Edit tour

Windows Analysis Report
qSD738Weui.exe

Overview

General Information

Sample name:	qSD738Weui.exe renamed because original name is a hash value
Original sample name:	3de40ead93a0a5496ece6e2654e98a6bcc8726ed49140fa1617e7826c2677d2c.exe
Analysis ID:	1582625
MD5:	30318dd92dbd04bb0f1db21a3338fbae
SHA1:	91020c6dd24df7f12474b3beef76c856f1bc7da0
SHA256:	3de40ead93a0a5496ece6e2654e98a6bcc8726ed49140fa1617e7826c2677d2c
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for sample

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

qSD738Weui.exe (PID: 7484 cmdline: "C:\Users\user\Desktop\qSD738Weui.exe" MD5: 30318DD92DBD04BB0F1DB21A3338FBAE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "69.197.148.207:443;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "9cc5b719-be0e-4bb6-89bb-6071f352b863", "StartupKey": "Quasar Client Startup", "Tag": "System", "LogDirectoryName": "Logs", "ServerSignature": "DbKoQt3Pwc03RESaBll0neltiPGHDch86wvoI358+MZseq8jmWRhd1sGthJ15DxKpxd/vMkhWkVlBhmf6K7l4NJfeNcysip85E7dwiEWXL1SVoN6lQJ1U3pnKjeMjf7HpeoyRaocDrKRV0xPf50h2+IH35epJ6x9W+POdbqNrb/Avnzq9EEygkUAmORZGJohzQwwczAC0hQlZ6Y9eS9i684HNd5YvyIhEbcoEZp+YPSLRNGKjLAKw7IkTHBKNbcwGdNmpA6F+qovnXcLH4JcXB5BXAIPzqPEX68DcNxjy/7363eHZzpwnzFYaQmK4D1I52BQb51FzZTEGRYWc40oNzaYIbl5z+7yK8t8TKmjxHvhDCspg6Pw2J6Xlef2xro2ZCGOtppes5L96aipIM2NgxAZzjcJu2H/NZpvsTQUgPPJOpak62LhSU6zA+1gQlE33JJYjMO7+32kGiqsiLyT0GuCd85qhD4/87kb77hHB8cAhqB9NrRgBdag6UPjk/GBIg4v9QbgULqk+s8hs9klpw5vnbgqbMN8slAwBXvZomwrbhp6Wa+p4wccZpNaGxtcF9IK75UxlUlrhGXQ7v8JkMgPeuQG+ant8K8DGC4uwDowYf0p1pbhYWjTsNLH1L8k0Oaxp+6ofkmO45gSoAaHWpcesg1O1TvjUDvEXrHZYGM=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAIMxaYufX1zr2LRfPEahoTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDQxNjA4NDA0M1oYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv8hJw38orl6Mg4+jJHbOeV7bQVEH5W7QduOWZ7Ht41OTR/mqEmGdrRkkQP7Ll2D/dx5DbXEDqZDHWhV/aG5H1MpFDkMolKY8Yy+IP56z+qy0V44k2jO26FszWB68PWY0wfEzWTWvkG93bykCuy5jcad8pPF2xPozt2EuNgDkiRtMe1AqukRkpnQl9sSVPPwjomyDDf10cbHO1oEJoeQUm3C8bC9o8jEq5JurmfiKP4GoATW6Kb2sGyPYfoE9N1nVERq7FlRPmfPVH0L3Lhk+85jnEPPBscqQgdc7sL2sTpB7j4osn613lgVLKeAiPrKAlheEbRuhsCiuCJsGlnYcxPkCyUhRz8ImsDqyHBtn7VpWeQw6gjMcCC9qTcoWYzDcNe/rtkzml4u6fev5OQAFJDkdWRmEXEVjCx/BiXieGzP+A1eYsnFxPU9mJpSvfVSYZTcYk6rB8/OAyJyHRJC97CdJkX8wgFQx5ca8mcUxfBUHjAgo75H+k9rxd16Lysb/4C32L6GtsSVI5ykKFqyHhehuDrBbx2qbVOHqPMUlqATxuQXcMEdSgfGeFbGxhDw2pIuZNJCb+npe4CZwMMSMKQ/cI2YVYPDfjjpxF95lWtQ2CYfAZBjinANwyx6f8Rho6UnRscql72ZJa2Ax+FcDv4Tr/Dd6RGsqdcuKT9hZhvMCAwEAAaMyMDAwHQYDVR0OBBYEFAlQjt6dV/AFfTt+rYbIdB8TvslgMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBABHwxChWEIQ3qA2wWLvuOV6lad+MBXblD82pXCJ29raUuzgb2vgQxv0pwjNUvcY4TSsQzsrxhAAT5EVj5jpPUusjSDPDLCGoTcIbKul8nlwZx6AqEe7hkHowi5hLtSFHGgvUIRfVndvLkJOkGYmrBve/ld5oqY+CuPkX39CkNTHAsQGCKuQ3+SFI2tjtI/adHTW/oXDz4/lfMR1Z/QrB/ZnMWaew+JWNh3QpyltZQqcIV+w0HQdQG4/MXuLzqm3FaE5piD8Ac3Vws5aoizifyBpGp48xHOkCGhVwEChKPDJYfL89WbV6CWx4OQRmEK8VOOvCbkLSelQEsZCoICGZz/aQCkuuuekHg3SoGT91o5KyNd6vAR1LbX7p/1B31tLNy5iAEeX5MjKtOhHcWRL69MO0r+neak+u4JXzZG2Ba72bYTU8pdnEPLSuwEXYQrKp+TCD1iqjXW6BPLIdd3Qvhpm10CaWCu/Zwyh7C3shYdwIyveSI4GcqcaDy1Pa/jIf1dtD5O0RwsA5x7pV0REw5XDw+UhW3QRr/N4QPdi65HAxJfRiwwS4ERAz07YqJV9rYb7fGc+mLRGOf8FS4G9r9cu8mukTnRZ0Nzld+y3Vs13oGRXF1pLYH8teGZeCMswBMc/nBZoJb6HRMGN/aW6kTHh/lQpfn8DcaxQaMgBVuT+k"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
qSD738Weui.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
qSD738Weui.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
qSD738Weui.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4d:$x1: Quasar.Common.Messages 0x29f276:$x1: Quasar.Common.Messages 0x2ab7ee:$x4: Uninstalling... good bye :-( 0x2acfe3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
qSD738Weui.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aada0:$f1: FileZilla\recentservers.xml 0x2aade0:$f2: FileZilla\sitemanager.xml 0x2aae22:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab06e:$b1: Chrome\User Data\ 0x2ab0c4:$b1: Chrome\User Data\ 0x2ab39c:$b2: Mozilla\Firefox\Profiles 0x2ab498:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd41c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab5f0:$b4: Opera Software\Opera Stable\Login Data 0x2ab6aa:$b5: YandexBrowser\User Data\ 0x2ab718:$b5: YandexBrowser\User Data\ 0x2ab3ec:$s4: logins.json 0x2ab122:$a1: username_value 0x2ab140:$a2: password_value 0x2ab42c:$a3: encryptedUsername 0x2fd360:$a3: encryptedUsername 0x2ab450:$a4: encryptedPassword 0x2fd37e:$a4: encryptedPassword 0x2fd2fc:$a5: httpRealm
qSD738Weui.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8d8:$s3: Process already elevated. 0x28ec4c:$s4: get_PotentiallyVulnerablePasswords 0x278d08:$s5: GetKeyloggerLogsDirectory 0x29e9d5:$s5: GetKeyloggerLogsDirectory 0x28ec6f:$s6: set_PotentiallyVulnerablePasswords 0x2fea4a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1678697636.0000000000570000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.4147955993.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.1678400692.0000000000252000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: qSD738Weui.exe PID: 7484	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.qSD738Weui.exe.250000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.qSD738Weui.exe.250000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.qSD738Weui.exe.250000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4d:$x1: Quasar.Common.Messages 0x29f276:$x1: Quasar.Common.Messages 0x2ab7ee:$x4: Uninstalling... good bye :-( 0x2acfe3:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.qSD738Weui.exe.250000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aada0:$f1: FileZilla\recentservers.xml 0x2aade0:$f2: FileZilla\sitemanager.xml 0x2aae22:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab06e:$b1: Chrome\User Data\ 0x2ab0c4:$b1: Chrome\User Data\ 0x2ab39c:$b2: Mozilla\Firefox\Profiles 0x2ab498:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd41c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab5f0:$b4: Opera Software\Opera Stable\Login Data 0x2ab6aa:$b5: YandexBrowser\User Data\ 0x2ab718:$b5: YandexBrowser\User Data\ 0x2ab3ec:$s4: logins.json 0x2ab122:$a1: username_value 0x2ab140:$a2: password_value 0x2ab42c:$a3: encryptedUsername 0x2fd360:$a3: encryptedUsername 0x2ab450:$a4: encryptedPassword 0x2fd37e:$a4: encryptedPassword 0x2fd2fc:$a5: httpRealm
0.0.qSD738Weui.exe.250000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab8d8:$s3: Process already elevated. 0x28ec4c:$s4: get_PotentiallyVulnerablePasswords 0x278d08:$s5: GetKeyloggerLogsDirectory 0x29e9d5:$s5: GetKeyloggerLogsDirectory 0x28ec6f:$s6: set_PotentiallyVulnerablePasswords 0x2fea4a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: qSD738Weui.exe

Avira: detected

Found malware configuration

Source: qSD738Weui.exe

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "69.197.148.207:443;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "9cc5b719-be0e-4bb6-89bb-6071f352b863", "StartupKey": "Quasar Client Startup", "Tag": "System", "LogDirectoryName": "Logs", "ServerSignature": "DbKoQt3Pwc03RESaBll0neltiPGHDch86wvoI358+MZseq8jmWRhd1sGthJ15DxKpxd/vMkhWkVlBhmf6K7l4NJfeNcysip85E7dwiEWXL1SVoN6lQJ1U3pnKjeMjf7HpeoyRaocDrKRV0xPf50h2+IH35epJ6x9W+POdbqNrb/Avnzq9EEygkUAmORZGJohzQwwczAC0hQlZ6Y9eS9i684HNd5YvyIhEbcoEZp+YPSLRNGKjLAKw7IkTHBKNbcwGdNmpA6F+qovnXcLH4JcXB5BXAIPzqPEX68DcNxjy/7363eHZzpwnzFYaQmK4D1I52BQb51FzZTEGRYWc40oNzaYIbl5z+7yK8t8TKmjxHvhDCspg6Pw2J6Xlef2xro2ZCGOtppes5L96aipIM2NgxAZzjcJu2H/NZpvsTQUgPPJOpak62LhSU6zA+1gQlE33JJYjMO7+32kGiqsiLyT0GuCd85qhD4/87kb77hHB8cAhqB9NrRgBdag6UPjk/GBIg4v9QbgULqk+s8hs9klpw5vnbgqbMN8slAwBXvZomwrbhp6Wa+p4wccZpNaGxtcF9IK75UxlUlrhGXQ7v8JkMgPeuQG+ant8K8DGC4uwDowYf0p1pbhYWjTsNLH1L8k0Oaxp+6ofkmO45gSoAaHWpcesg1O1TvjUDvEXrHZYGM=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAIMxaYufX1zr2LRfPEahoTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDQxNjA4NDA0M1oYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv8hJw38orl6Mg4+jJHbOeV7bQVEH5W7QduOWZ7Ht41OTR/mqEmGdrRkkQP7Ll2D/dx5DbXEDqZDHWhV/aG5H1MpFDkMolKY8Yy+IP56z+qy0V44k2jO26FszWB68PWY0wfEzWTWvkG93bykCuy5jcad8pPF2xPozt2EuNgDkiRtMe1AqukRkpnQl9sSVPPwjomyDDf10cbHO1oEJoeQUm3C8bC9o8jEq5JurmfiKP4GoATW6Kb2sGyPYfoE9N1nVERq7FlRPmfPVH0L3Lhk+85jnEPPBscqQgdc7sL2sTpB7j4osn613lgVLKeAiPrKAlheEbRuhsCiuCJsGlnYcxPkCyUhRz8ImsDqyHBtn7VpWeQw6gjMcCC9qTcoWYzDcNe/rtkzml4u6fev5OQAFJDkdWRmEXEVjCx/BiXieGzP+A1eYsnFxPU9mJpSvfVSYZTcYk6rB8/OAyJyHRJC97CdJkX8wgFQx5ca8mcUxfBUHjAgo75H+k9rxd16Lysb/4C32L6GtsSVI5ykKFqyHhehuDrBbx2qbVOHqPMUlqATxuQXcMEdSgfGeFbGxhDw2pIuZNJCb+npe4CZwMMSMKQ/cI2YVYPDfjjpxF95lWtQ2CYfAZBjinANwyx6f8Rho6UnRscql72ZJa2Ax+FcDv4Tr/Dd6RGsqdcuKT9hZhvMCAwEAAaMyMDAwHQYDVR0OBBYEFAlQjt6dV/AFfTt+rYbIdB8TvslgMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBABHwxChWEIQ3qA2wWLvuOV6lad+MBXblD82pXCJ29raUuzgb2vgQxv0pwjNUvcY4TSsQzsrxhAAT5EVj5jpPUusjSDPDLCGoTcIbKul8nlwZx6AqEe7hkHowi5hLtSFHGgvUIRfVndvLkJOkGYmrBve/ld5oqY+CuPkX39CkNTHAsQGCKuQ3+SFI2tjtI/adHTW/oXDz4/lfMR1Z/QrB/ZnMWaew+JWNh3QpyltZQqcIV+w0HQdQG4/MXuLzqm3FaE5piD8Ac3Vws5aoizifyBpGp48xHOkCGhVwEChKPDJYfL89WbV6CWx4OQRmEK8VOOvCbkLSelQEsZCoICGZz/aQCkuuuekHg3SoGT91o5KyNd6vAR1LbX7p/1B31tLNy5iAEeX5MjKtOhHcWRL69MO0r+neak+u4JXzZG2Ba72bYTU8pdnEPLSuwEXYQrKp+TCD1iqjXW6BPLIdd3Qvhpm10CaWCu/Zwyh7C3shYdwIyveSI4GcqcaDy1Pa/jIf1dtD5O0RwsA5x7pV0REw5XDw+UhW3QRr/N4QPdi65HAxJfRiwwS4ERAz07YqJV9rYb7fGc+mLRGOf8FS4G9r9cu8mukTnRZ0Nzld+y3Vs13oGRXF1pLYH8teGZeCMswBMc/nBZoJb6HRMGN/aW6kTHh/lQpfn8DcaxQaMgBVuT+k"}

Multi AV Scanner detection for submitted file

Source: qSD738Weui.exe	ReversingLabs: Detection: 73%
Source: qSD738Weui.exe	Virustotal: Detection: 73%			Perma Link

Yara detected Quasar RAT

Source: Yara match	File source: qSD738Weui.exe, type: SAMPLE
Source: Yara match	File source: 0.0.qSD738Weui.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1678697636.0000000000570000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4147955993.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1678400692.0000000000252000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qSD738Weui.exe PID: 7484, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: qSD738Weui.exe

Joe Sandbox ML: detected

Source: qSD738Weui.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: qSD738Weui.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 69.197.148.207

Yara detected Generic Downloader

Source: Yara match	File source: qSD738Weui.exe, type: SAMPLE
Source: Yara match	File source: 0.0.qSD738Weui.exe.250000.0.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

ASN Name: WIIUS WIIUS

Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207
Source: unknown	TCP traffic detected without corresponding DNS query: 69.197.148.207

Source: qSD738Weui.exe, 00000000.00000002.4147955993.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: qSD738Weui.exe	String found in binary or memory: https://api.ipify.org/
Source: qSD738Weui.exe	String found in binary or memory: https://ipwho.is/
Source: qSD738Weui.exe	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: qSD738Weui.exe	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: qSD738Weui.exe	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\qSD738Weui.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\qSD738Weui.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: qSD738Weui.exe, type: SAMPLE
Source: Yara match	File source: 0.0.qSD738Weui.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1678697636.0000000000570000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4147955993.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1678400692.0000000000252000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qSD738Weui.exe PID: 7484, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: qSD738Weui.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: qSD738Weui.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: qSD738Weui.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.qSD738Weui.exe.250000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.qSD738Weui.exe.250000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.qSD738Weui.exe.250000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\qSD738Weui.exe	Code function: 0_2_00007FFD9BA6AFDD	0_2_00007FFD9BA6AFDD
Source: C:\Users\user\Desktop\qSD738Weui.exe	Code function: 0_2_00007FFD9BA69BD1	0_2_00007FFD9BA69BD1
Source: C:\Users\user\Desktop\qSD738Weui.exe	Code function: 0_2_00007FFD9BA655D6	0_2_00007FFD9BA655D6
Source: C:\Users\user\Desktop\qSD738Weui.exe	Code function: 0_2_00007FFD9BA69271	0_2_00007FFD9BA69271
Source: C:\Users\user\Desktop\qSD738Weui.exe	Code function: 0_2_00007FFD9BA6621F	0_2_00007FFD9BA6621F

Source: qSD738Weui.exe, 00000000.00000000.1678697636.0000000000570000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs qSD738Weui.exe
Source: qSD738Weui.exe	Binary or memory string: OriginalFilenameClient.exe. vs qSD738Weui.exe

Source: qSD738Weui.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: qSD738Weui.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: qSD738Weui.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: qSD738Weui.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.qSD738Weui.exe.250000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.qSD738Weui.exe.250000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.qSD738Weui.exe.250000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\qSD738Weui.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\qSD738Weui.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\9cc5b719-be0e-4bb6-89bb-6071f352b863

Source: qSD738Weui.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: qSD738Weui.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\qSD738Weui.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\qSD738Weui.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: qSD738Weui.exe	ReversingLabs: Detection: 73%
Source: qSD738Weui.exe	Virustotal: Detection: 73%

Source: qSD738Weui.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Section loaded: schannel.dll	Jump to behavior

Source: C:\Users\user\Desktop\qSD738Weui.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: qSD738Weui.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: qSD738Weui.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: qSD738Weui.exe

Static file information: File size 3265536 > 1048576

Source: qSD738Weui.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400

Source: qSD738Weui.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\qSD738Weui.exe	Code function: 0_2_00007FFD9B7FD7D3 push eax; iretd	0_2_00007FFD9B7FD7D9
Source: C:\Users\user\Desktop\qSD738Weui.exe	Code function: 0_2_00007FFD9B7F7563 push ebx; iretd	0_2_00007FFD9B7F756A
Source: C:\Users\user\Desktop\qSD738Weui.exe	Code function: 0_2_00007FFD9B7F7963 push ebx; retf	0_2_00007FFD9B7F796A
Source: C:\Users\user\Desktop\qSD738Weui.exe	Code function: 0_2_00007FFD9BA6336E push eax; ret	0_2_00007FFD9BA6340C

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\qSD738Weui.exe

File opened: C:\Users\user\Desktop\qSD738Weui.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\qSD738Weui.exe	Memory allocated: DB0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Memory allocated: 1A6E0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\qSD738Weui.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\qSD738Weui.exe	Window / User API: threadDelayed 8286			Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Window / User API: threadDelayed 1567			Jump to behavior

Source: C:\Users\user\Desktop\qSD738Weui.exe TID: 7572

Thread sleep time: -23980767295822402s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\qSD738Weui.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: qSD738Weui.exe, 00000000.00000002.4150186261.000000001B3FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
Source: qSD738Weui.exe, 00000000.00000002.4150186261.000000001B3FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\qSD738Weui.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\qSD738Weui.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\qSD738Weui.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\qSD738Weui.exe	Queries volume information: C:\Users\user\Desktop\qSD738Weui.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qSD738Weui.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\qSD738Weui.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: qSD738Weui.exe, type: SAMPLE
Source: Yara match	File source: 0.0.qSD738Weui.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1678697636.0000000000570000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4147955993.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1678400692.0000000000252000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qSD738Weui.exe PID: 7484, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: qSD738Weui.exe, type: SAMPLE
Source: Yara match	File source: 0.0.qSD738Weui.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1678697636.0000000000570000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4147955993.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1678400692.0000000000252000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qSD738Weui.exe PID: 7484, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	11 Input Capture	11 Security Software Discovery	Remote Services	11 Input Capture	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	132 Virtualization/Sandbox Evasion	LSASS Memory	132 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	11 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
qSD738Weui.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
qSD738Weui.exe	74%	Virustotal		Browse
qSD738Weui.exe	100%	Avira	HEUR/AGEN.1307453
qSD738Weui.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
69.197.148.207	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
69.197.148.207	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	qSD738Weui.exe	false	high
https://stackoverflow.com/q/14436606/23354	qSD738Weui.exe	false	high
https://stackoverflow.com/q/2152978/23354sCannot	qSD738Weui.exe	false	high
https://ipwho.is/	qSD738Weui.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	qSD738Weui.exe, 00000000.00000002.4147955993.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	qSD738Weui.exe	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
69.197.148.207	unknown	United States		32097	WIIUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582625
Start date and time:	2024-12-31 06:12:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	qSD738Weui.exe renamed because original name is a hash value
Original Sample Name:	3de40ead93a0a5496ece6e2654e98a6bcc8726ed49140fa1617e7826c2677d2c.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 8 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:13:01	API Interceptor	12373038x Sleep call for process: qSD738Weui.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WIIUS	https://aiihsr.com/FloridaCU	Get hash	malicious	Unknown	Browse	173.208.207.172
	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	173.208.249.155
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	173.208.191.42
	mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	69.197.135.107
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	69.197.241.147
	nabppc.elf	Get hash	malicious	Unknown	Browse	173.208.211.170
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	173.208.128.129
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	204.12.226.228
	m68k.elf	Get hash	malicious	Mirai	Browse	173.208.146.198
	http://pub-21beea42d44e4f0e83b5336b9ac3900a.r2.dev/woosf.html	Get hash	malicious	Unknown	Browse	173.208.194.98

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.082925278010668
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	qSD738Weui.exe
File size:	3'265'536 bytes
MD5:	30318dd92dbd04bb0f1db21a3338fbae
SHA1:	91020c6dd24df7f12474b3beef76c856f1bc7da0
SHA256:	3de40ead93a0a5496ece6e2654e98a6bcc8726ed49140fa1617e7826c2677d2c
SHA512:	bd1a89712e110406d667f413d640ed93ace4718829c2283eff142c2b613e8924b15359da5c3b88ab04a1709e4804ed0a41f9b2be78d048f8ea3b605c78644b7f
SSDEEP:	49152:evfI22SsaNYfdPBldt698dBcjHQz7zXWoGd8THHB72eh2NT:evw22SsaNYfdPBldt6+dBcjHQz7zm
TLSH:	3EE56B0437F85E72E16BD7B3E5B0501263F1F82AF363EB0B5181A77A5C93B5488426A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x71e3de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31e384	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x320000	0xa93	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x322000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31c3e4	0x31c400	9df2c9c12a04a9722ff0df4f2d7e805e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x320000	0xa93	0xc00	cdeae95ac72e9e58017d2bcc89d2fbea	False	0.36328125	data	4.653972105845318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x322000	0xc	0x200	576e09f300aa2216eb4d32ea1fecea5f	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3200a0	0x31c	data			0.4484924623115578
RT_MANIFEST	0x3203bc	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text			0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 06:13:01.241765976 CET	49730	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:13:01.241833925 CET	443	49730	69.197.148.207	192.168.2.4
Dec 31, 2024 06:13:01.241911888 CET	49730	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:13:01.251348972 CET	49730	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:13:01.251368046 CET	443	49730	69.197.148.207	192.168.2.4
Dec 31, 2024 06:13:26.259110928 CET	49730	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:13:26.259133101 CET	443	49730	69.197.148.207	192.168.2.4
Dec 31, 2024 06:13:43.994745016 CET	443	49730	69.197.148.207	192.168.2.4
Dec 31, 2024 06:13:43.994829893 CET	49730	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:13:44.012280941 CET	49730	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:13:44.012298107 CET	443	49730	69.197.148.207	192.168.2.4
Dec 31, 2024 06:13:47.275228024 CET	49737	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:13:47.275247097 CET	443	49737	69.197.148.207	192.168.2.4
Dec 31, 2024 06:13:47.275332928 CET	49737	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:13:47.275636911 CET	49737	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:13:47.275650024 CET	443	49737	69.197.148.207	192.168.2.4
Dec 31, 2024 06:14:12.290421009 CET	49737	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:14:12.290429115 CET	443	49737	69.197.148.207	192.168.2.4
Dec 31, 2024 06:14:29.995861053 CET	443	49737	69.197.148.207	192.168.2.4
Dec 31, 2024 06:14:29.996027946 CET	49737	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:14:29.996332884 CET	49737	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:14:29.996340036 CET	443	49737	69.197.148.207	192.168.2.4
Dec 31, 2024 06:14:33.681525946 CET	49979	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:14:33.681546926 CET	443	49979	69.197.148.207	192.168.2.4
Dec 31, 2024 06:14:33.681677103 CET	49979	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:14:33.681915045 CET	49979	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:14:33.681930065 CET	443	49979	69.197.148.207	192.168.2.4
Dec 31, 2024 06:14:58.696739912 CET	49979	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:14:58.696754932 CET	443	49979	69.197.148.207	192.168.2.4
Dec 31, 2024 06:15:16.455358028 CET	443	49979	69.197.148.207	192.168.2.4
Dec 31, 2024 06:15:16.459243059 CET	49979	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:15:16.462019920 CET	49979	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:15:16.462038040 CET	443	49979	69.197.148.207	192.168.2.4
Dec 31, 2024 06:15:20.025357962 CET	50006	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:15:20.025434971 CET	443	50006	69.197.148.207	192.168.2.4
Dec 31, 2024 06:15:20.025513887 CET	50006	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:15:20.025841951 CET	50006	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:15:20.025865078 CET	443	50006	69.197.148.207	192.168.2.4
Dec 31, 2024 06:15:45.042125940 CET	50006	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:15:45.042159081 CET	443	50006	69.197.148.207	192.168.2.4
Dec 31, 2024 06:16:02.780563116 CET	443	50006	69.197.148.207	192.168.2.4
Dec 31, 2024 06:16:02.782584906 CET	50006	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:16:02.788216114 CET	50006	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:16:02.788234949 CET	443	50006	69.197.148.207	192.168.2.4
Dec 31, 2024 06:16:06.400703907 CET	50007	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:16:06.400744915 CET	443	50007	69.197.148.207	192.168.2.4
Dec 31, 2024 06:16:06.404340982 CET	50007	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:16:06.408252954 CET	50007	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:16:06.408265114 CET	443	50007	69.197.148.207	192.168.2.4
Dec 31, 2024 06:16:31.418745995 CET	50007	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:16:31.418768883 CET	443	50007	69.197.148.207	192.168.2.4
Dec 31, 2024 06:16:49.180989981 CET	443	50007	69.197.148.207	192.168.2.4
Dec 31, 2024 06:16:49.186836958 CET	50007	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:16:49.192817926 CET	50007	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:16:49.192832947 CET	443	50007	69.197.148.207	192.168.2.4
Dec 31, 2024 06:16:52.932457924 CET	50008	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:16:52.932492018 CET	443	50008	69.197.148.207	192.168.2.4
Dec 31, 2024 06:16:52.932641029 CET	50008	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:16:52.932853937 CET	50008	443	192.168.2.4	69.197.148.207
Dec 31, 2024 06:16:52.932866096 CET	443	50008	69.197.148.207	192.168.2.4

Target ID:	0
Start time:	00:12:57
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\qSD738Weui.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\qSD738Weui.exe"
Imagebase:	0x250000
File size:	3'265'536 bytes
MD5 hash:	30318DD92DBD04BB0F1DB21A3338FBAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1678697636.0000000000570000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.4147955993.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1678400692.0000000000252000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9BA655D6 Relevance: 2.1, Instructions: 2125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152255297.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_qSD738Weui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95df8fd9320eec1ef2518be48dc921aea677fc564e79c422675b54ed7628ad65
Instruction ID: 15c6fe122a08896b5ac8272c34bd32f5e33104efaf84b1724d0a4d78512a7691
Opcode Fuzzy Hash: 95df8fd9320eec1ef2518be48dc921aea677fc564e79c422675b54ed7628ad65
Instruction Fuzzy Hash: 2FF2A270A19A0D8FDFA8DF58C8A4BA977E1FF58300F1541A9D44ED72A6DE34E981CB40

Function 00007FFD9BA69BD1 Relevance: 1.5, Instructions: 1477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4152255297.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_qSD738Weui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173b9ae4e7e75d4a727b72f80e5f5ff7de2a758cfb4fcccc9b797fde08dca5b7
Instruction ID: 28bd29d60c2443e601669fcfa5f2e4601ca29f26bc4d2d7c0e31fc1a7b248537
Opcode Fuzzy Hash: 173b9ae4e7e75d4a727b72f80e5f5ff7de2a758cfb4fcccc9b797fde08dca5b7
Instruction Fuzzy Hash: 7E922A7171D90D8FEBA8EB6CD465A7937D1EF99310F0500BAE44EC72E6DE28AC428741

Function 00007FFD9BA6AFDD Relevance: .9, Instructions: 860
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4152255297.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_qSD738Weui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e7623a545b1d479f77927fe9110c2d107d9122f922b5855c73ed83e17e57d
Instruction ID: 3fe7a5d2dec3b62eb232a4f33703ddfc025465205cb54a920c06d37322a9bfa5
Opcode Fuzzy Hash: 8a6e7623a545b1d479f77927fe9110c2d107d9122f922b5855c73ed83e17e57d
Instruction Fuzzy Hash: D4527F70B08A098FEBA8EB2CC465B7977E1FF99300F5545B9E44DC72A6DE34E8418B41

Function 00007FFD9BA69271 Relevance: .7, Instructions: 680
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4152255297.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_qSD738Weui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d0d2370ae7b2525f074d0c391dc623b15b1da0e85acd97f8e0413afef4ccab
Instruction ID: 1815350d804d046906db0997aa754194e85e635c503b18e9b4c6e0cff1e67552
Opcode Fuzzy Hash: 11d0d2370ae7b2525f074d0c391dc623b15b1da0e85acd97f8e0413afef4ccab
Instruction Fuzzy Hash: 2F228170B19A098FEBA8DB5884A57B977E2FF98300F15417DD44EC32E2DE74E9428741

Function 00007FFD9BA6621F Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4152255297.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_qSD738Weui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d323af7764d92661c34453c7b32daa0601d8c60babc8e11defdd68f18763bda
Instruction ID: 74bd55cea88ee816f75c862362ba8262dad85aa1063a124a11f4eb61f435f5a3
Opcode Fuzzy Hash: 9d323af7764d92661c34453c7b32daa0601d8c60babc8e11defdd68f18763bda
Instruction Fuzzy Hash: 78025B70E18A1D8FEBA8DF68C4957B977E1FF98301F1541B9D44ED32A5CA34B9818B40

Function 00007FFD9BA6E6F9 Relevance: 1.8, APIs: 1, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4152255297.00007FFD9BA60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba60000_qSD738Weui.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609541e0c0e4dcec9f7faaac58400e559fc0ea1be4df7855e4874ae7fa9ff659
Instruction ID: ccb49a1470ab24490508f854da5a1c436eada64aa885a5a5d9c396d7a652712f
Opcode Fuzzy Hash: 609541e0c0e4dcec9f7faaac58400e559fc0ea1be4df7855e4874ae7fa9ff659
Instruction Fuzzy Hash: 3F712571B1DF5D4FDB68EB6C98665B97BE1EF58310B0441BBE04AC3292DE24AC4287C1

Function 00007FFD9B7F3525 Relevance: 1.6, APIs: 1, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD9B7F3607

Memory Dump Source

Source File: 00000000.00000002.4151037672.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_qSD738Weui.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5e1468098f0a9bcb839ba81b8b167c07a0486310b6c4b4f8ca21983def83a757
Instruction ID: 180e054b4db822d64278881901431df71148c53d066a1058e4f6d03e6488502f
Opcode Fuzzy Hash: 5e1468098f0a9bcb839ba81b8b167c07a0486310b6c4b4f8ca21983def83a757
Instruction Fuzzy Hash: 17311231A0DB5C8FDB19DB688859AE9BFF0EF56311F0542AFD049D71A2CB24A805CB91

Function 00007FFD9B7F3569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD9B7F3607

Memory Dump Source

Source File: 00000000.00000002.4151037672.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7f0000_qSD738Weui.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5e564423322cca063fe9cad08e0c0ee8b40cd2f212ffb159114bbf6e946b3b38
Instruction ID: 6bfe2fc9beb589e15d6fc27b5c800ad40abafea20845118d622c6b12a59dd301
Opcode Fuzzy Hash: 5e564423322cca063fe9cad08e0c0ee8b40cd2f212ffb159114bbf6e946b3b38
Instruction Fuzzy Hash: 0731E131A0DB5C8FDB19DB588859AE9BBF0FF65321F04426BD049D32A2CB74A8458B91

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qSD738Weui.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
qSD738Weui.exe

Function 00007FFD9BA69BD1 Relevance: 1.5, Instructions: 1477
COMMON

Function 00007FFD9BA6AFDD Relevance: .9, Instructions: 860
COMMON

Function 00007FFD9BA69271 Relevance: .7, Instructions: 680
COMMON

Function 00007FFD9BA6E6F9 Relevance: 1.8, APIs: 1, Instructions: 278
COMMON

Function 00007FFD9B7F3525 Relevance: 1.6, APIs: 1, Instructions: 116
fileCOMMON

Function 00007FFD9B7F3569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON