Loading... Additional Content is being loaded
Windows
Analysis Report
Xp7zCcGiGj.exe
Overview
General Information
| Sample name: | Xp7zCcGiGj.exerenamed because original name is a hash value |
| Original sample name: | dc17a1ec3a9bb84d21a7f6a7e77133f6.exe |
| Analysis ID: | 1546536 |
| MD5: | dc17a1ec3a9bb84d21a7f6a7e77133f6 |
| SHA1: | 2a6c10ea20bff9e297770bca2477a8bb82378c45 |
| SHA256: | 82687bbf89460d44b3cef2d06f5d09288c45d787323254026f39cb3421cc3954 |
| Tags: | 32exetrojan |
| Infos: |   |
 |
|
Detection
Quasar
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected Quasar RAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Quasar RAT, QuasarRAT | Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult. |
|
|
AV Detection |
  |
|---|
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Avira: |
||
| Source: |
Malware Configuration Extractor: | ||