d68a910c39444a74
Instruction Fuzzy Hash: 5351B571B19E4D4FEBE9AF6C40A46B463C2EF98384B54017AD41EC32EBDD29A8428700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD436F5 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e33a629c2a9279ef77e3c26728b28d18d24a9a1b0e1c9758fed2b443e3cee9f
Instruction ID: 04f8e73efaa57b8325fb0fced26f8716728a6a3667cbe0cfc8e8a7009364e116
Opcode Fuzzy Hash: 9e33a629c2a9279ef77e3c26728b28d18d24a9a1b0e1c9758fed2b443e3cee9f
Instruction Fuzzy Hash: 6A51F730B0DA4D4FEB6DAB6C94506757BD1EF96338F11127ED48EC31E6DD19A8028781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4CAC9 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4375963d3e5910bfa0419d45db1dd6ec9402505ad593d96b0da4c062b62d639f
Instruction ID: bc29dcaf06f58fb1fdd49db534d6a46e04fb90d7682c7532b65a0f7ef64dab8a
Opcode Fuzzy Hash: 4375963d3e5910bfa0419d45db1dd6ec9402505ad593d96b0da4c062b62d639f
Instruction Fuzzy Hash: 75514862B0EA8A0FE77DCB6844655A47BD2EF94350B0942BED08ACB1E3DD586985C381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4CED0 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8894eb26c1fd615560eea83dab913f24b2d641c356076ef245934749f5449d03
Instruction ID: ae04179e90d562c1e0621889bbc012902c08e35b7b73ff86a9fa7e54a9f34dbf
Opcode Fuzzy Hash: 8894eb26c1fd615560eea83dab913f24b2d641c356076ef245934749f5449d03
Instruction Fuzzy Hash: B9517C30B0AA4E8FEBA8DF58C461BA937A1FF45315F4501B9E40EC71E2CB29A955CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4CD75 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57e369fb119b4b652a7a1a78036d2afb6fbe169d5b9d1934ab21db4e173ce2a
Instruction ID: a93e7e1252228dadc6fc678f67ff7024560c4a19e27591a88be1ce3baaf9c9fc
Opcode Fuzzy Hash: c57e369fb119b4b652a7a1a78036d2afb6fbe169d5b9d1934ab21db4e173ce2a
Instruction Fuzzy Hash: 9A41DF71A08A4D8FDB58DF6898596F97BE1FF98311F04427FE04ED32A1DB34A9418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD44705 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a472e847f882ec7c716c2ab8c28f800cb4de7418412879b6a9d55b8088018fd
Instruction ID: 51b33776b7876f7add24fc2ee99baa88e526f818f1f691ee5955129a6b47e295
Opcode Fuzzy Hash: 8a472e847f882ec7c716c2ab8c28f800cb4de7418412879b6a9d55b8088018fd
Instruction Fuzzy Hash: CA41B23170DC1D4FEAA8FA5CE4A0AB433D1FF5932471110BAD44EC72A6DE19EC828B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD46E69 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa74ad8b524ad97d272067ab7e62f56682b83d1dc50cc9e0d73e49758f49dbbc
Instruction ID: 91a8fb811484ab31afe4d0c3a58fbdbf9932726236d9d7bd2a24da083f0c67f3
Opcode Fuzzy Hash: aa74ad8b524ad97d272067ab7e62f56682b83d1dc50cc9e0d73e49758f49dbbc
Instruction Fuzzy Hash: 5B41E561B1FA890FE7A6973C84646657FE2DFA6300B0944FAD4CECB1F3D919AD858301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD42EC6 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bddf3d5ca2f23d8a6ed2d2e483d7bfa5b7d30844a30add9d271b9528bd827344
Instruction ID: 29b08222ac2cfaefcba04dd53c4942400d458ca862f9a7e16bbbc725884942c6
Opcode Fuzzy Hash: bddf3d5ca2f23d8a6ed2d2e483d7bfa5b7d30844a30add9d271b9528bd827344
Instruction Fuzzy Hash: 39418072B1FA8E0FD7AA97B844505A037D2EF9A324B4501BBC44DCB1E7DD299946C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD420B0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a87d391cb3b2de223e2e787ef0294d47dae6f29d58ff662500f0661ebd0f79
Instruction ID: 860560bd97d49bc7e5ef53da0ba0232220fea0981920831b1a5a24f39f5adc4f
Opcode Fuzzy Hash: 84a87d391cb3b2de223e2e787ef0294d47dae6f29d58ff662500f0661ebd0f79
Instruction Fuzzy Hash: 4741E563A1D5550AD329BABCACA24E437509F2A63EB0986F3E4BE8E0D7DD1C6440C295

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4CDF1 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59dd767c7754c066465a84175298d3617a27e42566f531ce85bacdf1c45b0512
Instruction ID: ab90123f196146f18499607c4bae876d804e4c34950c852bfd963a95b331fbaf
Opcode Fuzzy Hash: 59dd767c7754c066465a84175298d3617a27e42566f531ce85bacdf1c45b0512
Instruction Fuzzy Hash: A841BE71A08A4C8FDB58DF58D855AE9BBE1FF99310F04426EE04DD32A1DB34A912CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4387D Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8a43bc940097f7c1f9089a45a36cb744e290c514cdb351ef9a7bd0aedbd906
Instruction ID: 77c677d3f9221ebef8ae211f6a754bd0e0908596acbe0e7cd6fc17373a3b9768
Opcode Fuzzy Hash: 5b8a43bc940097f7c1f9089a45a36cb744e290c514cdb351ef9a7bd0aedbd906
Instruction Fuzzy Hash: 46315D22B1EA8D0FF36C966C6C565B47BD2DF9537070642BAE09EC71E7DC19AD028340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD44CD5 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b65f97734ce6f6cf91a093795a69e16130769552091f9403c27c8e446e48e5
Instruction ID: ec897b7dfc581d2a3501df4836ef5bcd080e6573994834c961567c246f618638
Opcode Fuzzy Hash: e1b65f97734ce6f6cf91a093795a69e16130769552091f9403c27c8e446e48e5
Instruction Fuzzy Hash: E3312721B1FB8E0FEBA9DA6C84649617BD2EF65340B0950BED44DCB1E2DE24D9818741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD428F2 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2d13d69ce5e39da673e5963fda4a087f3356c4362d87685dc57c2923bcb4ec
Instruction ID: 2276e982d86d60b459c8211db0d9cf0a759b87a1fa75ddfe0ff66e0c11eeb85c
Opcode Fuzzy Hash: 2f2d13d69ce5e39da673e5963fda4a087f3356c4362d87685dc57c2923bcb4ec
Instruction Fuzzy Hash: A8312C21B3DA8E0FE758A79888B16F937A1EF59314F010277E48FC71D7DD2869058351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD43730 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdceb7bc8bf36ec280829af7292a3f5123f8cdbcee076dacf1f83882deec266d
Instruction ID: 8b9b181f2091b606b3842d33ea069bc93255fcf90c1ee60822cd61addf388936
Opcode Fuzzy Hash: fdceb7bc8bf36ec280829af7292a3f5123f8cdbcee076dacf1f83882deec266d
Instruction Fuzzy Hash: 8431E83171C90D4FFB9CFB6C9455A7573D2EF95324B011179E85EC32E6ED28A8114781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4D155 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33e239d4163255f7e6a1d2b60a800ef3a793fe93d7b3f17a7b9b4005abd8080
Instruction ID: 43bc1d12736a67eba8b57e4746905f5b14051aeb4b6933a6d62445f6c02e9d63
Opcode Fuzzy Hash: c33e239d4163255f7e6a1d2b60a800ef3a793fe93d7b3f17a7b9b4005abd8080
Instruction Fuzzy Hash: A8312631A0E98B5FE77D836894B467476D2EF46310F5A50BAC84FC71E2DE18EE818741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD475EC Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df99508aba0fae87e8ba62c10f761fe767d0b17a303724758aa7d98808608c7
Instruction ID: 70dea2f9c42605ed4d7ccdbfaaec38726bc90071e10efcc64a185eb72a1a4c10
Opcode Fuzzy Hash: 3df99508aba0fae87e8ba62c10f761fe767d0b17a303724758aa7d98808608c7
Instruction Fuzzy Hash: 9511EB23B1EE4D0BE3FCA65C68555B537C3EF9876071612BAE45EC72D6DC14BC424280

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD475F0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871b1f300397e81551f6ddd04f6653b9e5cb68b3ff2e888cf242318e60a1af3e
Instruction ID: db87b827d632f9b129411e4e825d080a38e34e92b060a4eade503fc3e9c2c1d6
Opcode Fuzzy Hash: 871b1f300397e81551f6ddd04f6653b9e5cb68b3ff2e888cf242318e60a1af3e
Instruction Fuzzy Hash: E5110A22B1EE0D0BE3FCA65C68555B533C3EF9836071612BAE45EC32D6EC14BC424280

