Windows Analysis Report
Client-built.exe

Overview

General Information

Sample name: Client-built.exe
Analysis ID: 1579699
MD5: beb1de229b374cd778107c8268e191ac
SHA1: fb5dcf278195472e206fa484f7005aa485c308ae
SHA256: 604b99f997d7de70804667e6e985627485d1a4d1eb694f3c36a34f0a01aef7bd
Tags: exe, QuasarRAT, user-lontze7

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Quasar RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Client-built.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\Client-built.exe" MD5: BEB1DE229B374CD778107C8268E191AC)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware configuration (extracted): {"Host:Port": "R,,JA3V=g)s~", "InstallName": "Xs_V", "MutexName": "j\"Cy", "StartupKey": "4;rQac\"", "Tag": "?JHvg)*i_)1", "ServerSignature": "q{gyhL'y", "ServerCertificate": ">vK&Mh1"}
Source | Rule | Description | Author | Strings
Client-built.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
Client-built.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
Client-built.exe | Windows_Trojan_Quasarrat_e52df647 | unknown | unknown
  • 0x3ec0e:$a1: GetKeyloggerLogsResponse
  • 0x3e36f:$a2: DoDownloadAndExecute
  • 0x50820:$a3: http://api.ipify.org/
  • 0x4e329:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
  • 0x4f677:$a5: " /sc ONLOGON /tr "
Client-built.exe | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x3e12b:$s1: DoUploadAndExecute
  • 0x3e36f:$s2: DoDownloadAndExecute
  • 0x3def0:$s3: DoShellExecute
  • 0x3e327:$s4: set_Processname
  • 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5948:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x63ae:$op3: 00 04 03 69 91 1B 40
  • 0x6bfe:$op3: 00 04 03 69 91 1B 40
Client-built.exe | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x3ec0e:$x1: GetKeyloggerLogsResponse
  • 0x3ee4e:$s1: DoShellExecuteResponse
  • 0x3e7bd:$s2: GetPasswordsResponse
  • 0x3ed21:$s3: GetStartupItemsResponse
  • 0x3e13f:$s5: RunHidden
  • 0x3e15d:$s5: RunHidden
  • 0x3e16b:$s5: RunHidden
  • 0x3e17f:$s5: RunHidden
(7 further entries not shown)
Source | Rule | Description | Author | Strings
00000000.00000002.2643899248.0000000002B91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Quasarrat_e52df647 | unknown | unknown
  • 0x3ea0e:$a1: GetKeyloggerLogsResponse
  • 0x3e16f:$a2: DoDownloadAndExecute
  • 0x50620:$a3: http://api.ipify.org/
  • 0x4e129:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
  • 0x4f477:$a5: " /sc ONLOGON /tr "
00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x3df2b:$s1: DoUploadAndExecute
  • 0x3e16f:$s2: DoDownloadAndExecute
  • 0x3dcf0:$s3: DoShellExecute
  • 0x3e127:$s4: set_Processname
  • 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5748:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x61ae:$op3: 00 04 03 69 91 1B 40
  • 0x69fe:$op3: 00 04 03 69 91 1B 40
00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp | Quasar | detect Remcos in memory | JPCERT/CC Incident Response Group
  • 0x4ee36:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"]
  • 0x4ea4a:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2}
  • 0x33dc6:$class: Core.MouseKeyHook.WinApi
(1 further entry not shown)
Source | Rule | Description | Author | Strings
0.0.Client-built.exe.790000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
0.0.Client-built.exe.790000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.Client-built.exe.790000.0.unpack | Windows_Trojan_Quasarrat_e52df647 | unknown | unknown
  • 0x3ec0e:$a1: GetKeyloggerLogsResponse
  • 0x3e36f:$a2: DoDownloadAndExecute
  • 0x50820:$a3: http://api.ipify.org/
  • 0x4e329:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
  • 0x4f677:$a5: " /sc ONLOGON /tr "
0.0.Client-built.exe.790000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x3e12b:$s1: DoUploadAndExecute
  • 0x3e36f:$s2: DoDownloadAndExecute
  • 0x3def0:$s3: DoShellExecute
  • 0x3e327:$s4: set_Processname
  • 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5948:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x63ae:$op3: 00 04 03 69 91 1B 40
  • 0x6bfe:$op3: 00 04 03 69 91 1B 40
0.0.Client-built.exe.790000.0.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x3ec0e:$x1: GetKeyloggerLogsResponse
  • 0x3ee4e:$s1: DoShellExecuteResponse
  • 0x3e7bd:$s2: GetPasswordsResponse
  • 0x3ed21:$s3: GetStartupItemsResponse
  • 0x3e13f:$s5: RunHidden
  • 0x3e15d:$s5: RunHidden
  • 0x3e16b:$s5: RunHidden
  • 0x3e17f:$s5: RunHidden
(7 further entries not shown)

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T07:49:32.320518+0100 | 2036383 | 1 | A Network Trojan was detected | 192.168.2.8 | 49706 | 208.95.112.1 | 80 | TCP

              AV Detection

Source: Client-built.exe | Avira: detected
Source: Client-built.exe | Malware Configuration Extractor: Quasar {"Host:Port": "R,,JA3V=g)s~", "InstallName": "Xs_V", "MutexName": "j\"Cy", "StartupKey": "4;rQac\"", "Tag": "?JHvg)*i_)1", "ServerSignature": "q{gyhL'y", "ServerCertificate": ">vK&Mh1"}
Source: Client-built.exe | ReversingLabs: Detection: 84%
Source: Client-built.exe | Virustotal: Detection: 85%
Source: Yara match | File source: Client-built.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2643899248.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client-built.exe PID: 7528, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Client-built.exe | Joe Sandbox ML: detected
Source: Client-built.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Client-built.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Networking

Source: Network traffic | Suricata IDS: 2036383 - Severity 1 - ET MALWARE Common RAT Connectivity Check Observed : 192.168.2.8:49706 -> 208.95.112.1:80
Source: Malware configuration extractor | URLs: R,,JA3V=g)s~
Source: Yara match | File source: Client-built.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.8:49707 -> 20.107.53.25:25535
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected:
  GET /json/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
  Host: ip-api.com
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 20.107.53.25 (reported 18 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: Client-built.exe | String found in binary or memory: http://api.ipify.org/
Source: Client-built.exe | String found in binary or memory: http://freegeoip.net/xml/
Source: Client-built.exe, 00000000.00000002.2643899248.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, Client-built.exe, 00000000.00000002.2643899248.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: Client-built.exe | String found in binary or memory: http://ip-api.com/json/
Source: Client-built.exe, 00000000.00000002.2643899248.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: Client-built.exe, 00000000.00000002.2643899248.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

              E-Banking Fraud

Source: Yara match | File source: Client-built.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2643899248.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client-built.exe PID: 7528, type: MEMORYSTR

              System Summary

Source: Client-built.exe, type: SAMPLE | Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: Client-built.exe, type: SAMPLE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: Client-built.exe, type: SAMPLE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: Client-built.exe, type: SAMPLE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: Client-built.exe, type: SAMPLE | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: Client-built.exe, type: SAMPLE | Matched rule: Detects Patchwork malware Author: Florian Roth
Source: Client-built.exe, type: SAMPLE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: Client-built.exe, type: SAMPLE | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: Client-built.exe, type: SAMPLE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Client-built.exe, type: SAMPLE | Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: QuasarRAT payload Author: ditekSHen
Source: 00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_0100A550
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_01009C80
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_01009938
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_063F7558
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_063F0BD8
Source: Client-built.exe, 00000000.00000002.2642803865.0000000000B78000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Client-built.exe
Source: Client-built.exe, 00000000.00000000.1385931302.00000000007EA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs Client-built.exe
Source: Client-built.exe | Binary or memory string: OriginalFilenameClient.exe" vs Client-built.exe
Source: Client-built.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Client-built.exe, type: SAMPLE | Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: Client-built.exe, type: SAMPLE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Client-built.exe, type: SAMPLE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: Client-built.exe, type: SAMPLE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: Client-built.exe, type: SAMPLE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Client-built.exe, type: SAMPLE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Client-built.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Client-built.exe, type: SAMPLE | Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: Client-built.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Client-built.exe, type: SAMPLE | Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: Client-built.exe, -----.cs | Base64 encoded string: 'U9mEqFFePKyJgWfGKrysKk/+Tn++pG5Z8oKyNNY5MLX3+2sDLbRdJdtKhKxVlLQ9olPPgnXL4B9t2SOVzsDcAw==', 'QII64E3A8rYLnZZFKbBwCwgdF335azLTXaW5ZPbiNye6AgEVgWf0kA7NGaaMbBLCqeA7YPXDQ7Qsw/uWTzPVZ6QFbq3l90vLCvBJ2EvL7D8=', 'NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==', 'lPLDE7zFeXRhLfAkD1rXRdS6D0xPUsNEI9OfeLkvdsgwqeWLSZKChwNrZDnxRxS/8S4Y2tZXCbD3OHF94A0StA==', 'MeJmrA3t2wN22zPQbF6LGljI6mma/wzWgXRLBnmpGrKFy09VXX7w9VFzgi3uhSBCiDdNOzJne7PcCT3/WbxjRA==', 'jcoYgrM3u3/A7qdCzvc1ZdbTufnsCqeFrlYe+jaAgekpyJPzH0bVoBVyQgpo6m5bY68y2sKMPSYtt2FpKYm3TN3wVlTaq65V2owIib9nvNo=', 'wwmU4qtPdidTmAlyxmUIVew9SOKdm0uZPPTPnudibvUJNfjBfMwV/Mrcav7Nq+0uvcEZGE6PRErdp5OUSbc64e6ao3eKWgsLDGCthQFJmLs=', 'XXQ4aD8lpjbQwgtg5kYW20+f1v/Glq59QbIRW4jXcoPIGXoR2jILourDb/JGMAlHdvLYSA3acuax+7jiltWs5A=='
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\Client-built.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\Client-built.exe | Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_zQ0poF2lHhCSZKSUZ3
Source: Client-built.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Client-built.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Client-built.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Client-built.exe | ReversingLabs: Detection: 84%
Source: Client-built.exe | Virustotal: Detection: 85%
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Client-built.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Client-built.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Client-built.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_0100E33B push ebx; retf 0_2_0100E33E
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_010097C8 pushad ; retf 0_2_010097C9
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_063F6FB0 pushfd ; iretd 0_2_063F6FB9
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_063F4D34 push es; retf 0_2_063F4D48
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_063F4D49 push es; retf 0_2_063F4D4C

              Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Client-built.exe | File opened: C:\Users\user\Desktop\Client-built.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Client-built.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Client-built.exe | Memory allocated: 1000000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Client-built.exe | Memory allocated: 2B90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Client-built.exe | Memory allocated: 4B90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Client-built.exe TID: 7532 | Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\Desktop\Client-built.exe | Last function: Thread delayed
Source: Client-built.exe, 00000000.00000002.2643125552.0000000000E66000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Client-built.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Client-built.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Client-built.exe | Queries volume information: C:\Users\user\Desktop\Client-built.exe VolumeInformation
Source: C:\Users\user\Desktop\Client-built.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Client-built.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Client-built.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\Client-built.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\Client-built.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Client-built.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

Source: Yara match | File source: Client-built.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2643899248.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client-built.exe PID: 7528, type: MEMORYSTR

              Remote Access Functionality

Source: C:\Users\user\Desktop\Client-built.exe | Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_zQ0poF2lHhCSZKSUZ3
Source: Yara match | File source: Client-built.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client-built.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2643899248.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client-built.exe PID: 7528, type: MEMORYSTR
ATT&CK matrix (one line per tactic, cells listed in matrix order; a leading number is kept exactly as shown in the original matrix):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media
Execution: Windows Management Instrumentation | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts
Privilege Escalation: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts
Defense Evasion: 2 Virtualization/Sandbox Evasion | 1 Disable or Modify Tools | 1 Hidden Files and Directories | 11 Obfuscated Files or Information | 1 DLL Side-Loading | Steganography
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials
Discovery: 1 Security Software Discovery | 2 Virtualization/Sandbox Evasion | 1 System Network Configuration Discovery | 12 System Information Discovery | Internet Connection Discovery | Wi-Fi Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC
Collection: 1 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture
Command and Control: 1 Encrypted Channel | 1 Non-Standard Port | 1 Remote Access Software | 1 Ingress Tool Transfer | 2 Non-Application Layer Protocol | 112 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop

Source | Detection | Scanner | Label
Client-built.exe | 84% | ReversingLabs | ByteCode-MSIL.Backdoor.Quasar
Client-built.exe | 86% | Virustotal |
Client-built.exe | 100% | Avira | HEUR/AGEN.1307418
Client-built.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/json/ | false | | high
R,,JA3V=g)s~ | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://api.ipify.org/ | Client-built.exe | false | | high
http://freegeoip.net/xml/ | Client-built.exe | false | | high
http://schemas.datacontract.org/2004/07/ | Client-built.exe, 00000000.00000002.2643899248.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Client-built.exe, 00000000.00000002.2643899248.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | Client-built.exe, 00000000.00000002.2643899248.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, Client-built.exe, 00000000.00000002.2643899248.0000000002BF7000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
20.107.53.25 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579699
Start date and time: 2024-12-23 07:48:35 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Client-built.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 16
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | DHL AWB-documents.lnk | malicious | Divulge Stealer | ip-api.com/json/?fields=225545
208.95.112.1 | main.exe | malicious | Python Stealer, Discord Token Stealer, PRYSMAX STEALER | ip-api.com/json/8.46.123.189?fields=192511
208.95.112.1 | main.exe | malicious | Unknown | ip-api.com/json/8.46.123.189?fields=192511
208.95.112.1 | HX Design.exe | malicious | Python Stealer, Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | dF66DKQP7u.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 2QaN4hOyJs.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | fvbhdyuJYi.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 8DiSW8IPEF.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | twE44mm07j.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | YgJ5inWPQO.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | DHL AWB-documents.lnk | malicious | Divulge Stealer | 208.95.112.1
ip-api.com | main.exe | malicious | Python Stealer, Discord Token Stealer, PRYSMAX STEALER | 208.95.112.1
ip-api.com | main.exe | malicious | Unknown | 208.95.112.1
ip-api.com | HX Design.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
ip-api.com | dF66DKQP7u.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 2QaN4hOyJs.exe | malicious | XWorm | 208.95.112.1
ip-api.com | fvbhdyuJYi.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 8DiSW8IPEF.exe | malicious | XWorm | 208.95.112.1
ip-api.com | twE44mm07j.exe | malicious | XWorm | 208.95.112.1
ip-api.com | YgJ5inWPQO.exe | malicious | AsyncRAT, XWorm | 208.95.112.1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-ASUS | DHL AWB-documents.lnk | malicious | Divulge Stealer | 208.95.112.1
TUT-ASUS | main.exe | malicious | Python Stealer, Discord Token Stealer, PRYSMAX STEALER | 208.95.112.1
TUT-ASUS | main.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | HX Design.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
TUT-ASUS | file.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm | 208.95.112.1
TUT-ASUS | dF66DKQP7u.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | 2QaN4hOyJs.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | fvbhdyuJYi.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | 8DiSW8IPEF.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | twE44mm07j.exe | malicious | XWorm | 208.95.112.1
MICROSOFT-CORP-MSN-AS-BLOCKUS | armv6l.elf | malicious | Unknown | 40.112.151.235
MICROSOFT-CORP-MSN-AS-BLOCKUS | gVKsiQIHqe.exe | malicious | Vidar | 204.79.197.219
MICROSOFT-CORP-MSN-AS-BLOCKUS | trZG6pItZj.exe | malicious | Vidar | 204.79.197.219
MICROSOFT-CORP-MSN-AS-BLOCKUS | armv4l.elf | malicious | Unknown | 20.202.12.183
MICROSOFT-CORP-MSN-AS-BLOCKUS | 2.elf | malicious | Unknown | 20.78.208.111
MICROSOFT-CORP-MSN-AS-BLOCKUS | loligang.arm.elf | malicious | Mirai | 20.208.252.17
MICROSOFT-CORP-MSN-AS-BLOCKUS | loligang.mpsl.elf | malicious | Mirai | 20.234.251.100
MICROSOFT-CORP-MSN-AS-BLOCKUS | arm.nn.elf | malicious | Mirai, Okiru | 21.152.225.5
MICROSOFT-CORP-MSN-AS-BLOCKUS | arm7.nn.elf | malicious | Mirai, Okiru | 40.113.41.15
MICROSOFT-CORP-MSN-AS-BLOCKUS | arm5.nn.elf | malicious | Mirai, Okiru | 21.84.149.231
                              No context
                              No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.428633025552722
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Client-built.exe
File size: 356'352 bytes
MD5: beb1de229b374cd778107c8268e191ac
SHA1: fb5dcf278195472e206fa484f7005aa485c308ae
SHA256: 604b99f997d7de70804667e6e985627485d1a4d1eb694f3c36a34f0a01aef7bd
SHA512: 62bbd4c5688438fb5b9d3610cc2fe2be654f4373a28fc116d6118d20b00c82060ac77d33c11758ef20b84a06a3eaced8a6eb9fe792a3a21207f1b37bb18caff0
SSDEEP: 6144:IzNHXf500MoXP4PcNINSzpbDGrnxD6JAwV5IO:6d50OCcxzAjR6qwV5IO
TLSH: 8E748D1373D4D63BD1FD173AE4320A194BB0D417BA16E38B5A5A65F82D133868E843B3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....ZUc.................b............... ........@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4581ce
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x63555AB7 [Sun Oct 23 15:16:07 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                              Instruction
                              jmp dword ptr [00402000h]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x58180 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5a000 | 0xa00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x561d4 | 0x56200 | a0e78fa06efc41008fc113c5be5adfb1 | False | 0.5131077648766328 | data | 6.4454137444965856 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x5a000 | 0xa00 | 0xa00 | 76cc3230218ab47d3ced751a87f28c1b | False | 0.340234375 | data | 4.23596538978674 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x5c000 | 0xc | 0x200 | 3e9f7d609fdf085dc36811ecf2c51bd9 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x5a090 | 0x2d4 | data | | | 0.43646408839779005
RT_MANIFEST | 0x5a374 | 0x493 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.43381725021349277
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T07:49:32.320518+0100 | 2036383 | ET MALWARE Common RAT Connectivity Check Observed | 1 | 192.168.2.8 | 49706 | 208.95.112.1 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 23, 2024 07:49:30.621398926 CET | 53690 | 53 | 192.168.2.8 | 1.1.1.1
Dec 23, 2024 07:49:30.758325100 CET | 53 | 53690 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 23, 2024 07:49:30.621398926 CET | 192.168.2.8 | 1.1.1.1 | 0xae31 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 07:49:30.758325100 CET | 1.1.1.1 | 192.168.2.8 | 0xae31 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                              • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 208.95.112.1 | 80 | 7528 | C:\Users\user\Desktop\Client-built.exe
Timestamp | Bytes transferred | Direction | Data
Dec 23, 2024 07:49:31.168694973 CET | 144 | OUT | GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive
Dec 23, 2024 07:49:32.264566898 CET | 483 | IN | HTTP/1.1 200 OK
Date: Mon, 23 Dec 2024 06:49:31 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 306
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
                              Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}

                              Target ID:0
                              Start time:01:49:28
                              Start date:23/12/2024
                              Path:C:\Users\user\Desktop\Client-built.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\Client-built.exe"
                              Imagebase:0x790000
                              File size:356'352 bytes
                              MD5 hash:BEB1DE229B374CD778107C8268E191AC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2643899248.0000000002B91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: 00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                              • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                              • Rule: Quasar, Description: detect Remcos in memory, Source: 00000000.00000000.1385888862.0000000000792000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                              Reputation:low
                              Has exited:false
                                Execution Graph

                                Execution Coverage:9.7%
                                Dynamic/Decrypted Code Coverage:97.7%
                                Signature Coverage:0%
                                Total number of Nodes:130
                                Total number of Limit Nodes:10
                                Memory Dump Source
                                • Source File: 00000000.00000002.2643357622.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1000000_Client-built.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 886c2e2321f2ed55e82d15ba7e3e4157fb44161a86fe7cd12da9f9f4712666a3
                                • Instruction ID: 6193a814a614d1ee895eca4a35d68dd9d959ec937a52d3e9d0de630486c8a8d6
                                • Opcode Fuzzy Hash: 886c2e2321f2ed55e82d15ba7e3e4157fb44161a86fe7cd12da9f9f4712666a3
                                • Instruction Fuzzy Hash: CEB17170E00209CFEB55DFA9C8857EDBBF2AF88318F148529E459E7295EB749841CB81
                                Memory Dump Source
                                • Source File: 00000000.00000002.2643357622.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1000000_Client-built.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d650ce24f1449e86a9e0e92b7f657835b072a8e9e47216e93f4f684fb5ea0be1
                                • Instruction ID: bffc194c137521af5ed17b27fcbbdaa30114a550362d4d25c5b15dc486f87b77
                                • Opcode Fuzzy Hash: d650ce24f1449e86a9e0e92b7f657835b072a8e9e47216e93f4f684fb5ea0be1
                                • Instruction Fuzzy Hash: 24B15A70F00309CFEB55CFA9C8857AEBBF2BF88710F148529D455A7294EB749941CB81

                                Control-flow Graph

                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 063F0756
                                Memory Dump Source
                                • Source File: 00000000.00000002.2645691952.00000000063F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_63f0000_Client-built.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: fa24b54abc4b41d4bba11b14624aae4ee7598fe62aeacf5d1da90445f7f158c1
                                • Instruction ID: bbc768523703baaf72d583c71b9c8d2ec1d4be72d1a2397a1a75052454dc8b40
                                • Opcode Fuzzy Hash: fa24b54abc4b41d4bba11b14624aae4ee7598fe62aeacf5d1da90445f7f158c1
                                • Instruction Fuzzy Hash: B5815870A10B058FD7A8DF29D45475ABBF1FF88200F00892DE59AD7A51D774E949CFA0

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2645733785.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6410000_Client-built.jbxd
                                Similarity
                                • API ID:
                                • String ID: ?
                                • API String ID: 0-1684325040
                                • Opcode ID: ea2c694ba4bebf35103f18389b181083c2f30cadf884b531946f9c3226f51099
                                • Instruction ID: 3c0f4f773f2f2ebd731828bae22cc4219e7d765846384c720f69eaa2b606bb95
                                • Opcode Fuzzy Hash: ea2c694ba4bebf35103f18389b181083c2f30cadf884b531946f9c3226f51099
                                • Instruction Fuzzy Hash: E6F18C30B002089FEB59DBA5D944B6EBBB2FF85B00F14805AE4068F395CF759D82DB91

                                Control-flow Graph

                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 063F27E2
                                Memory Dump Source
                                • Source File: 00000000.00000002.2645691952.00000000063F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_63f0000_Client-built.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: 2b3daac4d872fbf47c6ef18c27421a2010ba410ec1c2b73c2497323c4f5eac94
                                • Instruction ID: edb6b6eedeae59873fad5945b853d7dc8084a57da1c74200821e27d2460bddcf
                                • Opcode Fuzzy Hash: 2b3daac4d872fbf47c6ef18c27421a2010ba410ec1c2b73c2497323c4f5eac94
                                • Instruction Fuzzy Hash: 0951D0B5D10349DFDB14CFA9C880ADEBBF6BF88310F24812AE818AB250D7759945CF90

                                Control-flow Graph

                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 063F27E2
                                Memory Dump Source
                                • Source File: 00000000.00000002.2645691952.00000000063F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_63f0000_Client-built.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: 5910b20ed64f3c82b38b2ac7c9bf7cb4fbd3f71db4e86eebfc0d20e26234f762
                                • Instruction ID: 9562cd4e218859372adc2068b118a1d53c196a5700cc2eb016e6bbd43cdf262e
                                • Opcode Fuzzy Hash: 5910b20ed64f3c82b38b2ac7c9bf7cb4fbd3f71db4e86eebfc0d20e26234f762
                                • Instruction Fuzzy Hash: AD41CFB1D10349DFDB14DF9AC884ADEBBB5FF88310F24812AE918AB250D7759945CF90

                                Control-flow Graph

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 010033F1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2643357622.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1000000_Client-built.jbxd
                                Similarity
                                • API ID: Create
                                • API String ID: 2289755597-0

                                Control-flow Graph (graph rendering omitted): basic blocks 1001978-1003489, calls CreateActCtxA
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 010033F1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2643357622.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1000000_Client-built.jbxd
                                Similarity
                                • API ID: Create
                                • API String ID: 2289755597-0

                                Control-flow Graph (graph rendering omitted): basic blocks 63f4e20-63f4f3c, calls CallWindowProcW
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 063F4EE1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2645691952.00000000063F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_63f0000_Client-built.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • API String ID: 2714655100-0

                                Control-flow Graph (graph rendering omitted): basic blocks 100f928-100fd06, calls DeleteFileW
                                APIs
                                • DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,0100FC45), ref: 0100FCC8
                                Memory Dump Source
                                • Source File: 00000000.00000002.2643357622.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1000000_Client-built.jbxd
                                Similarity
                                • API ID: DeleteFile
                                • API String ID: 4033686569-0

                                Control-flow Graph (graph rendering omitted): basic blocks 100fc53-100fd06, calls DeleteFileW
                                APIs
                                • DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,0100FC45), ref: 0100FCC8
                                Memory Dump Source
                                • Source File: 00000000.00000002.2643357622.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1000000_Client-built.jbxd
                                Similarity
                                • API ID: DeleteFile
                                • API String ID: 4033686569-0

                                Control-flow Graph (graph rendering omitted): basic blocks 63f7338-63f73c8, calls OleInitialize
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 063F7395
                                Memory Dump Source
                                • Source File: 00000000.00000002.2645691952.00000000063F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_63f0000_Client-built.jbxd
                                Similarity
                                • API ID: Initialize
                                • API String ID: 2538663250-0

                                Control-flow Graph (graph rendering omitted): basic blocks 63f06f0-63f0780, calls GetModuleHandleW
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 063F0756
                                Memory Dump Source
                                • Source File: 00000000.00000002.2645691952.00000000063F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_63f0000_Client-built.jbxd
                                Similarity
                                • API ID: HandleModule
                                • API String ID: 4139908857-0

                                Control-flow Graph (graph rendering omitted): basic blocks 63f6430-63f73c8, calls OleInitialize
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 063F7395
                                Memory Dump Source
                                • Source File: 00000000.00000002.2645691952.00000000063F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_63f0000_Client-built.jbxd
                                Similarity
                                • API ID: Initialize
                                • API String ID: 2538663250-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2642985984.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dbd000_Client-built.jbxd
                                Memory Dump Source
                                • Source File: 00000000.00000002.2642985984.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_dbd000_Client-built.jbxd
                                Memory Dump Source
                                • Source File: 00000000.00000002.2645691952.00000000063F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_63f0000_Client-built.jbxd
                                Memory Dump Source
                                • Source File: 00000000.00000002.2645691952.00000000063F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_63f0000_Client-built.jbxd
                                Memory Dump Source
                                • Source File: 00000000.00000002.2643357622.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1000000_Client-built.jbxd