Edit tour

Windows Analysis Report
skibidi.exe

Overview

General Information

Sample name:	skibidi.exe
Analysis ID:	1575659
MD5:	5c73e901190eb50c2794a879a354417d
SHA1:	e7e0e5552b9656e3790aa748f9af8774b606ed66
SHA256:	7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6
Tags:	exeQuasarRATuser-lontze7
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to detect virtual machines (STR)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

skibidi.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\skibidi.exe" MD5: 5C73E901190EB50C2794A879A354417D)

schtasks.exe (PID: 7552 cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Client.exe (PID: 7620 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Client.exe" MD5: 5C73E901190EB50C2794A879A354417D)

schtasks.exe (PID: 7672 cmdline: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Client.exe (PID: 7648 cmdline: C:\Users\user\AppData\Roaming\SubDir\Client.exe MD5: 5C73E901190EB50C2794A879A354417D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "hilol.zapto.org:20;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "11bbf22e-826e-486b-b024-adbd86228a9e", "StartupKey": "ctfmon", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "J5q73mSQenQ4qqaxjEhsdFbydQBK2sXWN1tc9c/zYSLUodB5/jc/D6Pbnak7tqIIs/gPms4mT5axK46o+bBODyjp/zMD6DjJn0gD2eUv/tFcOlCDK5mxhEaZWkB+ALLms0wVSoq1oNywJL/NeEVSvwSDoNUWd+hka4rG1K2J+2BShfqeTZmf1ZkRcaKc4gByPQBUlmqYaZu1X6rJMGF0hJuvqGIm7zasd8NYKymg6hzi3s+uHuapNFHFOdAoy7EJf8fA/J5Z1J6d4iom1Gh+URmGn2Ip4zoWj0JW2iwyDBuHeB13J5I3DUI7IKhuRw2H7WFCrZOGgASr1fVIwvSH7arhO2CgIaHslxGYwfsnUQDrx9qT3NxzJ7OR/LapbynIxLVcNY9gu9VYMDx+zMrT8n6Qz4pr1ElsaM0b8WajRJWHR+OI1Hh+aI4DbPD5qicnZvh4OjymhxV+lOPaqvvee0+aD3AJsFlFqwNkI85STdIY5lJX4NRIjtVwCxYZPNGD/G3TRxUEBr1XqMw7tBIAAPot2FTNI4ij39o0esNXRlkiRiBTreSaVA6wruHSdCGJGje3690ZGk1eoXOKl2OBeizrUgoAYNNTiQe0WlfhLUK5vRRF0SfGWaBWTDb9HbdwdTlur6LKANBA8sqJbPpEIEGrHQteTvhCtU//ngFQjp4=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAPhUPS2VQ64wLwfd497kbzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIwNTIwMTQzNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAytxbCLcvvJHBaKrSjs/03LIBGtEL/sIDrLa+BgDNAnZzfAHr4yrtx8+u9ZZk1NjWigTPIgeaCKJ83QYHxYlhHp1FCqiVNbS/aRxfpfiH50g7NH5zkSkykIR7mpiTJ4JXkZdusSYxzMUg+72gVI6ahR4YsF4B9xF/itQPGcMTDvx1WTAKAuCe4GoE157Bu9gLuXd/DfkCTzPeXCzR4lT+P4R1QbppLDUq8otglC/aYM7IvKZ8WK1IJ/MLYj71pkaOBvzVTpxhl75NMMs5QqRdEViHgEgRXtXhH6JjhcbZ/7083ijxjbrv5aHKAqxQO2zt+ctW16vq2vdbzmjL01jJYPsiDNOEJwarUyIWgnD6dMxxbhyEozbCzj50qrHuK9gZtfyyE/u75YK/0Sk6JWrC4caDaCXQ9aR3se/RwuqI42hyCD1dZ7XRTG6BIabiCsccEnzbLhvL/EJlYNEnZNrHAOiTqtDexWS8D0bbYhVudxGTLs6FHGY07hUXgJF43xW/91lMVl+GZb1JWDZddIGG+G9wuwh26qbqpPzA5/opmed0SHdtPH/HG+BCVoG8rsmjjgFiAO7Jxp6r0+d4W3g11k6ARVe910sjDfUmpNJwowBgD5D6n9ttYxTshZo1+uhsDO2Gj9KPZR5mI5NNVBh9JEOaMQiGlFHpXNt1RA8N1i0CAwEAAaMyMDAwHQYDVR0OBBYEFEMccL9EmQ/xWnqFOYlr6nqsJ6QrMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAJwQtqjn9D36fO6JrY+oXOgotdAkQpBm7dfsrvMwr7xsfWbqo3tn6oSg+ktMVYEimrQGLKjmkJ/ed/BsbL5TvdUZId2G4a4jupKvLqy2m8ebK07NflTgy7g4YI/HmmSz6b9mUfUU2OXij9p6ciExRsWlGxFqPDU3NLb5zBxuv4kQtOMCfmPCgR3SVrE7y/YtS0fRjTQ11J1JvmFhYoz9Q/K1ZlMYx4IkRMVfzeUIHCP3jAArjRatXlgsUaiy4+Mph4xHaTjBBefqiuGcQSh1CaOGsp6Pla10SZ2wCJfCFfk/WhGARxeH/rQpJ0T4dUf2725vDR8kpCIL40TUUZ12BH8hF5xKCjlPZwS5H95L7QRWutHSOf7ySJsET9I1PJ2GGhmoPc7hQSrcfzId3AEMZCfAO0XF/NqDHpE5zcY7buK6g0+3mt9GzzwNa+HhCKDL0XIh2CEkbff3/WWyFokv8fVIYM1z2X2jkKUnhxyj4t+QRTJyS78wLp8BWT9cRhblJ1/5z0rWkYMyFN3H+yGP6KNa2fpl6bYa4dXyg6pL52GfRqY7loz6z7cC52YMa0HckCe9W29DI+1vrYhOlytN9H2o+PpZLIb3vrW1gzIeucrmAs3Q2q6EfYplpYQVkvHrJbbmaJcxahsDU8HaT4sZW9gucwz+GbfZ6FStq4lFC/lX"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
skibidi.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
skibidi.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
skibidi.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed7:$x1: Quasar.Common.Messages 0x29f200:$x1: Quasar.Common.Messages 0x2ab7ee:$x4: Uninstalling... good bye :-( 0x2acfe3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
skibidi.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aada0:$f1: FileZilla\recentservers.xml 0x2aade0:$f2: FileZilla\sitemanager.xml 0x2aae22:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab06e:$b1: Chrome\User Data\ 0x2ab0c4:$b1: Chrome\User Data\ 0x2ab39c:$b2: Mozilla\Firefox\Profiles 0x2ab498:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd3f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab5f0:$b4: Opera Software\Opera Stable\Login Data 0x2ab6aa:$b5: YandexBrowser\User Data\ 0x2ab718:$b5: YandexBrowser\User Data\ 0x2ab3ec:$s4: logins.json 0x2ab122:$a1: username_value 0x2ab140:$a2: password_value 0x2ab42c:$a3: encryptedUsername 0x2fd338:$a3: encryptedUsername 0x2ab450:$a4: encryptedPassword 0x2fd356:$a4: encryptedPassword 0x2fd2d4:$a5: httpRealm
skibidi.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8d8:$s3: Process already elevated. 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e95f:$s5: GetKeyloggerLogsDirectory 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords 0x2fea22:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\SubDir\Client.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\SubDir\Client.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed7:$x1: Quasar.Common.Messages 0x29f200:$x1: Quasar.Common.Messages 0x2ab7ee:$x4: Uninstalling... good bye :-( 0x2acfe3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\AppData\Roaming\SubDir\Client.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aada0:$f1: FileZilla\recentservers.xml 0x2aade0:$f2: FileZilla\sitemanager.xml 0x2aae22:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab06e:$b1: Chrome\User Data\ 0x2ab0c4:$b1: Chrome\User Data\ 0x2ab39c:$b2: Mozilla\Firefox\Profiles 0x2ab498:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd3f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab5f0:$b4: Opera Software\Opera Stable\Login Data 0x2ab6aa:$b5: YandexBrowser\User Data\ 0x2ab718:$b5: YandexBrowser\User Data\ 0x2ab3ec:$s4: logins.json 0x2ab122:$a1: username_value 0x2ab140:$a2: password_value 0x2ab42c:$a3: encryptedUsername 0x2fd338:$a3: encryptedUsername 0x2ab450:$a4: encryptedPassword 0x2fd356:$a4: encryptedPassword 0x2fd2d4:$a5: httpRealm
C:\Users\user\AppData\Roaming\SubDir\Client.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8d8:$s3: Process already elevated. 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e95f:$s5: GetKeyloggerLogsDirectory 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords 0x2fea22:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1746168466.0000000000A60000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.1778204579.000000001B952000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000003.00000002.4203256061.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.1745821607.0000000000742000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: skibidi.exe PID: 7500	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client.exe PID: 7620	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.skibidi.exe.740000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.skibidi.exe.740000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.skibidi.exe.740000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed7:$x1: Quasar.Common.Messages 0x29f200:$x1: Quasar.Common.Messages 0x2ab7ee:$x4: Uninstalling... good bye :-( 0x2acfe3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.skibidi.exe.740000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aada0:$f1: FileZilla\recentservers.xml 0x2aade0:$f2: FileZilla\sitemanager.xml 0x2aae22:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab06e:$b1: Chrome\User Data\ 0x2ab0c4:$b1: Chrome\User Data\ 0x2ab39c:$b2: Mozilla\Firefox\Profiles 0x2ab498:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd3f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab5f0:$b4: Opera Software\Opera Stable\Login Data 0x2ab6aa:$b5: YandexBrowser\User Data\ 0x2ab718:$b5: YandexBrowser\User Data\ 0x2ab3ec:$s4: logins.json 0x2ab122:$a1: username_value 0x2ab140:$a2: password_value 0x2ab42c:$a3: encryptedUsername 0x2fd338:$a3: encryptedUsername 0x2ab450:$a4: encryptedPassword 0x2fd356:$a4: encryptedPassword 0x2fd2d4:$a5: httpRealm
0.0.skibidi.exe.740000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8d8:$s3: Process already elevated. 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e95f:$s5: GetKeyloggerLogsDirectory 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords 0x2fea22:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Sigma Signatures

System Summary

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Client.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Client.exe, ParentProcessId: 7620, ParentProcessName: Client.exe, ProcessCommandLine: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 7672, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\skibidi.exe", ParentImage: C:\Users\user\Desktop\skibidi.exe, ParentProcessId: 7500, ParentProcessName: skibidi.exe, ProcessCommandLine: "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 7552, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T08:02:56.348295+0100	2035595	1	Domain Observed Used for C2 Detected	98.51.190.130	20	192.168.2.4	49730	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T08:02:56.348295+0100	2027619	1	Domain Observed Used for C2 Detected	98.51.190.130	20	192.168.2.4	49730	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: skibidi.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: skibidi.exe

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "hilol.zapto.org:20;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "11bbf22e-826e-486b-b024-adbd86228a9e", "StartupKey": "ctfmon", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "J5q73mSQenQ4qqaxjEhsdFbydQBK2sXWN1tc9c/zYSLUodB5/jc/D6Pbnak7tqIIs/gPms4mT5axK46o+bBODyjp/zMD6DjJn0gD2eUv/tFcOlCDK5mxhEaZWkB+ALLms0wVSoq1oNywJL/NeEVSvwSDoNUWd+hka4rG1K2J+2BShfqeTZmf1ZkRcaKc4gByPQBUlmqYaZu1X6rJMGF0hJuvqGIm7zasd8NYKymg6hzi3s+uHuapNFHFOdAoy7EJf8fA/J5Z1J6d4iom1Gh+URmGn2Ip4zoWj0JW2iwyDBuHeB13J5I3DUI7IKhuRw2H7WFCrZOGgASr1fVIwvSH7arhO2CgIaHslxGYwfsnUQDrx9qT3NxzJ7OR/LapbynIxLVcNY9gu9VYMDx+zMrT8n6Qz4pr1ElsaM0b8WajRJWHR+OI1Hh+aI4DbPD5qicnZvh4OjymhxV+lOPaqvvee0+aD3AJsFlFqwNkI85STdIY5lJX4NRIjtVwCxYZPNGD/G3TRxUEBr1XqMw7tBIAAPot2FTNI4ij39o0esNXRlkiRiBTreSaVA6wruHSdCGJGje3690ZGk1eoXOKl2OBeizrUgoAYNNTiQe0WlfhLUK5vRRF0SfGWaBWTDb9HbdwdTlur6LKANBA8sqJbPpEIEGrHQteTvhCtU//ngFQjp4=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAPhUPS2VQ64wLwfd497kbzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIwNTIwMTQzNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAytxbCLcvvJHBaKrSjs/03LIBGtEL/sIDrLa+BgDNAnZzfAHr4yrtx8+u9ZZk1NjWigTPIgeaCKJ83QYHxYlhHp1FCqiVNbS/aRxfpfiH50g7NH5zkSkykIR7mpiTJ4JXkZdusSYxzMUg+72gVI6ahR4YsF4B9xF/itQPGcMTDvx1WTAKAuCe4GoE157Bu9gLuXd/DfkCTzPeXCzR4lT+P4R1QbppLDUq8otglC/aYM7IvKZ8WK1IJ/MLYj71pkaOBvzVTpxhl75NMMs5QqRdEViHgEgRXtXhH6JjhcbZ/7083ijxjbrv5aHKAqxQO2zt+ctW16vq2vdbzmjL01jJYPsiDNOEJwarUyIWgnD6dMxxbhyEozbCzj50qrHuK9gZtfyyE/u75YK/0Sk6JWrC4caDaCXQ9aR3se/RwuqI42hyCD1dZ7XRTG6BIabiCsccEnzbLhvL/EJlYNEnZNrHAOiTqtDexWS8D0bbYhVudxGTLs6FHGY07hUXgJF43xW/91lMVl+GZb1JWDZddIGG+G9wuwh26qbqpPzA5/opmed0SHdtPH/HG+BCVoG8rsmjjgFiAO7Jxp6r0+d4W3g11k6ARVe910sjDfUmpNJwowBgD5D6n9ttYxTshZo1+uhsDO2Gj9KPZR5mI5NNVBh9JEOaMQiGlFHpXNt1RA8N1i0CAwEAAaMyMDAwHQYDVR0OBBYEFEMccL9EmQ/xWnqFOYlr6nqsJ6QrMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAJwQtqjn9D36fO6JrY+oXOgotdAkQpBm7dfsrvMwr7xsfWbqo3tn6oSg+ktMVYEimrQGLKjmkJ/ed/BsbL5TvdUZId2G4a4jupKvLqy2m8ebK07NflTgy7g4YI/HmmSz6b9mUfUU2OXij9p6ciExRsWlGxFqPDU3NLb5zBxuv4kQtOMCfmPCgR3SVrE7y/YtS0fRjTQ11J1JvmFhYoz9Q/K1ZlMYx4IkRMVfzeUIHCP3jAArjRatXlgsUaiy4+Mph4xHaTjBBefqiuGcQSh1CaOGsp6Pla10SZ2wCJfCFfk/WhGARxeH/rQpJ0T4dUf2725vDR8kpCIL40TUUZ12BH8hF5xKCjlPZwS5H95L7QRWutHSOf7ySJsET9I1PJ2GGhmoPc7hQSrcfzId3AEMZCfAO0XF/NqDHpE5zcY7buK6g0+3mt9GzzwNa+HhCKDL0XIh2CEkbff3/WWyFokv8fVIYM1z2X2jkKUnhxyj4t+QRTJyS78wLp8BWT9cRhblJ1/5z0rWkYMyFN3H+yGP6KNa2fpl6bYa4dXyg6pL52GfRqY7loz6z7cC52YMa0HckCe9W29DI+1vrYhOlytN9H2o+PpZLIb3vrW1gzIeucrmAs3Q2q6EfYplpYQVkvHrJbbmaJcxahsDU8HaT4sZW9gucwz+GbfZ6FStq4lFC/lX"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: skibidi.exe	Virustotal: Detection: 76%			Perma Link
Source: skibidi.exe	ReversingLabs: Detection: 73%

Yara detected Quasar RAT

Source: Yara match	File source: skibidi.exe, type: SAMPLE
Source: Yara match	File source: 0.0.skibidi.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1746168466.0000000000A60000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1778204579.000000001B952000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4203256061.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1745821607.0000000000742000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: skibidi.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: skibidi.exe

Joe Sandbox ML: detected

Source: skibidi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: skibidi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 98.51.190.130:20 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 98.51.190.130:20 -> 192.168.2.4:49730

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: hilol.zapto.org

Yara detected Generic Downloader

Source: Yara match	File source: skibidi.exe, type: SAMPLE
Source: Yara match	File source: 0.0.skibidi.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 98.51.190.130:20

Source: Joe Sandbox View

IP Address: 108.181.61.49 108.181.61.49

Source: Joe Sandbox View

ASN Name: COMCAST-7922US COMCAST-7922US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: hilol.zapto.org
Source: global traffic	DNS traffic detected: DNS query: ipwho.is

Source: Client.exe, 00000003.00000002.4210667220.000000001B3BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: Client.exe, 00000003.00000002.4202264413.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/t
Source: Client.exe, 00000003.00000002.4202264413.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Client.exe, 00000003.00000002.4202264413.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authr
Source: Client.exe, 00000003.00000002.4211520746.000000001B6FF000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Client.exe, 00000003.00000002.4203256061.0000000002E42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: Client.exe, 00000003.00000002.4203256061.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: skibidi.exe, 00000000.00000002.1774156264.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000003.00000002.4203256061.0000000002A99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: skibidi.exe, Client.exe.0.dr	String found in binary or memory: https://api.ipify.org/
Source: Client.exe, 00000003.00000002.4203256061.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: skibidi.exe, Client.exe.0.dr	String found in binary or memory: https://ipwho.is/
Source: skibidi.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: skibidi.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: skibidi.exe, Client.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.4:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Client.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: skibidi.exe, type: SAMPLE
Source: Yara match	File source: 0.0.skibidi.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1746168466.0000000000A60000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1778204579.000000001B952000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4203256061.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1745821607.0000000000742000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: skibidi.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: skibidi.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: skibidi.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: skibidi.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.skibidi.exe.740000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.skibidi.exe.740000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.skibidi.exe.740000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B701867	3_2_00007FFD9B701867
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B977C26	3_2_00007FFD9B977C26
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B97EBD4	3_2_00007FFD9B97EBD4
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B983B09	3_2_00007FFD9B983B09
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B97CAE5	3_2_00007FFD9B97CAE5
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B969271	3_2_00007FFD9B969271
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B9789D2	3_2_00007FFD9B9789D2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B97B861	3_2_00007FFD9B97B861
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B96AFDD	3_2_00007FFD9B96AFDD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B969FD0	3_2_00007FFD9B969FD0
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B97FE90	3_2_00007FFD9B97FE90
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B9655D6	3_2_00007FFD9B9655D6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B96621F	3_2_00007FFD9B96621F
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9BA82321	3_2_00007FFD9BA82321

