Edit tour

Windows Analysis Report
vanilla.exe

Overview

General Information

Sample name:	vanilla.exe
Analysis ID:	1575642
MD5:	7b168e023b1876cd9163d58f98f3b67c
SHA1:	906a5cfacd3797c603f3efe863aaedeabacb5918
SHA256:	781cdac62a589c52b2fb004eb53b262d4c2c29229cbbbd19a16d1669237ae553
Tags:	exeQuasarRATuser-lontze7
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

vanilla.exe (PID: 1460 cmdline: "C:\Users\user\Desktop\vanilla.exe" MD5: 7B168E023B1876CD9163D58F98F3B67C)

schtasks.exe (PID: 1380 cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Client.exe (PID: 5796 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 7B168E023B1876CD9163D58F98F3B67C)

schtasks.exe (PID: 5648 cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 2440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Client.exe (PID: 1280 cmdline: C:\Users\user\AppData\Roaming\SubDir\Client.exe MD5: 7B168E023B1876CD9163D58F98F3B67C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "98.51.190.130:20;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "11bbf22e-826e-486b-b024-adbd86228a9e", "StartupKey": "ctfmon", "Tag": "RunTimeBroker", "LogDirectoryName": "Logs", "ServerSignature": "J5q73mSQenQ4qqaxjEhsdFbydQBK2sXWN1tc9c/zYSLUodB5/jc/D6Pbnak7tqIIs/gPms4mT5axK46o+bBODyjp/zMD6DjJn0gD2eUv/tFcOlCDK5mxhEaZWkB+ALLms0wVSoq1oNywJL/NeEVSvwSDoNUWd+hka4rG1K2J+2BShfqeTZmf1ZkRcaKc4gByPQBUlmqYaZu1X6rJMGF0hJuvqGIm7zasd8NYKymg6hzi3s+uHuapNFHFOdAoy7EJf8fA/J5Z1J6d4iom1Gh+URmGn2Ip4zoWj0JW2iwyDBuHeB13J5I3DUI7IKhuRw2H7WFCrZOGgASr1fVIwvSH7arhO2CgIaHslxGYwfsnUQDrx9qT3NxzJ7OR/LapbynIxLVcNY9gu9VYMDx+zMrT8n6Qz4pr1ElsaM0b8WajRJWHR+OI1Hh+aI4DbPD5qicnZvh4OjymhxV+lOPaqvvee0+aD3AJsFlFqwNkI85STdIY5lJX4NRIjtVwCxYZPNGD/G3TRxUEBr1XqMw7tBIAAPot2FTNI4ij39o0esNXRlkiRiBTreSaVA6wruHSdCGJGje3690ZGk1eoXOKl2OBeizrUgoAYNNTiQe0WlfhLUK5vRRF0SfGWaBWTDb9HbdwdTlur6LKANBA8sqJbPpEIEGrHQteTvhCtU//ngFQjp4=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAPhUPS2VQ64wLwfd497kbzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIwNTIwMTQzNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAytxbCLcvvJHBaKrSjs/03LIBGtEL/sIDrLa+BgDNAnZzfAHr4yrtx8+u9ZZk1NjWigTPIgeaCKJ83QYHxYlhHp1FCqiVNbS/aRxfpfiH50g7NH5zkSkykIR7mpiTJ4JXkZdusSYxzMUg+72gVI6ahR4YsF4B9xF/itQPGcMTDvx1WTAKAuCe4GoE157Bu9gLuXd/DfkCTzPeXCzR4lT+P4R1QbppLDUq8otglC/aYM7IvKZ8WK1IJ/MLYj71pkaOBvzVTpxhl75NMMs5QqRdEViHgEgRXtXhH6JjhcbZ/7083ijxjbrv5aHKAqxQO2zt+ctW16vq2vdbzmjL01jJYPsiDNOEJwarUyIWgnD6dMxxbhyEozbCzj50qrHuK9gZtfyyE/u75YK/0Sk6JWrC4caDaCXQ9aR3se/RwuqI42hyCD1dZ7XRTG6BIabiCsccEnzbLhvL/EJlYNEnZNrHAOiTqtDexWS8D0bbYhVudxGTLs6FHGY07hUXgJF43xW/91lMVl+GZb1JWDZddIGG+G9wuwh26qbqpPzA5/opmed0SHdtPH/HG+BCVoG8rsmjjgFiAO7Jxp6r0+d4W3g11k6ARVe910sjDfUmpNJwowBgD5D6n9ttYxTshZo1+uhsDO2Gj9KPZR5mI5NNVBh9JEOaMQiGlFHpXNt1RA8N1i0CAwEAAaMyMDAwHQYDVR0OBBYEFEMccL9EmQ/xWnqFOYlr6nqsJ6QrMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAJwQtqjn9D36fO6JrY+oXOgotdAkQpBm7dfsrvMwr7xsfWbqo3tn6oSg+ktMVYEimrQGLKjmkJ/ed/BsbL5TvdUZId2G4a4jupKvLqy2m8ebK07NflTgy7g4YI/HmmSz6b9mUfUU2OXij9p6ciExRsWlGxFqPDU3NLb5zBxuv4kQtOMCfmPCgR3SVrE7y/YtS0fRjTQ11J1JvmFhYoz9Q/K1ZlMYx4IkRMVfzeUIHCP3jAArjRatXlgsUaiy4+Mph4xHaTjBBefqiuGcQSh1CaOGsp6Pla10SZ2wCJfCFfk/WhGARxeH/rQpJ0T4dUf2725vDR8kpCIL40TUUZ12BH8hF5xKCjlPZwS5H95L7QRWutHSOf7ySJsET9I1PJ2GGhmoPc7hQSrcfzId3AEMZCfAO0XF/NqDHpE5zcY7buK6g0+3mt9GzzwNa+HhCKDL0XIh2CEkbff3/WWyFokv8fVIYM1z2X2jkKUnhxyj4t+QRTJyS78wLp8BWT9cRhblJ1/5z0rWkYMyFN3H+yGP6KNa2fpl6bYa4dXyg6pL52GfRqY7loz6z7cC52YMa0HckCe9W29DI+1vrYhOlytN9H2o+PpZLIb3vrW1gzIeucrmAs3Q2q6EfYplpYQVkvHrJbbmaJcxahsDU8HaT4sZW9gucwz+GbfZ6FStq4lFC/lX"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
vanilla.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
vanilla.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
vanilla.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab82a:$x4: Uninstalling... good bye :-( 0x2ad01f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
vanilla.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aaddc:$f1: FileZilla\recentservers.xml 0x2aae1c:$f2: FileZilla\sitemanager.xml 0x2aae5e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0aa:$b1: Chrome\User Data\ 0x2ab100:$b1: Chrome\User Data\ 0x2ab3d8:$b2: Mozilla\Firefox\Profiles 0x2ab4d4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd430:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab62c:$b4: Opera Software\Opera Stable\Login Data 0x2ab6e6:$b5: YandexBrowser\User Data\ 0x2ab754:$b5: YandexBrowser\User Data\ 0x2ab428:$s4: logins.json 0x2ab15e:$a1: username_value 0x2ab17c:$a2: password_value 0x2ab468:$a3: encryptedUsername 0x2fd374:$a3: encryptedUsername 0x2ab48c:$a4: encryptedPassword 0x2fd392:$a4: encryptedPassword 0x2fd310:$a5: httpRealm
vanilla.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab914:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea5e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\SubDir\Client.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab82a:$x4: Uninstalling... good bye :-( 0x2ad01f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aaddc:$f1: FileZilla\recentservers.xml 0x2aae1c:$f2: FileZilla\sitemanager.xml 0x2aae5e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0aa:$b1: Chrome\User Data\ 0x2ab100:$b1: Chrome\User Data\ 0x2ab3d8:$b2: Mozilla\Firefox\Profiles 0x2ab4d4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd430:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab62c:$b4: Opera Software\Opera Stable\Login Data 0x2ab6e6:$b5: YandexBrowser\User Data\ 0x2ab754:$b5: YandexBrowser\User Data\ 0x2ab428:$s4: logins.json 0x2ab15e:$a1: username_value 0x2ab17c:$a2: password_value 0x2ab468:$a3: encryptedUsername 0x2fd374:$a3: encryptedUsername 0x2ab48c:$a4: encryptedPassword 0x2fd392:$a4: encryptedPassword 0x2fd310:$a5: httpRealm
C:\Users\user\AppData\Roaming\SubDir\Client.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab914:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea5e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1359754879.0000000000720000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000004.00000002.3812391004.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.1387299925.000000001B422000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.1359375048.0000000000402000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: vanilla.exe PID: 1460	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 5796	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.vanilla.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.vanilla.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.vanilla.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab82a:$x4: Uninstalling... good bye :-( 0x2ad01f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.vanilla.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aaddc:$f1: FileZilla\recentservers.xml 0x2aae1c:$f2: FileZilla\sitemanager.xml 0x2aae5e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0aa:$b1: Chrome\User Data\ 0x2ab100:$b1: Chrome\User Data\ 0x2ab3d8:$b2: Mozilla\Firefox\Profiles 0x2ab4d4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd430:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab62c:$b4: Opera Software\Opera Stable\Login Data 0x2ab6e6:$b5: YandexBrowser\User Data\ 0x2ab754:$b5: YandexBrowser\User Data\ 0x2ab428:$s4: logins.json 0x2ab15e:$a1: username_value 0x2ab17c:$a2: password_value 0x2ab468:$a3: encryptedUsername 0x2fd374:$a3: encryptedUsername 0x2ab48c:$a4: encryptedPassword 0x2fd392:$a4: encryptedPassword 0x2fd310:$a5: httpRealm
0.0.vanilla.exe.400000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab914:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea5e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Sigma Signatures

System Summary

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Client.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Client.exe, ParentProcessId: 5796, ParentProcessName: Client.exe, ProcessCommandLine: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 5648, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\vanilla.exe", ParentImage: C:\Users\user\Desktop\vanilla.exe, ParentProcessId: 1460, ParentProcessName: vanilla.exe, ProcessCommandLine: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 1380, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T07:39:43.611993+0100	2035595	1	Domain Observed Used for C2 Detected	98.51.190.130	20	192.168.2.9	49722	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T07:39:43.611993+0100	2027619	1	Domain Observed Used for C2 Detected	98.51.190.130	20	192.168.2.9	49722	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vanilla.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: vanilla.exe

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "98.51.190.130:20;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "11bbf22e-826e-486b-b024-adbd86228a9e", "StartupKey": "ctfmon", "Tag": "RunTimeBroker", "LogDirectoryName": "Logs", "ServerSignature": "J5q73mSQenQ4qqaxjEhsdFbydQBK2sXWN1tc9c/zYSLUodB5/jc/D6Pbnak7tqIIs/gPms4mT5axK46o+bBODyjp/zMD6DjJn0gD2eUv/tFcOlCDK5mxhEaZWkB+ALLms0wVSoq1oNywJL/NeEVSvwSDoNUWd+hka4rG1K2J+2BShfqeTZmf1ZkRcaKc4gByPQBUlmqYaZu1X6rJMGF0hJuvqGIm7zasd8NYKymg6hzi3s+uHuapNFHFOdAoy7EJf8fA/J5Z1J6d4iom1Gh+URmGn2Ip4zoWj0JW2iwyDBuHeB13J5I3DUI7IKhuRw2H7WFCrZOGgASr1fVIwvSH7arhO2CgIaHslxGYwfsnUQDrx9qT3NxzJ7OR/LapbynIxLVcNY9gu9VYMDx+zMrT8n6Qz4pr1ElsaM0b8WajRJWHR+OI1Hh+aI4DbPD5qicnZvh4OjymhxV+lOPaqvvee0+aD3AJsFlFqwNkI85STdIY5lJX4NRIjtVwCxYZPNGD/G3TRxUEBr1XqMw7tBIAAPot2FTNI4ij39o0esNXRlkiRiBTreSaVA6wruHSdCGJGje3690ZGk1eoXOKl2OBeizrUgoAYNNTiQe0WlfhLUK5vRRF0SfGWaBWTDb9HbdwdTlur6LKANBA8sqJbPpEIEGrHQteTvhCtU//ngFQjp4=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAPhUPS2VQ64wLwfd497kbzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIwNTIwMTQzNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAytxbCLcvvJHBaKrSjs/03LIBGtEL/sIDrLa+BgDNAnZzfAHr4yrtx8+u9ZZk1NjWigTPIgeaCKJ83QYHxYlhHp1FCqiVNbS/aRxfpfiH50g7NH5zkSkykIR7mpiTJ4JXkZdusSYxzMUg+72gVI6ahR4YsF4B9xF/itQPGcMTDvx1WTAKAuCe4GoE157Bu9gLuXd/DfkCTzPeXCzR4lT+P4R1QbppLDUq8otglC/aYM7IvKZ8WK1IJ/MLYj71pkaOBvzVTpxhl75NMMs5QqRdEViHgEgRXtXhH6JjhcbZ/7083ijxjbrv5aHKAqxQO2zt+ctW16vq2vdbzmjL01jJYPsiDNOEJwarUyIWgnD6dMxxbhyEozbCzj50qrHuK9gZtfyyE/u75YK/0Sk6JWrC4caDaCXQ9aR3se/RwuqI42hyCD1dZ7XRTG6BIabiCsccEnzbLhvL/EJlYNEnZNrHAOiTqtDexWS8D0bbYhVudxGTLs6FHGY07hUXgJF43xW/91lMVl+GZb1JWDZddIGG+G9wuwh26qbqpPzA5/opmed0SHdtPH/HG+BCVoG8rsmjjgFiAO7Jxp6r0+d4W3g11k6ARVe910sjDfUmpNJwowBgD5D6n9ttYxTshZo1+uhsDO2Gj9KPZR5mI5NNVBh9JEOaMQiGlFHpXNt1RA8N1i0CAwEAAaMyMDAwHQYDVR0OBBYEFEMccL9EmQ/xWnqFOYlr6nqsJ6QrMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAJwQtqjn9D36fO6JrY+oXOgotdAkQpBm7dfsrvMwr7xsfWbqo3tn6oSg+ktMVYEimrQGLKjmkJ/ed/BsbL5TvdUZId2G4a4jupKvLqy2m8ebK07NflTgy7g4YI/HmmSz6b9mUfUU2OXij9p6ciExRsWlGxFqPDU3NLb5zBxuv4kQtOMCfmPCgR3SVrE7y/YtS0fRjTQ11J1JvmFhYoz9Q/K1ZlMYx4IkRMVfzeUIHCP3jAArjRatXlgsUaiy4+Mph4xHaTjBBefqiuGcQSh1CaOGsp6Pla10SZ2wCJfCFfk/WhGARxeH/rQpJ0T4dUf2725vDR8kpCIL40TUUZ12BH8hF5xKCjlPZwS5H95L7QRWutHSOf7ySJsET9I1PJ2GGhmoPc7hQSrcfzId3AEMZCfAO0XF/NqDHpE5zcY7buK6g0+3mt9GzzwNa+HhCKDL0XIh2CEkbff3/WWyFokv8fVIYM1z2X2jkKUnhxyj4t+QRTJyS78wLp8BWT9cRhblJ1/5z0rWkYMyFN3H+yGP6KNa2fpl6bYa4dXyg6pL52GfRqY7loz6z7cC52YMa0HckCe9W29DI+1vrYhOlytN9H2o+PpZLIb3vrW1gzIeucrmAs3Q2q6EfYplpYQVkvHrJbbmaJcxahsDU8HaT4sZW9gucwz+GbfZ6FStq4lFC/lX"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Virustotal: Detection: 75%			Perma Link

Multi AV Scanner detection for submitted file

Source: vanilla.exe	Virustotal: Detection: 75%			Perma Link
Source: vanilla.exe	ReversingLabs: Detection: 73%

Yara detected Quasar RAT

Source: Yara match	File source: vanilla.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vanilla.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1359754879.0000000000720000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3812391004.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1387299925.000000001B422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1359375048.0000000000402000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vanilla.exe PID: 1460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 5796, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: vanilla.exe

Joe Sandbox ML: detected

Source: vanilla.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.9:49734 version: TLS 1.2

Source: vanilla.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 98.51.190.130:20 -> 192.168.2.9:49722
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 98.51.190.130:20 -> 192.168.2.9:49722

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 98.51.190.130

Yara detected Generic Downloader

Source: Yara match	File source: vanilla.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vanilla.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.9:49722 -> 98.51.190.130:20

Source: Joe Sandbox View

IP Address: 108.181.61.49 108.181.61.49

Source: Joe Sandbox View

ASN Name: COMCAST-7922US COMCAST-7922US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	TCP traffic detected without corresponding DNS query: 98.51.190.130
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ipwho.is

Source: Client.exe, 00000004.00000002.3817967243.000000001B252000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: Client.exe, 00000004.00000002.3817967243.000000001B252000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Client.exe, 00000004.00000002.3811374980.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab4
Source: Client.exe, 00000004.00000002.3812391004.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: Client.exe, 00000004.00000002.3812391004.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: vanilla.exe, 00000000.00000002.1384968036.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3812391004.00000000028E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vanilla.exe, Client.exe.0.dr	String found in binary or memory: https://api.ipify.org/
Source: Client.exe, 00000004.00000002.3812391004.0000000002C78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: vanilla.exe, Client.exe.0.dr	String found in binary or memory: https://ipwho.is/
Source: vanilla.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: vanilla.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: vanilla.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.9:49734 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Client.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: vanilla.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vanilla.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1359754879.0000000000720000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3812391004.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1387299925.000000001B422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1359375048.0000000000402000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vanilla.exe PID: 1460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 5796, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: vanilla.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: vanilla.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: vanilla.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.vanilla.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.vanilla.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.vanilla.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FF887F88A0F	4_2_00007FF887F88A0F
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FF887F79271	4_2_00007FF887F79271
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FF887F8EB29	4_2_00007FF887F8EB29
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FF887F87C16	4_2_00007FF887F87C16
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FF887F755D6	4_2_00007FF887F755D6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FF887F79FD0	4_2_00007FF887F79FD0
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FF887F7AFDD	4_2_00007FF887F7AFDD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FF887F8B851	4_2_00007FF887F8B851
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FF887F7621F	4_2_00007FF887F7621F
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FF888092321	4_2_00007FF888092321

Source: vanilla.exe, 00000000.00000000.1359754879.0000000000720000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs vanilla.exe
Source: vanilla.exe, 00000000.00000002.1387299925.000000001B422000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs vanilla.exe
Source: vanilla.exe	Binary or memory string: OriginalFilenameClient.exe. vs vanilla.exe

Source: vanilla.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: vanilla.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: vanilla.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: vanilla.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.vanilla.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.vanilla.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.vanilla.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/5@1/2

Source: C:\Users\user\Desktop\vanilla.exe

File created: C:\Users\user\AppData\Roaming\SubDir

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\11bbf22e-826e-486b-b024-adbd86228a9e
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2440:120:WilError_03

Source: vanilla.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: vanilla.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\vanilla.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vanilla.exe	Virustotal: Detection: 75%
Source: vanilla.exe	ReversingLabs: Detection: 73%

Source: vanilla.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: C:\Users\user\Desktop\vanilla.exe

File read: C:\Users\user\Desktop\vanilla.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\vanilla.exe "C:\Users\user\Desktop\vanilla.exe"
Source: C:\Users\user\Desktop\vanilla.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vanilla.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe C:\Users\user\AppData\Roaming\SubDir\Client.exe
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vanilla.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior

Source: vanilla.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: vanilla.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: vanilla.exe

Static file information: File size 3265536 > 1048576

Source: vanilla.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400

Source: vanilla.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FF887BED2A5 pushad ; iretd	4_2_00007FF887BED2A6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FF887D0D848 push eax; iretd	4_2_00007FF887D0D869
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FF887D0812B push ebx; ret	4_2_00007FF887D0816A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FF888092321 push edx; retf 5F1Eh	4_2_00007FF888095A3B

Source: C:\Users\user\Desktop\vanilla.exe

File created: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\vanilla.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\vanilla.exe	File opened: C:\Users\user\Desktop\vanilla.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\vanilla.exe	Memory allocated: 1060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Memory allocated: 1AB10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1A8B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1B220000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\vanilla.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Window / User API: threadDelayed 2113			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Window / User API: threadDelayed 7729			Jump to behavior

Source: C:\Users\user\Desktop\vanilla.exe TID: 1872	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 336	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 336	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6972	Thread sleep count: 2113 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6972	Thread sleep count: 7729 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 2156	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 5748	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\vanilla.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Client.exe, 00000004.00000002.3818570756.000000001B5A8000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3818570756.000000001B492000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\vanilla.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\vanilla.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\vanilla.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\vanilla.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\vanilla.exe	Queries volume information: C:\Users\user\Desktop\vanilla.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\vanilla.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: vanilla.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vanilla.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1359754879.0000000000720000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3812391004.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1387299925.000000001B422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1359375048.0000000000402000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vanilla.exe PID: 1460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 5796, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: vanilla.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vanilla.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1359754879.0000000000720000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3812391004.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1387299925.000000001B422000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1359375048.0000000000402000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vanilla.exe PID: 1460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 5796, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	11 Input Capture	1 Query Registry	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
vanilla.exe	75%	Virustotal		Browse
vanilla.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
vanilla.exe	100%	Avira	HEUR/AGEN.1307453
vanilla.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\SubDir\Client.exe	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Roaming\SubDir\Client.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SubDir\Client.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
C:\Users\user\AppData\Roaming\SubDir\Client.exe	75%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
98.51.190.130	0%	Avira URL Cloud	safe
98.51.190.130	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
ipwho.is	108.181.61.49	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
98.51.190.130	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipwho.is/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	vanilla.exe, Client.exe.0.dr	false	high
https://stackoverflow.com/q/14436606/23354	vanilla.exe, Client.exe.0.dr	false	high
https://stackoverflow.com/q/2152978/23354sCannot	vanilla.exe, Client.exe.0.dr	false	high
http://schemas.datacontract.org/2004/07/	Client.exe, 00000004.00000002.3812391004.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vanilla.exe, 00000000.00000002.1384968036.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000004.00000002.3812391004.00000000028E9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.v	Client.exe, 00000004.00000002.3817967243.000000001B252000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ipwho.is	Client.exe, 00000004.00000002.3812391004.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	vanilla.exe, Client.exe.0.dr	false	high
https://ipwho.is	Client.exe, 00000004.00000002.3812391004.0000000002C78000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
98.51.190.130	unknown	United States		7922	COMCAST-7922US	true
108.181.61.49	ipwho.is	Canada		852	ASN852CA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575642
Start date and time:	2024-12-16 07:38:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	vanilla.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/5@1/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 91% Number of executed functions: 60 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Client.exe, PID 1280 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:39:42	API Interceptor	14851160x Sleep call for process: Client.exe modified
06:39:39	Task Scheduler	Run new task: ctfmon path: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
98.51.190.130	1434orz.exe	Get hash	malicious	Quasar	Browse
108.181.61.49	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cracker.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	Fast Download.exe	Get hash	malicious	Njrat	Browse	13.107.246.63
	Client.exe	Get hash	malicious	AsyncRAT	Browse	13.107.246.63
	backd00rhome.exe	Get hash	malicious	Metasploit	Browse	13.107.246.63
	fern_wifi_recon%2.34.exe	Get hash	malicious	Metasploit	Browse	13.107.246.63
	CrSpoofer.exe	Get hash	malicious	AsyncRAT	Browse	13.107.246.63
	ImageMso.Gallery.xll	Get hash	malicious	Unknown	Browse	13.107.246.63
	iAERhkhaZC.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	I37faEaz1K.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	6eftz6UKDm.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.63
	Adver Ransomware.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
ipwho.is	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49
	https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	Loader.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	Hydra.ccLoader.bat	Get hash	malicious	Unknown	Browse	108.181.61.49
	full.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	https://gvvc18-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-844-439-9938	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm	Browse	103.126.138.87
	TeudA4phjN.exe	Get hash	malicious	Quasar	Browse	103.126.138.87
	http://www.sbh.co.uk/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	103.126.138.87
bg.microsoft.map.fastly.net	ImageMso.Gallery.xll	Get hash	malicious	Unknown	Browse	199.232.210.172
	Setup.msi	Get hash	malicious	Vidar	Browse	199.232.214.172
	DVW8WyapUR.exe	Get hash	malicious	Spyrix Keylogger	Browse	199.232.210.172
	v12p3S8p36.exe	Get hash	malicious	GhostRat, Mimikatz	Browse	199.232.214.172
	3333.png.lnk.d.lnk	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	199.232.210.172
	PAYMENT COPY_PDF.exe	Get hash	malicious	FormBook	Browse	199.232.210.172
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	199.232.214.172
	xu27D0L6Ak.exe	Get hash	malicious	DCRat	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	1.elf	Get hash	malicious	Unknown	Browse	207.83.27.163
	mips.elf	Get hash	malicious	Unknown	Browse	173.182.249.68
	mips.elf	Get hash	malicious	Unknown	Browse	199.175.133.251
	armv5l.elf	Get hash	malicious	Mirai	Browse	209.29.162.111
	armv6l.elf	Get hash	malicious	Mirai	Browse	75.156.205.249
	armv4l.elf	Get hash	malicious	Unknown	Browse	161.188.10.7
	armv6l.elf	Get hash	malicious	Mirai	Browse	204.191.203.107
	i686.elf	Get hash	malicious	Mirai	Browse	50.93.121.166
	IGz.m68k.elf	Get hash	malicious	Mirai	Browse	161.188.197.44
	IGz.x86.elf	Get hash	malicious	Mirai	Browse	173.182.47.170
COMCAST-7922US	arm5.elf	Get hash	malicious	Unknown	Browse	30.204.239.181
	arm.elf	Get hash	malicious	Unknown	Browse	29.140.48.103
	sh4.elf	Get hash	malicious	Unknown	Browse	30.230.215.28
	ppc.elf	Get hash	malicious	Unknown	Browse	26.208.197.77
	mips.elf	Get hash	malicious	Unknown	Browse	26.166.149.230
	arm6.elf	Get hash	malicious	Unknown	Browse	30.64.154.166
	m68k.elf	Get hash	malicious	Unknown	Browse	26.244.63.11
	arm7.elf	Get hash	malicious	Unknown	Browse	96.145.155.79
	x86.elf	Get hash	malicious	Unknown	Browse	98.33.187.70
	sparc.elf	Get hash	malicious	Unknown	Browse	28.205.101.237

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	givenbestupdatedoingformebestthingswithgreatnewsformegive.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	108.181.61.49
	clearentirethingwithbestnoticetheeverythinggooodfrome.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	108.181.61.49
	c2.hta	Get hash	malicious	XWorm	Browse	108.181.61.49
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar, Xmrig	Browse	108.181.61.49
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	108.181.61.49
	TD2HjoogPx.dll	Get hash	malicious	Unknown	Browse	108.181.61.49
	wmdqEYgW2i.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	108.181.61.49
	LaRHzSijsq.exe	Get hash	malicious	DCRat	Browse	108.181.61.49
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse	108.181.61.49
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse	108.181.61.49

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.253995428229511
Encrypted:	false
SSDEEP:	6:kKZD9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:RaDImsLNkPlE99SNxAhUe/3
MD5:	B1CBB4532546B9FC90FCE10E310FD6C3
SHA1:	D6EC1F08DF175AA7B3F94CBC03E3E3038BBCFA9D
SHA-256:	269189BD4546802BB19FF4379C2E49A5D7CD9F03FDD017E2B447ACD0D5A091FE
SHA-512:	98A571E724C6A68D5F7A874E863489530537BD92A1517A198B05B4C553DE4DEC850AEB3A6D9178BE839EAA055A6D438D077C222CB232B99AD14F468C1B96642C
Malicious:	false
Reputation:	low
Preview:	p...... ........x.Z$.O..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\vanilla.exe.log

Download File

Process:	C:\Users\user\Desktop\vanilla.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Roaming\SubDir\Client.exe

Download File

Process:	C:\Users\user\Desktop\vanilla.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3265536
Entropy (8bit):	6.084091986096179
Encrypted:	false
SSDEEP:	49152:avkt62XlaSFNWPjljiFa2RoUYIlBRJ63bR3LoGdGFTHHB72eh2NT:av462XlaSFNWPjljiFXRoUYIlBRJ6J
MD5:	7B168E023B1876CD9163D58F98F3B67C
SHA1:	906A5CFACD3797C603F3EFE863AAEDEABACB5918
SHA-256:	781CDAC62A589C52B2FB004EB53B262D4C2C29229CBBBD19A16D1669237AE553
SHA-512:	BED18054E9FCE2CDC185E4536386D042F20D98C9354E1603BB87B8747403E63BDBABFB88E72708DCDFB3468860655DCB34B237024D3395782C092DD772FEC518
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74% Antivirus: Virustotal, Detection: 75%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@...................................1.S.....2...................... 2...................................................... ............... ..H............text.....1.. ....1................. ..`.rsrc.........2.......1.............@..@.reloc....... 2.......1.............@..B..................1.....H........................k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(........0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.............--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.............-5..........08......f~w...,.~....(....(.....v.(.....s....}.....s....}....r..(......(.....(......(....*....0..L........{....r...po....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.084091986096179
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	vanilla.exe
File size:	3'265'536 bytes
MD5:	7b168e023b1876cd9163d58f98f3b67c
SHA1:	906a5cfacd3797c603f3efe863aaedeabacb5918
SHA256:	781cdac62a589c52b2fb004eb53b262d4c2c29229cbbbd19a16d1669237ae553
SHA512:	bed18054e9fce2cdc185e4536386d042f20d98c9354e1603bb87b8747403e63bdbabfb88e72708dcdfb3468860655dcb34b237024d3395782c092dd772fec518
SSDEEP:	49152:avkt62XlaSFNWPjljiFa2RoUYIlBRJ63bR3LoGdGFTHHB72eh2NT:av462XlaSFNWPjljiFXRoUYIlBRJ6J
TLSH:	FBE56B143BF85E27E1BBE277E5B0041267F0FC1AB363EB0B6581677A1C53B5098426A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x71e3ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31e398	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x320000	0xa93	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x322000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31c3f4	0x31c400	36465c385302daa1cb02f5d560475620	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x320000	0xa93	0xc00	cdeae95ac72e9e58017d2bcc89d2fbea	False	0.36328125	data	4.653972105845318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x322000	0xc	0x200	221440a5d95d2d9aec29428c5700ca78	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3200a0	0x31c	data			0.4484924623115578
RT_MANIFEST	0x3203bc	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text			0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-16T07:39:43.611993+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	98.51.190.130	20	192.168.2.9	49722	TCP
2024-12-16T07:39:43.611993+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	98.51.190.130	20	192.168.2.9	49722	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 07:39:41.862929106 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:39:41.982719898 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:39:41.982820988 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:39:41.993304014 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:39:42.113223076 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:39:43.251625061 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:39:43.251657963 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:39:43.251730919 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:39:43.487413883 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:39:43.492213964 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:39:43.611993074 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:39:43.894793034 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:39:43.937330961 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:39:46.160738945 CET	49734	443	192.168.2.9	108.181.61.49
Dec 16, 2024 07:39:46.160769939 CET	443	49734	108.181.61.49	192.168.2.9
Dec 16, 2024 07:39:46.160835028 CET	49734	443	192.168.2.9	108.181.61.49
Dec 16, 2024 07:39:46.162261963 CET	49734	443	192.168.2.9	108.181.61.49
Dec 16, 2024 07:39:46.162276030 CET	443	49734	108.181.61.49	192.168.2.9
Dec 16, 2024 07:39:48.557213068 CET	443	49734	108.181.61.49	192.168.2.9
Dec 16, 2024 07:39:48.557472944 CET	49734	443	192.168.2.9	108.181.61.49
Dec 16, 2024 07:39:48.561136961 CET	49734	443	192.168.2.9	108.181.61.49
Dec 16, 2024 07:39:48.561147928 CET	443	49734	108.181.61.49	192.168.2.9
Dec 16, 2024 07:39:48.561508894 CET	443	49734	108.181.61.49	192.168.2.9
Dec 16, 2024 07:39:48.568242073 CET	49734	443	192.168.2.9	108.181.61.49
Dec 16, 2024 07:39:48.611377954 CET	443	49734	108.181.61.49	192.168.2.9
Dec 16, 2024 07:39:49.167525053 CET	443	49734	108.181.61.49	192.168.2.9
Dec 16, 2024 07:39:49.167615891 CET	443	49734	108.181.61.49	192.168.2.9
Dec 16, 2024 07:39:49.167654037 CET	49734	443	192.168.2.9	108.181.61.49
Dec 16, 2024 07:39:49.256494045 CET	49734	443	192.168.2.9	108.181.61.49
Dec 16, 2024 07:39:49.475724936 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:39:49.595603943 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:39:49.595676899 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:39:49.715466022 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:39:50.013526917 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:39:50.062357903 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:39:50.205123901 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:39:50.249866962 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:40:15.218666077 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:40:15.338485956 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:40:40.343820095 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:40:40.463746071 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:41:05.562494993 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:41:05.682303905 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:41:30.687638044 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:41:30.807415962 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:41:55.883002996 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:41:56.002962112 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:42:21.015757084 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:42:21.135396957 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:42:46.250188112 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:42:46.370094061 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:43:11.409044981 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:43:11.528970003 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:43:36.578418016 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:43:36.698179007 CET	20	49722	98.51.190.130	192.168.2.9
Dec 16, 2024 07:44:01.702131987 CET	49722	20	192.168.2.9	98.51.190.130
Dec 16, 2024 07:44:01.822046041 CET	20	49722	98.51.190.130	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 07:39:45.920744896 CET	51500	53	192.168.2.9	1.1.1.1
Dec 16, 2024 07:39:46.153126001 CET	53	51500	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 07:39:45.920744896 CET	192.168.2.9	1.1.1.1	0xf2c3	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 07:39:33.554651976 CET	1.1.1.1	192.168.2.9	0x3bf5	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 07:39:33.554651976 CET	1.1.1.1	192.168.2.9	0x3bf5	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 16, 2024 07:39:44.114716053 CET	1.1.1.1	192.168.2.9	0x58da	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 16, 2024 07:39:44.114716053 CET	1.1.1.1	192.168.2.9	0x58da	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 16, 2024 07:39:46.153126001 CET	1.1.1.1	192.168.2.9	0xf2c3	No error (0)	ipwho.is		108.181.61.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49734	108.181.61.49	443	5796	C:\Users\user\AppData\Roaming\SubDir\Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 06:39:48 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-12-16 06:39:49 UTC	223	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 06:39:48 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-12-16 06:39:49 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	0
Start time:	01:39:37
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\vanilla.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\vanilla.exe"
Imagebase:	0x400000
File size:	3'265'536 bytes
MD5 hash:	7B168E023B1876CD9163D58F98F3B67C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1359754879.0000000000720000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1387299925.000000001B422000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1359375048.0000000000402000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:39:39
Start date:	16/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Imagebase:	0x7ff7f5720000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:39:39
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:39:39
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0x390000
File size:	3'265'536 bytes
MD5 hash:	7B168E023B1876CD9163D58F98F3B67C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.3812391004.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs Detection: 75%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	01:39:39
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Imagebase:	0xc20000
File size:	3'265'536 bytes
MD5 hash:	7B168E023B1876CD9163D58F98F3B67C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:39:40
Start date:	16/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Imagebase:	0x7ff7f5720000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:39:40
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF887D03525 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 181
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF887D03607

Strings

8eL, xrefs: 00007FF887D034D5

Memory Dump Source

Source File: 00000000.00000002.1389075719.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d00000_vanilla.jbxd

Similarity

API ID: DeleteFile
String ID: 8eL
API String ID: 4033686569-2915619072
Opcode ID: e3ee325de2205da956ac54ad56675cdc135fba272187db8effad2fa74ddd190c
Instruction ID: 5203220dad1e0d50297bc36c0c0e13113e1b4c4627935e98b0fa1bf3754617e5
Opcode Fuzzy Hash: e3ee325de2205da956ac54ad56675cdc135fba272187db8effad2fa74ddd190c
Instruction Fuzzy Hash: 5751F33290DA488FDB59EB6898496FDBBF0FF65311F04427FD00EC72A2DA28A8458741

Function 00007FF887D03650 Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1389075719.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d00000_vanilla.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7605d474c4850c829c68574e7d8d8f7031ae757644da80921f99fd9600a0336c
Instruction ID: d95ab6dd473c6301e3784752871fb46257c8d37ba7dfa4c8bd74aabd16e11daf
Opcode Fuzzy Hash: 7605d474c4850c829c68574e7d8d8f7031ae757644da80921f99fd9600a0336c
Instruction Fuzzy Hash: 9D31D432D0C6458EEB64AB6990093FDBBE1FF41390F04427AD05EC36CADF6DA8158792

Function 00007FF887D03569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF887D03607

Memory Dump Source

Source File: 00000000.00000002.1389075719.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d00000_vanilla.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: c3fef29095dd5818450215124e18d0c9ae21d072f06dd9325e7bd39a24815607
Instruction ID: f9d5e35e7f4a81fa3771a85ab1ac917c41e6f5e2cd1a9f1508b39c088140134d
Opcode Fuzzy Hash: c3fef29095dd5818450215124e18d0c9ae21d072f06dd9325e7bd39a24815607
Instruction Fuzzy Hash: 8C31BE3190CA5C8FDB59DB5888496E9BBF0FF65311F04426FD049D3292DB64A806CB81

Analysis Process: Client.exePID: 5796, Parent PID: 1460COMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF887F8B851 Relevance: 9.7, Strings: 7, Instructions: 924
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0WL, xrefs: 00007FF887F8BF99
b4B, xrefs: 00007FF887F8B9C5
0WL, xrefs: 00007FF887F8BF04
0WL, xrefs: 00007FF887F8BF3D
d$_H, xrefs: 00007FF887F8C074
6B, xrefs: 00007FF887F8C04A
b4B, xrefs: 00007FF887F8BB6A

Memory Dump Source

Source File: 00000004.00000002.3823391100.00007FF887F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887f70000_Client.jbxd

Similarity

API ID:
String ID: 6B$0WL$0WL$0WL$b4B$b4B$d$_H
API String ID: 0-3837676482
Opcode ID: 38f63fd3a5caf734b2a27c71c189fdabf03bb270ebc879faac028a5c5bf18b6a
Instruction ID: 2506a13d67070f726c1c499333b06cb04c236e5511c711d6a9484bb19bb32df8
Opcode Fuzzy Hash: 38f63fd3a5caf734b2a27c71c189fdabf03bb270ebc879faac028a5c5bf18b6a
Instruction Fuzzy Hash: 6A52E231A58E4D8FEBA8DB299445AB973E1FF98354F44067DC44EC3296DE38B842C781

Function 00007FF888092321 Relevance: 7.5, Strings: 1, Instructions: 6205COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF888095619

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 3450a0e4ec8e4cadde4ced81a784b15fd7e82a165c1794ddfecea6f8fe9a7b63
Instruction ID: 447d022830ec0a7c9d619f003cb4c178b6bd18c6bf9216e05e47664c074bd0a1
Opcode Fuzzy Hash: 3450a0e4ec8e4cadde4ced81a784b15fd7e82a165c1794ddfecea6f8fe9a7b63
Instruction Fuzzy Hash: 0683D961F58E4B5FFAE5962C086937952D2FF98690F59017AC01EC76DAEE38EC02C344

Function 00007FF887F8EB29 Relevance: 4.7, Strings: 3, Instructions: 966
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6B, xrefs: 00007FF887F8EDEE
(LL, xrefs: 00007FF887F8F0D9
0XL, xrefs: 00007FF887F8EF6D

Memory Dump Source

Source File: 00000004.00000002.3823391100.00007FF887F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887f70000_Client.jbxd

Similarity

API ID:
String ID: 6B$(LL$0XL
API String ID: 0-1192899223
Opcode ID: 8b4da225457557fefc942b1ac25c10e5add7d1c24c9b991305b88c09d91c688c
Instruction ID: 98251878123121293e8773f350731603da12342bc0735cd093e29bc8bb3f886f
Opcode Fuzzy Hash: 8b4da225457557fefc942b1ac25c10e5add7d1c24c9b991305b88c09d91c688c
Instruction Fuzzy Hash: 3562A030A18A4A8FEB98EF19D495BB973E1FF98740F540179D45EC7296CE38E842CB41

Function 00007FF887F755D6 Relevance: 4.5, Strings: 2, Instructions: 2032COMMON

Download Yara Rule

Strings

0XL, xrefs: 00007FF887F763D2
0#L, xrefs: 00007FF887F766A7

Memory Dump Source

Source File: 00000004.00000002.3823391100.00007FF887F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887f70000_Client.jbxd

Similarity

API ID:
String ID: 0#L$0XL
API String ID: 0-892149821
Opcode ID: 45313929dc1c455e1a48a85634b97d095bd464e1272f90372d4c98604a62bd20
Instruction ID: 6993fa91bd15906188aead798e5848a44e672ac1a89582f002cedb8c754e5c98
Opcode Fuzzy Hash: 45313929dc1c455e1a48a85634b97d095bd464e1272f90372d4c98604a62bd20
Instruction Fuzzy Hash: 56E29070A18A498FEF98DF18C494BA977F2FF99340F5441A9D04ED7296DE34E882CB41

Function 00007FF887F7621F Relevance: 1.8, Strings: 1, Instructions: 525COMMON

Download Yara Rule

Strings

0XL, xrefs: 00007FF887F763D2

Memory Dump Source

Source File: 00000004.00000002.3823391100.00007FF887F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887f70000_Client.jbxd

Similarity

API ID:
String ID: 0XL
API String ID: 0-405417818
Opcode ID: 9f148a536aad876a295d7d12a10d4b94fd9f3089f2b71cd96d7be9ca86e429fd
Instruction ID: 52fc103cf4a2893627683e2e2adbe8c7429b06dce68799a0503425b37f4a6f2a
Opcode Fuzzy Hash: 9f148a536aad876a295d7d12a10d4b94fd9f3089f2b71cd96d7be9ca86e429fd
Instruction Fuzzy Hash: 12024A30E58A5A8FEB98EF19C4857A973F1FF99381F1441B9D44ED7296CA34B881CB40

Function 00007FF887F79FD0 Relevance: 1.1, Instructions: 1066COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3823391100.00007FF887F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887f70000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1a087b7c195116b5d4e2384317c8c91d795a0f5a88819cec94bc038e7f847d
Instruction ID: 49d94b053e1faee829ded633be1f4122d7512a5b6cf50d71feb73dbcbb804157
Opcode Fuzzy Hash: 3e1a087b7c195116b5d4e2384317c8c91d795a0f5a88819cec94bc038e7f847d
Instruction Fuzzy Hash: 45621231B5CD894FEB98EB2CD454AB933E1FF99391B0501BAD44EC7296DE28AC42C741

Function 00007FF887F7AFDD Relevance: .9, Instructions: 862COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3823391100.00007FF887F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887f70000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a2f816e206633a7c443f81bb7e4a2c11760e124d9b9417d3904183126319a3
Instruction ID: 74d8596424970a9b8e9abad0816c0350dfa2014f48920a324b4bd38c9111ec87
Opcode Fuzzy Hash: c5a2f816e206633a7c443f81bb7e4a2c11760e124d9b9417d3904183126319a3
Instruction Fuzzy Hash: 94525030618A498FEB98EB2CC458BB977E1FF99345F1445B9E44DC72A2DE34E841CB42

Function 00007FF887F79271 Relevance: .7, Instructions: 679COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3823391100.00007FF887F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887f70000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52fb17ee89ffbc9356dd464741008260e95dc7966f92dbcb53bf6c70fdd3e3b3
Instruction ID: d83eb5b36e6ba5fc7dfb4060d141cf2ef97e3e1de933e8980bc3986a31973be3
Opcode Fuzzy Hash: 52fb17ee89ffbc9356dd464741008260e95dc7966f92dbcb53bf6c70fdd3e3b3
Instruction Fuzzy Hash: 64228E30A58A494FEB98EB2994957BD73F2FFA8380F54417DD44EC7292DE38A842C741

Function 00007FF887F87C16 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3823391100.00007FF887F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887f70000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22950eeb0f8b9cca40758d385b5858f200c54def85f36fe4a62e1c7e947e0262
Instruction ID: ce6575da2b3a85d0cee9162ea76efb6987e8fb8fc119d544557a6130cd9e2432
Opcode Fuzzy Hash: 22950eeb0f8b9cca40758d385b5858f200c54def85f36fe4a62e1c7e947e0262
Instruction Fuzzy Hash: E2F19330908A8D8FEBA8DF29C855BF977E1FF55350F04426AE85DC7291CB389945CB82

Function 00007FF887F88A0F Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3823391100.00007FF887F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887f70000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b68f70e11590a9b0be156d35bd0eae10acfac064355e6c4dcf696b66627599e
Instruction ID: 123c8eea550f6f0b460ab5f2861400a2e1cc521f7cdf2bc7d67fbe50a6091590
Opcode Fuzzy Hash: 3b68f70e11590a9b0be156d35bd0eae10acfac064355e6c4dcf696b66627599e
Instruction Fuzzy Hash: FFE18130A18A4D8FEBA8DF28D855BED77E1FB54351F04422ED80DC7295CB78A945CB82

Function 00007FF887D03525 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 181
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FF887D03607

Strings

8eL, xrefs: 00007FF887D034D5

Memory Dump Source

Source File: 00000004.00000002.3821072275.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887d00000_Client.jbxd

Similarity

API ID: DeleteFile
String ID: 8eL
API String ID: 4033686569-2915619072
Opcode ID: 40fb91fee20cd486e6b4295b74b7b88528bb2f4e7bad7e1e7acf8472b9aed51f
Instruction ID: fab2f6e9cea392571faff359b716978b8b4c743c78128b255c6fdb09d7703868
Opcode Fuzzy Hash: 40fb91fee20cd486e6b4295b74b7b88528bb2f4e7bad7e1e7acf8472b9aed51f
Instruction Fuzzy Hash: 0151F33290DA488FDB59EB6898496FDBBF1FF65311F04427FD40EC72A2DA28A845C741

Function 00007FF88809014A Relevance: 2.6, Strings: 2, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6B, xrefs: 00007FF88809073D
r6B, xrefs: 00007FF888090758

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID: r6B$r6B
API String ID: 0-2860294223
Opcode ID: e174a03e6752e1fc9e2942616af09d04065851efc82a81bb065b8f45f87b28ab
Instruction ID: 2cff0fef2497530e7dbc823ff634965541040585b5ca87ab67eec6ac8cd05727
Opcode Fuzzy Hash: e174a03e6752e1fc9e2942616af09d04065851efc82a81bb065b8f45f87b28ab
Instruction Fuzzy Hash: A731E722F1CB898FEA59DA6C58663B477C1FB56360F1401BED44EC32D2EE199C41C746

Function 00007FF888090676 Relevance: 2.6, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r6B, xrefs: 00007FF88809073D
r6B, xrefs: 00007FF888090758

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID: r6B$r6B
API String ID: 0-2860294223
Opcode ID: 9638b15c92bd3c5caf8dbda38958865d8a1e12a175010aae4a69ad617b8961ed
Instruction ID: 4fb2679a8e5f8d9fc79ca64a7f9e118a1506285f3beca012b2b858c7e2712896
Opcode Fuzzy Hash: 9638b15c92bd3c5caf8dbda38958865d8a1e12a175010aae4a69ad617b8961ed
Instruction Fuzzy Hash: 51311422E1CB4A4FEA98DA6C6816378B7C1FBA5760F5401BDD48EC32D2DA289C018647

Function 00007FF887F7EB09 Relevance: 1.8, APIs: 1, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF887F7ECF6

Memory Dump Source

Source File: 00000004.00000002.3823391100.00007FF887F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887f70000_Client.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: a0dbd698a49d1e6f37b4004814eb2b3bac18f7fdbbb33d9228fd7d6045c3c575
Instruction ID: d906269915034ed711354ec366f102ac9ac46d6290069a6873428309a7151ec2
Opcode Fuzzy Hash: a0dbd698a49d1e6f37b4004814eb2b3bac18f7fdbbb33d9228fd7d6045c3c575
Instruction Fuzzy Hash: D1711831A5CE898FD758AB6C94566F97BF0FF99351B04417FD04EC3192DE28A802CB82

Function 00007FF887D03650 Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3821072275.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7605d474c4850c829c68574e7d8d8f7031ae757644da80921f99fd9600a0336c
Instruction ID: d95ab6dd473c6301e3784752871fb46257c8d37ba7dfa4c8bd74aabd16e11daf
Opcode Fuzzy Hash: 7605d474c4850c829c68574e7d8d8f7031ae757644da80921f99fd9600a0336c
Instruction Fuzzy Hash: 9D31D432D0C6458EEB64AB6990093FDBBE1FF41390F04427AD05EC36CADF6DA8158792

Function 00007FF887D03569 Relevance: 1.6, APIs: 1, Instructions: 109fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FF887D03607

Memory Dump Source

Source File: 00000004.00000002.3821072275.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887d00000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: c3fef29095dd5818450215124e18d0c9ae21d072f06dd9325e7bd39a24815607
Instruction ID: f9d5e35e7f4a81fa3771a85ab1ac917c41e6f5e2cd1a9f1508b39c088140134d
Opcode Fuzzy Hash: c3fef29095dd5818450215124e18d0c9ae21d072f06dd9325e7bd39a24815607
Instruction Fuzzy Hash: 8C31BE3190CA5C8FDB59DB5888496E9BBF0FF65311F04426FD049D3292DB64A806CB81

Function 00007FF8880952F1 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

H, xrefs: 00007FF8880952F1

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: d71089204879e590e4bbaa7f44902741ead7337eb82890749a460b267abd1519
Instruction ID: 1474a1e1cbdb6c840dec3987e14fc90d2f4954c442c5fef771e723b7d357edc2
Opcode Fuzzy Hash: d71089204879e590e4bbaa7f44902741ead7337eb82890749a460b267abd1519
Instruction Fuzzy Hash: CF210761F0CE4A0BFA96A63D186627852D2FF996A0F984179D04EC72DBDE3CDC42C304

Function 00007FF88809207D Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3830c98af8a15f765f69f2d29c4047607ee8ec5b2db79e4e26e1ff86e88ce9a
Instruction ID: 9fa33b46cb51b9c7eafa50573a3e186b21767c30721268e7abba360f3e2ce843
Opcode Fuzzy Hash: c3830c98af8a15f765f69f2d29c4047607ee8ec5b2db79e4e26e1ff86e88ce9a
Instruction Fuzzy Hash: 4A81B210B6CE5A0FEB85976D8895779A6E1FFA9740F4401BAD11DC72C7CE28EC06C385

Function 00007FF888090002 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe580636e0ee91c00e8a8e8ba4c59b1855a20169a0fbe8799a624461525ae89
Instruction ID: 104ed31e4c5ad90915ba2a7eafd6d016b62d1a1e1700ef2567fa6d1f19e0d7b9
Opcode Fuzzy Hash: ffe580636e0ee91c00e8a8e8ba4c59b1855a20169a0fbe8799a624461525ae89
Instruction Fuzzy Hash: CA41E131A0CA894FD75A97289C59A703FE0EF67210F1A01FBD48ECB1E3DA28AC45C741

Function 00007FF887BEED80 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3820784062.00007FF887BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff887bed000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9ee5fc4dadaaefe2b153fc0b3bd79826baf3faee8d392251958e5f4c93f755
Instruction ID: 4177e7090b639e8ec45e05611e1e9d40e4fc6b79bfbfe91ddb1a9ca7a3d50bc6
Opcode Fuzzy Hash: 7c9ee5fc4dadaaefe2b153fc0b3bd79826baf3faee8d392251958e5f4c93f755
Instruction Fuzzy Hash: 7241E53140DBC44FD756CB2898459523FF0FF56364B1906EFD088CB2A3D729A846C7A2

Function 00007FF888093D9F Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440261a5200568a1e13e1e8401312caa228d7642cb182d939b85ca01392e0943
Instruction ID: 15e75bb5813612608cd567f0755495d7312856c1a7a02729d055e20e264705a8
Opcode Fuzzy Hash: 440261a5200568a1e13e1e8401312caa228d7642cb182d939b85ca01392e0943
Instruction Fuzzy Hash: 7F310B21F0DE4B1FFA95963C18A527856D2FF98690B591179C00EC72DAEE38EC01C705

Function 00007FF8880935BA Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9c96b82170a2d08b24ca229821bc85f6bf20c5f4adc2a3d7342508c8ff1750
Instruction ID: fb2d7449d588b8c7f0fc928af9dddf85ee20733a7c899f35b232e91cf9f536fd
Opcode Fuzzy Hash: ad9c96b82170a2d08b24ca229821bc85f6bf20c5f4adc2a3d7342508c8ff1750
Instruction Fuzzy Hash: C721D821F18E4B1BFAD5923C189527952C2FF986A0B995179D00EC73EAEE38DC42C345

Function 00007FF888092AAF Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a073ac3ee5302236b1140b19a861f1535376e6f965751ad2826607e09cb546
Instruction ID: 7e0a477d976befa22cce382d9a41a2b963e5cb575bed5841c694b10fb7f9aa5a
Opcode Fuzzy Hash: 66a073ac3ee5302236b1140b19a861f1535376e6f965751ad2826607e09cb546
Instruction Fuzzy Hash: 6721EC61F48E4A0FFAE5D62C185527992D2FFD87A0B98017AC01EC72DADE38DC028345

Function 00007FF888093293 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5634b95314e0155c8f8ac5ad0753368ca76a66919a5af19aa1d4fd62310ea308
Instruction ID: 3830c0b5110ce57e919e2267405b1141a800be201940edc2e4ba2d4ec6df497a
Opcode Fuzzy Hash: 5634b95314e0155c8f8ac5ad0753368ca76a66919a5af19aa1d4fd62310ea308
Instruction Fuzzy Hash: 7021E521F58E4B5BFAE5D23C185627852C2FF987A0F995179C00EC72DAEE38EC428745

Function 00007FF888095090 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07643474f92a3bb7526b8e28446299f20d1df91738446bfbdb3fd27b1969f7ad
Instruction ID: 47f82a64d7a9892dc1ceb4bd19f8447720bbc41d8243b587cb33fad58ada3906
Opcode Fuzzy Hash: 07643474f92a3bb7526b8e28446299f20d1df91738446bfbdb3fd27b1969f7ad
Instruction Fuzzy Hash: A8219B31F48E4A5FFAD5962D186527952D2FFD86A0F580179C44EC72DAEE38DC028345

Function 00007FF8880943EE Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d88ed9aadcf67c269364914a93d8dc3c8df21942328ef7653969eeea3b2942
Instruction ID: 2fdce0ce3bafe1de2af6b0c096c5f1693e723a87402fbc5fd916740b6f5bb925
Opcode Fuzzy Hash: 15d88ed9aadcf67c269364914a93d8dc3c8df21942328ef7653969eeea3b2942
Instruction Fuzzy Hash: A421DB61F58E4B0BFA99D63C085527862D2FF98691F980179D40ECB2DADE38EC028345

Function 00007FF88809292E Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7ee95d31de957d24d0d42e710376c1b1ccb8266ad486d880f67b851db7dbc7
Instruction ID: 2475b2830781d8f3069678ad5e7d6c42f0d37138c6c26d4b2ae8c833885946db
Opcode Fuzzy Hash: 5e7ee95d31de957d24d0d42e710376c1b1ccb8266ad486d880f67b851db7dbc7
Instruction Fuzzy Hash: 7721B321F59E0A4FFA95E62C185523852D2FF986A0B9D017AC44EC72DBDE38DC428345

Function 00007FF8880939C2 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065b9bfdc02437879638fee4bf8a648c3a022511a7266870bc6205a2fb61e3c3
Instruction ID: 4d160f4fc600358fa2659b7b4e7cd909d75eca52758b35132667e8bce9d03f86
Opcode Fuzzy Hash: 065b9bfdc02437879638fee4bf8a648c3a022511a7266870bc6205a2fb61e3c3
Instruction Fuzzy Hash: 5F21C521F0CE4A0BFAE5E63C185527C56D2FFD86A0B99117AC00EC72DADE38DC428745

Function 00007FF88809555F Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8494a3ebeabafd124b618e14ee8df319a2382feeac5fcd82ed667dbadb03df
Instruction ID: 7f9d24da7f4e18afebb0a0750bc602ec2a719a75002be349f26c2c1c12990e59
Opcode Fuzzy Hash: fe8494a3ebeabafd124b618e14ee8df319a2382feeac5fcd82ed667dbadb03df
Instruction Fuzzy Hash: 1421C521F18E0A1FFA95E62D186523852C3FFD86A0B98027AD54EC73DBDE38DC428345

Function 00007FF888093762 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950f4f7c09fdc7e9916934b017c3c4c519df24449b3e3b66639de327f756794b
Instruction ID: 16f0af02213d72534ba691240b183b889719c7935da097a20e499df879fee8bc
Opcode Fuzzy Hash: 950f4f7c09fdc7e9916934b017c3c4c519df24449b3e3b66639de327f756794b
Instruction Fuzzy Hash: 2621F821F08E0B0FFAA5E63C085523951D2FFD86A1B991179C00EC73DAEE38DC428705

Function 00007FF888094E48 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f8f6f4f7411bc3efe0785ef342e6dff6e06e3c8e8b76133c3abc3627adfcaa
Instruction ID: 2de3b597ffad24d767e9568c4507d6075aaa8d4f0e6cb53c45ec71496d97e21a
Opcode Fuzzy Hash: 29f8f6f4f7411bc3efe0785ef342e6dff6e06e3c8e8b76133c3abc3627adfcaa
Instruction Fuzzy Hash: D721F961F58E0B4FFB95E62C48A527852C2FFD96A1B990179C00ECB3DADE38DC428345

Function 00007FF888093CF1 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627ca5a4b11a880b112c80fa795b6e2251c6c8f1aa181451a0b8594ada5cd6f5
Instruction ID: dfda1abe462fbb6a2cfc5413c2168b93cd0c8f9bbca4d47dcf4489505596e41d
Opcode Fuzzy Hash: 627ca5a4b11a880b112c80fa795b6e2251c6c8f1aa181451a0b8594ada5cd6f5
Instruction Fuzzy Hash: AA21F921F48E0B4FFADAA63C186627851D2FFD86A0B991179C00EC72DADE38DC028745

Function 00007FF8880926DA Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0560f771ccda03d47ead9e8091cae77846689913253c73a867efe024e4ba4c04
Instruction ID: 984960a8e5e7706e254bf2050cf7f204dcb6cae9db4ac06966d29d2bd7a79e50
Opcode Fuzzy Hash: 0560f771ccda03d47ead9e8091cae77846689913253c73a867efe024e4ba4c04
Instruction Fuzzy Hash: 9621D421F58E4A1BFAD9A62C185527991D3FFD86A1F98017AC00EC72DADD38DC468345

Function 00007FF88809597E Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ca95542a2836ff515930b197256d2cd815547336ce31359aefca5f1430a20e
Instruction ID: a0471cacadb3bd53f8cf535836de0390d8d07d3940a6592c28603119555ec186
Opcode Fuzzy Hash: 17ca95542a2836ff515930b197256d2cd815547336ce31359aefca5f1430a20e
Instruction Fuzzy Hash: 0411C831B19E4A0BFAE5A62D186533952D2FF982A1F99017ED44EC72DADE38DC028305

Function 00007FF888093B82 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40926eae33a9f508d47e5904b05ca9b2433b58f27f1d7df56609a990d2e80e0
Instruction ID: 592e2fd43daf670b5a255e8a3deee659bb124bc93efbb50621fd44df435a4462
Opcode Fuzzy Hash: e40926eae33a9f508d47e5904b05ca9b2433b58f27f1d7df56609a990d2e80e0
Instruction Fuzzy Hash: AA11CB31B0CD4B0BFAA5963C045527856C2FF946A1B990179C14EC72DBDE39DC028744

Function 00007FF888095330 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5dc3084cf5b089ca734923474a76bfd841358df265163fa63ee3301ee8514ce
Instruction ID: b8e1809b09d82e027846abf5f62ea3b55a9480d734de535bd4887b952edd9b86
Opcode Fuzzy Hash: b5dc3084cf5b089ca734923474a76bfd841358df265163fa63ee3301ee8514ce
Instruction Fuzzy Hash: 8A119871B08E4A4FFA95D62D185523856D2FF992A0F9942BAD44EC72DADE38DC02C305

Function 00007FF888095268 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c86ffd1e76c796aea7ec368e4be39552d1e1505d984224be589f00c112662bd1
Instruction ID: abf50b6baa3eb821f3e09848a8c2d06a81772b490ebdde273deb05a6f16f4a92
Opcode Fuzzy Hash: c86ffd1e76c796aea7ec368e4be39552d1e1505d984224be589f00c112662bd1
Instruction Fuzzy Hash: 8211A731F0DE4A4BFA95A62D185523866D2FF996A0F9901B9D44EC72DADE38DC028305

Function 00007FF888090EE1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3824190842.00007FF888090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF888090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff888090000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2914b9a9e60c285f944ec0746a45b620bbffb717907ac044ee18591f6d5a9901
Instruction ID: d2ca7303ee761fdd086b38eee06ec27444f1e785f4df84cc282121ee6d399b81
Opcode Fuzzy Hash: 2914b9a9e60c285f944ec0746a45b620bbffb717907ac044ee18591f6d5a9901
Instruction Fuzzy Hash: 43D0C911B6941207FA04219C6C463B8B285EB98760F54513BE40ACA2CBC89EACC5C2C2

Analysis Process: Client.exePID: 1280, Parent PID: 1124COMMON

Executed Functions

Function 00007FF887D02DE9 Relevance: 5.2, Strings: 4, Instructions: 235COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887D02EA9
r6B, xrefs: 00007FF887D02F9B
r6B, xrefs: 00007FF887D02FC2
r6B, xrefs: 00007FF887D02F25

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID: r6B$r6B$r6B$r6B
API String ID: 0-2530241429
Opcode ID: 242142529d3511f22d30ec10d1041be3d9dcf8918209ed36cde4dfb79732dfd9
Instruction ID: c99180b9ec398502d801c94e226d3a893f50f914f3c399c4201a30fb22a140f7
Opcode Fuzzy Hash: 242142529d3511f22d30ec10d1041be3d9dcf8918209ed36cde4dfb79732dfd9
Instruction Fuzzy Hash: 16614D31E589098FEB98EA6894557BDB7F2FF88390F545279D00ED32D6CE28AC42C741

Function 00007FF887D02729 Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

0WL, xrefs: 00007FF887D0285A
(LH, xrefs: 00007FF887D0277C

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID: (LH$0WL
API String ID: 0-3009823392
Opcode ID: b0c2e479e513c518b55e12ce1fd1e53ade2bd64eafddca0410a567882a8ecbea
Instruction ID: 4b8e76c879df2c175a6860b11c04db756812678a18f92277ad7940960db32f95
Opcode Fuzzy Hash: b0c2e479e513c518b55e12ce1fd1e53ade2bd64eafddca0410a567882a8ecbea
Instruction Fuzzy Hash: 2D410721E5DA498FE758A768941A3BE77E1FF99350F04027EE04EC32C6DD2C68428382

Function 00007FF887D020FA Relevance: 1.6, Strings: 1, Instructions: 361COMMON

Download Yara Rule

Strings

0DL, xrefs: 00007FF887D023F8

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID: 0DL
API String ID: 0-3174716889
Opcode ID: b8823c38317404b7cf231a8394a96bdbbaf0fa76e6a60e9681ad8331be5ad35b
Instruction ID: d58ced09724c1cc2ab59dde531ad4f013e705c350a9c1af570a7efd56e1e8020
Opcode Fuzzy Hash: b8823c38317404b7cf231a8394a96bdbbaf0fa76e6a60e9681ad8331be5ad35b
Instruction Fuzzy Hash: 29A1B431A4D98A8FEB95EB2894567FD77E1FF95380F0412BAD40EC719BCD28A842C741

Function 00007FF887D00BBD Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

;M_I, xrefs: 00007FF887D00C04

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID: ;M_I
API String ID: 0-1276053120
Opcode ID: 9cb059b83cbbc41bd3e80fb59d48e410937bc737f887e15d9525f73fca1f7fbb
Instruction ID: 330be3e2a7371a242ccea03505cb8c7649de799c54a9adb10205ef091a36c34a
Opcode Fuzzy Hash: 9cb059b83cbbc41bd3e80fb59d48e410937bc737f887e15d9525f73fca1f7fbb
Instruction Fuzzy Hash: 97915631A0D6899BE315E76C98643FC7FE1FF55344B8842BAE4898728FCE2C9841C756

Function 00007FF887D015FA Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

.M_^, xrefs: 00007FF887D01601

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID: .M_^
API String ID: 0-2820351210
Opcode ID: 4e4077945f2338d2048d840a73832a3187355aaa5cd5999943eb075ac7dbf746
Instruction ID: 6fc5d9c7c5f8d332a5e925d799f6d8f33ce799ecba5c64d07cfc5fc93d157155
Opcode Fuzzy Hash: 4e4077945f2338d2048d840a73832a3187355aaa5cd5999943eb075ac7dbf746
Instruction Fuzzy Hash: 8931E026B0D69D4BD311B67CA8692EC7BE0EF4237270813B7D59CCA093CD09184B879A

Function 00007FF887D0269D Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

r6B, xrefs: 00007FF887D026D9

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID: r6B
API String ID: 0-2624010786
Opcode ID: 4482a8f2a4768b2c644489d8b0f42effab3e03273b34c1e6c1ae3375539bce4b
Instruction ID: a598e448aa282723e312ee2a914c863f773afc76598d99918cf37dfd6e4636e9
Opcode Fuzzy Hash: 4482a8f2a4768b2c644489d8b0f42effab3e03273b34c1e6c1ae3375539bce4b
Instruction Fuzzy Hash: 4621F321E0DA8E8FEB45A76898563FD7BB1FF85381F4412B6D00EC71D7DD2868458382

Function 00007FF887D00872 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

`mL, xrefs: 00007FF887D0090F

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID: `mL
API String ID: 0-2103775323
Opcode ID: 48a89f95972d314d7e80c0b7aae9532722aa6f9f1d153baaf07fb2620c86b059
Instruction ID: 51c761a3143a5827f7f557cf0eb49380cacb15478b83804dd8e9cf0b7814fba1
Opcode Fuzzy Hash: 48a89f95972d314d7e80c0b7aae9532722aa6f9f1d153baaf07fb2620c86b059
Instruction Fuzzy Hash: 1521F7A1D1DAC69FF345A77458257A9ABB0FF51780F4902FAC09ECB1D7DC1C58048792

Function 00007FF887D03491 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

8eL, xrefs: 00007FF887D034D5

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID: 8eL
API String ID: 0-2915619072
Opcode ID: 651cd113f527d793fae52a42d6232d3cae7b0374677f49c8f81231dd5bcfb5bd
Instruction ID: 3b5d1291edcab839c486236a982f01d1e914b5395a310d58044cd6dc38dcb08e
Opcode Fuzzy Hash: 651cd113f527d793fae52a42d6232d3cae7b0374677f49c8f81231dd5bcfb5bd
Instruction Fuzzy Hash: 0F117A2294DA850FE341A6386C494F97BE0EB9026070842BBD40DC7197CD1CD586C341

Function 00007FF887D024A2 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884e51f76465967ecf32244b71f5283cd8a3c9fb4a6e2022e6858c4a8936a5d9
Instruction ID: fee68dcf0c9087970fedfe55f189187817e6046ccdf6d5b98a5a5eaefc6b2ef7
Opcode Fuzzy Hash: 884e51f76465967ecf32244b71f5283cd8a3c9fb4a6e2022e6858c4a8936a5d9
Instruction Fuzzy Hash: 8C51B620B4DA5A8FEB85F37844653ED6BE2EF952D078052B5E00EC719BCD2C9C42C342

Function 00007FF887D02110 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00826315447a4e21370183bd972deede704269db3d8137bc1f230ac86ff2322a
Instruction ID: e3b63acb31c64dd8d1075727464cf3c8824e98df2e767e85ac1246a51486f2fc
Opcode Fuzzy Hash: 00826315447a4e21370183bd972deede704269db3d8137bc1f230ac86ff2322a
Instruction Fuzzy Hash: B541E62194D68A8FEB91EB6898517FD3BB1FF55380F0412B6D00EC718BCE18A841C752

Function 00007FF887D0196D Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3708a5a9d72021305540000bba84f569c0aa6eb71e3641746ab2b74122b77fe
Instruction ID: 99333c9d54f22eb03c83f9f0834e2f93cfe7e520c5ddc23ea40146a79a9532ae
Opcode Fuzzy Hash: d3708a5a9d72021305540000bba84f569c0aa6eb71e3641746ab2b74122b77fe
Instruction Fuzzy Hash: D12123309496828FDB45DF28C0C55AD7BA1FF95310B1893FAD459CF19BD929EC86C381

Function 00007FF887D01BF5 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b758a0c0c043ea22ccdd01165a5d61068a51300f638c228739f8b3b2151ca881
Instruction ID: d4fd6627f429f799919f4df0507ce322dfd3c7c2621ed5d1c7b8f28663c5c59c
Opcode Fuzzy Hash: b758a0c0c043ea22ccdd01165a5d61068a51300f638c228739f8b3b2151ca881
Instruction Fuzzy Hash: D9316E3061965D8BE744FB5CC8993F97F62EB98348FD08164E5198338ACA3C6885CB53

Function 00007FF887D032DD Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650823013f4f8bb03d57cb4b5fa779cb2767a917b18703c411c1e05596c1cc24
Instruction ID: 57e7f617cad2f3858362e4dd610d12cb7c19e82eadbfa5d9d0969b63d1bed5b1
Opcode Fuzzy Hash: 650823013f4f8bb03d57cb4b5fa779cb2767a917b18703c411c1e05596c1cc24
Instruction Fuzzy Hash: DE21B331F18A598FD794FB7894A96B877E1FF58351B4541BAE00DC72A2DE28D801C741

Function 00007FF887D028D5 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b8c99f6c7b40c9bc85bf177998a8f6129bc5e78db761cf24cad47740f37359
Instruction ID: 27d5a79cfce5d881007ef374fa946b8726ec63e385961c1c33d90845a1a11108
Opcode Fuzzy Hash: 18b8c99f6c7b40c9bc85bf177998a8f6129bc5e78db761cf24cad47740f37359
Instruction Fuzzy Hash: 6711E920A4EAC85FE347E3385899BB83FE1AF47254B0901F7D049CB0B7C9585845C352

Function 00007FF887D00DA9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d517d45b1cf157e080886c36060e5faf32eb6a480911739b848a07cc8e5aa600
Instruction ID: 4cc32d3ad7230782103e2a5ae8e38251e2560c56d63b2aced3a31ce877711484
Opcode Fuzzy Hash: d517d45b1cf157e080886c36060e5faf32eb6a480911739b848a07cc8e5aa600
Instruction Fuzzy Hash: 43014922EA8D8A1BD696A22858456F967E1FB95391B440776D00EC328ADD1868428382

Function 00007FF887D01E58 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb23093d31cecc9c8b4ee99b857080552a7725e90faa00c3d4ca87974933f7a2
Instruction ID: cefac0e902430f3b6d5bbc70a281ed97ef4a5fca7759da2b1fb55b59964a3635
Opcode Fuzzy Hash: fb23093d31cecc9c8b4ee99b857080552a7725e90faa00c3d4ca87974933f7a2
Instruction Fuzzy Hash: 02F02B21B08C1C1FA640F2AD64DDBFD67E0DFAC26130402B7E40CC7163DC0898828381

Function 00007FF887D01E70 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a54d0953cef1cc230fc61801eac45947fbf94abe42ac04b7f58ed6b5a56469
Instruction ID: c8eee9639d47fb0bd138c96703fa66a2c9147901f5544aec184cb45c4e3ae9d4
Opcode Fuzzy Hash: 03a54d0953cef1cc230fc61801eac45947fbf94abe42ac04b7f58ed6b5a56469
Instruction Fuzzy Hash: 66E09221B18C1D5FAB94F2AD50DDBBD62D1EBAC25171006B6E40DC72A6DD19EC81C381

Function 00007FF887D0094D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ddaaa409c0b2f3d8d3b2ceea0543f858216d697a317d1e5b180ff4b4fae589
Instruction ID: a5a26a284cfd4ed532ca8a075bec733bfd71318e41cbf4ad9c1f09dbeb2c0005
Opcode Fuzzy Hash: 38ddaaa409c0b2f3d8d3b2ceea0543f858216d697a317d1e5b180ff4b4fae589
Instruction Fuzzy Hash: 37E08622F89A2617E18932B834062FC66D1EF446D1B4415BAE54EEA28BDC1D6D424385

Function 00007FF887D02DC8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1418173386.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff887d00000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a76897c144fd02747de3f5a3256680d939d16e2a55b632939f2469077ed25d
Instruction ID: 09bcadf011f7fa082b177a25f1f3ff440c0dbf112213718a243cd2c3a57cc5fc
Opcode Fuzzy Hash: 64a76897c144fd02747de3f5a3256680d939d16e2a55b632939f2469077ed25d
Instruction Fuzzy Hash: 5DC01222D55D4E8B9655CB5834852FC62B2FF883807940335C00DE2169CF2424A1D240

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report vanilla.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\vanilla.exe.log

C:\Users\user\AppData\Roaming\SubDir\Client.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
vanilla.exe

Function 00007FF887D03525 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 181
fileCOMMON

Function 00007FF887D03650 Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Function 00007FF887D03569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Function 00007FF887F8B851 Relevance: 9.7, Strings: 7, Instructions: 924
COMMON

Function 00007FF887F8EB29 Relevance: 4.7, Strings: 3, Instructions: 966
COMMON

Function 00007FF887D03525 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 181
fileCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre