Windows Analysis Report
Money.exe

AI detected suspicious sample

Source: Yara match	File source: Money.exe, type: SAMPLE
Source: Yara match	File source: 6.0.Money.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3732259265.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1275530383.00000000006A0000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1275112665.0000000000382000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Money.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2020, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Money.exe

Joe Sandbox ML: detected

Source: Money.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Money.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.251.123.245

Yara detected Generic Downloader

Source: Yara match	File source: Money.exe, type: SAMPLE
Source: Yara match	File source: 6.0.Money.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.7:49701 -> 104.251.123.245:23600

Source: Joe Sandbox View

ASN Name: 1GSERVERSUS 1GSERVERSUS

Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245

Source: Money.exe, 00000006.00000002.1307884891.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000A.00000002.3732259265.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Money.exe, Client.exe.6.dr	String found in binary or memory: https://api.ipify.org/
Source: Money.exe, Client.exe.6.dr	String found in binary or memory: https://ipwho.is/
Source: Money.exe, Client.exe.6.dr	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Money.exe, Client.exe.6.dr	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Money.exe, Client.exe.6.dr	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Client.exe

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: Money.exe, type: SAMPLE
Source: Yara match	File source: 6.0.Money.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3732259265.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1275530383.00000000006A0000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1275112665.0000000000382000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Money.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2020, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

System Summary

Source: Money.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: Money.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Money.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 6.0.Money.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 6.0.Money.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 6.0.Money.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFAAC7B8D41	10_2_00007FFAAC7B8D41
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFAAC7B6187	10_2_00007FFAAC7B6187
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFAAC7B41A4	10_2_00007FFAAC7B41A4
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFAAC7B6243	10_2_00007FFAAC7B6243
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFAAC7BAAAD	10_2_00007FFAAC7BAAAD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFAAC7B9AC3	10_2_00007FFAAC7B9AC3
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFAAC7B54B6	10_2_00007FFAAC7B54B6

Source: Money.exe, 00000006.00000000.1275530383.00000000006A0000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Money.exe
Source: Money.exe	Binary or memory string: OriginalFilenameClient.exe. vs Money.exe

Source: Money.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Money.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: Money.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Money.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 6.0.Money.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 6.0.Money.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 6.0.Money.exe.380000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/3@0/1

Source: C:\Users\user\Desktop\Money.exe

File created: C:\Users\user\AppData\Roaming\SubDir

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\4119a2e0-4ae4-4843-8534-99af91a2475d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03

Source: Money.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Money.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Money.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Money.exe

ReversingLabs: Detection: 73%

Source: Money.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: C:\Users\user\Desktop\Money.exe

File read: C:\Users\user\Desktop\Money.exe

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown	Process created: C:\Users\user\Desktop\Money.exe "C:\Users\user\Desktop\Money.exe"
Source: C:\Users\user\Desktop\Money.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Money.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe C:\Users\user\AppData\Roaming\SubDir\Client.exe
Source: C:\Users\user\Desktop\Money.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\Money.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Section loaded: msasn1.dll	Jump to behavior

Source: Money.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Money.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Money.exe

Static file information: File size 3282432 > 1048576

Source: Money.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400

Source: Money.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFAAC54752B push ebx; iretd	10_2_00007FFAAC54756A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFAAC54D9F2 push eax; iretd	10_2_00007FFAAC54DA11
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFAAC542B83 pushad ; iretd	10_2_00007FFAAC542C3D
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFAAC542BE5 pushad ; iretd	10_2_00007FFAAC542C3D
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFAAC7B54B6 push ecx; retf	10_2_00007FFAAC7B59DC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Code function: 10_2_00007FFAAC7B5948 push ecx; retf	10_2_00007FFAAC7B59DC

Source: C:\Users\user\Desktop\Money.exe

File created: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\Money.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Money.exe	File opened: C:\Users\user\Desktop\Money.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Money.exe	Memory allocated: BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Memory allocated: 1A9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1ADB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Memory allocated: 1B060000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Money.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Window / User API: threadDelayed 2814			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Window / User API: threadDelayed 7026			Jump to behavior

Source: C:\Users\user\Desktop\Money.exe TID: 1476	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 1792	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 1792	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6508	Thread sleep count: 2814 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6508	Thread sleep count: 7026 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 4208	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Money.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Client.exe, 0000000A.00000002.3739591594.000000001B7B3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhi

Source: C:\Users\user\Desktop\Money.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Money.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\Money.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\Money.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\Money.exe	Queries volume information: C:\Users\user\Desktop\Money.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Money.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: Money.exe, type: SAMPLE
Source: Yara match	File source: 6.0.Money.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3732259265.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1275530383.00000000006A0000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1275112665.0000000000382000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Money.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2020, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Remote Access Functionality

Source: Yara match	File source: Money.exe, type: SAMPLE
Source: Yara match	File source: 6.0.Money.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3732259265.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1275530383.00000000006A0000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1275112665.0000000000382000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Money.exe PID: 5076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Client.exe PID: 2020, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	11 Input Capture	11 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Money.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
Money.exe	100%	Avira	HEUR/AGEN.1307453
Money.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\SubDir\Client.exe	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Roaming\SubDir\Client.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SubDir\Client.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar

Source	Detection	Scanner	Label	Link
104.251.123.245	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
104.251.123.245	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	Money.exe, Client.exe.6.dr	false	high
https://stackoverflow.com/q/14436606/23354	Money.exe, Client.exe.6.dr	false	high
https://stackoverflow.com/q/2152978/23354sCannot	Money.exe, Client.exe.6.dr	false	high
https://ipwho.is/	Money.exe, Client.exe.6.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Money.exe, 00000006.00000002.1307884891.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000A.00000002.3732259265.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	Money.exe, Client.exe.6.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.251.123.245	unknown	United States		14315	1GSERVERSUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576461
Start date and time:	2024-12-17 07:28:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Money.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/3@0/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 29 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Client.exe, PID 644 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Money.exe

Simulations

Behavior and APIs

Time	Type	Description
01:29:12	API Interceptor	10949760x Sleep call for process: Client.exe modified
07:29:11	Task Scheduler	Run new task: Startup path: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1GSERVERSUS	jew.sh4.elf	Get hash	malicious	Unknown	Browse	207.32.216.19
	SecuriteInfo.com.Win64.Malware-gen.4046.15809.exe	Get hash	malicious	EICAR	Browse	104.251.123.67
	loader.exe	Get hash	malicious	Xmrig	Browse	142.202.242.43
	sora.arm.elf	Get hash	malicious	Mirai	Browse	207.32.216.26
	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, Xmrig, zgRAT	Browse	142.202.242.43
	System.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse	142.202.242.43
	2BuZaUic3i.exe	Get hash	malicious	RedLine	Browse	207.32.219.79
	EpCrfIUgyF.exe	Get hash	malicious	RedLine	Browse	207.32.219.79
	04cde81ac938706771fa9fe936ee8f79fe7e079973098.exe	Get hash	malicious	RedLine, Xmrig	Browse	142.202.242.45
	Facturation.exe	Get hash	malicious	Doenerium	Browse	104.251.123.67

Process:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Money.exe.log

Download File

Process:	C:\Users\user\Desktop\Money.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Roaming\SubDir\Client.exe

Download File

Process:	C:\Users\user\Desktop\Money.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3282432
Entropy (8bit):	6.082370246182561
Encrypted:	false
SSDEEP:	49152:3vFt62XlaSFNWPjljiFa2RoUYIDew65Bxz/oGdVaTHHB72eh2NT:3v362XlaSFNWPjljiFXRoUYIZ6d
MD5:	FC6A9A66FB9A404078FE5C31D73C3BAB
SHA1:	2CFB6B088ED8AB7CA66299D094813CE2D04E5677
SHA-256:	695BC096A65C4BD026B95D5363A4B9C316CEC8FEC3672808E036081397DA6DF8
SHA-512:	5EDD45B69CA36E87AE399EB8260EB47411575A7B8296007B948B8A7C4B8200C0BDA115CD223029BF39095D64A5E1C0DBD381D4B6947A67560E0A9142E18A642F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1..P........1.. ........@.. ........................2...........@...................................1.K.....2.`M...................`2...................................................... ............... ..H............text.....1.. ....1................. ..`.rsrc...`M....2..N....1.............@..@.reloc.......`2.......2.............@..B..................1.....H........................k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(........0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.............--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.............-5..........08......f~w...,.~....(....(.....v.(.....s....}.....s....}....r..(......(.....(......(....*....0..L........{....r...po....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.082370246182561
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Money.exe
File size:	3'282'432 bytes
MD5:	fc6a9a66fb9a404078fe5c31d73c3bab
SHA1:	2cfb6b088ed8ab7ca66299d094813ce2d04e5677
SHA256:	695bc096a65c4bd026b95d5363a4b9c316cec8fec3672808e036081397da6df8
SHA512:	5edd45b69ca36e87ae399eb8260eb47411575a7b8296007b948b8a7c4b8200c0bda115cd223029bf39095d64a5e1c0dbd381d4b6947a67560e0a9142e18a642f
SSDEEP:	49152:3vFt62XlaSFNWPjljiFa2RoUYIDew65Bxz/oGdVaTHHB72eh2NT:3v362XlaSFNWPjljiFXRoUYIZ6d
TLSH:	BEE56B0437F85E33E56BD2B3D5B05022A3F1E82AF363EB1B519167BE1C53B5488426A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1..P........1.. ........@.. ........................2...........@................................

File Icon


Icon Hash:	cdec7d3a36265e07

Static PE Info

General

Entrypoint:	0x71e3de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31e390	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x320000	0x4d60	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x326000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31c3e4	0x31c400	47b667c12c6505dab1b9bca6ea63b487	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x320000	0x4d60	0x4e00	a5665483d19bae9c34dd90ed4c02985e	False	0.412109375	data	5.748910698884591	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x326000	0xc	0x200	576e09f300aa2216eb4d32ea1fecea5f	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x320130	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.4058219178082192
RT_GROUP_ICON	0x324358	0x14	data	1.1
RT_VERSION	0x32436c	0x31c	data	0.4484924623115578
RT_MANIFEST	0x324688	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text	0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 07:29:12.376014948 CET	49701	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:29:12.495948076 CET	23600	49701	104.251.123.245	192.168.2.7
Dec 17, 2024 07:29:12.496049881 CET	49701	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:29:12.508028984 CET	49701	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:29:12.627856970 CET	23600	49701	104.251.123.245	192.168.2.7
Dec 17, 2024 07:29:34.409071922 CET	23600	49701	104.251.123.245	192.168.2.7
Dec 17, 2024 07:29:34.409245014 CET	49701	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:29:34.468571901 CET	49701	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:29:34.588387966 CET	23600	49701	104.251.123.245	192.168.2.7
Dec 17, 2024 07:29:37.882384062 CET	49731	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:29:38.002362013 CET	23600	49731	104.251.123.245	192.168.2.7
Dec 17, 2024 07:29:38.002463102 CET	49731	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:29:38.008614063 CET	49731	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:29:38.128495932 CET	23600	49731	104.251.123.245	192.168.2.7
Dec 17, 2024 07:29:59.927983999 CET	23600	49731	104.251.123.245	192.168.2.7
Dec 17, 2024 07:29:59.928045034 CET	49731	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:29:59.928530931 CET	49731	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:30:00.052154064 CET	23600	49731	104.251.123.245	192.168.2.7
Dec 17, 2024 07:30:03.432708025 CET	49732	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:30:03.552716017 CET	23600	49732	104.251.123.245	192.168.2.7
Dec 17, 2024 07:30:03.552942038 CET	49732	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:30:03.553683043 CET	49732	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:30:03.673472881 CET	23600	49732	104.251.123.245	192.168.2.7
Dec 17, 2024 07:30:25.456664085 CET	23600	49732	104.251.123.245	192.168.2.7
Dec 17, 2024 07:30:25.456749916 CET	49732	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:30:25.457278967 CET	49732	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:30:25.577034950 CET	23600	49732	104.251.123.245	192.168.2.7
Dec 17, 2024 07:30:29.057918072 CET	49735	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:30:29.177643061 CET	23600	49735	104.251.123.245	192.168.2.7
Dec 17, 2024 07:30:29.177767038 CET	49735	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:30:29.178270102 CET	49735	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:30:29.298023939 CET	23600	49735	104.251.123.245	192.168.2.7
Dec 17, 2024 07:30:51.082215071 CET	23600	49735	104.251.123.245	192.168.2.7
Dec 17, 2024 07:30:51.082338095 CET	49735	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:30:51.084316015 CET	49735	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:30:51.204030991 CET	23600	49735	104.251.123.245	192.168.2.7
Dec 17, 2024 07:30:54.370539904 CET	49736	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:30:54.490539074 CET	23600	49736	104.251.123.245	192.168.2.7
Dec 17, 2024 07:30:54.490633965 CET	49736	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:30:54.491364002 CET	49736	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:30:54.612370014 CET	23600	49736	104.251.123.245	192.168.2.7
Dec 17, 2024 07:31:16.379842043 CET	23600	49736	104.251.123.245	192.168.2.7
Dec 17, 2024 07:31:16.379910946 CET	49736	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:31:16.380480051 CET	49736	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:31:16.500260115 CET	23600	49736	104.251.123.245	192.168.2.7
Dec 17, 2024 07:31:20.342763901 CET	49737	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:31:20.462555885 CET	23600	49737	104.251.123.245	192.168.2.7
Dec 17, 2024 07:31:20.462668896 CET	49737	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:31:20.464245081 CET	49737	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:31:20.584028006 CET	23600	49737	104.251.123.245	192.168.2.7
Dec 17, 2024 07:31:42.349391937 CET	23600	49737	104.251.123.245	192.168.2.7
Dec 17, 2024 07:31:42.349826097 CET	49737	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:31:42.352122068 CET	49737	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:31:42.472227097 CET	23600	49737	104.251.123.245	192.168.2.7
Dec 17, 2024 07:31:45.620939970 CET	49738	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:31:45.740900040 CET	23600	49738	104.251.123.245	192.168.2.7
Dec 17, 2024 07:31:45.741027117 CET	49738	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:31:45.741652012 CET	49738	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:31:45.861478090 CET	23600	49738	104.251.123.245	192.168.2.7
Dec 17, 2024 07:32:07.677687883 CET	23600	49738	104.251.123.245	192.168.2.7
Dec 17, 2024 07:32:07.677762985 CET	49738	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:32:07.678494930 CET	49738	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:32:07.798579931 CET	23600	49738	104.251.123.245	192.168.2.7
Dec 17, 2024 07:32:11.308506012 CET	49739	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:32:11.428498983 CET	23600	49739	104.251.123.245	192.168.2.7
Dec 17, 2024 07:32:11.428587914 CET	49739	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:32:11.429117918 CET	49739	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:32:11.548887968 CET	23600	49739	104.251.123.245	192.168.2.7
Dec 17, 2024 07:32:33.353574038 CET	23600	49739	104.251.123.245	192.168.2.7
Dec 17, 2024 07:32:33.353862047 CET	49739	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:32:33.354415894 CET	49739	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:32:33.476000071 CET	23600	49739	104.251.123.245	192.168.2.7
Dec 17, 2024 07:32:36.841615915 CET	49740	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:32:36.961474895 CET	23600	49740	104.251.123.245	192.168.2.7
Dec 17, 2024 07:32:36.961585999 CET	49740	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:32:36.962021112 CET	49740	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:32:37.081830978 CET	23600	49740	104.251.123.245	192.168.2.7
Dec 17, 2024 07:32:58.866055012 CET	23600	49740	104.251.123.245	192.168.2.7
Dec 17, 2024 07:32:58.866249084 CET	49740	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:32:58.866605997 CET	49740	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:32:58.986654043 CET	23600	49740	104.251.123.245	192.168.2.7
Dec 17, 2024 07:33:02.403413057 CET	49741	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:33:02.523370981 CET	23600	49741	104.251.123.245	192.168.2.7
Dec 17, 2024 07:33:02.524353981 CET	49741	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:33:02.530112982 CET	49741	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:33:02.649797916 CET	23600	49741	104.251.123.245	192.168.2.7
Dec 17, 2024 07:33:24.461004019 CET	23600	49741	104.251.123.245	192.168.2.7
Dec 17, 2024 07:33:24.462412119 CET	49741	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:33:24.466176033 CET	49741	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:33:24.586208105 CET	23600	49741	104.251.123.245	192.168.2.7
Dec 17, 2024 07:33:28.027369022 CET	49742	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:33:28.147569895 CET	23600	49742	104.251.123.245	192.168.2.7
Dec 17, 2024 07:33:28.147701025 CET	49742	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:33:28.148139000 CET	49742	23600	192.168.2.7	104.251.123.245
Dec 17, 2024 07:33:28.268121004 CET	23600	49742	104.251.123.245	192.168.2.7

Target ID:	6
Start time:	01:29:06
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\Money.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Money.exe"
Imagebase:	0x380000
File size:	3'282'432 bytes
MD5 hash:	FC6A9A66FB9A404078FE5C31D73C3BAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000000.1275530383.00000000006A0000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000000.1275112665.0000000000382000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	01:29:09
Start date:	17/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Imagebase:	0x7ff694490000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	01:29:09
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	01:29:09
Start date:	17/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Imagebase:	0x800000
File size:	3'282'432 bytes
MD5 hash:	FC6A9A66FB9A404078FE5C31D73C3BAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.3732259265.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, Author: ditekshen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	12
Start time:	01:29:10
Start date:	17/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Imagebase:	0x7ff694490000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	01:29:10
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	01:29:12
Start date:	17/12/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\SubDir\Client.exe
Imagebase:	0xb20000
File size:	3'282'432 bytes
MD5 hash:	FC6A9A66FB9A404078FE5C31D73C3BAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true