Source: skibidi.exe, 00000000.00000000.1746168466.0000000000A60000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs skibidi.exe
Source: skibidi.exe, 00000000.00000002.1778204579.000000001B952000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs skibidi.exe
Source: skibidi.exe	Binary or memory string: OriginalFilenameClient.exe. vs skibidi.exe

Source: skibidi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: skibidi.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: skibidi.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: skibidi.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.skibidi.exe.740000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.skibidi.exe.740000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.skibidi.exe.740000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/5@2/2

Source: C:\Users\user\Desktop\skibidi.exe

File created: C:\Users\user\AppData\Roaming\SubDir

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\11bbf22e-826e-486b-b024-adbd86228a9e
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03

Source: skibidi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: skibidi.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\skibidi.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: skibidi.exe	Virustotal: Detection: 76%
Source: skibidi.exe	ReversingLabs: Detection: 73%

Source: skibidi.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: C:\Users\user\Desktop\skibidi.exe

File read: C:\Users\user\Desktop\skibidi.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\skibidi.exe "C:\Users\user\Desktop\skibidi.exe"
Source: C:\Users\user\Desktop\skibidi.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\skibidi.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe C:\Users\user\AppData\Roaming\SubDir\Client.exe
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\skibidi.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: skibidi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: skibidi.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: skibidi.exe

Static file information: File size 3265536 > 1048576

Source: skibidi.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400

Source: skibidi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\skibidi.exe	Code function: 0_2_00007FFD9B6F00AD pushad ; iretd	0_2_00007FFD9B6F00C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B5DD2A5 pushad ; iretd	3_2_00007FFD9B5DD2A6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B6F00AD pushad ; iretd	3_2_00007FFD9B6F00C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B96336E push eax; ret	3_2_00007FFD9B96340C
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9B97DBB0 push ss; retn FFD7h	3_2_00007FFD9B97DD1F
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 3_2_00007FFD9BA82321 push edx; retf 5F20h	3_2_00007FFD9BA85A3B
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 4_2_00007FFD9B6E00AD pushad ; iretd	4_2_00007FFD9B6E00C1

Source: C:\Users\user\Desktop\skibidi.exe

File created: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\skibidi.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\skibidi.exe	File opened: C:\Users\user\Desktop\skibidi.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\skibidi.exe	Memory allocated: FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Memory allocated: 1AE90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1AA60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1B090000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Code function: 3_2_00007FFD9B6FF1F2 str ax

3_2_00007FFD9B6FF1F2

Source: C:\Users\user\Desktop\skibidi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Window / User API: threadDelayed 3657			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Window / User API: threadDelayed 6169			Jump to behavior

Source: C:\Users\user\Desktop\skibidi.exe TID: 7524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7744	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7744	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7752	Thread sleep count: 3657 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7752	Thread sleep count: 6169 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7696	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\skibidi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Client.exe, 00000003.00000002.4211520746.000000001B6FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: Client.exe, 00000003.00000002.4211520746.000000001B783000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Client.exe, 00000003.00000002.4202264413.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW$

Source: C:\Users\user\Desktop\skibidi.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\skibidi.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\skibidi.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\skibidi.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\skibidi.exe	Queries volume information: C:\Users\user\Desktop\skibidi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\skibidi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: skibidi.exe, type: SAMPLE
Source: Yara match	File source: 0.0.skibidi.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1746168466.0000000000A60000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1778204579.000000001B952000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4203256061.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1745821607.0000000000742000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: skibidi.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: skibidi.exe, type: SAMPLE
Source: Yara match	File source: 0.0.skibidi.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1746168466.0000000000A60000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1778204579.000000001B952000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4203256061.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1745821607.0000000000742000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: skibidi.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	11 Input Capture	1 Query Registry	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
skibidi.exe	76%	Virustotal		Browse
skibidi.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
skibidi.exe	100%	Avira	HEUR/AGEN.1307453
skibidi.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\SubDir\Client.exe	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Roaming\SubDir\Client.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SubDir\Client.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar

Source	Detection	Scanner	Label	Link
hilol.zapto.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
ipwho.is	108.181.61.49	true	false	high
hilol.zapto.org	98.51.190.130	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipwho.is/	false		high
hilol.zapto.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	skibidi.exe, Client.exe.0.dr	false	high
https://stackoverflow.com/q/14436606/23354	skibidi.exe, Client.exe.0.dr	false	high
https://stackoverflow.com/q/2152978/23354sCannot	skibidi.exe, Client.exe.0.dr	false	high
http://crl.micro	Client.exe, 00000003.00000002.4210667220.000000001B3BE000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.datacontract.org/2004/07/	Client.exe, 00000003.00000002.4203256061.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	skibidi.exe, 00000000.00000002.1774156264.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000003.00000002.4203256061.0000000002A99000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ipwho.is	Client.exe, 00000003.00000002.4203256061.0000000002E42000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	skibidi.exe, Client.exe.0.dr	false	high
https://ipwho.is	Client.exe, 00000003.00000002.4203256061.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
98.51.190.130	hilol.zapto.org	United States		7922	COMCAST-7922US	true
108.181.61.49	ipwho.is	Canada		852	ASN852CA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575659
Start date and time:	2024-12-16 08:01:51 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	skibidi.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/5@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 92% Number of executed functions: 62 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 172.202.163.200, 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Client.exe, PID 7648 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:02:53	API Interceptor	11905147x Sleep call for process: Client.exe modified
07:02:51	Task Scheduler	Run new task: ctfmon path: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
98.51.190.130	vanilla.exe	Get hash	malicious	Quasar	Browse
98.51.190.130	1434orz.exe	Get hash	malicious	Quasar	Browse
108.181.61.49	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cracker.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwho.is	vanilla.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49
	https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	Loader.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	Hydra.ccLoader.bat	Get hash	malicious	Unknown	Browse	108.181.61.49
	full.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	https://gvvc18-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-844-439-9938	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, Vidar, XWorm	Browse	103.126.138.87
	TeudA4phjN.exe	Get hash	malicious	Quasar	Browse	103.126.138.87
bg.microsoft.map.fastly.net	vanilla.exe	Get hash	malicious	Quasar	Browse	199.232.214.172
	ImageMso.Gallery.xll	Get hash	malicious	Unknown	Browse	199.232.210.172
	Setup.msi	Get hash	malicious	Vidar	Browse	199.232.214.172
	DVW8WyapUR.exe	Get hash	malicious	Spyrix Keylogger	Browse	199.232.210.172
	v12p3S8p36.exe	Get hash	malicious	GhostRat, Mimikatz	Browse	199.232.214.172
	3333.png.lnk.d.lnk	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	199.232.210.172
	PAYMENT COPY_PDF.exe	Get hash	malicious	FormBook	Browse	199.232.210.172
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	vanilla.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	1.elf	Get hash	malicious	Unknown	Browse	207.83.27.163
	mips.elf	Get hash	malicious	Unknown	Browse	173.182.249.68
	mips.elf	Get hash	malicious	Unknown	Browse	199.175.133.251
	armv5l.elf	Get hash	malicious	Mirai	Browse	209.29.162.111
	armv6l.elf	Get hash	malicious	Mirai	Browse	75.156.205.249
	armv4l.elf	Get hash	malicious	Unknown	Browse	161.188.10.7
	armv6l.elf	Get hash	malicious	Mirai	Browse	204.191.203.107
	i686.elf	Get hash	malicious	Mirai	Browse	50.93.121.166
	IGz.m68k.elf	Get hash	malicious	Mirai	Browse	161.188.197.44
COMCAST-7922US	Sentil.exe	Get hash	malicious	Quasar	Browse	73.62.14.5
	vanilla.exe	Get hash	malicious	Quasar	Browse	98.51.190.130
	arm5.elf	Get hash	malicious	Unknown	Browse	30.204.239.181
	arm.elf	Get hash	malicious	Unknown	Browse	29.140.48.103
	sh4.elf	Get hash	malicious	Unknown	Browse	30.230.215.28
	ppc.elf	Get hash	malicious	Unknown	Browse	26.208.197.77
	mips.elf	Get hash	malicious	Unknown	Browse	26.166.149.230
	arm6.elf	Get hash	malicious	Unknown	Browse	30.64.154.166
	m68k.elf	Get hash	malicious	Unknown	Browse	26.244.63.11
	arm7.elf	Get hash	malicious	Unknown	Browse	96.145.155.79

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	vanilla.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	givenbestupdatedoingformebestthingswithgreatnewsformegive.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	108.181.61.49
	clearentirethingwithbestnoticetheeverythinggooodfrome.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	108.181.61.49
	c2.hta	Get hash	malicious	XWorm	Browse	108.181.61.49
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar, Xmrig	Browse	108.181.61.49
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	108.181.61.49
	TD2HjoogPx.dll	Get hash	malicious	Unknown	Browse	108.181.61.49
	wmdqEYgW2i.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	108.181.61.49
	LaRHzSijsq.exe	Get hash	malicious	DCRat	Browse	108.181.61.49
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse	108.181.61.49

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.232211138510833
Encrypted:	false
SSDEEP:	6:kKO9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:ZDImsLNkPlE99SNxAhUe/3
MD5:	F3EE3AD7F61D4A218CA22034DE41108A
SHA1:	63C69E95F162472B6F58868AD3EC89B0C40C2D7D
SHA-256:	A377B54D83E10F226E246BB7DBB17703F07CA251A52933CB513067547C4606BC
SHA-512:	18950B1CB304AB32BA582BF9C2E672FEB919D64DF4F1C16BA9CB900C2089310EC0A9113B7C3FA67EE01ED79A0A61A1796337E22579E637CD0D8219EFB79772F9
Malicious:	false
Reputation:	low
Preview:	p...... ........sT.r.O..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\skibidi.exe.log

Download File

Process:	C:\Users\user\Desktop\skibidi.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Roaming\SubDir\Client.exe

Download File

Process:	C:\Users\user\Desktop\skibidi.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3265536
Entropy (8bit):	6.083947130153912
Encrypted:	false
SSDEEP:	49152:Wvkt62XlaSFNWPjljiFa2RoUYIf1So1J/UoGd8zTHHB72eh2NT:Wv462XlaSFNWPjljiFXRoUYIf1SX
MD5:	5C73E901190EB50C2794A879A354417D
SHA1:	E7E0E5552B9656E3790AA748F9AF8774B606ED66
SHA-256:	7CCFCE0EFE92CB5EDD40257CE119BC91B50012C8081CB639AAD6CAAB663A3FF6
SHA-512:	FC3BB5C1C6B2917E6169CFC7633F91335EDA82C68518F801E26805FC6381AFB54508DBC689EB7C946EBE5E6195B37DAA1639243E3FEF3EE2073DBB1AA8495FD6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@.................................\.1.O.....2...................... 2...................................................... ............... ..H............text.....1.. ....1................. ..`.rsrc.........2.......1.............@..@.reloc....... 2.......1.............@..B..................1.....H...........L............k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(........0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.............--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.............-5..........08......f~w...,.~....(....(.....v.(.....s....}.....s....}....r..(......(.....(......(....*....0..L........{....r...po....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.083947130153912
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	skibidi.exe
File size:	3'265'536 bytes
MD5:	5c73e901190eb50c2794a879a354417d
SHA1:	e7e0e5552b9656e3790aa748f9af8774b606ed66
SHA256:	7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6
SHA512:	fc3bb5c1c6b2917e6169cfc7633f91335eda82c68518f801e26805fc6381afb54508dbc689eb7c946ebe5e6195b37daa1639243e3fef3ee2073dbb1aa8495fd6
SSDEEP:	49152:Wvkt62XlaSFNWPjljiFa2RoUYIf1So1J/UoGd8zTHHB72eh2NT:Wv462XlaSFNWPjljiFXRoUYIf1SX
TLSH:	59E55A1437F85F23E1BBE273D5B0041667F1E82AB3A3FB5B6181677A1C53B505801AAB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x71e3ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31e35c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x320000	0xa93	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x322000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31c3b4	0x31c400	4e70a7f3bf025a237f5123171ff49d87	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x320000	0xa93	0xc00	cdeae95ac72e9e58017d2bcc89d2fbea	False	0.36328125	data	4.653972105845318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x322000	0xc	0x200	db08f4863a011f0cee33bb292322ab94	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3200a0	0x31c	data			0.4484924623115578
RT_MANIFEST	0x3203bc	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text			0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-16T08:02:56.348295+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	98.51.190.130	20	192.168.2.4	49730	TCP
2024-12-16T08:02:56.348295+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	98.51.190.130	20	192.168.2.4	49730	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 08:02:54.590150118 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:02:54.709999084 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:02:54.710189104 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:02:54.721760035 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:02:54.841655016 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:02:55.985675097 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:02:55.985698938 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:02:55.985763073 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:02:56.222909927 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:02:56.228441954 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:02:56.348294973 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:02:56.636096001 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:02:56.682100058 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:02:58.992444992 CET	49732	443	192.168.2.4	108.181.61.49
Dec 16, 2024 08:02:58.992495060 CET	443	49732	108.181.61.49	192.168.2.4
Dec 16, 2024 08:02:58.993015051 CET	49732	443	192.168.2.4	108.181.61.49
Dec 16, 2024 08:02:58.994530916 CET	49732	443	192.168.2.4	108.181.61.49
Dec 16, 2024 08:02:58.994550943 CET	443	49732	108.181.61.49	192.168.2.4
Dec 16, 2024 08:03:01.400186062 CET	443	49732	108.181.61.49	192.168.2.4
Dec 16, 2024 08:03:01.400476933 CET	49732	443	192.168.2.4	108.181.61.49
Dec 16, 2024 08:03:01.406073093 CET	49732	443	192.168.2.4	108.181.61.49
Dec 16, 2024 08:03:01.406090021 CET	443	49732	108.181.61.49	192.168.2.4
Dec 16, 2024 08:03:01.406481028 CET	443	49732	108.181.61.49	192.168.2.4
Dec 16, 2024 08:03:01.433775902 CET	49732	443	192.168.2.4	108.181.61.49
Dec 16, 2024 08:03:01.475347042 CET	443	49732	108.181.61.49	192.168.2.4
Dec 16, 2024 08:03:02.042085886 CET	443	49732	108.181.61.49	192.168.2.4
Dec 16, 2024 08:03:02.042146921 CET	443	49732	108.181.61.49	192.168.2.4
Dec 16, 2024 08:03:02.042280912 CET	49732	443	192.168.2.4	108.181.61.49
Dec 16, 2024 08:03:02.128467083 CET	49732	443	192.168.2.4	108.181.61.49
Dec 16, 2024 08:03:02.405005932 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:03:02.524853945 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:03:02.525015116 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:03:02.644809008 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:03:02.976747036 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:03:03.025922060 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:03:03.258682966 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:03:03.307131052 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:03:28.260395050 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:03:28.414752007 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:03:53.416615963 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:03:53.536515951 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:04:18.541707039 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:04:18.661655903 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:04:43.683623075 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:04:43.803437948 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:05:08.807395935 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:05:08.927360058 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:05:33.951700926 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:05:34.071620941 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:05:59.106904984 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:05:59.227524996 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:06:24.307517052 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:06:24.427416086 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:06:49.441910028 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:06:49.561927080 CET	20	49730	98.51.190.130	192.168.2.4
Dec 16, 2024 08:07:14.575025082 CET	49730	20	192.168.2.4	98.51.190.130
Dec 16, 2024 08:07:14.694833040 CET	20	49730	98.51.190.130	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 08:02:54.354485035 CET	50024	53	192.168.2.4	1.1.1.1
Dec 16, 2024 08:02:54.576672077 CET	53	50024	1.1.1.1	192.168.2.4
Dec 16, 2024 08:02:58.674504042 CET	52516	53	192.168.2.4	1.1.1.1
Dec 16, 2024 08:02:58.988118887 CET	53	52516	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 08:02:54.354485035 CET	192.168.2.4	1.1.1.1	0x8a15	Standard query (0)	hilol.zapto.org	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:02:58.674504042 CET	192.168.2.4	1.1.1.1	0x6062	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 08:02:54.576672077 CET	1.1.1.1	192.168.2.4	0x8a15	No error (0)	hilol.zapto.org	98.51.190.130	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:02:56.896842003 CET	1.1.1.1	192.168.2.4	0xecae	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:02:56.896842003 CET	1.1.1.1	192.168.2.4	0xecae	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 16, 2024 08:02:58.988118887 CET	1.1.1.1	192.168.2.4	0x6062	No error (0)	ipwho.is	108.181.61.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	108.181.61.49	443	7620	C:\Users\user\AppData\Roaming\SubDir\Client.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 07:03:01 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-12-16 07:03:02 UTC	223	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 07:03:01 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-12-16 07:03:02 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	0
Start time:	02:02:48
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\skibidi.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\skibidi.exe"
Imagebase:	0x740000
File size:	3'265'536 bytes
MD5 hash:	5C73E901190EB50C2794A879A354417D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1746168466.0000000000A60000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1778204579.000000001B952000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1745821607.0000000000742000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:02:50
Start date:	16/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:02:50
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:02:51
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0x430000
File size:	3'265'536 bytes
MD5 hash:	5C73E901190EB50C2794A879A354417D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.4203256061.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:02:52
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Imagebase:	0xb70000
File size:	3'265'536 bytes
MD5 hash:	5C73E901190EB50C2794A879A354417D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:02:52
Start date:	16/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:02:52
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B6F3525 Relevance: 1.7, APIs: 1, Instructions: 158
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD9B6F3607

Memory Dump Source

Source File: 00000000.00000002.1778857962.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b6f0000_skibidi.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 957d593ec3d96b275ec279727597db334a98b24f3446fce95a50c355732618d3
Instruction ID: 898d483edcd410d2ee34101cbfecbe8ef3203d3994093ad6e927b8f08e3f7281
Opcode Fuzzy Hash: 957d593ec3d96b275ec279727597db334a98b24f3446fce95a50c355732618d3
Instruction Fuzzy Hash: FF411831A0DB4C4FDB19DB689895AF9BFF1EF55310F0442BFD049C72A2DE24A9458781

Function 00007FFD9B6F3650 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1778857962.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b6f0000_skibidi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10b566bd4692e0bfaa13e4b17104d40eecc134af6ace87b01dbaceae420d18b
Instruction ID: c9dded09cf63d031ce6c10a2740a823d8f4282a6212a0cba7c7a5feaafef1b2d
Opcode Fuzzy Hash: d10b566bd4692e0bfaa13e4b17104d40eecc134af6ace87b01dbaceae420d18b
Instruction Fuzzy Hash: 3B313571F0D64A4EEB24ABA894262F9BBE1EF41310F00027ED069C72D6CF69B9458781

Function 00007FFD9B6F3569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD9B6F3607

Memory Dump Source

Source File: 00000000.00000002.1778857962.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b6f0000_skibidi.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 870106628b2b55c3a43b3c29b321dbfc901a85682413f788b718bed1f9432b96
Instruction ID: 16383bbfc94b01492328a291435ae14587b806f391e62c27bee741f419bb00de
Opcode Fuzzy Hash: 870106628b2b55c3a43b3c29b321dbfc901a85682413f788b718bed1f9432b96
Instruction Fuzzy Hash: 0D31C13190DB5C8FDB19DB588859AE9BBF0FF65310F04426FD049D7292DB74A805CB91

Analysis Process: Client.exePID: 7620, Parent PID: 7500COMMON

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9BA82321 Relevance: 7.4, Strings: 1, Instructions: 6139COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9BA85619

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: cccf6e75bad204796b24757b4640525e0c08e34acd42e0716dd204ea75861c98
Instruction ID: cf72cb474b37d9541d29671b4cbb0271f674dc12238686ebb457f5151ceec63d
Opcode Fuzzy Hash: cccf6e75bad204796b24757b4640525e0c08e34acd42e0716dd204ea75861c98
Instruction Fuzzy Hash: 4A83F822B1AE4F0BFBB5979C047527956C3EFD8640B9A01BAD45EC36F6ED68ED024340

Function 00007FFD9B97FE90 Relevance: 3.8, Strings: 2, Instructions: 1268COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9B980571
, xrefs: 00007FFD9B980266

Memory Dump Source

Source File: 00000003.00000002.4216676817.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b960000_Client.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 29593648e20d8d1d9ed4cd396ea2fa1aae5bfe6fc83b87cf74366e246e512bbc
Instruction ID: 9dc2b396c24c583e030c209d313369dcf87440d20282636f0c7e8936e7d4e935
Opcode Fuzzy Hash: 29593648e20d8d1d9ed4cd396ea2fa1aae5bfe6fc83b87cf74366e246e512bbc
Instruction Fuzzy Hash: 0D82B331B29E4D5FEBB4EB6CC465A6837D1EF59700B1601BAE04EC72B2DE28ED418741

Function 00007FFD9B9655D6 Relevance: 2.1, Instructions: 2119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4216676817.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b960000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f5509e4abae3d7961e740ae22fe855f1189b11041e861df3fd4ff4291e96e4
Instruction ID: 533e4517d2dc741e4f121379b0dd2c70520e0a05f4a452f1aa0ea3ba8f816f70
Opcode Fuzzy Hash: 17f5509e4abae3d7961e740ae22fe855f1189b11041e861df3fd4ff4291e96e4
Instruction Fuzzy Hash: ACF2A270A19A0D8FDFA8DF68C4A4BA977E1FF58300F1141A9D44ED72A6DE35E942CB40

Function 00007FFD9B97CAE5 Relevance: 1.5, Instructions: 1536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4216676817.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b960000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18778d93fc39254e04dbb62bbe759dfba2c6d768d7531f05475dac39db51501
Instruction ID: 44c453b9ee00eafb77ea64ad45ddf48eec153f9ee65c76cbdbd501b6fc15960b
Opcode Fuzzy Hash: a18778d93fc39254e04dbb62bbe759dfba2c6d768d7531f05475dac39db51501
Instruction Fuzzy Hash: 11A26C71B2EA8D5FE7B5DB6888A56A43BE0EF95310F0501FAD04DC71E3DE18AD068781

Function 00007FFD9B969FD0 Relevance: 1.1, Instructions: 1064
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4216676817.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b960000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce9c5745f35108e766cbc33f803806e91b984d9fc71a2cb117ddacd17eb8460
Instruction ID: a1a4acc5a03af043eea629c0d9c94969e0f0261aa5793528163594a54d721b34
Opcode Fuzzy Hash: 1ce9c5745f35108e766cbc33f803806e91b984d9fc71a2cb117ddacd17eb8460
Instruction Fuzzy Hash: FC624931B1D94D8FEBA8EB6CD465A7937D1EF99310B0600BAE44EC72E2DD24EC428741

Function 00007FFD9B97EBD4 Relevance: 1.0, Instructions: 953COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4216676817.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b960000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c7ea47b587227edcc86ed783acf30b141e99a44e724c34473ffc2ce7511de9
Instruction ID: 5a890950c4831372e248bc3757439cec7a3059943f2750e5c29ec5df38fcc77d
Opcode Fuzzy Hash: f9c7ea47b587227edcc86ed783acf30b141e99a44e724c34473ffc2ce7511de9
Instruction Fuzzy Hash: 0D527031B18A4E4FDB98DF58C4A17A973D2FF99700F5501B9E45AC7296CE34EC428781

Function 00007FFD9B97B861 Relevance: .9, Instructions: 927COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4216676817.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b960000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca8bb9cda4791694baa8fae0d191563fa9297960272d6bf613d9f441e38ce56
Instruction ID: ae4c790a092dc875c3ed3ccb0da3184a28b2340a7934315e653ef69891253dc1
Opcode Fuzzy Hash: 2ca8bb9cda4791694baa8fae0d191563fa9297960272d6bf613d9f441e38ce56
Instruction Fuzzy Hash: 4F52D331B29E0D9FDBA8EB6C84A56B573D1FF98310F45027DD44EC32A6DE24B9428781

Function 00007FFD9B96AFDD Relevance: .9, Instructions: 860COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4216676817.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b960000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c8082257591616580b98ccd46bf135a95c9cd2e1e8b00bb11473eca61da524
Instruction ID: 6c4ee03646885641ae3ba1e3a899f01055b1fccc3b33440924f47b4a051b73a8
Opcode Fuzzy Hash: b8c8082257591616580b98ccd46bf135a95c9cd2e1e8b00bb11473eca61da524
Instruction Fuzzy Hash: 2A528330B18A098FDBA8EB2CC4A5B6577E1FF99300F5545B9E44EC72A6DE34E841CB41

Function 00007FFD9B969271 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4216676817.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b960000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5928a549c201346b054cb30a1f2979c316bf67b64013177fb9f6f9609cca5166
Instruction ID: 4dd50079e9d92a22f03c1822870a6000512d39fb63fbd2850393b2c8521fc529
Opcode Fuzzy Hash: 5928a549c201346b054cb30a1f2979c316bf67b64013177fb9f6f9609cca5166
Instruction Fuzzy Hash: A2226E30B19A0D8FEBA8DA5C84A97B977E2FF99300F15417DD44EC72E6CE24E9428741

Function 00007FFD9B96621F Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4216676817.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b960000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d457306de0cb8115f19051bed9a99849b509526666bafbe7abde300ad9e333
Instruction ID: b2f80498cacc39637d816b5234bf8c1e8cdcc03651fabba25241381b0c2f0496
Opcode Fuzzy Hash: 75d457306de0cb8115f19051bed9a99849b509526666bafbe7abde300ad9e333
Instruction Fuzzy Hash: C3025C30E28A1D8FEBA8DF58C4957A977E1FF98301F1541B9D44ED32A5DE34B9818B40

Function 00007FFD9B983B09 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4216676817.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b960000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32f5217bc3a73530c6aae6467e1a5b09b5769447278bd915318aea76c227923
Instruction ID: e099248775c6386ee596fbc67428930e4bd83944281c3cf3d883b93d3ad86ff4
Opcode Fuzzy Hash: c32f5217bc3a73530c6aae6467e1a5b09b5769447278bd915318aea76c227923
Instruction Fuzzy Hash: 07F10331B2DE4D5FEBA4EB6C84A567477E2FF99300B1505B9E04DC72A2DE38E9428341

Function 00007FFD9B977C26 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4216676817.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b960000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef31a1b36268d10f54ba5626ffc87e6c03d98471902d6cee5c724d5dfb2c1c63
Instruction ID: d3e25511b75f62f2514a5087e113aedc3944655bcfc69d8c2952d7eb748d226c
Opcode Fuzzy Hash: ef31a1b36268d10f54ba5626ffc87e6c03d98471902d6cee5c724d5dfb2c1c63
Instruction Fuzzy Hash: 33F1C830A19A4D8FEBA8DF28C895BF937D1FF55310F14426EE84DC7295DB3899418B82

Function 00007FFD9B9789D2 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4216676817.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b960000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f447efd095f77eaca152b3d281a410feb70fe1e718f2b7c7a553e55c26a750a6
Instruction ID: 4d1720682663324f03ff53f0c044d1396005ef053dde2256cc1b3cab4da33dad
Opcode Fuzzy Hash: f447efd095f77eaca152b3d281a410feb70fe1e718f2b7c7a553e55c26a750a6
Instruction Fuzzy Hash: 08E1D330A19A4E8FEBA8DF28C8A57E977D1FF54310F14826ED84DC7295DF74A9408B81

Function 00007FFD9B96E709 Relevance: 1.8, APIs: 1, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9B96E8F6

Memory Dump Source

Source File: 00000003.00000002.4216676817.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b960000_Client.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 6c2c7bece13748acdc2d85440852cc09cf3d167e2df2452be210ad86e65bb3c1
Instruction ID: 686718ee0c5c6e15be2b1fb9d442e6b65f97facde72a7f292d9506d827493455
Opcode Fuzzy Hash: 6c2c7bece13748acdc2d85440852cc09cf3d167e2df2452be210ad86e65bb3c1
Instruction Fuzzy Hash: FE711631B1DE4D5FDB58AB6C98A65F97BE1EF59310B0401BED04AC31A3DE24AC4687C1