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD43140 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d306e300ab19d9a866b1bb30f5b6352f8144b87aaf74db5aabb2dfde5da812
Instruction ID: 27a4762c755784c43e5fcb3a3cf5eee9b0aa7bbe5a8b6ed3404f78c86b246cb3
Opcode Fuzzy Hash: 15d306e300ab19d9a866b1bb30f5b6352f8144b87aaf74db5aabb2dfde5da812
Instruction Fuzzy Hash: D521D131A08A0C8FDB58EF6CC4556A973E2FF89325B10013EE40DD3292CB31E812CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4CD09 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86da5ca74f715cdc76ff87a1b7bd6541549851b9872fd9048d73e462f9c79ec3
Instruction ID: 9138ccd4f9c5c7a0f9c3744158c8ae43456f1e5868cada048a021e938edcd138
Opcode Fuzzy Hash: 86da5ca74f715cdc76ff87a1b7bd6541549851b9872fd9048d73e462f9c79ec3
Instruction Fuzzy Hash: CF219041A4F6DA0FE35B67B80C394A53FA19F9715071E41FBD086CB4F3D84C494A8362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4C466 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2945f4dc1968ddb7f60036fb42f9b540a951f22a9a7425207e14435ae80399b2
Instruction ID: 7b13a707b9f72c0fc2bb1e5c811b634f29cc118bb08ee0f24a4b5d3258fb25e2
Opcode Fuzzy Hash: 2945f4dc1968ddb7f60036fb42f9b540a951f22a9a7425207e14435ae80399b2
Instruction Fuzzy Hash: 75217B93B1EE8A0FE79D926804667B467C2FFA8350B0805BED08FC71E7ED18B8064300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4D0CD Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5a59b4c79cd79e585651f8f3c251af60f2de52077c88096fc4af672b04c15e
Instruction ID: b23ba426657fd26f5e4a57d648b98c04230befe596d6e20d46fdbb72f6279b4a
Opcode Fuzzy Hash: 9f5a59b4c79cd79e585651f8f3c251af60f2de52077c88096fc4af672b04c15e
Instruction Fuzzy Hash: 6721023158F6CA1FC346A7B888259D57FE5EF8B12030D02FAE089CB5A3C91C9847C361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4798D Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1329c3421ddfb9a6296552c99b4fa8519dab1f22082a91f990c96cb2a85b1a2d
Instruction ID: a7c6e5c2e617384af81fade11770ecee6bfbd59d3c163fceae2f77fc56c0e1bf
Opcode Fuzzy Hash: 1329c3421ddfb9a6296552c99b4fa8519dab1f22082a91f990c96cb2a85b1a2d
Instruction Fuzzy Hash: C0218B3061CA0D8FDB98DF1CD4556A9B7E2FF98321F10113EE48AD32A1CE32E8428B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD42943 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc6ed693ddfd1ce69d00a8b8e1d6eaaea5b10679f2eb1e95322a8442906c5bf
Instruction ID: 92e7ef446ffc889eb6fcc55de62fd66ede52ab4c85d2feabfd85679ca4ea3f51
Opcode Fuzzy Hash: 2cc6ed693ddfd1ce69d00a8b8e1d6eaaea5b10679f2eb1e95322a8442906c5bf
Instruction Fuzzy Hash: F121C222B35A4E0BE768A79884A16FA73D2EF98314F40463AD44FC71DBDD68A9024380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD42309 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c873139c9716f49fdd261c66c2166b41a479430f423fae2ae494a5df4000723d
Instruction ID: 01677cecb82c3b831fdad8545641544dd49846f0726026625319e4a4b37e1d2d
Opcode Fuzzy Hash: c873139c9716f49fdd261c66c2166b41a479430f423fae2ae494a5df4000723d
Instruction Fuzzy Hash: 4B012F32A2D6CD0FD7599BA448650E97FF1EF96210B4602FBE059CB0D3DE6465068340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4CCA5 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c939784502e6817093b0604cd0defa557c0ecf6870b2726ce3e611574e27e2
Instruction ID: eea30179425957cf865a089c9fded8899931da1644dfe88ae942a99aea6f39c1
Opcode Fuzzy Hash: 14c939784502e6817093b0604cd0defa557c0ecf6870b2726ce3e611574e27e2
Instruction Fuzzy Hash: 4B01E56258F3D21FC3039BB48C289863FA99E9716030E85EBE085CB4B3D04D490BC762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4C75F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd7758b12b945ccc8c4e66c45a6dc71daf738c2878b21df080e9102cd57dc4a
Instruction ID: cda0d6e570507073f5a78e0d3f545afe64e485bb25051bc59a15fbc26821d53d
Opcode Fuzzy Hash: 9cd7758b12b945ccc8c4e66c45a6dc71daf738c2878b21df080e9102cd57dc4a
Instruction Fuzzy Hash: 0401B162B16E4A0BD7ADEA38446057962D3FFD834070845BE901FC72D6CF29A9064700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD44C61 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b1c7fc1dd31703d20f8bf1152c28a276ea5f4997f785a93b41e63581658655
Instruction ID: 2ce77718f8058d82f3a5c3c71920e2a5f9445158860124a729904439146bc9a5
Opcode Fuzzy Hash: 08b1c7fc1dd31703d20f8bf1152c28a276ea5f4997f785a93b41e63581658655
Instruction Fuzzy Hash: 7D01F96190E6494FE756E32894552AA7FD1DFC5220F0D066ED08DC60F2CD584AC58382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4223A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f303d16d1f4e57a188a22a3357a375541673fceaf84793d395288fefa90ade
Instruction ID: d71da1ab8bbfc32d3fa076bca6ecd36b5855878d8e641e67ce9be621df67a4c9
Opcode Fuzzy Hash: 59f303d16d1f4e57a188a22a3357a375541673fceaf84793d395288fefa90ade
Instruction Fuzzy Hash: 6AF0F62291DACC2FDB5597A488655E67FB1EF86300F8601EBD498DB1A3C9286605C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD43020 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58dfe3d46efe15d6b9b18ae78697e3b818f707003424cca274444dcaffc2f456
Instruction ID: 07a3ecea5229457108ea1dc37640ebb3397ee80780ae23f66338107eae31a5a6
Opcode Fuzzy Hash: 58dfe3d46efe15d6b9b18ae78697e3b818f707003424cca274444dcaffc2f456
Instruction Fuzzy Hash: DFF0E921B29A4D4BE7A8AB3C541127133D1EF99314B5606B9D49ED71B2DF28ED024341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4340D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cf21d9e70ce76508cf83898484feef363597d488487a1893d6b1d777935134
Instruction ID: 353e0bb725f200bd6b54764fe31fb29fb9f16c7127775dfe6d6e3bb214501ae9
Opcode Fuzzy Hash: 70cf21d9e70ce76508cf83898484feef363597d488487a1893d6b1d777935134
Instruction Fuzzy Hash: E0F0A77150D50D5FD728EF59EC565EB37A4FF85230F00023AF45D82152E6756962C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD422A9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ddd055393d444eddee6397fbf68ba3c3544f40b13fa01678ca3940347b0742
Instruction ID: fc384e6c237297fc249001a1f5cfc36d6e11c0266d16076b562559b549d9960a
Opcode Fuzzy Hash: b2ddd055393d444eddee6397fbf68ba3c3544f40b13fa01678ca3940347b0742
Instruction Fuzzy Hash: 0EF0F631A2E6CC0FE7599BB448660E97FB1EF86210F4602E7E459DB0A3DE6859458300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD4C439 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892cd3458a3e502c3033daf4db22aaa917df622daddf30b7ab717899cab54aa4
Instruction ID: 8b52280ea69864d931fd68a4115038cfd0c251ae31749f486bbdb48bc522e3b4
Opcode Fuzzy Hash: 892cd3458a3e502c3033daf4db22aaa917df622daddf30b7ab717899cab54aa4
Instruction Fuzzy Hash: 49D02B43F0E18C06EBA0A15868501F96385DB92114F64427AC05A43057DC1A91058701

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9BD410D1 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9cd676db17d0667adb9fd5b8c171563a1341fbd3b773f8741a5df9ab8669a1e
Instruction ID: ec2a9eb2d27d571b3bfd7972f86f5bf8dcec8f7328815fb1a1348d17dfe58b4d
Opcode Fuzzy Hash: a9cd676db17d0667adb9fd5b8c171563a1341fbd3b773f8741a5df9ab8669a1e
Instruction Fuzzy Hash: 8BE12016A0D1A24AE729B6BCACB28E52B509F1623FB0D47F3F4EE4D0D79D0C2586C195

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9BD410FA Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2911015791.00007FFD9BD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BD40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bd40000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb834bd7567410cb542e1ef1963193211126117ef225793434740dd0e2deb5f
Instruction ID: 7c9db82c34ac254dc112bf0fba6ac5abe346235209ca958f1ba75142d2b39c8f
Opcode Fuzzy Hash: edb834bd7567410cb542e1ef1963193211126117ef225793434740dd0e2deb5f
Instruction Fuzzy Hash: 94D12016A0D1A246E729B6BCACB28E53B509F1623FB0D87F3F4EE4D0D79D082586C195

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Client.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
Client.exe

Function 00007FFD9BD45BE1 Relevance: 1.9, Strings: 1, Instructions: 694
COMMON