Windows Analysis Report
wUSt04rfJ0.exe

Overview

General Information

Sample name: wUSt04rfJ0.exe
renamed because original name is a hash value
Original sample name: 87b488fc8f9760bc9182c32ef76be93c.exe
Analysis ID: 1580465
MD5: 87b488fc8f9760bc9182c32ef76be93c
SHA1: 16c3c1c53963cfedb800515b70e27ca2b7dd79fd
SHA256: 457e291dc62946ab2dc1cb558ffca2e90e5ebbd4a27013c5a23930339aedb978
Tags: exeQuasarRATRATuser-abuse_ch
Infos:

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Quasar
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to detect virtual machines (STR)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Quasar RAT, QuasarRAT Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
 https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: wUSt04rfJ0.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\System32\SubDir\Client.exe Avira: detection malicious, Label: HEUR/AGEN.1307453
Found malware configuration
Source: wUSt04rfJ0.exe Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "43.138.147.74:4782;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "4b095ece-017a-46f8-874b-d1266394fa10", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "SLY8FRW0tXeaPgqaf9SkUic9Zx6b8Xd4mrxIID83zGoHDeZuQXEstPb4ajE1EfBc1lVoJEU/jZIYKi59Ye8ztLFs061H9IjQxRoVSzR4oyRaJe2eEsqBfPNFwnxag1zDsRHAmZZsnB51NPUCITo/13eD0VGdrc+2aecOf9BZP7nSew981KlAxDx9AqrfeeQkTZ/gJdS2dni757ZyiP0xZF6JCDEevNZXz4aOlG9PviI1vrCS1k7MMYxElvDjh/iOE3r1aRtCFPm10me5rn5bjfDJXVvPDHXVbRuRKdqowlMRaw9cAK0h8O8VKIewNipYRaSRYGnBivEn6yibbbLEQG+Rts0v5bFqIIgnqxPtJdeyteleLqwDCvyJlY4I06Nee/bZ2IbziMtLLP2CHVdjLL6FAttN1P0mZMLjQGfMsVu96/nzU3yyKG5q3i2I6pAP/c4qeJnaDaSCdXeF6qxXjXuDdUeMOCVD//SVYeNJrOlGoccGH+5wiiIQUjLYjN9yFjfMLCJoHqFrT2RPdeUeTwBvVeotIepljzX8GF8OU/w+LQeIXE3YGNCFno43T4lEXIl40EwxG8Z130RFVEI8vBv731FojXkxHeyZGKEZ3R0VAGUl8wuTqXP7noX1jYPqsflj8hexHd6zDYCY4zwbeAg2Tj3A5N6L5PUAFBev6Ns=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMjUUqH2Alkgj6YxbPxN7TANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIxNjAyMTAyOVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAi40xpvzEk985YOpDfNu2mnZQ0jDHJ2sbkOStKxkJatyEfD4vI7dxrEDFwSfqgMPcEun6IcClh1P8vTgy3nJ9LfDHFMFxEmQ8J1XHnHtIR4LoiDxZSTWz4iaJbRumwxNqcEmL0mB0AEbB6xoaahkK0nbOBAhiRLBjP0dGXVhB+Uu+kfe9ImwSaQzDYhJTJE4SiJXgrGUzBdkwZaBdwv2toUD3BEPbYFYUC3OK5p5csegN1ymJuAjDXVCPccTRJaoouMZ9OZdeaqUWVG/iQ8wB1e7dAyqJzexfGgIKQQ429JfCy4w3r3vJpwD2utNW7mOBwh2iaXHW57+OUK1ijJ/MrF1KXQ1gB0akBz2Xk6Sph/n7G2WxIPGgOwdPED+vl3RQRNfzN9RgfxzexML9lUYaOAp1Isx7ARkd8dR9sqc8CntTftY+za6R9b+clXlCfg88rWkUh67kMwOyLtJcfYuLkpqpFo8F7O3bukjnAkBXByhTwvk2TIMAoq5Rtu0FcjHsqdSzVRYscvwoF3eZ66LNIAUjubIHok3yd8kiHHGy7l4GzalRH4iv+czyhMxbPW5L55e53h3D/2eHtSM0fIYWoRJoWIswyM0L6RJ/WxG/0HfNsB62BelqUXHslXun9DrIZFKBQ5x3h/p4nLQ343VLSD39C8wXWpK3tilpUa2raWcCAwEAAaMyMDAwHQYDVR0OBBYEFIe//4uhDpaSAPnxGdItJGKuvOTIMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBACCSNPmM886pOW78ePc2anr27lE8o8fVY0kKOSl1wDwv4DcHW0C5aXMeNvw58hJ2OzBxuBZ/+a43gcQouMqUztub798n9Atrdnc1abCyYl50TvYlQqcJJEtoiazZKP7JZtyXFsk2GOVfD9nf9V5pyd3lSThj0SxA+yasczQSV3C0FkHarn9CaYOYvJOk2UOgiG6HsnQgPAToVGOrmsAK+P8x9yMCbCJHAZ/jGEyFEHS+ml7HiqYK678xwTIShqgQo6aIFJwga33zgLzXwwxySBDhOvblNkPLYxsRLAFBQ9iBW4bdDnmWyTuokzXyV4e15VpejO59hFNpNb4rF0a4ZCdNK7MTUnkIulziyFzQa/qOj8po0JUI0jmaiPXTEuxlrZ+9wZlxVqq21OqStmWC/GBBSCG/YyVrt6j4IulEjL2VMtV7vSo52MTGexI/EqtISLuKCl4AsLIpTyl+qt6lqE8C3LzfKZCpz0p1xB1UU9kv52WrHeeYoW/ZxSnHDeQfQ6/K+NyKMwgtPnQlKErU8rgh3wO4YpIfOl5UbCuBxvoUZdI4rWl/9a3PLzyyN6w4bBmLclwuk6wgezIT6R+A4pqCBWzJYud8Ftebk3ZtnlYKSyZGkeLoxGTlj+S/NYFG1630oPBORpJ0nOGDPVjBl7MVjh3TdlMx9khDFrgF9VnU"}
Multi AV Scanner detection for dropped file
Source: C:\Windows\System32\SubDir\Client.exe ReversingLabs: Detection: 76%
Multi AV Scanner detection for submitted file
Source: wUSt04rfJ0.exe ReversingLabs: Detection: 76%
Yara detected Quasar RAT
Source: Yara match File source: wUSt04rfJ0.exe, type: SAMPLE
Source: Yara match File source: 0.0.wUSt04rfJ0.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1664703539.0000000000D40000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683183819.000002358E630000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2912584091.0000000003040000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2912584091.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1700864870.0000002C9A079000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683288087.000002358E8A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683183819.000002358E638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683288087.000002358E8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1682021700.0000006DD9BC9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1701012331.0000014C2ACF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1700972758.0000014C2ACC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1701012331.0000014C2ACF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1700972758.0000014C2ACC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1718959014.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1695273404.000000001BBC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1664340206.0000000000A22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1692050770.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wUSt04rfJ0.exe PID: 6228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: schtasks.exe PID: 6328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 4208, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: schtasks.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Windows\System32\SubDir\Client.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: wUSt04rfJ0.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: wUSt04rfJ0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: wUSt04rfJ0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 43.138.147.74:4782 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 43.138.147.74:4782 -> 192.168.2.4:49730
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 43.138.147.74
Yara detected Generic Downloader
Source: Yara match File source: wUSt04rfJ0.exe, type: SAMPLE
Source: Yara match File source: 0.0.wUSt04rfJ0.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 43.138.147.74:4782
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 108.181.61.49 108.181.61.49
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LILLY-ASUS LILLY-ASUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: ipwho.is
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 43.138.147.74
Source: unknown TCP traffic detected without corresponding DNS query: 43.138.147.74
Source: unknown TCP traffic detected without corresponding DNS query: 43.138.147.74
Source: unknown TCP traffic detected without corresponding DNS query: 43.138.147.74
Source: unknown TCP traffic detected without corresponding DNS query: 43.138.147.74
Source: unknown TCP traffic detected without corresponding DNS query: 43.138.147.74
Source: unknown TCP traffic detected without corresponding DNS query: 43.138.147.74
Source: unknown TCP traffic detected without corresponding DNS query: 43.138.147.74
Source: unknown TCP traffic detected without corresponding DNS query: 43.138.147.74
Source: unknown TCP traffic detected without corresponding DNS query: 43.138.147.74
Source: unknown TCP traffic detected without corresponding DNS query: 43.138.147.74
Source: unknown TCP traffic detected without corresponding DNS query: 43.138.147.74
Source: unknown TCP traffic detected without corresponding DNS query: 43.138.147.74
Source: unknown TCP traffic detected without corresponding DNS query: 43.138.147.74
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ipwho.is
Source: Client.exe, 00000003.00000002.2918043161.000000001B622000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Client.exe, 00000003.00000002.2911724947.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.3.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Client.exe, 00000003.00000002.2912584091.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ipwho.is
Source: Client.exe, 00000003.00000002.2912584091.0000000003040000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: wUSt04rfJ0.exe, 00000000.00000002.1692050770.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000003.00000002.2912584091.0000000002C49000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wUSt04rfJ0.exe, Client.exe.0.dr String found in binary or memory: https://api.ipify.org/
Source: Client.exe, 00000003.00000002.2912584091.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipwho.is
Source: wUSt04rfJ0.exe, Client.exe.0.dr String found in binary or memory: https://ipwho.is/
Source: wUSt04rfJ0.exe, Client.exe.0.dr String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: wUSt04rfJ0.exe, Client.exe.0.dr String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: wUSt04rfJ0.exe, Client.exe.0.dr String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.4:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Windows\System32\SubDir\Client.exe Windows user hook set: 0 keyboard low level C:\Windows\system32\SubDir\Client.exe Jump to behavior

E-Banking Fraud
barindex
Yara detected Quasar RAT
Source: Yara match File source: wUSt04rfJ0.exe, type: SAMPLE
Source: Yara match File source: 0.0.wUSt04rfJ0.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1664703539.0000000000D40000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683183819.000002358E630000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2912584091.0000000003040000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2912584091.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1700864870.0000002C9A079000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683288087.000002358E8A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683183819.000002358E638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683288087.000002358E8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1682021700.0000006DD9BC9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1701012331.0000014C2ACF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1700972758.0000014C2ACC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1701012331.0000014C2ACF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1700972758.0000014C2ACC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1718959014.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1695273404.000000001BBC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1664340206.0000000000A22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1692050770.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wUSt04rfJ0.exe PID: 6228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: schtasks.exe PID: 6328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 4208, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: schtasks.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: wUSt04rfJ0.exe, type: SAMPLE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: wUSt04rfJ0.exe, type: SAMPLE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: wUSt04rfJ0.exe, type: SAMPLE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.wUSt04rfJ0.exe.a20000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.wUSt04rfJ0.exe.a20000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.wUSt04rfJ0.exe.a20000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED Matched rule: Detects Quasar infostealer Author: ditekshen
Creates files inside the system directory
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe File created: C:\Windows\system32\SubDir Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe File created: C:\Windows\system32\SubDir\Client.exe Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BA77C16 3_2_00007FFD9BA77C16
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BA7EB29 3_2_00007FFD9BA7EB29
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BA69271 3_2_00007FFD9BA69271
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BA7CAD5 3_2_00007FFD9BA7CAD5
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BA78A0F 3_2_00007FFD9BA78A0F
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BA6AFDD 3_2_00007FFD9BA6AFDD
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BA7B851 3_2_00007FFD9BA7B851
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BA69FD0 3_2_00007FFD9BA69FD0
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BA655D6 3_2_00007FFD9BA655D6
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BA6621F 3_2_00007FFD9BA6621F
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BB82321 3_2_00007FFD9BB82321
Sample file is different than original file name gathered from version info
Source: wUSt04rfJ0.exe, 00000000.00000000.1664703539.0000000000D40000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameClient.exe. vs wUSt04rfJ0.exe
Source: wUSt04rfJ0.exe, 00000000.00000002.1695273404.000000001BBC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClient.exe. vs wUSt04rfJ0.exe
Source: wUSt04rfJ0.exe Binary or memory string: OriginalFilenameClient.exe. vs wUSt04rfJ0.exe
Uses 32bit PE files
Source: wUSt04rfJ0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: wUSt04rfJ0.exe, type: SAMPLE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: wUSt04rfJ0.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: wUSt04rfJ0.exe, type: SAMPLE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.wUSt04rfJ0.exe.a20000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.wUSt04rfJ0.exe.a20000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.wUSt04rfJ0.exe.a20000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/5@1/2
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wUSt04rfJ0.exe.log Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Mutant created: NULL
Source: C:\Windows\System32\SubDir\Client.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\4b095ece-017a-46f8-874b-d1266394fa10
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3912:120:WilError_03
Source: wUSt04rfJ0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wUSt04rfJ0.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Windows\System32\SubDir\Client.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: wUSt04rfJ0.exe ReversingLabs: Detection: 76%
Source: wUSt04rfJ0.exe String found in binary or memory: HasSubValue3Conflicting item/add type
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe File read: C:\Users\user\Desktop\wUSt04rfJ0.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\wUSt04rfJ0.exe "C:\Users\user\Desktop\wUSt04rfJ0.exe"
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process created: C:\Windows\System32\SubDir\Client.exe "C:\Windows\system32\SubDir\Client.exe"
Source: unknown Process created: C:\Windows\System32\SubDir\Client.exe C:\Windows\system32\SubDir\Client.exe
Source: C:\Windows\System32\SubDir\Client.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process created: C:\Windows\System32\SubDir\Client.exe "C:\Windows\system32\SubDir\Client.exe" Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: wUSt04rfJ0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: wUSt04rfJ0.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: wUSt04rfJ0.exe Static file information: File size 3266048 > 1048576
Source: wUSt04rfJ0.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c600
Source: wUSt04rfJ0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Code function: 0_2_00007FFD9B7C00AD pushad ; iretd 0_2_00007FFD9B7C00C1
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9B6DEECF push ebx; ret 3_2_00007FFD9B6DEEDA
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9B6DEF45 push ebx; ret 3_2_00007FFD9B6DEF46
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9B6DD2A5 pushad ; iretd 3_2_00007FFD9B6DD2A6
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9B7F2BE5 pushad ; iretd 3_2_00007FFD9B7F2C3D
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9B7F2BB0 pushad ; iretd 3_2_00007FFD9B7F2C3D
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9B7F00AD pushad ; iretd 3_2_00007FFD9B7F00C1
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BA6336E push eax; ret 3_2_00007FFD9BA6340C
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9BB82321 push edx; retf 5F1Eh 3_2_00007FFD9BB85A3B
Source: C:\Windows\System32\SubDir\Client.exe Code function: 4_2_00007FFD9B7F00AD pushad ; iretd 4_2_00007FFD9B7F00C1

Persistence and Installation Behavior
barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Executable created and started: C:\Windows\system32\SubDir\Client.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe File created: C:\Windows\System32\SubDir\Client.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe File created: C:\Windows\System32\SubDir\Client.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe File opened: C:\Users\user\Desktop\wUSt04rfJ0.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe File opened: C:\Windows\system32\SubDir\Client.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe File opened: C:\Windows\system32\SubDir\Client.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Memory allocated: 1580000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Memory allocated: 1B060000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Memory allocated: 10E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Memory allocated: 1AC10000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Memory allocated: D10000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Memory allocated: 1A7B0000 memory reserve | memory write watch Jump to behavior
Contains functionality to detect virtual machines (STR)
Source: C:\Windows\System32\SubDir\Client.exe Code function: 3_2_00007FFD9B7FF1F2 str ax 3_2_00007FFD9B7FF1F2
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\SubDir\Client.exe Window / User API: threadDelayed 2028 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Window / User API: threadDelayed 7759 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe TID: 6392 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe TID: 6956 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe TID: 6956 Thread sleep time: -30437127721620741s >= -30000s Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe TID: 4348 Thread sleep count: 2028 > 30 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe TID: 4348 Thread sleep count: 7759 > 30 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe TID: 3732 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe TID: 1448 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\SubDir\Client.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\SubDir\Client.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\SubDir\Client.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Client.exe, 00000003.00000002.2918978789.000000001B964000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000003.00000002.2918043161.000000001B622000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000003.00000002.2918978789.000000001B9FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Enables debug privileges
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Process created: C:\Windows\System32\SubDir\Client.exe "C:\Windows\system32\SubDir\Client.exe" Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Queries volume information: C:\Users\user\Desktop\wUSt04rfJ0.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Queries volume information: C:\Windows\System32\SubDir\Client.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\SubDir\Client.exe Queries volume information: C:\Windows\System32\SubDir\Client.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\wUSt04rfJ0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Quasar RAT
Source: Yara match File source: wUSt04rfJ0.exe, type: SAMPLE
Source: Yara match File source: 0.0.wUSt04rfJ0.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1664703539.0000000000D40000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683183819.000002358E630000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2912584091.0000000003040000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2912584091.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1700864870.0000002C9A079000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683288087.000002358E8A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683183819.000002358E638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683288087.000002358E8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1682021700.0000006DD9BC9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1701012331.0000014C2ACF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1700972758.0000014C2ACC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1701012331.0000014C2ACF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1700972758.0000014C2ACC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1718959014.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1695273404.000000001BBC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1664340206.0000000000A22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1692050770.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wUSt04rfJ0.exe PID: 6228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: schtasks.exe PID: 6328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 4208, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: schtasks.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected Quasar RAT
Source: Yara match File source: wUSt04rfJ0.exe, type: SAMPLE
Source: Yara match File source: 0.0.wUSt04rfJ0.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1664703539.0000000000D40000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683183819.000002358E630000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2912584091.0000000003040000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2912584091.0000000002C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1700864870.0000002C9A079000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683288087.000002358E8A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683183819.000002358E638000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1683288087.000002358E8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1682021700.0000006DD9BC9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1701012331.0000014C2ACF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1700972758.0000014C2ACC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1701012331.0000014C2ACF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1700972758.0000014C2ACC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1718959014.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1695273404.000000001BBC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1664340206.0000000000A22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1692050770.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wUSt04rfJ0.exe PID: 6228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: schtasks.exe PID: 6328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 4208, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: schtasks.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: C:\Windows\System32\SubDir\Client.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1580465 Sample: wUSt04rfJ0.exe Startdate: 24/12/2024 Architecture: WINDOWS Score: 100 31 ipwho.is 2->31 33 edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 2->33 35 default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 2->35 49 Suricata IDS alerts for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 8 other signatures 2->55 9 wUSt04rfJ0.exe 5 2->9         started        13 Client.exe 3 2->13         started        signatures3 process4 file5 27 C:\Windows\System32\SubDir\Client.exe, PE32 9->27 dropped 29 C:\Users\user\AppData\...\wUSt04rfJ0.exe.log, CSV 9->29 dropped 57 Drops executables to the windows directory (C:\Windows) and starts them 9->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 9->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->61 15 Client.exe 14 2 9->15         started        19 schtasks.exe 1 9->19         started        signatures6 process7 dnsIp8 37 43.138.147.74, 4782, 49730 LILLY-ASUS Japan 15->37 39 ipwho.is 108.181.61.49, 443, 49732 ASN852CA Canada 15->39 41 Antivirus detection for dropped file 15->41 43 Multi AV Scanner detection for dropped file 15->43 45 Machine Learning detection for dropped file 15->45 47 2 other signatures 15->47 21 schtasks.exe 1 15->21         started        23 conhost.exe 19->23         started        signatures9 process10 process11 25 conhost.exe 21->25         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
43.138.147.74
 unknown Japan 4249 LILLY-ASUS true
108.181.61.49
 ipwho.is Canada
852 ASN852CA false

Contacted Domains

Name IP Active
ipwho.is 108.181.61.49 true
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 217.20.58.101 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
43.138.147.74 true
  • Avira URL Cloud: safe
 unknown
https://ipwho.is/ false
    		high