Windows Analysis Report
Loader.exe

AI detected suspicious sample

Source: Yara match	File source: Loader.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Loader.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1235547319.00000000005E0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3708336873.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1264333421.000000001B460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1235147298.00000000002C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loader.exe PID: 4892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Loader.exe

Joe Sandbox ML: detected

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.7:49702 version: TLS 1.2

Source: Loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 193.161.193.99:62863 -> 192.168.2.7:49699
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 193.161.193.99:62863 -> 192.168.2.7:49699

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: Dystopian-62863.portmap.host

Yara detected Generic Downloader

Source: Yara match	File source: Loader.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Loader.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.7:49699 -> 193.161.193.99:62863

Source: Joe Sandbox View	IP Address: 193.161.193.99 193.161.193.99
Source: Joe Sandbox View	IP Address: 108.181.61.49 108.181.61.49

Source: Joe Sandbox View

ASN Name: BITREE-ASRU BITREE-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: Dystopian-62863.portmap.host
Source: global traffic	DNS traffic detected: DNS query: ipwho.is

Source: Client.exe, 00000004.00000002.3713603694.000000001C107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Client.exe, 00000004.00000002.3706720852.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Client.exe, 00000004.00000002.3706720852.00000000018B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9cdf77c02eb3b
Source: Client.exe, 00000004.00000002.3708336873.000000000398E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: Client.exe, 00000004.00000002.3708336873.00000000039DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: Loader.exe, 00000000.00000002.1259103778.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3708336873.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Loader.exe, Client.exe.0.dr	String found in binary or memory: https://api.ipify.org/
Source: Client.exe, 00000004.00000002.3708336873.0000000003974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: Loader.exe, Client.exe.0.dr	String found in binary or memory: https://ipwho.is/
Source: Loader.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Loader.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Loader.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.7:49702 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Client.exe

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: Loader.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Loader.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1235547319.00000000005E0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3708336873.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1264333421.000000001B460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1235147298.00000000002C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loader.exe PID: 4892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

System Summary

Source: Loader.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: Loader.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Loader.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.Loader.exe.2c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.Loader.exe.2c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.Loader.exe.2c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAAC973C6F	4_2_00007FFAAC973C6F
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACBFE581	4_2_00007FFAACBFE581
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACBFFE90	4_2_00007FFAACBFFE90
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACBE55E9	4_2_00007FFAACBE55E9
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACBFB861	4_2_00007FFAACBFB861
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACBE9FD0	4_2_00007FFAACBE9FD0
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACBEAFDD	4_2_00007FFAACBEAFDD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACBE9271	4_2_00007FFAACBE9271
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACBF8A1B	4_2_00007FFAACBF8A1B
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACBFCAE5	4_2_00007FFAACBFCAE5
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACBF7C26	4_2_00007FFAACBF7C26
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACBFEBD4	4_2_00007FFAACBFEBD4
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACBE621F	4_2_00007FFAACBE621F
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACD02321	4_2_00007FFAACD02321

Source: Loader.exe, 00000000.00000002.1264333421.000000001B460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Loader.exe
Source: Loader.exe, 00000000.00000000.1235547319.00000000005E0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Loader.exe
Source: Loader.exe	Binary or memory string: OriginalFilenameClient.exe. vs Loader.exe

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Loader.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: Loader.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Loader.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.Loader.exe.2c0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.Loader.exe.2c0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.Loader.exe.2c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/5@2/2

Source: C:\Users\user\Desktop\Loader.exe

File created: C:\Users\user\AppData\Roaming\SubDir

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\e1de8f9b-5a7a-4798-a6fb-c03591ef3442
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2024:120:WilError_03

Source: Loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Loader.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Loader.exe

ReversingLabs: Detection: 78%

Source: Loader.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: C:\Users\user\Desktop\Loader.exe

File read: C:\Users\user\Desktop\Loader.exe

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe C:\Users\user\AppData\Roaming\SubDir\Client.exe
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior

Source: Loader.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Loader.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Loader.exe

Static file information: File size 3266048 > 1048576

Source: Loader.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c600

Source: Loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_00007FFAAC9600BD pushad ; iretd	0_2_00007FFAAC9600C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAAC85D2A5 pushad ; iretd	4_2_00007FFAAC85D2A6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAAC9700BD pushad ; iretd	4_2_00007FFAAC9700C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACBFDBB0 push ss; retn FFD7h	4_2_00007FFAACBFDD1F
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACBE33FF push eax; ret	4_2_00007FFAACBE340C
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFAACD02321 push edx; retf 5F20h	4_2_00007FFAACD05A3B
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 5_2_00007FFAAC9A00BD pushad ; iretd	5_2_00007FFAAC9A00C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 5_2_00007FFAAC9A0B2D push esp; ret	5_2_00007FFAAC9A0B26
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 5_2_00007FFAAC9A0231 push ecx; ret	5_2_00007FFAAC9A02B6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 5_2_00007FFAAC9A0A08 push edi; ret	5_2_00007FFAAC9A0A76
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 5_2_00007FFAAC9A0B17 push esp; ret	5_2_00007FFAAC9A0B26

Source: C:\Users\user\Desktop\Loader.exe

File created: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\Loader.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\Desktop\Loader.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Memory allocated: 1A850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1B5B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 3280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1B490000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Code function: 4_2_00007FFAAC97F1F2 str ax

4_2_00007FFAAC97F1F2

Source: C:\Users\user\Desktop\Loader.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Window / User API: threadDelayed 2036			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Window / User API: threadDelayed 7823			Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe TID: 6124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6524	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 396	Thread sleep count: 2036 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 396	Thread sleep count: 7823 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6880	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Loader.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Client.exe, 00000004.00000002.3713603694.000000001C184000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Client.exe, 00000004.00000002.3713004189.000000001BDB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW)

Source: C:\Users\user\Desktop\Loader.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe	Queries volume information: C:\Users\user\Desktop\Loader.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: Loader.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Loader.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1235547319.00000000005E0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3708336873.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1264333421.000000001B460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1235147298.00000000002C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loader.exe PID: 4892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Remote Access Functionality

Source: Yara match	File source: Loader.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Loader.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1235547319.00000000005E0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3708336873.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1264333421.000000001B460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1235147298.00000000002C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Loader.exe PID: 4892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	11 Input Capture	1 Query Registry	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Loader.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
Loader.exe	100%	Avira	HEUR/AGEN.1307453
Loader.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\SubDir\Client.exe	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Roaming\SubDir\Client.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SubDir\Client.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar

Source	Detection	Scanner	Label	Link
Dystopian-62863.portmap.host	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
ipwho.is	108.181.61.49	true	false	high
Dystopian-62863.portmap.host	193.161.193.99	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/	false		high
Dystopian-62863.portmap.host	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	Loader.exe, Client.exe.0.dr	false	high
https://stackoverflow.com/q/14436606/23354	Loader.exe, Client.exe.0.dr	false	high
https://stackoverflow.com/q/2152978/23354sCannot	Loader.exe, Client.exe.0.dr	false	high
http://schemas.datacontract.org/2004/07/	Client.exe, 00000004.00000002.3708336873.00000000039DD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Loader.exe, 00000000.00000002.1259103778.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3708336873.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ipwho.is	Client.exe, 00000004.00000002.3708336873.000000000398E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	Loader.exe, Client.exe.0.dr	false	high
https://ipwho.is	Client.exe, 00000004.00000002.3708336873.0000000003974000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.161.193.99	Dystopian-62863.portmap.host	Russian Federation		198134	BITREE-ASRU	true
108.181.61.49	ipwho.is	Canada		852	ASN852CA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574484
Start date and time:	2024-12-13 11:15:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Loader.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/5@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 88% Number of executed functions: 60 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.22.50.131, 2.22.50.144, 13.107.246.63, 4.245.163.56, 4.175.87.197
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, time.windows.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Execution Graph export aborted for target Client.exe, PID 6992 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Loader.exe

Simulations

Behavior and APIs

Time	Type	Description
05:16:18	API Interceptor	14125009x Sleep call for process: Client.exe modified
11:16:16	Task Scheduler	Run new task: SubStart path: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.161.193.99	Yq5Gp2g2vB.exe	Get hash	malicious	RedLine	Browse	okmaq-24505.portmap.host:24505/
	JnBNepHH7K.exe	Get hash	malicious	AsyncRAT RedLine	Browse	exara32-64703.portmap.host:64703/
	99SKW728vf.exe	Get hash	malicious	RedLine	Browse	lottie9nwtina-55339.portmap.host:55339/
	amazoninvoiceAF0388d83739dee83479171dbcf.exe	Get hash	malicious	RedLine	Browse	tete2792-22120.portmap.host:22120//
108.181.61.49	Cracker.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwho.is	Hydra.ccLoader.bat	Get hash	malicious	Unknown	Browse	108.181.61.49
	full.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	https://gvvc18-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-844-439-9938	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm	Browse	103.126.138.87
	TeudA4phjN.exe	Get hash	malicious	Quasar	Browse	103.126.138.87
	http://www.sbh.co.uk/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	103.126.138.87
	file.exe	Get hash	malicious	Quasar	Browse	103.126.138.87
	file.exe	Get hash	malicious	Quasar	Browse	103.126.138.87
	ugjigghFzZ.exe	Get hash	malicious	Quasar	Browse	103.126.138.87
	http://web-quorvyn.azurewebsites.net	Get hash	malicious	TechSupportScam	Browse	103.126.138.87
bg.microsoft.map.fastly.net	1434orz.exe	Get hash	malicious	Quasar	Browse	199.232.214.172
	file.exe	Get hash	malicious	Stealc	Browse	199.232.214.172
	3.exe	Get hash	malicious	CobaltStrike, ReflectiveLoader	Browse	199.232.210.172
	3.exe	Get hash	malicious	CobaltStrike	Browse	199.232.210.172
	Bilbao.dll.dll	Get hash	malicious	Unknown	Browse	199.232.210.172
	3181425fa7464801a03868a1adf86bc1.ps1	Get hash	malicious	Unknown	Browse	199.232.214.172
	job.ps1	Get hash	malicious	DcRat, StormKitty, VenomRAT	Browse	199.232.210.172
	job.ps1	Get hash	malicious	DcRat, StormKitty, VenomRAT	Browse	199.232.210.172
	Ni2ghr9eUJ.exe	Get hash	malicious	Socks5Systemz	Browse	199.232.214.172
	MN2MXYYRQG.exe	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	arm7.nn-20241213-0355.elf	Get hash	malicious	Mirai, Okiru	Browse	50.98.219.123
	Hydra.ccLoader.bat	Get hash	malicious	Unknown	Browse	108.181.61.49
	full.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	jew.sh4.elf	Get hash	malicious	Unknown	Browse	75.158.230.151
	mpsl.elf	Get hash	malicious	Mirai	Browse	198.166.177.229
	mips.elf	Get hash	malicious	Mirai	Browse	142.41.252.248
	https://gvvc18-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-844-439-9938	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	PO2412010.exe	Get hash	malicious	FormBook	Browse	108.181.189.7
	rebirth.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	206.116.110.1
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	108.181.135.156
BITREE-ASRU	System.exe	Get hash	malicious	Quasar	Browse	193.161.193.99
	CritScript.exe	Get hash	malicious	Binder HackTool, Quasar	Browse	193.161.193.99
	Client-built.exe	Get hash	malicious	Quasar	Browse	193.161.193.99
	https://bb.vg/STDBANK	Get hash	malicious	Unknown	Browse	193.161.193.99
	0Nj1sxmCtr.exe	Get hash	malicious	Binder HackTool, Quasar	Browse	193.161.193.99
	10a790a9b50e4c6f915746b6794d78015c30d86f929e0.exe	Get hash	malicious	Quasar	Browse	193.161.193.99
	kwlYObMOSn.exe	Get hash	malicious	XWorm	Browse	193.161.193.99
	https://fxwf9-53194.portmap.io:53194/?x=sb232111	Get hash	malicious	Unknown	Browse	193.161.193.99
	invoice263886766 AWB.vbs	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse	193.161.193.99
	https://E.vg/FoedcaVhT	Get hash	malicious	Unknown	Browse	193.161.193.99

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	smb.ps1	Get hash	malicious	Xmrig	Browse	108.181.61.49
	j87MOFviv4.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	DvGZE4FU02.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	j3z5kxxt52.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	zpbiw0htk6.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49
	Uniswap Sniper Bot With GUI.exe	Get hash	malicious	Unknown	Browse	108.181.61.49
	Kopia%20p%C5%82atno%C5%9Bci_Santander_TF1903218545300000564290004.exe	Get hash	malicious	Unknown	Browse	108.181.61.49
	Kopia%20p%C5%82atno%C5%9Bci_Santander_TF1903218545300000564290004.exe	Get hash	malicious	Unknown	Browse	108.181.61.49
	archive.htm	Get hash	malicious	HTMLPhisher	Browse	108.181.61.49
	2024_12_12_Aster_Oak_Babywear_Advertising_Project_Shopify.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.150184159866505
Encrypted:	false
SSDEEP:	6:kKZL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:BiDnLNkPlE99SNxAhUe/3
MD5:	95FF8A558ADBD98EDCD33B5D65F5D13F
SHA1:	841A73C0BF8676AF0AE1AE569C87CEF716EDB22C
SHA-256:	3A2F04A668869AD7932CDAF98F149F30CBF59E4708CE399F01FA99047064F20E
SHA-512:	524161E461DEB55423425C15D0212AD554B4E368B5DD7D14D7DD4C7D8F5DB9B7520AA5CFCB8D78D4A845A15F85DFCC238FBC21EF3BEDFC401A19651604FC792E
Malicious:	false
Reputation:	low
Preview:	p...... ..........O.IM..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

Process:	C:\Users\user\Desktop\Loader.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Roaming\SubDir\Client.exe

Process:	C:\Users\user\Desktop\Loader.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3266048
Entropy (8bit):	6.08501627050001
Encrypted:	false
SSDEEP:	49152:fvrI22SsaNYfdPBldt698dBcjHCWvXE/sGkCqILo+dPVTHHB72eh2NT:fvU22SsaNYfdPBldt6+dBcjHCWvTm
MD5:	E9A138D8C5AB2CCCC8BF9976F66D30C8
SHA1:	E996894168F0D4E852162D1290250DFA986310F8
SHA-256:	E63B41BFDD3A89B6EBCFC05DB158FDC399DBC081E49B01498831A62DF34DEFC3
SHA-512:	5982FC759C8B1121AB5BEFAAC53E1521931F06D276140195FA1FCBCD1069F546253E366EF4CC37245B3BC2ED60C4B8D0583F133A1264EFD77938ADF456A08CCC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@...................................1.K.....2...................... 2...................................................... ............... ..H............text...$.1.. ....1................. ..`.rsrc.........2.......1.............@..@.reloc....... 2.......1.............@..B..................1.....H........................k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(........0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.............--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.............-5..........08......f~w...,.~....(....(.....v.(.....s....}.....s....}....r..(......(.....(......(....*....0..L........{....r...po....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.08501627050001
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Loader.exe
File size:	3'266'048 bytes
MD5:	e9a138d8c5ab2cccc8bf9976f66d30c8
SHA1:	e996894168f0d4e852162d1290250dfa986310f8
SHA256:	e63b41bfdd3a89b6ebcfc05db158fdc399dbc081e49b01498831a62df34defc3
SHA512:	5982fc759c8b1121ab5befaac53e1521931f06d276140195fa1fcbcd1069f546253e366ef4cc37245b3bc2ed60c4b8d0583f133a1264efd77938adf456a08ccc
SSDEEP:	49152:fvrI22SsaNYfdPBldt698dBcjHCWvXE/sGkCqILo+dPVTHHB72eh2NT:fvU22SsaNYfdPBldt6+dBcjHCWvTm
TLSH:	A7E55B043BF85E23E1BBE27395B0041667F0FC6AB3A3EB1B6191677D1C53B4059426AB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x71e41e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31e3d0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x320000	0xa93	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x322000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31c424	0x31c600	486d04f2872d865d32404745efd903de	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x320000	0xa93	0xc00	cdeae95ac72e9e58017d2bcc89d2fbea	False	0.36328125	data	4.653972105845318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x322000	0xc	0x200	fa735c7d99f8b46f526d66db4681db3b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3200a0	0x31c	data			0.4484924623115578
RT_MANIFEST	0x3203bc	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text			0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T11:16:24.671472+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	193.161.193.99	62863	192.168.2.7	49699	TCP
2024-12-13T11:16:24.671472+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	193.161.193.99	62863	192.168.2.7	49699	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 11:16:19.363657951 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:16:19.484633923 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:16:19.485301018 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:16:19.516057968 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:16:19.636174917 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:16:24.312633038 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:16:24.312659979 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:16:24.312774897 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:16:24.544712067 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:16:24.551382065 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:16:24.671472073 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:16:25.105519056 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:16:25.152365923 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:16:27.494064093 CET	49702	443	192.168.2.7	108.181.61.49
Dec 13, 2024 11:16:27.494108915 CET	443	49702	108.181.61.49	192.168.2.7
Dec 13, 2024 11:16:27.494229078 CET	49702	443	192.168.2.7	108.181.61.49
Dec 13, 2024 11:16:27.495754004 CET	49702	443	192.168.2.7	108.181.61.49
Dec 13, 2024 11:16:27.495765924 CET	443	49702	108.181.61.49	192.168.2.7
Dec 13, 2024 11:16:29.904550076 CET	443	49702	108.181.61.49	192.168.2.7
Dec 13, 2024 11:16:29.904689074 CET	49702	443	192.168.2.7	108.181.61.49
Dec 13, 2024 11:16:29.909032106 CET	49702	443	192.168.2.7	108.181.61.49
Dec 13, 2024 11:16:29.909068108 CET	443	49702	108.181.61.49	192.168.2.7
Dec 13, 2024 11:16:29.909339905 CET	443	49702	108.181.61.49	192.168.2.7
Dec 13, 2024 11:16:29.913090944 CET	49702	443	192.168.2.7	108.181.61.49
Dec 13, 2024 11:16:29.959338903 CET	443	49702	108.181.61.49	192.168.2.7
Dec 13, 2024 11:16:30.524059057 CET	443	49702	108.181.61.49	192.168.2.7
Dec 13, 2024 11:16:30.524147034 CET	443	49702	108.181.61.49	192.168.2.7
Dec 13, 2024 11:16:30.524188042 CET	49702	443	192.168.2.7	108.181.61.49
Dec 13, 2024 11:16:30.648833036 CET	49702	443	192.168.2.7	108.181.61.49
Dec 13, 2024 11:16:30.877738953 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:16:30.998281002 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:16:30.998486042 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:16:31.118458986 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:16:32.374737024 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:16:32.417714119 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:16:32.675568104 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:16:32.730206013 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:16:57.683864117 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:16:57.803679943 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:17:22.808572054 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:17:22.932614088 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:17:47.933659077 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:17:48.053730011 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:18:13.058885098 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:18:13.179228067 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:18:38.183901072 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:18:38.304728985 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:19:03.310910940 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:19:03.430783033 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:19:28.468522072 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:19:28.588588953 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:19:53.605962992 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:19:53.725895882 CET	62863	49699	193.161.193.99	192.168.2.7
Dec 13, 2024 11:20:18.731066942 CET	49699	62863	192.168.2.7	193.161.193.99
Dec 13, 2024 11:20:18.851042032 CET	62863	49699	193.161.193.99	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 11:16:18.825575113 CET	50118	53	192.168.2.7	1.1.1.1
Dec 13, 2024 11:16:19.151226044 CET	53	50118	1.1.1.1	192.168.2.7
Dec 13, 2024 11:16:27.349133968 CET	50666	53	192.168.2.7	1.1.1.1
Dec 13, 2024 11:16:27.489552975 CET	53	50666	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 11:16:18.825575113 CET	192.168.2.7	1.1.1.1	0xb91d	Standard query (0)	Dystopian-62863.portmap.host	A (IP address)	IN (0x0001)	false
Dec 13, 2024 11:16:27.349133968 CET	192.168.2.7	1.1.1.1	0x15d8	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 11:16:19.151226044 CET	1.1.1.1	192.168.2.7	0xb91d	No error (0)	Dystopian-62863.portmap.host	193.161.193.99	A (IP address)	IN (0x0001)	false
Dec 13, 2024 11:16:27.489552975 CET	1.1.1.1	192.168.2.7	0x15d8	No error (0)	ipwho.is	108.181.61.49	A (IP address)	IN (0x0001)	false
Dec 13, 2024 11:16:32.525046110 CET	1.1.1.1	192.168.2.7	0xc8f7	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 13, 2024 11:16:32.525046110 CET	1.1.1.1	192.168.2.7	0xc8f7	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49702	108.181.61.49	443	6632	C:\Users\user\AppData\Roaming\SubDir\Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 10:16:29 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-12-13 10:16:30 UTC	223	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 10:16:30 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-12-13 10:16:30 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	0
Start time:	05:16:13
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0x2c0000
File size:	3'266'048 bytes
MD5 hash:	E9A138D8C5AB2CCCC8BF9976F66D30C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1235547319.00000000005E0000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1264333421.000000001B460000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1235147298.00000000002C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	05:16:15
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Imagebase:	0x7ff606200000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	05:16:15
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	05:16:15
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0xef0000
File size:	3'266'048 bytes
MD5 hash:	E9A138D8C5AB2CCCC8BF9976F66D30C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.3708336873.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	5
Start time:	05:16:16
Start date:	13/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Imagebase:	0xf70000
File size:	3'266'048 bytes
MD5 hash:	E9A138D8C5AB2CCCC8BF9976F66D30C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	9
Start time:	05:16:17
Start date:	13/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "SubStart" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Imagebase:	0x7ff606200000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	05:16:17
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true