Function 00007FFD9B6F3525 Relevance: 1.7, APIs: 1, Instructions: 173
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FFD9B6F3607

Memory Dump Source

Source File: 00000003.00000002.4214219422.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b6f0000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6c92016e8f9e1f5fc6e71cf3e8f598d3751c1f3c88dd17185d42c536ad62d67e
Instruction ID: d3ea9d58fcb990a674472b8a0e54ad1e8ce7fb94960fedf09baaf8f2d5554efb
Opcode Fuzzy Hash: 6c92016e8f9e1f5fc6e71cf3e8f598d3751c1f3c88dd17185d42c536ad62d67e
Instruction Fuzzy Hash: BE512731B0DB4C4FDB59DB6C9895AF9BFE1EF55320F0442BFD049C72A2CA24A9458781

Function 00007FFD9B6F3650 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4214219422.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b6f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10b566bd4692e0bfaa13e4b17104d40eecc134af6ace87b01dbaceae420d18b
Instruction ID: c9dded09cf63d031ce6c10a2740a823d8f4282a6212a0cba7c7a5feaafef1b2d
Opcode Fuzzy Hash: d10b566bd4692e0bfaa13e4b17104d40eecc134af6ace87b01dbaceae420d18b
Instruction Fuzzy Hash: 3B313571F0D64A4EEB24ABA894262F9BBE1EF41310F00027ED069C72D6CF69B9458781

Function 00007FFD9B6F3569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32 ref: 00007FFD9B6F3607

Memory Dump Source

Source File: 00000003.00000002.4214219422.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b6f0000_Client.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 870106628b2b55c3a43b3c29b321dbfc901a85682413f788b718bed1f9432b96
Instruction ID: 16383bbfc94b01492328a291435ae14587b806f391e62c27bee741f419bb00de
Opcode Fuzzy Hash: 870106628b2b55c3a43b3c29b321dbfc901a85682413f788b718bed1f9432b96
Instruction Fuzzy Hash: 0D31C13190DB5C8FDB19DB588859AE9BBF0FF65310F04426FD049D7292DB74A805CB91

Function 00007FFD9BA852F1 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9BA852F1

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: e8e40214c7550882df1e880678a5c1c7e79e532e171c01da9c89c120d6f4d136
Instruction ID: 6bb5629561bc66d4547251244ac136e68357a3527ee8744a60df6ce3ecc8d7cf
Opcode Fuzzy Hash: e8e40214c7550882df1e880678a5c1c7e79e532e171c01da9c89c120d6f4d136
Instruction Fuzzy Hash: F321CB12B1EE4E0BE7B5976C08B517866C2EF98140B5601FAD45EC76E7EDA9ED424300

Function 00007FFD9BA8207D Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e3e11947450d5cd16c33ecbc8f286e5c55dcef9a6d523039b4f133a5c4dd5f
Instruction ID: e5abcf98113e37bd1fb965f5da6ef78e78651aaabbd1399d500421fb3c2f6f78
Opcode Fuzzy Hash: c5e3e11947450d5cd16c33ecbc8f286e5c55dcef9a6d523039b4f133a5c4dd5f
Instruction Fuzzy Hash: 8181B320B2AF9B1BE79697EC44B577566D2EF99700F46007AD10CC76E7CD68EE014381

Function 00007FFD9BA80001 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b7349fb87619b469eefee521c25968fb4dbc5248930d4fe5c404c4a4787e5b
Instruction ID: 52d6473f1c338c8a13a722fbbdf8d9d9d92440ae0c2b592ec4c209f3b6afaf24
Opcode Fuzzy Hash: 60b7349fb87619b469eefee521c25968fb4dbc5248930d4fe5c404c4a4787e5b
Instruction Fuzzy Hash: F541DF7260EACD1FE77687684839A743FA0DF53610B0A01FBD089C75F3D959A9068345

Function 00007FFD9B5DED65 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4213954997.00007FFD9B5DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b5dd000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e6159153ada30acb4de3554812c40936abf28d07e7514dda721659583387c4
Instruction ID: 9bcd8eb0f6ce35240a8f13fe33a823f9f8336ae9c5c75f374988c9602bb006e2
Opcode Fuzzy Hash: f0e6159153ada30acb4de3554812c40936abf28d07e7514dda721659583387c4
Instruction Fuzzy Hash: CB41F73150EBC44FE7A6DB2998559523FF0EF5632071A47DFD088CB1A3C624A846C752

Function 00007FFD9BA8014A Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea42e4059f4ff66484f3202e8210a864e14eec27c881e7206615a5454dd8fa1
Instruction ID: 91fc6163bba21195a20abce8031056bf0653f020175bf8059f222c811caaa6fa
Opcode Fuzzy Hash: 6ea42e4059f4ff66484f3202e8210a864e14eec27c881e7206615a5454dd8fa1
Instruction Fuzzy Hash: 51314732B0EE890FE769D76C44762B077C1EB69620F0501BED08EC32E2DD65AC428346

Function 00007FFD9BA80676 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b3028b4ad3ed758bda4205a0ad9319691f4d4b7fb2f21b5667ced6303573c2
Instruction ID: 6b9325291f49b99339ef5063755473d9088279d1f8cdc7db7f43972d36790bd5
Opcode Fuzzy Hash: 02b3028b4ad3ed758bda4205a0ad9319691f4d4b7fb2f21b5667ced6303573c2
Instruction Fuzzy Hash: 27314833B1DE490FE7A8976C582667477C1EBA9710F4901BDD08EC32E2D9A9AC018386

Function 00007FFD9BA82AAF Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d52e2b4823b6800140f23895ff2a99e9d1e57e2d1dae4f0407813ebf969e9bc
Instruction ID: 92fcf3c827c0d386b76fe6b9f063f2eea4ee8a0dd137991450208dc425f4a6f0
Opcode Fuzzy Hash: 8d52e2b4823b6800140f23895ff2a99e9d1e57e2d1dae4f0407813ebf969e9bc
Instruction Fuzzy Hash: 0621DD22B0AE0E0BE7B997AC04B517856C3DFD829075601BBD41EC76F6ED75ED424340

Function 00007FFD9BA835BA Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa0c4386d8aff4d953ba7000b16c56f3e8059559c8f77006a8f60213f5f7b98
Instruction ID: fc29b8f93ca93b37bb11b510ba7094dd9725921211c9f69631bd4228cd1a5a69
Opcode Fuzzy Hash: 3aa0c4386d8aff4d953ba7000b16c56f3e8059559c8f77006a8f60213f5f7b98
Instruction Fuzzy Hash: F1212B21B1AD0F0BE7B997AC087527956C3DFD815079601BAE40EC37E6ED78ED424340

Function 00007FFD9BA83D9F Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e7f96dbba46fa55d34c9034a981f4b56fd30e866f603be8dc12b8f2b5b0fd5
Instruction ID: 5dcae28c2c7a2e54294cbde9759d2790ebf63bc43e28523e3d4dbf7cef8c2c0e
Opcode Fuzzy Hash: 24e7f96dbba46fa55d34c9034a981f4b56fd30e866f603be8dc12b8f2b5b0fd5
Instruction Fuzzy Hash: 3321C522B1ED4E0BF7B5976C08B517455C3EFD825075A01BAE45EC76E7EC68ED024341

Function 00007FFD9BA83293 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c027fee994e0cd5972931eaa61787d106ce611d3042b2eb575782dc1b128d4c
Instruction ID: fd2cb09b4db8f808798d13b6cde0e4e4e32eead437179345900155a40eab8668
Opcode Fuzzy Hash: 3c027fee994e0cd5972931eaa61787d106ce611d3042b2eb575782dc1b128d4c
Instruction Fuzzy Hash: 9D21E621B0AE0E0BE7B5D7AC08B527456C2DFD8650B9A41FAE41EC76F6ED69ED024340

Function 00007FFD9BA85090 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7dba205657a04d2e4060e557a18101261517335efe0210d8712663842a4cec5
Instruction ID: 13011f1c4aabd855b726d3b86ffe7dae650644ec8df5724d9ed38e813428b0f8
Opcode Fuzzy Hash: f7dba205657a04d2e4060e557a18101261517335efe0210d8712663842a4cec5
Instruction Fuzzy Hash: B8213A21B0AD0F0FE7B5936C08B067565D3EFD8140B9A00BAD41EC76E6ED68FD024381

Function 00007FFD9BA843EE Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb9d4412ac6f7c0e824739cb075a6ec21fabe03fb475cdd99f17a75b10f305e
Instruction ID: 501ac3459063922b2da5f98cfc77818874c40c735970ee3ba96ced9d4f3d008c
Opcode Fuzzy Hash: 2cb9d4412ac6f7c0e824739cb075a6ec21fabe03fb475cdd99f17a75b10f305e
Instruction Fuzzy Hash: 5A21E622B1AD4F0BF7B9976C08B517456C3DFD8540B9A01BE941EC76F6DD69ED020341

Function 00007FFD9BA839C2 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7633f58e2d794943b88c14f30ad4cc0145b74d3720f55c7c59ba32202d2e399
Instruction ID: 0a8180d919dd7bc78902448dd4022d754cc6aadb548a8e53472e5e14bc8580ef
Opcode Fuzzy Hash: b7633f58e2d794943b88c14f30ad4cc0145b74d3720f55c7c59ba32202d2e399
Instruction Fuzzy Hash: 7A21F821B0AE0E0BE7B9A7AC04B4278A6C3DFD815075A01BBD41EC36EBDD69ED424340

Function 00007FFD9BA8292E Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e7ac6f66ec081a7e5e0ff6e061c8f2bc9163fcbf0acd8a83d2f1da7b4c064f
Instruction ID: fc29e89e07d54de443e3a63c5b26d9e0e3f9041802411c14dd3c0e9b8d91f69f
Opcode Fuzzy Hash: b2e7ac6f66ec081a7e5e0ff6e061c8f2bc9163fcbf0acd8a83d2f1da7b4c064f
Instruction Fuzzy Hash: EC21FB21B1AE0E0BF7B9A7AC04B527866C3DFD815079A01BAD41EC36E7DC69ED024340

Function 00007FFD9BA8555F Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae903a38aedace64f070d7a6bede4c626b2c92f7984c8128e777116ace93b02e
Instruction ID: bef706a9cfc9b1c1b942e46dec47a64d3987de610983df8820cbed1f29c3b8af
Opcode Fuzzy Hash: ae903a38aedace64f070d7a6bede4c626b2c92f7984c8128e777116ace93b02e
Instruction Fuzzy Hash: D0210A21B1AD0E0FE7B9A36C08B527865D3EFC811079A01BAD41EC37E6DD68ED024341

Function 00007FFD9BA83762 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86a9bccf96aa3a7e31ffc790c7143c6fdba1c9d6bd4ac3aeb9fdf9cf57ff6de
Instruction ID: 00654e7d79b1653af34a37102e4804c90bc1a3e2c32b172f8be140f2f181ef6b
Opcode Fuzzy Hash: e86a9bccf96aa3a7e31ffc790c7143c6fdba1c9d6bd4ac3aeb9fdf9cf57ff6de
Instruction Fuzzy Hash: 2F212521B0AE4E0BE7B5E7AC04B417865C3EFD824079A01BAE41EC37E7EC68ED024300

Function 00007FFD9BA83CF1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd91e74b9643753aa8e6657639c36962eab6ddad634479c2c39cda95b91cf7a0
Instruction ID: b6e6db695118591ce2fc2f00e98e5c361cb781ff0bdde8e5dc53bc54332a596d
Opcode Fuzzy Hash: dd91e74b9643753aa8e6657639c36962eab6ddad634479c2c39cda95b91cf7a0
Instruction Fuzzy Hash: 7D210A31B1AE0E0FE7B6A76C04B5278A5C3DFD811075A05BAD41EC76E6DD79ED424340

Function 00007FFD9BA84E48 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8af5519d9fd6464b2ca2c6137069d31fe1b750b9b76e1b8058f48744c3b887
Instruction ID: bae4c8e084136525b2fd7c443ed8f5087cb8a0d24092344edd95fdb108d4c7e6
Opcode Fuzzy Hash: bd8af5519d9fd6464b2ca2c6137069d31fe1b750b9b76e1b8058f48744c3b887
Instruction Fuzzy Hash: 8821C821B1AE0F0BE7B5A7AC04B527865C3DF98150B5A41BED41EC36FAED69ED024341

Function 00007FFD9BA826DA Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903e6975372d1b7c5ab45debc41c5557b2c291e3befbb0ae54bf8f5756b65174
Instruction ID: 3a47f3fca57aee3532864327309dfc29a29948db19baa10be007e2d5fd6813cc
Opcode Fuzzy Hash: 903e6975372d1b7c5ab45debc41c5557b2c291e3befbb0ae54bf8f5756b65174
Instruction Fuzzy Hash: 8D21F921B1AE4E0BE3B997AC08B527965C3DFC8110B9601BAD41EC37E6DC68ED464341

Function 00007FFD9BA83B82 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d8f44a1c98483ee013d6090ad39cbbe8cf9a548d38962deb7a2bc9ae43c6d5
Instruction ID: 70a6e1aa5ebc03db52426f76d28510cec09d47e32f2dacf311239d7e762cd3f0
Opcode Fuzzy Hash: 76d8f44a1c98483ee013d6090ad39cbbe8cf9a548d38962deb7a2bc9ae43c6d5
Instruction Fuzzy Hash: E411B631B1AE4E0BE7B6A76C04B5178A6C2DF9811079A01FAE45EC76E6ED79ED024300

Function 00007FFD9BA8597E Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42722d2ace909495cf0d0428fb1dbc73d0121d28d9c55d92315050b34310d5fc
Instruction ID: af38c4ed6f11aa84e1b4b6bc69c9072d9db5c0fc21bb01066f595f1bc0f777d4
Opcode Fuzzy Hash: 42722d2ace909495cf0d0428fb1dbc73d0121d28d9c55d92315050b34310d5fc
Instruction Fuzzy Hash: 7611C821B0AD4E0BF7B5A76C08B4238A6D2DF8811179A01FED81EC76E7ED79ED424341

Function 00007FFD9BA85330 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd6b56dd5f4786e3247e40515fb0179376a88c93c1e7c196a51787c2c5b9622
Instruction ID: 6e8377be0d5569905d146d95fdf5111ec989c3edeae03b8331a01b82300cb0c1
Opcode Fuzzy Hash: cbd6b56dd5f4786e3247e40515fb0179376a88c93c1e7c196a51787c2c5b9622
Instruction Fuzzy Hash: C311EE2171AE4F0FE7B9936C08B4238A5D2EF98110B5A01FAD41EC36E6DDB5ED024340

Function 00007FFD9BA85268 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58bcc04c62a4ce79e893152f9f94f7a80fcf335eb03db9f6419de2a3bd65071d
Instruction ID: dcaf980402077cfe5a255bb5ea112ffa783b090f68b88da675fe9ac4d4ebb6ee
Opcode Fuzzy Hash: 58bcc04c62a4ce79e893152f9f94f7a80fcf335eb03db9f6419de2a3bd65071d
Instruction Fuzzy Hash: 9E11EB21B0AE4F0BF7B5936C08B4134A5D3DF8811079A01FAD85EC76E6ED79ED014301

Function 00007FFD9BA80EE1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4217447486.00007FFD9BA80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9ba80000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7132ee8eef00a2a47b9499304da65b0b0587b90a3f8772fa7fd1dea43b6e66bc
Instruction ID: ac86aa4c3ca49a3ac405db1cc639a06322038360f68a396fb1989c6e2627eba5
Opcode Fuzzy Hash: 7132ee8eef00a2a47b9499304da65b0b0587b90a3f8772fa7fd1dea43b6e66bc
Instruction Fuzzy Hash: FDD0C92172A91A07F22426CC68623F8B285DB88711F511137E429C66E6C8DFBEC242C2

Non-executed Functions

Function 00007FFD9B701867 Relevance: 2.0, Strings: 1, Instructions: 763COMMON

Download Yara Rule

Strings

&N_^, xrefs: 00007FFD9B701E01

Memory Dump Source

Source File: 00000003.00000002.4214219422.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b6f0000_Client.jbxd

Similarity

API ID:
String ID: &N_^
API String ID: 0-1877586524
Opcode ID: 665147d5402a7b456ee1110dc6d1561174e8044e24b7025b122c3fea6bad997d
Instruction ID: e98e336fadf568b84694c690b7a41ab6f0a6d32eb3e5abc1aae1d557a9ec9d84
Opcode Fuzzy Hash: 665147d5402a7b456ee1110dc6d1561174e8044e24b7025b122c3fea6bad997d
Instruction Fuzzy Hash: 6B227F16B0D1A30AE30677BC78B29EA7FA0CF4227974C41F7D1ED8D0D79C0D244A82A6

Function 00007FFD9B6FF1F2 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4214219422.00007FFD9B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b6f0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f649c12657db36e1625a39495238a8e5e75b9b252a87d7026386d37b8ec167bf
Instruction ID: 0bd2ca51c7429e4a8ca198cb475bee7c09eb08c427a759ecb03e4fdfbd23c700
Opcode Fuzzy Hash: f649c12657db36e1625a39495238a8e5e75b9b252a87d7026386d37b8ec167bf
Instruction Fuzzy Hash: 17310517B0E1A316F717B3BC74F29E63BA09F5223974841F7D19D4D0E79C0D688A4296

Analysis Process: Client.exePID: 7648, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B6E0BBD Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

;P_I, xrefs: 00007FFD9B6E0C04

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID: ;P_I
API String ID: 0-1492203171
Opcode ID: c8027c639ac42e95765c5c2856fe9e68aa941424236e69520b6d042d98d1e779
Instruction ID: 042d41740322127183079c3dd4b9fb9d8fc04134846d634a32635680e0d52d9a
Opcode Fuzzy Hash: c8027c639ac42e95765c5c2856fe9e68aa941424236e69520b6d042d98d1e779
Instruction Fuzzy Hash: 1D914B6170E6C64FF328D7AC54A65A53BE2FF41704B9440FAE49C8B2DBD8297C01C782

Function 00007FFD9B6E15FA Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

.P_^, xrefs: 00007FFD9B6E1601

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID: .P_^
API String ID: 0-3169129673
Opcode ID: e51a8a1159bae67e6483f0b5cab2c677c2192b4ac84982d7c8c37d4093aed74c
Instruction ID: b8249c2fd22a31a8a3e9dba1ac21f73e4c61e6f7a33800d4399375e05852d3fe
Opcode Fuzzy Hash: e51a8a1159bae67e6483f0b5cab2c677c2192b4ac84982d7c8c37d4093aed74c
Instruction Fuzzy Hash: 6931E526B0D59A0FE316B7ACA8B55E63BE5DF4533070D01F7D0ACCA1A3CD082D4A87A5

Function 00007FFD9B6E20FA Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67555e7f5496df74f86cf1cb06e2373e0ff8b4b8417c2d0678e9d879b628693
Instruction ID: c19f1f095fd7f79c5e6936724559fda6cb1cef9cc0b0cc4e36a5b427f5f31416
Opcode Fuzzy Hash: f67555e7f5496df74f86cf1cb06e2373e0ff8b4b8417c2d0678e9d879b628693
Instruction Fuzzy Hash: C0A1F962B0998E4FEBA5EBA884A16F837D2FF94300F0501B5E41DCB1E7DD28BD128741

Function 00007FFD9B6E2DC8 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ae5978f1d86cd339ca6d51ae6e250334f2880f7c7282f4414f41b393d303c0
Instruction ID: dc14b6bfa5033c426eacf8e41d0e8b967e9a64b12daf12ba6acc16fbefdcbe6f
Opcode Fuzzy Hash: 24ae5978f1d86cd339ca6d51ae6e250334f2880f7c7282f4414f41b393d303c0
Instruction Fuzzy Hash: 8471A571B1990D4FEBA9EBA884657BCB3E2EF98310F454179D01ED72D6CE28BC128740

Function 00007FFD9B6E24A2 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc4be133383238947cae4dd49fdc5bdc75abfcd1c47d7fe179754679b17f299
Instruction ID: 5f5b5bd4e4a426d30d3c28a1143c3da9b91fdd0173230907a3006535bbc519ef
Opcode Fuzzy Hash: acc4be133383238947cae4dd49fdc5bdc75abfcd1c47d7fe179754679b17f299
Instruction Fuzzy Hash: 45519111B0D99F0BEB99F3A845B16E927D3EB85350B8540B6E01DCB2EBDD1CAD528381

Function 00007FFD9B6E2110 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b38c9a57fb9f6ddb1ccaa02750636247132844d16e2eac0e8c00a6fa6d90286
Instruction ID: b14211db54449e58bf1ac94a33b7d4699de570b0d9447d98d71a96beaa917ece
Opcode Fuzzy Hash: 0b38c9a57fb9f6ddb1ccaa02750636247132844d16e2eac0e8c00a6fa6d90286
Instruction Fuzzy Hash: 43411822B0D58E0FEBA5EBA88471AF937A2EF55300F0501B6E05DCB1E7DE18B9118351

Function 00007FFD9B6E2729 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6455bfe64c059035b28d30092c48d473bba66b155206c1e6239193c6bf68fd
Instruction ID: 1f7f2767cfce8691e1a18201ec6f63050057ce97316e7efd8d13c62ca669b46f
Opcode Fuzzy Hash: af6455bfe64c059035b28d30092c48d473bba66b155206c1e6239193c6bf68fd
Instruction Fuzzy Hash: 0C416E22B1DA490FEB5897AC94667B977D1FF98314F00017EE05EC32D6CD287C028792

Function 00007FFD9B6E0872 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914a0531edefa9b0a7dd68c98744376749d1629e5845324eb5714518f202fd8f
Instruction ID: 2ea39be96e9953696d98812455cc05cb1fc31e00118156b45a821ee0d0b1b1a0
Opcode Fuzzy Hash: 914a0531edefa9b0a7dd68c98744376749d1629e5845324eb5714518f202fd8f
Instruction Fuzzy Hash: 0F413792F1EACA4FF755A7B8487A5A5BB90FF61740B4901FAC0A88B0D7DD187814C3D1

Function 00007FFD9B6E269D Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9c978120de9311a9d29fbc1100f9f923688994fc2b3d4a2b1f16215ecf9736
Instruction ID: 2e6fe285595119c2823c32fa19f942b9ca00c71e0a433634f5896c93e555808c
Opcode Fuzzy Hash: ae9c978120de9311a9d29fbc1100f9f923688994fc2b3d4a2b1f16215ecf9736
Instruction Fuzzy Hash: AA212762F0E58E0FEB55ABA844761FD7BE2EF95200F4501B6E01DCB1E7DE2879158381

Function 00007FFD9B6E196D Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0e6d426b2f25e1591d7dd0b9f9c75f73b410f33f26823501fecd9c9e88a2b1
Instruction ID: fe1825506f505cfcf4606714d5eb9ab7a7868e988259c193b430a9ba52e85d93
Opcode Fuzzy Hash: 0c0e6d426b2f25e1591d7dd0b9f9c75f73b410f33f26823501fecd9c9e88a2b1
Instruction Fuzzy Hash: AA215731A0E58A4FDB55DF68C0E59A57791EF51310B1942FAC068CF1ABD928FD96C380

Function 00007FFD9B6E1BF5 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c096f92dd8b6f826b448915c5e6c83798ddb74fa7743de5784d4a56f7394ca1
Instruction ID: 1f71414093da34ebf4e35d6cc1b414ff663b17585f6899d740007c6653dd62b5
Opcode Fuzzy Hash: 4c096f92dd8b6f826b448915c5e6c83798ddb74fa7743de5784d4a56f7394ca1
Instruction Fuzzy Hash: B931563061958A4BF34CEB5C84E56E53BE2BB84308FD081E5D45D837CACA3D6C45DB92

Function 00007FFD9B6E32DD Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07cf28a40bf7b6bb0de62e5feaed1657c41223463ec827e6ca292e3ac4496080
Instruction ID: f7bad95c85e9b261b38407aab06cd589cb73a18f447dc3d8fa9a55c570bcdc4b
Opcode Fuzzy Hash: 07cf28a40bf7b6bb0de62e5feaed1657c41223463ec827e6ca292e3ac4496080
Instruction Fuzzy Hash: FC21C131F19A5D4FD799FB6888A99A973E1FF98305B4500BAE01DC72A6DE28E810C741

Function 00007FFD9B6E3491 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6142c3c4af493b57635be67d8ec307d5e588e1f2d1b3daefbccfb123bbba3c54
Instruction ID: a23c292665c543436535f63471a6b2bbbc7c97766d8ac214d839ab21095d84b9
Opcode Fuzzy Hash: 6142c3c4af493b57635be67d8ec307d5e588e1f2d1b3daefbccfb123bbba3c54
Instruction Fuzzy Hash: 9411C422B0EA490FE352E7785C998F17BD1DF9122570541BFE45CC71A3CD0CA9868351

Function 00007FFD9B6E28D5 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ccc0b8097e5078c81cf197d0f873a4862957a73486251140efb440bf6e5f402
Instruction ID: 1ec26f66405275e0e568fa23fb49a1edfbb5f7fab7473c0b47b553d684576fe8
Opcode Fuzzy Hash: 0ccc0b8097e5078c81cf197d0f873a4862957a73486251140efb440bf6e5f402
Instruction Fuzzy Hash: 1911C220A0EACD0FE347E37858A8AA53FE1AF86214B0A41E7E098CF0B3D9585955C352

Function 00007FFD9B6E0DA9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4159ba361cb803b0004f0fbe73a089c0bf482cd5b828880a1a75449d3d091c
Instruction ID: abd19d34ce0d900a737308a76ab9df20dbb210b0fec2d2369e35bc3e23f9cabf
Opcode Fuzzy Hash: ca4159ba361cb803b0004f0fbe73a089c0bf482cd5b828880a1a75449d3d091c
Instruction Fuzzy Hash: 2301BD23B2ED8E0FEBA9A36C14A69F523D2EF94310B4402B7E01EC21D6ED087D4243C1

Function 00007FFD9B6E1E58 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef172bb84fe4a0ed82c222c54646334e67588639022e95d8487cf4d0e19e065f
Instruction ID: 14a2480c66ef424a7d384da1149b8920c1cc7299dac7eb8abeecfb00bced032b
Opcode Fuzzy Hash: ef172bb84fe4a0ed82c222c54646334e67588639022e95d8487cf4d0e19e065f
Instruction Fuzzy Hash: E9F0F022B0881D0FA754F2AE58E8EFA27D5DB9C22970400B7E01CC72A7DC08A8828391

Function 00007FFD9B6E1E70 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65161b31c60b3028fa13757c99184ffb2438aa8bea018e9f3bbb810a2bdf6a4a
Instruction ID: 2e9999a3ca03feb9031c8385267434c5f0963ce5246272ef9ea02f55987e8c77
Opcode Fuzzy Hash: 65161b31c60b3028fa13757c99184ffb2438aa8bea018e9f3bbb810a2bdf6a4a
Instruction Fuzzy Hash: 3DE02221F18C0D0FABA8F6AE44D8F7922C2EBAC21171100B2E41CC72AACC18AC818381

Function 00007FFD9B6E094D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1809498044.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6e0000_Client.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c96b1e68565c853279491de502493675c8e66f39a9247cba4b2530f93fa31c8
Instruction ID: 1940f53a9f8167f91c260cd9a0d1038fc8c584ea0a129572754abe934862d2a4
Opcode Fuzzy Hash: 0c96b1e68565c853279491de502493675c8e66f39a9247cba4b2530f93fa31c8
Instruction Fuzzy Hash: 71E08623F2E95E47E7D5727831271FC21819F54651B41147AE91DDA2DBEC1D6E4203C0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report skibidi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\skibidi.exe.log

C:\Users\user\AppData\Roaming\SubDir\Client.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
skibidi.exe

Function 00007FFD9B6F3525 Relevance: 1.7, APIs: 1, Instructions: 158
fileCOMMON

Function 00007FFD9B6F3650 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Function 00007FFD9B6F3569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Function 00007FFD9B969FD0 Relevance: 1.1, Instructions: 1064
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre