Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe

Overview

General Information

Sample name:1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe
Analysis ID:1578590
MD5:4bb75ccb09135ac25f81d2ed4d523be3
SHA1:993cd8d4d4fdb660b3d6d40b307a4d482f652e63
SHA256:19f7eb5708f6e144e092b9852bc12443769b73dd4f33acb02568fa391901e143
Tags:base64-decodedexeuser-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Quasar
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Quasar RAT
Machine Learning detection for sample
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Quasar RAT, QuasarRATQuasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeJoeSecurity_QuasarYara detected Quasar RATJoe Security
    1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeWindows_Trojan_Quasarrat_e52df647unknownunknown
    • 0x40b99:$a1: GetKeyloggerLogsResponse
    • 0x402e5:$a2: DoDownloadAndExecute
    • 0x53f41:$a3: http://api.ipify.org/
    • 0x51a47:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
    • 0x52d95:$a5: " /sc ONLOGON /tr "
    1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeQuasar_RAT_1Detects Quasar RATFlorian Roth
    • 0x40092:$s1: DoUploadAndExecute
    • 0x402e5:$s2: DoDownloadAndExecute
    • 0x3fe51:$s3: DoShellExecute
    • 0x4029d:$s4: set_Processname
    • 0x5ab3:$op2: 00 17 03 1F 20 17 19 15 28
    • 0x6525:$op3: 00 04 03 69 91 1B 40
    • 0x6d87:$op3: 00 04 03 69 91 1B 40
    1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeQuasar_RAT_2Detects Quasar RATFlorian Roth
    • 0x40b99:$x1: GetKeyloggerLogsResponse
    • 0x40dd9:$s1: DoShellExecuteResponse
    • 0x40742:$s2: GetPasswordsResponse
    • 0x40cac:$s3: GetStartupItemsResponse
    • 0x400a6:$s5: RunHidden
    • 0x400c7:$s5: RunHidden
    • 0x400d5:$s5: RunHidden
    • 0x400e9:$s5: RunHidden
    1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
    • 0x52d5b:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ...
    • 0x52f91:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
    Click to see the 6 entries

    Sigma Signatures

    No Sigma rule has matched

    Suricata Signatures

    No Suricata rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Multi AV Scanner detection for submitted file
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeReversingLabs: Detection: 58%
    Yara detected Quasar RAT
    Source: Yara matchFile source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLE
    Machine Learning detection for sample
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeJoe Sandbox ML: detected
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeString found in binary or memory: http://api.ipify.org/
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeString found in binary or memory: http://freegeoip.net/xml/
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeString found in binary or memory: http://ip-api.com/json/

    E-Banking Fraud

    barindex
    Yara detected Quasar RAT
    Source: Yara matchFile source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLE

    System Summary

    barindex
    Malicious sample detected (through community Yara rule)
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: Detects Quasar RAT Author: Florian Roth
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: Detects Quasar RAT Author: Florian Roth
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: Detects QuasarRAT malware Author: Florian Roth
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: Detects Vermin Keylogger Author: Florian Roth
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: Detects Patchwork malware Author: Florian Roth
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: QuasarRAT payload Author: ditekSHen
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeStatic PE information: No import functions for PE file found
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeBinary or memory string: OriginalFilenameClient.exe" vs 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLEMatched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
    Source: classification engineClassification label: mal68.troj.winEXE@0/0@0/0
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeReversingLabs: Detection: 58%
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exeBinary or memory string: Z8kz+2cvmnXDeJICP8lpVJl4cXt/ke0bTGezljjEaqblO9LmZGwKB6oGMCbwc9Y7CHJefPVGhgfss/zboMyYBg==

    Stealing of Sensitive Information

    barindex
    Yara detected Quasar RAT
    Source: Yara matchFile source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLE

    Remote Access Functionality

    barindex
    Yara detected Quasar RAT
    Source: Yara matchFile source: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe, type: SAMPLE

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionDirect Volume AccessOS Credential Dumping1
    Security Software Discovery    		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe58%ReversingLabsByteCode-MSIL.Trojan.Generic
    1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe100%Joe Sandbox ML

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    s-part-0035.t-0009.t-msedge.net
    		13.107.246.63
    		truefalse
      		high

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://api.ipify.org/1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exefalse
        		high
        http://freegeoip.net/xml/1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exefalse
          		high
          http://ip-api.com/json/1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exefalse
            		high

            World Map of Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1578590
            Start date and time:2024-12-19 23:26:20 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 1m 50s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:1
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe
            Detection:MAL
            Classification:mal68.troj.winEXE@0/0@0/0
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Unable to launch sample, stop analysis

            Errors

            • No process behavior to analyse as no analysis process or sample was found
            • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

            Warnings

            • Exclude process from analysis (whitelisted): dllhost.exe
            • Excluded IPs from analysis (whitelisted): 13.107.246.63
            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
            • VT rate limit hit for: 1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            s-part-0035.t-0009.t-msedge.netfile.exeGet hashmaliciousScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, VidarBrowse
            • 13.107.246.63
            Gioia Faggioli-End Of Year-Bonus.docxGet hashmaliciousUnknownBrowse
            • 13.107.246.63
            dz6dQWx0DD.dllGet hashmaliciousNitolBrowse
            • 13.107.246.63
            Eallentoff_401k_1484013830.htmlGet hashmaliciousHTMLPhisherBrowse
            • 13.107.246.63
            INVOICE-0098.pdf ... .lnk.lnk.d.lnkGet hashmaliciousUnknownBrowse
            • 13.107.246.63
            hnghksdjfhs19De.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
            • 13.107.246.63
            CNUXJvLcgw.lnkGet hashmaliciousRHADAMANTHYSBrowse
            • 13.107.246.63
            LbtytfWpvx.vbsGet hashmaliciousRemcosBrowse
            • 13.107.246.63
            H2PspQWoHE.ps1Get hashmaliciousUnknownBrowse
            • 13.107.246.63
            https://nicholaspackaging.businesslawcloud.com/mTlFMGet hashmaliciousHTMLPhisherBrowse
            • 13.107.246.63

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            No created / dropped files found

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):6.469957525748379
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            • Win32 Executable (generic) a (10002005/4) 49.75%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Windows Screen Saver (13104/52) 0.07%
            • Generic Win/DOS Executable (2004/3) 0.01%
            File name:1734647108deb38ffd55bf4ee0e1256f32366f93320efa5c08106fb229cd97f7a3c54ee7b3565.dat-decoded.exe
            File size:370'659 bytes
            MD5:4bb75ccb09135ac25f81d2ed4d523be3
            SHA1:993cd8d4d4fdb660b3d6d40b307a4d482f652e63
            SHA256:19f7eb5708f6e144e092b9852bc12443769b73dd4f33acb02568fa391901e143
            SHA512:483a559c0192679d3e4cb9cc92ecb557a9cc3f5259d358be3e837ff440ec281a984bba9ac621dd2b03ef20bf7bcc608520cb3dfff4b6046bc54824df4601d64d
            SSDEEP:6144:zjwlMJmfKTwQ60bJA0b3g8fsw544mikD0h66C:z8km2RbG+bUw5tzkD0hFC
            TLSH:8E749D5373A4E93BD2FD9B35E43206159BB4D41BBA16F38B1A6C50B92C333815E843A7
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.bg.................b..........~.... ........@.. ....................................@................................

            File Icon

            Icon Hash:00928e8e8686b000

            Static PE Info

            General

            Entrypoint:0x45817e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x6762EC58 [Wed Dec 18 15:38:00 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:

            Entrypoint Preview

            Instruction
            inc ebx
            add byte ptr [ecx+00h], ah
            outsb
            add byte ptr [esi+00h], ch
            outsd
            add byte ptr [eax+eax+20h], dh
            add byte ptr [ebx+00h], ah
            jc 00007F6E099830A2h
            add byte ptr [ecx+00h], ah
            je 00007F6E099830A2h
            add byte ptr [eax], ah
            add byte ptr [ebx+00h], ch
            add byte ptr [ecx+00h], bh
            cmp al, byte ptr [eax]
            and byte ptr [eax], al
            inc ebp
            add byte ptr [edx+00h], dh
            jc 00007F6E099830A2h
            outsd
            add byte ptr [edx+00h], dh
            and byte ptr [eax], al
            jnbe 00007F6E099830A2h
            jc 00007F6E099830A2h
            imul eax, dword ptr [eax], 00690074h
            outsb
            add byte ptr [edi+00h], ah
            and byte ptr [eax], al
            je 00007F6E099830A2h
            outsd
            add byte ptr [eax], ah
            add byte ptr [eax+eax+68h], dh
            add byte ptr [ebp+00h], ah
            and byte ptr [eax], al
            jc 00007F6E099830A2h
            add byte ptr [edi+00h], ah
            imul eax, dword ptr [eax], 00740073h
            jc 00007F6E099830A2h
            jns 00007F6E099830A2h
            pushad
            inc ebx
            add byte ptr [ecx+00h], ah
            outsb
            add byte ptr [esi+00h], ch
            outsd
            add byte ptr [eax+eax+20h], dh
            add byte ptr [eax+eax+65h], ah
            add byte ptr [eax+eax+65h], ch
            add byte ptr [eax+eax+65h], dh
            add byte ptr [eax], ah
            add byte ptr [ebx+00h], ch
            add byte ptr [ecx+00h], bh
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0x581240x57.text
            IMAGE_DIRECTORY_ENTRY_RESOURCE0x5a0000xa00.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x5c0000xc.reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x20000x561840x56200715807eb2c96339ea9307ba942f43e18False0.508138493287373data6.460960614033915IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc0x5a0000xa000xa000b01e7b64928cf9d7efec58dd8ab97a2False0.470703125data5.117281606227327IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc0x5c0000xc0x2007ea24b4f80215497e8889f706c52b80eFalse0.67578125data4.939807912117149IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Network Behavior

            DNS Answers

            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
            Dec 19, 2024 23:27:22.938165903 CET1.1.1.1192.168.2.60x20efNo error (0)shed.dual-low.s-part-0035.t-0009.t-msedge.nets-part-0035.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
            Dec 19, 2024 23:27:22.938165903 CET1.1.1.1192.168.2.60x20efNo error (0)s-part-0035.t-0009.t-msedge.net13.107.246.63A (IP address)IN (0x0001)false

            Statistics

            No statistics

            System Behavior

            No system behavior

            Disassembly

            No disassembly