Edit tour

Windows Analysis Report
Client-built.exe

Overview

General Information

Sample name:	Client-built.exe
Analysis ID:	1576463
MD5:	cbad8ccc75f88cd7c6b5ab3ec70f2e2c
SHA1:	b38fe0e24043d3867de1beac829297650c8b1fda
SHA256:	4e217e2407d26687d8d2f12ad07d7013a5c0c236db79ab72b402e7fe18b0e987
Tags:	exeQuasarRATuser-lontze7
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Client-built.exe (PID: 3168 cmdline: "C:\Users\user\Desktop\Client-built.exe" MD5: CBAD8CCC75F88CD7C6B5AB3EC70F2E2C)

schtasks.exe (PID: 5900 cmdline: "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "104.251.123.245:23600;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "4119a2e0-4ae4-4843-8534-99af91a2475d", "StartupKey": "Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "xXpcBkfPDvg/X7VFnK3kHvMVlrj5o1m5xh/ci3PvXmVdWPJSnv0Z+RmNLDy+OTCe3I4heA35LaOTTkwWtSfLUd1gDzVK+dA63mz9BXDKlcB/ZvHRLvZJ27EtXie2/cRK2SQn2cK2Djdc5Hh6ak6gVPfohPsFXdVV9oLqFqZpXh7aibuQLPYmhM8kMocHZagTmb+vRCXiNS6U9UC6zSh3lK1eRcNUkQuBtQ1r/6RRSKm6PROVEJUPWLSx+RIogsMnMbv9r1oOb3gF+ZRnUY05OKqSNH9r6q3QlSc1NfB+mo9XxtWBGxFC3CHS5P4wlTgLfWdYlrDspu5ELPwHTZExN6bROOqt5MFMxXs3ga9wqfJXhx+R6BCwbXLzDQ64xtN4loXI5FnHCpVaiT4ZVg7JU1fxJfyv1ZeVKgygL8396Gb898ByL3tlNqFmWvWhnjFYKT8/d37d8AOENn3A0ArCw7g5ZIkfQLBJk5mtEsov2+peusXA8r2cIPtvMp1FWW2w97ueyHJb4AHANm5Eq64gCcVcsdsGeVHxYE6qpbhDM1Zn5WWX98YvaelugNqCPs6FB5mzNzaBFUQ/xQInYyBtEufRwtzxXfM2v9h2bcrAMAGwomwETCLpkWsih2vI6jiSapXGZaXfjDHT09uue4jW2VpLSD4oJxgRsXRNyg6H0/w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMqrBgYlb6a1Z/kKnJrAITANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIwODEzMjgxOFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxpjNNWqXrfwi4V7qk0dxXzMcyxegQRt6bTBQhMHKUElfXRsAPU/Y5+sR5hSz7kcqdd0KrwjVxFYZdjbf334bztDO8V02TS3dGTfh8YmlyNpo6K66xJuhuSMpnGs8DUjnZWU8LIa26mFyJ3PoeDYS0qv+2tZtJKBmQ7ZQ6cMWN+PELML1LPLcD1RxOWmim/Ztu9kPORd+uTeFdMlUAoYGwHVB7PSz1se8/L/wQK94gkRBOTq6Ka2i4nY7deXTR6jqeC+gVlT/F6541dgQWzLUzcwdQgFADrRWRLxHFExUIS8Vtlucp2ZiQjQ7BbFP+uZIJfxcUpixqZueEStrYxwdipkpu6Tfm3xTD1jFrrAWMyVbGsvGxpxAOqebHbGzFCsgpepeUXlvaLlkICiJjOs8QL7vr5Io5M05NennNk0BGsy94m9ARWgInBiMuXmLnvAc4R6UE0ZCXWGLmyeuUqCgFegTSSGSiOTRjMunhgPUlVQTyj2GMHB/jBZPuv1u1oqJam/jKkWABGUmZaZbhgXxnt2F5sm9TmXRWSvcDK8zIh7kaaQjwPHkBsTO25wDWNqWmoGvJnabOWL8dXyjmTSs4czWsQlCbQQS4HBzXVwdBN/fTpB+HqGDzPSuHu9CM7tW/DwbFef0CXVJsFEeYhg8pfwJUWYFumCEckrLEyFhBm8CAwEAAaMyMDAwHQYDVR0OBBYEFNHDNB71FPsp8Jjx7Wn1zElRBXD3MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAHHr6eSKnYCLvtV+/lPKxLT1JBDuF0IV29ncwTBworqLcEyfZ+OfpWNt9oNB++DQ2RfqVkNRkubW862mn4N4PkPzGw2NfKCgamYAruRbnV2iJrI0PnXuKBfpGdWBeh39IIPZZwxwP4pEgQgC3cI11b3/KBJHPcdcgjdoExfZj3yvxaC9HDiMNSUgcW2k3FySwGwbk0Yi3K9QbItVaCzE2kZ8Cjc3fsNUTvpB4x6684TbKu1b7TRGG90PLcw/Xlwq6mY9g9+IEK9JB4c5xOdOT/drkKI3qLQv1+Tbn3rhsPhijAMwx4zyOW0GebzrI+4gjL2bQtpO1xM/NoUXBb7g88/c7Pg7FQkwv6i8Ku7Lp6jojrntz4Fh+l+zQaiqdZEuc0mBJCmUJUj4SOP1Spa7QZB/kE4brofJ3xk6UZqMr22X9Oh9uSUfxmjbl31+CdwCGsH1IPxbKEIarf4zsZRGjHz934gy2Q5ZD/1Zo/Zm6D3k9D3R0YPXUTjGGMG14PMr6o0AEqRoWMRg1XPhy6TRu6wgnDmKQIiig96a8CjwW+7GQBhBf5RTHVwoUjxrtFe78LBuD4F/FL4Oy/BKSHUdCkfk/8sJGAtaUXAn8c7vqJ0O+/iaxUvKmWB0lkl1H8tNAI/ytUwXkLZlDKz8BSV9c3cRd5OyuYGQ/lEf2ue7/r9m"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Client-built.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Client-built.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Client-built.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab81a:$x4: Uninstalling... good bye :-( 0x2ad00f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
Client-built.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadcc:$f1: FileZilla\recentservers.xml 0x2aae0c:$f2: FileZilla\sitemanager.xml 0x2aae4e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab09a:$b1: Chrome\User Data\ 0x2ab0f0:$b1: Chrome\User Data\ 0x2ab3c8:$b2: Mozilla\Firefox\Profiles 0x2ab4c4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd420:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab61c:$b4: Opera Software\Opera Stable\Login Data 0x2ab6d6:$b5: YandexBrowser\User Data\ 0x2ab744:$b5: YandexBrowser\User Data\ 0x2ab418:$s4: logins.json 0x2ab14e:$a1: username_value 0x2ab16c:$a2: password_value 0x2ab458:$a3: encryptedUsername 0x2fd364:$a3: encryptedUsername 0x2ab47c:$a4: encryptedPassword 0x2fd382:$a4: encryptedPassword 0x2fd300:$a5: httpRealm
Client-built.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab904:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1323382293.0000000000770000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.3778069344.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.1323071352.0000000000452000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Client-built.exe PID: 3168	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Client-built.exe.450000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.Client-built.exe.450000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Client-built.exe.450000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab81a:$x4: Uninstalling... good bye :-( 0x2ad00f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.Client-built.exe.450000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadcc:$f1: FileZilla\recentservers.xml 0x2aae0c:$f2: FileZilla\sitemanager.xml 0x2aae4e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab09a:$b1: Chrome\User Data\ 0x2ab0f0:$b1: Chrome\User Data\ 0x2ab3c8:$b2: Mozilla\Firefox\Profiles 0x2ab4c4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd420:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab61c:$b4: Opera Software\Opera Stable\Login Data 0x2ab6d6:$b5: YandexBrowser\User Data\ 0x2ab744:$b5: YandexBrowser\User Data\ 0x2ab418:$s4: logins.json 0x2ab14e:$a1: username_value 0x2ab16c:$a2: password_value 0x2ab458:$a3: encryptedUsername 0x2fd364:$a3: encryptedUsername 0x2ab47c:$a4: encryptedPassword 0x2fd382:$a4: encryptedPassword 0x2fd300:$a5: httpRealm
0.0.Client-built.exe.450000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab904:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Sigma Signatures

System Summary

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Client-built.exe", ParentImage: C:\Users\user\Desktop\Client-built.exe, ParentProcessId: 3168, ParentProcessName: Client-built.exe, ProcessCommandLine: "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, ProcessId: 5900, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Client-built.exe

Avira: detected

Found malware configuration

Source: Client-built.exe

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "104.251.123.245:23600;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "4119a2e0-4ae4-4843-8534-99af91a2475d", "StartupKey": "Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "xXpcBkfPDvg/X7VFnK3kHvMVlrj5o1m5xh/ci3PvXmVdWPJSnv0Z+RmNLDy+OTCe3I4heA35LaOTTkwWtSfLUd1gDzVK+dA63mz9BXDKlcB/ZvHRLvZJ27EtXie2/cRK2SQn2cK2Djdc5Hh6ak6gVPfohPsFXdVV9oLqFqZpXh7aibuQLPYmhM8kMocHZagTmb+vRCXiNS6U9UC6zSh3lK1eRcNUkQuBtQ1r/6RRSKm6PROVEJUPWLSx+RIogsMnMbv9r1oOb3gF+ZRnUY05OKqSNH9r6q3QlSc1NfB+mo9XxtWBGxFC3CHS5P4wlTgLfWdYlrDspu5ELPwHTZExN6bROOqt5MFMxXs3ga9wqfJXhx+R6BCwbXLzDQ64xtN4loXI5FnHCpVaiT4ZVg7JU1fxJfyv1ZeVKgygL8396Gb898ByL3tlNqFmWvWhnjFYKT8/d37d8AOENn3A0ArCw7g5ZIkfQLBJk5mtEsov2+peusXA8r2cIPtvMp1FWW2w97ueyHJb4AHANm5Eq64gCcVcsdsGeVHxYE6qpbhDM1Zn5WWX98YvaelugNqCPs6FB5mzNzaBFUQ/xQInYyBtEufRwtzxXfM2v9h2bcrAMAGwomwETCLpkWsih2vI6jiSapXGZaXfjDHT09uue4jW2VpLSD4oJxgRsXRNyg6H0/w=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMqrBgYlb6a1Z/kKnJrAITANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIwODEzMjgxOFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxpjNNWqXrfwi4V7qk0dxXzMcyxegQRt6bTBQhMHKUElfXRsAPU/Y5+sR5hSz7kcqdd0KrwjVxFYZdjbf334bztDO8V02TS3dGTfh8YmlyNpo6K66xJuhuSMpnGs8DUjnZWU8LIa26mFyJ3PoeDYS0qv+2tZtJKBmQ7ZQ6cMWN+PELML1LPLcD1RxOWmim/Ztu9kPORd+uTeFdMlUAoYGwHVB7PSz1se8/L/wQK94gkRBOTq6Ka2i4nY7deXTR6jqeC+gVlT/F6541dgQWzLUzcwdQgFADrRWRLxHFExUIS8Vtlucp2ZiQjQ7BbFP+uZIJfxcUpixqZueEStrYxwdipkpu6Tfm3xTD1jFrrAWMyVbGsvGxpxAOqebHbGzFCsgpepeUXlvaLlkICiJjOs8QL7vr5Io5M05NennNk0BGsy94m9ARWgInBiMuXmLnvAc4R6UE0ZCXWGLmyeuUqCgFegTSSGSiOTRjMunhgPUlVQTyj2GMHB/jBZPuv1u1oqJam/jKkWABGUmZaZbhgXxnt2F5sm9TmXRWSvcDK8zIh7kaaQjwPHkBsTO25wDWNqWmoGvJnabOWL8dXyjmTSs4czWsQlCbQQS4HBzXVwdBN/fTpB+HqGDzPSuHu9CM7tW/DwbFef0CXVJsFEeYhg8pfwJUWYFumCEckrLEyFhBm8CAwEAAaMyMDAwHQYDVR0OBBYEFNHDNB71FPsp8Jjx7Wn1zElRBXD3MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAHHr6eSKnYCLvtV+/lPKxLT1JBDuF0IV29ncwTBworqLcEyfZ+OfpWNt9oNB++DQ2RfqVkNRkubW862mn4N4PkPzGw2NfKCgamYAruRbnV2iJrI0PnXuKBfpGdWBeh39IIPZZwxwP4pEgQgC3cI11b3/KBJHPcdcgjdoExfZj3yvxaC9HDiMNSUgcW2k3FySwGwbk0Yi3K9QbItVaCzE2kZ8Cjc3fsNUTvpB4x6684TbKu1b7TRGG90PLcw/Xlwq6mY9g9+IEK9JB4c5xOdOT/drkKI3qLQv1+Tbn3rhsPhijAMwx4zyOW0GebzrI+4gjL2bQtpO1xM/NoUXBb7g88/c7Pg7FQkwv6i8Ku7Lp6jojrntz4Fh+l+zQaiqdZEuc0mBJCmUJUj4SOP1Spa7QZB/kE4brofJ3xk6UZqMr22X9Oh9uSUfxmjbl31+CdwCGsH1IPxbKEIarf4zsZRGjHz934gy2Q5ZD/1Zo/Zm6D3k9D3R0YPXUTjGGMG14PMr6o0AEqRoWMRg1XPhy6TRu6wgnDmKQIiig96a8CjwW+7GQBhBf5RTHVwoUjxrtFe78LBuD4F/FL4Oy/BKSHUdCkfk/8sJGAtaUXAn8c7vqJ0O+/iaxUvKmWB0lkl1H8tNAI/ytUwXkLZlDKz8BSV9c3cRd5OyuYGQ/lEf2ue7/r9m"}

Multi AV Scanner detection for submitted file

Source: Client-built.exe	Virustotal: Detection: 80%			Perma Link
Source: Client-built.exe	ReversingLabs: Detection: 76%

Yara detected Quasar RAT

Source: Yara match	File source: Client-built.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client-built.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1323382293.0000000000770000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3778069344.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1323071352.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client-built.exe PID: 3168, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Client-built.exe

Joe Sandbox ML: detected

Source: Client-built.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Client-built.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.251.123.245

Yara detected Generic Downloader

Source: Yara match	File source: Client-built.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client-built.exe.450000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.9:49712 -> 104.251.123.245:23600

Source: Joe Sandbox View

ASN Name: 1GSERVERSUS 1GSERVERSUS

Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245
Source: unknown	TCP traffic detected without corresponding DNS query: 104.251.123.245

Source: Client-built.exe, 00000000.00000002.3778069344.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Client-built.exe	String found in binary or memory: https://api.ipify.org/
Source: Client-built.exe	String found in binary or memory: https://ipwho.is/
Source: Client-built.exe	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Client-built.exe	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Client-built.exe	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Client-built.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Client-built.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: Client-built.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client-built.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1323382293.0000000000770000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3778069344.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1323071352.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client-built.exe PID: 3168, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: Client-built.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: Client-built.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Client-built.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.Client-built.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.Client-built.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.Client-built.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887FC8D41	0_2_00007FF887FC8D41
Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887FC6187	0_2_00007FF887FC6187
Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887FC6243	0_2_00007FF887FC6243
Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887FC54B6	0_2_00007FF887FC54B6
Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887FCAAAD	0_2_00007FF887FCAAAD
Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887FC9AC4	0_2_00007FF887FC9AC4
Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887FC0DD1	0_2_00007FF887FC0DD1
Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887FC11FA	0_2_00007FF887FC11FA
Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887FC10F2	0_2_00007FF887FC10F2

Source: Client-built.exe, 00000000.00000000.1323382293.0000000000770000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Client-built.exe
Source: Client-built.exe	Binary or memory string: OriginalFilenameClient.exe. vs Client-built.exe

Source: Client-built.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Client-built.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: Client-built.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Client-built.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.Client-built.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.Client-built.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.Client-built.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@0/1

Source: C:\Users\user\Desktop\Client-built.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Users\user\Desktop\Client-built.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\4119a2e0-4ae4-4843-8534-99af91a2475d

Source: Client-built.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Client-built.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Client-built.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Client-built.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Client-built.exe	Virustotal: Detection: 80%
Source: Client-built.exe	ReversingLabs: Detection: 76%

Source: Client-built.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: unknown	Process created: C:\Users\user\Desktop\Client-built.exe "C:\Users\user\Desktop\Client-built.exe"
Source: C:\Users\user\Desktop\Client-built.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Client-built.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior

Source: C:\Users\user\Desktop\Client-built.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Client-built.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Client-built.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Client-built.exe

Static file information: File size 3265536 > 1048576

Source: Client-built.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400

Source: Client-built.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887D5752B push ebx; iretd	0_2_00007FF887D5756A
Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887D5842D push eax; ret	0_2_00007FF887D5846D
Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887D52BE5 pushad ; iretd	0_2_00007FF887D52C3D
Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887D52B8B pushad ; iretd	0_2_00007FF887D52C3D
Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887D5D9F2 push eax; iretd	0_2_00007FF887D5DA11
Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887FC54B6 push ecx; retf	0_2_00007FF887FC59DC
Source: C:\Users\user\Desktop\Client-built.exe	Code function: 0_2_00007FF887FC5948 push ecx; retf	0_2_00007FF887FC59DC

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Client-built.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Client-built.exe

File opened: C:\Users\user\Desktop\Client-built.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Client-built.exe	Memory allocated: 2960000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Memory allocated: 1AAF0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Client-built.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Client-built.exe	Window / User API: threadDelayed 8501			Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Window / User API: threadDelayed 1324			Jump to behavior

Source: C:\Users\user\Desktop\Client-built.exe TID: 1700

Thread sleep time: -33204139332677172s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Client-built.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Client-built.exe, 00000000.00000002.3780663557.000000001B67A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\Client-built.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\Client-built.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Client-built.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Client-built.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Jump to behavior

Source: C:\Users\user\Desktop\Client-built.exe	Queries volume information: C:\Users\user\Desktop\Client-built.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Client-built.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Client-built.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: Client-built.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client-built.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1323382293.0000000000770000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3778069344.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1323071352.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client-built.exe PID: 3168, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: Client-built.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Client-built.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1323382293.0000000000770000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3778069344.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1323071352.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Client-built.exe PID: 3168, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	1 Disable or Modify Tools	11 Input Capture	11 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	132 Virtualization/Sandbox Evasion	LSASS Memory	132 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Client-built.exe	81%	Virustotal		Browse
Client-built.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
Client-built.exe	100%	Avira	HEUR/AGEN.1307453
Client-built.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
104.251.123.245	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
104.251.123.245	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	Client-built.exe	false	high
https://stackoverflow.com/q/14436606/23354	Client-built.exe	false	high
https://stackoverflow.com/q/2152978/23354sCannot	Client-built.exe	false	high
https://ipwho.is/	Client-built.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Client-built.exe, 00000000.00000002.3778069344.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	Client-built.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.251.123.245	unknown	United States		14315	1GSERVERSUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576463
Start date and time:	2024-12-17 07:28:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Client-built.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 9 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:29:47	API Interceptor	13138607x Sleep call for process: Client-built.exe modified
06:29:46	Task Scheduler	Run new task: Startup path: C:\Users\user\AppData\Roaming\SubDir\Client.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	wayneenterprisesbatcave-6.0.1901-windows-installer.msi	Get hash	malicious	ScreenConnect Tool	Browse	13.107.246.63
	bad.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	Yogi Tea Benefits Open Enrollment.eml	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	http://inspirafinancial.com	Get hash	malicious	Unknown	Browse	13.107.246.63
	Remit_Advice_SMKT_84655.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	ME-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	13.107.246.63
	TEC-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	13.107.246.63
	Smple_Order-048576744759475945.xls	Get hash	malicious	Unknown	Browse	13.107.246.63
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.63
	Sample_Order_000000991.xls	Get hash	malicious	Unknown	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1GSERVERSUS	jew.sh4.elf	Get hash	malicious	Unknown	Browse	207.32.216.19
	SecuriteInfo.com.Win64.Malware-gen.4046.15809.exe	Get hash	malicious	EICAR	Browse	104.251.123.67
	loader.exe	Get hash	malicious	Xmrig	Browse	142.202.242.43
	sora.arm.elf	Get hash	malicious	Mirai	Browse	207.32.216.26
	PT54FFSL7ET46RASB.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, Xmrig, zgRAT	Browse	142.202.242.43
	System.exe	Get hash	malicious	Flesh Stealer, Xmrig	Browse	142.202.242.43
	2BuZaUic3i.exe	Get hash	malicious	RedLine	Browse	207.32.219.79
	EpCrfIUgyF.exe	Get hash	malicious	RedLine	Browse	207.32.219.79
	04cde81ac938706771fa9fe936ee8f79fe7e079973098.exe	Get hash	malicious	RedLine, Xmrig	Browse	142.202.242.45
	Facturation.exe	Get hash	malicious	Doenerium	Browse	104.251.123.67

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.084001555814208
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Client-built.exe
File size:	3'265'536 bytes
MD5:	cbad8ccc75f88cd7c6b5ab3ec70f2e2c
SHA1:	b38fe0e24043d3867de1beac829297650c8b1fda
SHA256:	4e217e2407d26687d8d2f12ad07d7013a5c0c236db79ab72b402e7fe18b0e987
SHA512:	0dec15040dc1b60892ac2330a593891bb5d0e4fdf77075fdacaac9034d53cafebaff4a362236f350ae93cd67ed4a45c1dea8d75b126fc205037780b23322224c
SSDEEP:	49152:KvQt62XlaSFNWPjljiFa2RoUYI1HRJ6bbR3LoGdt5ZTHHB72eh2NT:Kvc62XlaSFNWPjljiFXRoUYI1HRJ6tr
TLSH:	C4E56B143BF85E27E1BBE277E5B0041267F0FC1AB363EB0B6581677A1C53B5098426A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x71e3de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31e388	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x320000	0xa93	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x322000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31c3e4	0x31c400	a98a70168435fd91841c68f1ba37ce5c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x320000	0xa93	0xc00	cdeae95ac72e9e58017d2bcc89d2fbea	False	0.36328125	data	4.653972105845318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x322000	0xc	0x200	576e09f300aa2216eb4d32ea1fecea5f	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3200a0	0x31c	data			0.4484924623115578
RT_MANIFEST	0x3203bc	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text			0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 07:29:47.455650091 CET	49712	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:29:47.592499971 CET	23600	49712	104.251.123.245	192.168.2.9
Dec 17, 2024 07:29:47.592577934 CET	49712	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:29:47.603281021 CET	49712	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:29:47.834940910 CET	23600	49712	104.251.123.245	192.168.2.9
Dec 17, 2024 07:30:09.472330093 CET	23600	49712	104.251.123.245	192.168.2.9
Dec 17, 2024 07:30:09.472450018 CET	49712	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:30:09.567001104 CET	49712	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:30:09.686801910 CET	23600	49712	104.251.123.245	192.168.2.9
Dec 17, 2024 07:30:13.123560905 CET	49731	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:30:13.243397951 CET	23600	49731	104.251.123.245	192.168.2.9
Dec 17, 2024 07:30:13.243573904 CET	49731	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:30:13.244038105 CET	49731	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:30:13.363684893 CET	23600	49731	104.251.123.245	192.168.2.9
Dec 17, 2024 07:30:35.130244017 CET	23600	49731	104.251.123.245	192.168.2.9
Dec 17, 2024 07:30:35.130475044 CET	49731	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:30:35.130990028 CET	49731	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:30:35.251075983 CET	23600	49731	104.251.123.245	192.168.2.9
Dec 17, 2024 07:30:38.811100960 CET	49732	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:30:38.931003094 CET	23600	49732	104.251.123.245	192.168.2.9
Dec 17, 2024 07:30:38.931144953 CET	49732	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:30:38.931629896 CET	49732	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:30:39.051423073 CET	23600	49732	104.251.123.245	192.168.2.9
Dec 17, 2024 07:31:00.848372936 CET	23600	49732	104.251.123.245	192.168.2.9
Dec 17, 2024 07:31:00.848484993 CET	49732	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:00.848764896 CET	49732	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:00.968498945 CET	23600	49732	104.251.123.245	192.168.2.9
Dec 17, 2024 07:31:04.357970953 CET	49734	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:04.477749109 CET	23600	49734	104.251.123.245	192.168.2.9
Dec 17, 2024 07:31:04.478025913 CET	49734	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:04.478373051 CET	49734	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:04.598753929 CET	23600	49734	104.251.123.245	192.168.2.9
Dec 17, 2024 07:31:26.379930019 CET	23600	49734	104.251.123.245	192.168.2.9
Dec 17, 2024 07:31:26.380273104 CET	49734	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:26.430622101 CET	49734	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:26.550528049 CET	23600	49734	104.251.123.245	192.168.2.9
Dec 17, 2024 07:31:29.969789028 CET	49735	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:30.089713097 CET	23600	49735	104.251.123.245	192.168.2.9
Dec 17, 2024 07:31:30.089936018 CET	49735	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:30.090276003 CET	49735	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:30.209914923 CET	23600	49735	104.251.123.245	192.168.2.9
Dec 17, 2024 07:31:52.007107973 CET	23600	49735	104.251.123.245	192.168.2.9
Dec 17, 2024 07:31:52.007256031 CET	49735	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:52.007622957 CET	49735	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:52.127692938 CET	23600	49735	104.251.123.245	192.168.2.9
Dec 17, 2024 07:31:55.748598099 CET	49736	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:55.868549109 CET	23600	49736	104.251.123.245	192.168.2.9
Dec 17, 2024 07:31:55.868669987 CET	49736	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:55.869116068 CET	49736	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:31:55.988935947 CET	23600	49736	104.251.123.245	192.168.2.9
Dec 17, 2024 07:32:17.787333965 CET	23600	49736	104.251.123.245	192.168.2.9
Dec 17, 2024 07:32:17.787698030 CET	49736	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:32:17.788897991 CET	49736	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:32:17.908643961 CET	23600	49736	104.251.123.245	192.168.2.9
Dec 17, 2024 07:32:21.491935015 CET	49737	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:32:21.613423109 CET	23600	49737	104.251.123.245	192.168.2.9
Dec 17, 2024 07:32:21.613545895 CET	49737	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:32:21.613924026 CET	49737	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:32:21.733671904 CET	23600	49737	104.251.123.245	192.168.2.9
Dec 17, 2024 07:32:43.506541967 CET	23600	49737	104.251.123.245	192.168.2.9
Dec 17, 2024 07:32:43.510179043 CET	49737	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:32:43.513014078 CET	49737	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:32:43.632787943 CET	23600	49737	104.251.123.245	192.168.2.9
Dec 17, 2024 07:32:46.998944044 CET	49738	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:32:47.118817091 CET	23600	49738	104.251.123.245	192.168.2.9
Dec 17, 2024 07:32:47.118902922 CET	49738	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:32:47.119453907 CET	49738	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:32:47.239152908 CET	23600	49738	104.251.123.245	192.168.2.9
Dec 17, 2024 07:33:09.022746086 CET	23600	49738	104.251.123.245	192.168.2.9
Dec 17, 2024 07:33:09.022927046 CET	49738	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:33:09.023395061 CET	49738	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:33:09.143114090 CET	23600	49738	104.251.123.245	192.168.2.9
Dec 17, 2024 07:33:12.576973915 CET	49739	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:33:12.696845055 CET	23600	49739	104.251.123.245	192.168.2.9
Dec 17, 2024 07:33:12.702272892 CET	49739	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:33:12.703658104 CET	49739	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:33:12.823417902 CET	23600	49739	104.251.123.245	192.168.2.9
Dec 17, 2024 07:33:34.617042065 CET	23600	49739	104.251.123.245	192.168.2.9
Dec 17, 2024 07:33:34.617247105 CET	49739	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:33:34.618249893 CET	49739	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:33:34.737967014 CET	23600	49739	104.251.123.245	192.168.2.9
Dec 17, 2024 07:33:38.343216896 CET	49740	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:33:38.463231087 CET	23600	49740	104.251.123.245	192.168.2.9
Dec 17, 2024 07:33:38.463367939 CET	49740	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:33:38.463869095 CET	49740	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:33:38.583730936 CET	23600	49740	104.251.123.245	192.168.2.9
Dec 17, 2024 07:34:00.382946968 CET	23600	49740	104.251.123.245	192.168.2.9
Dec 17, 2024 07:34:00.383019924 CET	49740	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:34:00.383331060 CET	49740	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:34:00.503032923 CET	23600	49740	104.251.123.245	192.168.2.9
Dec 17, 2024 07:34:04.092833042 CET	49741	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:34:04.213402987 CET	23600	49741	104.251.123.245	192.168.2.9
Dec 17, 2024 07:34:04.213526964 CET	49741	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:34:04.214143038 CET	49741	23600	192.168.2.9	104.251.123.245
Dec 17, 2024 07:34:04.333998919 CET	23600	49741	104.251.123.245	192.168.2.9

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 07:29:42.766943932 CET	1.1.1.1	192.168.2.9	0xcd00	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 07:29:42.766943932 CET	1.1.1.1	192.168.2.9	0xcd00	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	01:29:43
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\Client-built.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Client-built.exe"
Imagebase:	0x450000
File size:	3'265'536 bytes
MD5 hash:	CBAD8CCC75F88CD7C6B5AB3EC70F2E2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1323382293.0000000000770000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.3778069344.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1323071352.0000000000452000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	01:29:45
Start date:	17/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Imagebase:	0x7ff6cff80000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:29:46
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF887FC6243 Relevance: 3.0, Strings: 2, Instructions: 507
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0#L, xrefs: 00007FF887FC6587
0XL, xrefs: 00007FF887FC62B2

Memory Dump Source

Source File: 00000000.00000002.3783419307.00007FF887FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887fc0000_Client-built.jbxd

Similarity

API ID:
String ID: 0#L$0XL
API String ID: 0-892149821
Opcode ID: 11aaf21444399585fa66a496ae058b8f660840c01f4646a29f2c552acb5c783f
Instruction ID: b5a075fc81a587f8217577ed5fdd2919f1fb22c8c7cf0b0637ab28c665e39f45
Opcode Fuzzy Hash: 11aaf21444399585fa66a496ae058b8f660840c01f4646a29f2c552acb5c783f
Instruction Fuzzy Hash: 81023930A58A298FEB98DF19C4857A9B3F2FF99340F1445BAD04ED7695CE34E881CB40

Function 00007FF887FCAAAD Relevance: 2.2, Strings: 1, Instructions: 929
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x0_H, xrefs: 00007FF887FCABD1

Memory Dump Source

Source File: 00000000.00000002.3783419307.00007FF887FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887fc0000_Client-built.jbxd

Similarity

API ID:
String ID: x0_H
API String ID: 0-4001381062
Opcode ID: 43810639bd5ed6b26a5d2f2f5b0107ccf2e992063b6857c6d387b7ff66dc2bf3
Instruction ID: fe9638c261bf68398020a15a847b776a3093f91f5a92a75860347581eec46522
Opcode Fuzzy Hash: 43810639bd5ed6b26a5d2f2f5b0107ccf2e992063b6857c6d387b7ff66dc2bf3
Instruction Fuzzy Hash: E8526330648A498FEB98EB2CD458B7977E2FF99340F1445B9E44DC72A6DE38E841C741

Function 00007FF887FC54B6 Relevance: 1.4, Instructions: 1450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783419307.00007FF887FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887fc0000_Client-built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e42e1c86b3fdb531ccf689fd10b51266a5f01ad44434674dd5cca1bc71d2629
Instruction ID: 43cb6dcae45906d4693302d709cfb17bca79152d23beaeb9b68142a6fbe88092
Opcode Fuzzy Hash: 1e42e1c86b3fdb531ccf689fd10b51266a5f01ad44434674dd5cca1bc71d2629
Instruction Fuzzy Hash: 78B29070A18A598FDF98DF18C494BAD77F2FFA9340F5441A8D04ED7296CA35E882CB41

Function 00007FF887FC9AC4 Relevance: 1.0, Instructions: 959COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783419307.00007FF887FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887fc0000_Client-built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b1982e9f5f00a3f527fa0eadf8ed172097eeafdd7370c68495c5af70029b54
Instruction ID: 0a6c8153d55847b2a0ee2116c016592eb68f9ac802db33dbf6af26d8d9237d68
Opcode Fuzzy Hash: 03b1982e9f5f00a3f527fa0eadf8ed172097eeafdd7370c68495c5af70029b54
Instruction Fuzzy Hash: BD521430B1C9594FEB98EB2CD459AB977E1FF98350B0401B9D44EC72A6DE28EC42C741

Function 00007FF887FC8D41 Relevance: .7, Instructions: 695COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783419307.00007FF887FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887fc0000_Client-built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a3a8cd3633c402645b23ffef77f603689f5d3f4ab066d3c39f6783ece402cfa
Instruction ID: 4dbf86da60c9aa1f02f65eb2e7e6cf3bb5244a1745af451067c6d46cbb44bae6
Opcode Fuzzy Hash: 9a3a8cd3633c402645b23ffef77f603689f5d3f4ab066d3c39f6783ece402cfa
Instruction Fuzzy Hash: 86228C30A58A598FEB98EA2D94957BD77E2FFA8340F14017DD44EC3296DE38E842C741

Function 00007FF887FC6187 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783419307.00007FF887FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887fc0000_Client-built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8181df47c7d6ef5de1051a27b2fdd6fcce18f241e718a5094a0b3ef2bcdc01c7
Instruction ID: 088640f495e7b45196e489390e33b17980fd77609dbd49c4212673767ae0fd3a
Opcode Fuzzy Hash: 8181df47c7d6ef5de1051a27b2fdd6fcce18f241e718a5094a0b3ef2bcdc01c7
Instruction Fuzzy Hash: D4E1CE30A1CA5A8FEB98DB29C8456B977F1FF8A340F1445B9D45EC7292CE38E841C741

Function 00007FF887FCE1D9 Relevance: 1.8, APIs: 1, Instructions: 271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3783419307.00007FF887FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887fc0000_Client-built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ed6c0b9fdbd36d210e99a1b886b4445eb015be0df821d08e306c982688d4fb
Instruction ID: 657a59421abeddceef79b3ae115fbd710046132703bc0f12ca050097667721bc
Opcode Fuzzy Hash: e4ed6c0b9fdbd36d210e99a1b886b4445eb015be0df821d08e306c982688d4fb
Instruction Fuzzy Hash: 15710771E5CA994FD748AB6C94562F97BE0FF98710B0041BED04EC7197DE28A842C781

Function 00007FF887D53525 Relevance: 1.6, APIs: 1, Instructions: 137
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF887D53607

Memory Dump Source

Source File: 00000000.00000002.3781858218.00007FF887D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d50000_Client-built.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 958916973d33705142a353d2f59f961da9a3e7b49f043a384991cc47fce82854
Instruction ID: 505e43926b3c0462876eec520037dc15787522b7d0b36152951c53d9dd128da8
Opcode Fuzzy Hash: 958916973d33705142a353d2f59f961da9a3e7b49f043a384991cc47fce82854
Instruction Fuzzy Hash: 8641263290DB8C9FDB19DB6888496ED7FF0FF56310F0442AFC04AC7692CA24A809C791

Function 00007FF887D53569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FF887D53607

Memory Dump Source

Source File: 00000000.00000002.3781858218.00007FF887D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887d50000_Client-built.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b2cca23c88342b29aafaf2887214c89a07014493ba4fa48f2bb6eb360646d77d
Instruction ID: 55afb0cf26a637cb862a63d0aca041a6550e000123a4f28c27551ba25671a7b9
Opcode Fuzzy Hash: b2cca23c88342b29aafaf2887214c89a07014493ba4fa48f2bb6eb360646d77d
Instruction Fuzzy Hash: 0431C03190CA9C8FDB59DB98C8496EDBBF0FF65310F04426BD04AD3692DB64A806CB91

Non-executed Functions

Function 00007FF887FC0DD1 Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783419307.00007FF887FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887fc0000_Client-built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47726dd488ebcab7f354ab5f15f380e7eb79b1e14d4660c6e4d7703d7200e026
Instruction ID: 6b82a16be8162d99e6756596b1f57e028c9e42a982444e0396f548bf05a7471e
Opcode Fuzzy Hash: 47726dd488ebcab7f354ab5f15f380e7eb79b1e14d4660c6e4d7703d7200e026
Instruction Fuzzy Hash: 39325217D0D1E28AE61176BDF4A21EE3F60DF422B970C41B7D1ED49053DD0CA98BC6A6

Function 00007FF887FC10F2 Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783419307.00007FF887FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887fc0000_Client-built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2bbf7ec3f854d84665498cbbd7bf1d198d2b2d3eeb7840277c872505444a3a4
Instruction ID: 236d9947695e32fa7bb5d3f2320ed19560a9fc01d707379b96d5e166e331047c
Opcode Fuzzy Hash: d2bbf7ec3f854d84665498cbbd7bf1d198d2b2d3eeb7840277c872505444a3a4
Instruction Fuzzy Hash: 36E1511BD0D1E28AE71176FDF4A21EE3F609F422B970841B7E1ED49053DD0C668BC6A6

Function 00007FF887FC11FA Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3783419307.00007FF887FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff887fc0000_Client-built.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50283b5171bd9d5fc91d6669d2bc0c5744c141261e7ef84fa7bdec8ef07a2aa8
Instruction ID: 8ef440a5d3af0739480b35ac7df0600f6fc6703940c4618fc595a8249800a9ce
Opcode Fuzzy Hash: 50283b5171bd9d5fc91d6669d2bc0c5744c141261e7ef84fa7bdec8ef07a2aa8
Instruction Fuzzy Hash: D5C1311BD0D1E28AE61176FDF4A21EE3F609F422B970841B7D1ED49053DD0CA68BC6A6

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Client-built.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
Client-built.exe

Function 00007FF887FC6243 Relevance: 3.0, Strings: 2, Instructions: 507
COMMON

Function 00007FF887FCAAAD Relevance: 2.2, Strings: 1, Instructions: 929
COMMON

Function 00007FF887FCE1D9 Relevance: 1.8, APIs: 1, Instructions: 271
COMMON

Function 00007FF887D53525 Relevance: 1.6, APIs: 1, Instructions: 137
fileCOMMON

Function 00007FF887D53569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON