Edit tour

Windows Analysis Report
RtU8kXPnKr.exe

Overview

General Information

Sample name:	RtU8kXPnKr.exe renamed because original name is a hash value
Original sample name:	720eea739bd033b804b98c0190b06d864dd61053aab14cb19d1c56d390686313.exe
Analysis ID:	1582627
MD5:	9ea49e8b67bf4eb173682c84c4a4f472
SHA1:	7e328600053285468f4dd7c302cdc00d3a75ae89
SHA256:	720eea739bd033b804b98c0190b06d864dd61053aab14cb19d1c56d390686313
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected Quasar RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for sample

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

RtU8kXPnKr.exe (PID: 504 cmdline: "C:\Users\user\Desktop\RtU8kXPnKr.exe" MD5: 9EA49E8B67BF4EB173682C84C4A4F472)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.2.0.0", "Host:Port": "180.100.217.219:8092;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "QSR_MUTEX_miqqcB3y3GjXPlDBqC", "StartupKey": "Quasar Client Startup", "Tag": "System", "LogDirectoryName": "Logs"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
RtU8kXPnKr.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
RtU8kXPnKr.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
RtU8kXPnKr.exe	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x32b36:$a1: GetKeyloggerLogsResponse 0x38eb3:$a2: DoDownloadAndExecute 0x3e66c:$a3: http://api.ipify.org/ 0x3d1d3:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
RtU8kXPnKr.exe	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3338a:$s1: DoUploadAndExecute 0x38eb3:$s2: DoDownloadAndExecute 0x33158:$s3: DoShellExecute 0x33582:$s4: set_Processname 0xf65c:$op1: 04 1E FE 02 04 16 FE 01 60 0xf580:$op2: 00 17 03 1F 20 17 19 15 28 0xffed:$op3: 00 04 03 69 91 1B 40 0x1084c:$op3: 00 04 03 69 91 1B 40
RtU8kXPnKr.exe	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x32b36:$x1: GetKeyloggerLogsResponse 0x32dc7:$s1: DoShellExecuteResponse 0x2cb00:$s2: GetPasswordsResponse 0x32c9a:$s3: GetStartupItemsResponse 0x28e98:$s4: <GetGenReader>b__7 0x3339e:$s5: RunHidden 0x333bc:$s5: RunHidden 0x333ca:$s5: RunHidden 0x333de:$s5: RunHidden
RtU8kXPnKr.exe	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x32b36:$x3: GetKeyloggerLogsResponse 0x330ce:$x4: GetKeyloggerLogs 0x3339d:$s1: <RunHidden>k__BackingField 0x32d4f:$s2: set_SystemInfos 0x333c6:$s3: set_RunHidden 0x32fcc:$s4: set_RemotePath 0x423f8:$s6: Client.exe 0x42460:$s6: Client.exe 0x38565:$s7: xClient.Core.ReverseProxy.Packets
RtU8kXPnKr.exe	xRAT_1	Detects Patchwork malware	Florian Roth	0x251d2:$x4: xClient.Properties.Resources.resources 0x250c1:$s4: Client.exe 0x333c6:$s7: set_RunHidden
RtU8kXPnKr.exe	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x345ea:$x4: get_encryptedPassword 0x38eb3:$x5: DoDownloadAndExecute
RtU8kXPnKr.exe	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x3c543:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x3d18e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x3127e:$class: Core.MouseKeyHook.WinApi
RtU8kXPnKr.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x3c407:$f1: FileZilla\recentservers.xml 0x3c447:$f2: FileZilla\sitemanager.xml 0x3c47b:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x3ca25:$b1: Chrome\User Data\ 0x3ca89:$b1: Chrome\User Data\ 0x3ce20:$b2: Mozilla\Firefox\Profiles 0x3d4dd:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x418d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3d56d:$b4: Opera Software\Opera Stable\Login Data 0x3d61d:$b5: YandexBrowser\User Data\ 0x3d68f:$b5: YandexBrowser\User Data\ 0x3cbd0:$s4: logins.json 0x3cc1c:$s4: logins.json 0x3cf0e:$s4: logins.json 0x3d2c1:$a1: username_value 0x3d2df:$a2: password_value 0x345c2:$a3: encryptedUsername 0x345d8:$a3: encryptedUsername 0x3470b:$a3: encryptedUsername 0x345ee:$a4: encryptedPassword 0x34604:$a4: encryptedPassword
RtU8kXPnKr.exe	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x32b36:$s1: GetKeyloggerLogsResponse 0x330ce:$s2: GetKeyloggerLogs 0x3e879:$s3: />Log created on 0x3d18e:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x3d1d3:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x2ff94:$s7: <virtualKeyCode> 0x30166:$s7: <virtualKeyCode> 0x3339d:$s8: <RunHidden>k__BackingField 0x3014c:$s9: <keyboardHookStruct> 0x3bad1:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4558083257.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x32936:$a1: GetKeyloggerLogsResponse 0x38cb3:$a2: DoDownloadAndExecute 0x3e46c:$a3: http://api.ipify.org/ 0x3cfd3:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3318a:$s1: DoUploadAndExecute 0x38cb3:$s2: DoDownloadAndExecute 0x32f58:$s3: DoShellExecute 0x33382:$s4: set_Processname 0xf45c:$op1: 04 1E FE 02 04 16 FE 01 60 0xf380:$op2: 00 17 03 1F 20 17 19 15 28 0xfded:$op3: 00 04 03 69 91 1B 40 0x1064c:$op3: 00 04 03 69 91 1B 40
00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x3c343:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x3cf8e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x3107e:$class: Core.MouseKeyHook.WinApi
Process Memory Space: RtU8kXPnKr.exe PID: 504	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x32b36:$a1: GetKeyloggerLogsResponse 0x38eb3:$a2: DoDownloadAndExecute 0x3e66c:$a3: http://api.ipify.org/ 0x3d1d3:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7}
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3338a:$s1: DoUploadAndExecute 0x38eb3:$s2: DoDownloadAndExecute 0x33158:$s3: DoShellExecute 0x33582:$s4: set_Processname 0xf65c:$op1: 04 1E FE 02 04 16 FE 01 60 0xf580:$op2: 00 17 03 1F 20 17 19 15 28 0xffed:$op3: 00 04 03 69 91 1B 40 0x1084c:$op3: 00 04 03 69 91 1B 40
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x32b36:$x1: GetKeyloggerLogsResponse 0x32dc7:$s1: DoShellExecuteResponse 0x2cb00:$s2: GetPasswordsResponse 0x32c9a:$s3: GetStartupItemsResponse 0x28e98:$s4: <GetGenReader>b__7 0x3339e:$s5: RunHidden 0x333bc:$s5: RunHidden 0x333ca:$s5: RunHidden 0x333de:$s5: RunHidden
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x32b36:$x3: GetKeyloggerLogsResponse 0x330ce:$x4: GetKeyloggerLogs 0x3339d:$s1: <RunHidden>k__BackingField 0x32d4f:$s2: set_SystemInfos 0x333c6:$s3: set_RunHidden 0x32fcc:$s4: set_RemotePath 0x423f8:$s6: Client.exe 0x42460:$s6: Client.exe 0x38565:$s7: xClient.Core.ReverseProxy.Packets
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x251d2:$x4: xClient.Properties.Resources.resources 0x250c1:$s4: Client.exe 0x333c6:$s7: set_RunHidden
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x345ea:$x4: get_encryptedPassword 0x38eb3:$x5: DoDownloadAndExecute
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x3c543:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x3d18e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x3127e:$class: Core.MouseKeyHook.WinApi
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x3c407:$f1: FileZilla\recentservers.xml 0x3c447:$f2: FileZilla\sitemanager.xml 0x3c47b:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x3ca25:$b1: Chrome\User Data\ 0x3ca89:$b1: Chrome\User Data\ 0x3ce20:$b2: Mozilla\Firefox\Profiles 0x3d4dd:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x418d8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x3d56d:$b4: Opera Software\Opera Stable\Login Data 0x3d61d:$b5: YandexBrowser\User Data\ 0x3d68f:$b5: YandexBrowser\User Data\ 0x3cbd0:$s4: logins.json 0x3cc1c:$s4: logins.json 0x3cf0e:$s4: logins.json 0x3d2c1:$a1: username_value 0x3d2df:$a2: password_value 0x345c2:$a3: encryptedUsername 0x345d8:$a3: encryptedUsername 0x3470b:$a3: encryptedUsername 0x345ee:$a4: encryptedPassword 0x34604:$a4: encryptedPassword
0.0.RtU8kXPnKr.exe.fb0000.0.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x32b36:$s1: GetKeyloggerLogsResponse 0x330ce:$s2: GetKeyloggerLogs 0x3e879:$s3: />Log created on 0x3d18e:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x3d1d3:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x2ff94:$s7: <virtualKeyCode> 0x30166:$s7: <virtualKeyCode> 0x3339d:$s8: <RunHidden>k__BackingField 0x3014c:$s9: <keyboardHookStruct> 0x3bad1:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Click to see the 6 entries

Suricata Signatures

ETPRO MALWARE W32/Quasar RAT Connectivity Check

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T06:13:54.138624+0100	2814031	1	A Network Trojan was detected	192.168.2.6	49708	88.198.193.213	80	TCP

ETPRO MALWARE W32/Quasar RAT Connectivity Check 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T06:13:56.888680+0100	2814030	1	A Network Trojan was detected	192.168.2.6	49712	3.33.130.190	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: RtU8kXPnKr.exe

Avira: detected

Found malware configuration

Source: RtU8kXPnKr.exe

Malware Configuration Extractor: Quasar {"Version": "1.2.0.0", "Host:Port": "180.100.217.219:8092;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "QSR_MUTEX_miqqcB3y3GjXPlDBqC", "StartupKey": "Quasar Client Startup", "Tag": "System", "LogDirectoryName": "Logs"}

Multi AV Scanner detection for submitted file

Source: RtU8kXPnKr.exe	ReversingLabs: Detection: 78%
Source: RtU8kXPnKr.exe	Virustotal: Detection: 73%			Perma Link

Yara detected Quasar RAT

Source: Yara match	File source: RtU8kXPnKr.exe, type: SAMPLE
Source: Yara match	File source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4558083257.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RtU8kXPnKr.exe PID: 504, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: RtU8kXPnKr.exe

Joe Sandbox ML: detected

Source: RtU8kXPnKr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 88.198.193.213:443 -> 192.168.2.6:49710 version: TLS 1.0

Source: RtU8kXPnKr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2814031 - Severity 1 - ETPRO MALWARE W32/Quasar RAT Connectivity Check : 192.168.2.6:49708 -> 88.198.193.213:80
Source: Network traffic	Suricata IDS: 2814030 - Severity 1 - ETPRO MALWARE W32/Quasar RAT Connectivity Check 2 : 192.168.2.6:49712 -> 3.33.130.190:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 180.100.217.219

Yara detected Generic Downloader

Source: Yara match	File source: RtU8kXPnKr.exe, type: SAMPLE
Source: Yara match	File source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.6:49714 -> 180.100.217.219:8092

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 88.198.193.213 88.198.193.213

Source: Joe Sandbox View

ASN Name: CHINANET-JS-AS-APASNumberforCHINANETjiangsuprovinceba CHINANET-JS-AS-APASNumberforCHINANETjiangsuprovinceba

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: freegeoip.net
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 88.198.193.213:443 -> 192.168.2.6:49710 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219
Source: unknown	TCP traffic detected without corresponding DNS query: 180.100.217.219

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: telize.com
Source: global traffic	DNS traffic detected: DNS query: www.telize.com
Source: global traffic	DNS traffic detected: DNS query: freegeoip.net
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org

Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.00000000033F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.00000000033F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: RtU8kXPnKr.exe	String found in binary or memory: http://api.ipify.org/3
Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://freegeoip.net
Source: RtU8kXPnKr.exe	String found in binary or memory: http://freegeoip.net/xml/
Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.0000000003354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.0000000003354000.00000004.00000800.00020000.00000000.sdmp, RtU8kXPnKr.exe, 00000000.00000002.4558083257.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://telize.com
Source: RtU8kXPnKr.exe	String found in binary or memory: http://telize.com/geoip
Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.0000000003384000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.telize.com
Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, RtU8kXPnKr.exe, 00000000.00000002.4558083257.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.telize.com
Source: RtU8kXPnKr.exe, 00000000.00000002.4558083257.000000000336D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.telize.com/geoip

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\RtU8kXPnKr.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: RtU8kXPnKr.exe, type: SAMPLE
Source: Yara match	File source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4558083257.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RtU8kXPnKr.exe PID: 504, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_0317A288	0_2_0317A288
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_031799B8	0_2_031799B8
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_03179670	0_2_03179670
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_06E4E2D0	0_2_06E4E2D0
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_06EF69F8	0_2_06EF69F8
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_06EF0040	0_2_06EF0040
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_06EF0006	0_2_06EF0006

Source: RtU8kXPnKr.exe, 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe4 vs RtU8kXPnKr.exe
Source: RtU8kXPnKr.exe, 00000000.00000002.4559545450.0000000006E19000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RtU8kXPnKr.exe
Source: RtU8kXPnKr.exe	Binary or memory string: OriginalFilenameClient.exe4 vs RtU8kXPnKr.exe

Source: RtU8kXPnKr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: RtU8kXPnKr.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan

Source: RtU8kXPnKr.exe, ----.cs

Base64 encoded string: 'OQHreK390wg9S1emghPyaWNxW+rNmoL7DPKLQW+ZoPtaD4ifpl8iq1aqdl7w0X4R'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@4/4

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

File created: C:\Users\user\AppData\Roaming\Logs

Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_miqqcB3y3GjXPlDBqC

Source: RtU8kXPnKr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RtU8kXPnKr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RtU8kXPnKr.exe	ReversingLabs: Detection: 78%
Source: RtU8kXPnKr.exe	Virustotal: Detection: 73%

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: RtU8kXPnKr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RtU8kXPnKr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_0317A7BD pushfd ; iretd	0_2_0317A7D2
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_03177068 pushad ; ret	0_2_03177069
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Code function: 0_2_0317709B pushad ; ret	0_2_03177069

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

File opened: C:\Users\user\Desktop\RtU8kXPnKr.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Memory allocated: 3130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Memory allocated: 32E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Memory allocated: 52E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Window / User API: threadDelayed 7840			Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Window / User API: threadDelayed 1977			Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe TID: 2264	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe TID: 2264	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe TID: 2100	Thread sleep count: 7840 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe TID: 2100	Thread sleep count: 1977 > 30	Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RtU8kXPnKr.exe, 00000000.00000002.4557322515.000000000168E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Code function: 0_2_0317DF18 LdrInitializeThunk,

0_2_0317DF18

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Queries volume information: C:\Users\user\Desktop\RtU8kXPnKr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RtU8kXPnKr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: RtU8kXPnKr.exe, type: SAMPLE
Source: Yara match	File source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4558083257.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RtU8kXPnKr.exe PID: 504, type: MEMORYSTR

Remote Access Functionality

Detected Quasar RAT

Source: C:\Users\user\Desktop\RtU8kXPnKr.exe

Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_miqqcB3y3GjXPlDBqC

Jump to behavior

Yara detected Quasar RAT

Source: Yara match	File source: RtU8kXPnKr.exe, type: SAMPLE
Source: Yara match	File source: 0.0.RtU8kXPnKr.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4558083257.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RtU8kXPnKr.exe PID: 504, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	11 Input Capture	1 Query Registry	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	113 Application Layer Protocol	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RtU8kXPnKr.exe	79%	ReversingLabs	ByteCode-MSIL.Spyware.Tinclex
RtU8kXPnKr.exe	74%	Virustotal		Browse
RtU8kXPnKr.exe	100%	Avira	HEUR/AGEN.1305744
RtU8kXPnKr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
180.100.217.219	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
telize.com	88.198.193.213	true	false	high
www.telize.com	88.198.193.213	true	false	high
api.ipify.org	104.26.12.205	true	false	high
freegeoip.net	3.33.130.190	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api.ipify.org/	false		high
http://freegeoip.net/xml/	false		high
180.100.217.219	true	Avira URL Cloud: safe	unknown
http://telize.com/geoip	false		high
https://www.telize.com/geoip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.telize.com	RtU8kXPnKr.exe, 00000000.00000002.4558083257.0000000003384000.00000004.00000800.00020000.00000000.sdmp	false	high
http://freegeoip.net	RtU8kXPnKr.exe, 00000000.00000002.4558083257.00000000033EA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RtU8kXPnKr.exe, 00000000.00000002.4558083257.0000000003354000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.telize.com	RtU8kXPnKr.exe, 00000000.00000002.4558083257.00000000033A0000.00000004.00000800.00020000.00000000.sdmp, RtU8kXPnKr.exe, 00000000.00000002.4558083257.000000000336D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.ipify.org/3	RtU8kXPnKr.exe	false	high
http://api.ipify.org	RtU8kXPnKr.exe, 00000000.00000002.4558083257.00000000033F0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://telize.com	RtU8kXPnKr.exe, 00000000.00000002.4558083257.0000000003354000.00000004.00000800.00020000.00000000.sdmp, RtU8kXPnKr.exe, 00000000.00000002.4558083257.000000000336D000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
88.198.193.213	telize.com	Germany	24940	HETZNER-ASDE	false
180.100.217.219	unknown	China	23650	CHINANET-JS-AS-APASNumberforCHINANETjiangsuprovinceba	true
3.33.130.190	freegeoip.net	United States	8987	AMAZONEXPANSIONGB	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582627
Start date and time:	2024-12-31 06:13:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RtU8kXPnKr.exe renamed because original name is a hash value
Original Sample Name:	720eea739bd033b804b98c0190b06d864dd61053aab14cb19d1c56d390686313.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 26 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:13:56	API Interceptor	11163044x Sleep call for process: RtU8kXPnKr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=text
	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
88.198.193.213	fptlVDDPkS.dll	Get hash	malicious	Quasar	Browse	telize.com/geoip
	zE7Ken4cFt.dll	Get hash	malicious	Quasar	Browse	telize.com/geoip
	fptlVDDPkS.dll	Get hash	malicious	Quasar	Browse	telize.com/geoip
	zE7Ken4cFt.dll	Get hash	malicious	Quasar	Browse	telize.com/geoip
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	telize.com/geoip
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	telize.com/geoip
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	telize.com/geoip
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	telize.com/geoip
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	telize.com/geoip
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	telize.com/geoip

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
telize.com	fptlVDDPkS.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	zE7Ken4cFt.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	fptlVDDPkS.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	zE7Ken4cFt.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
freegeoip.net	x.ps1	Get hash	malicious	PureLog Stealer, Quasar	Browse	3.33.130.190
	fptlVDDPkS.dll	Get hash	malicious	Quasar	Browse	15.197.148.33
	zE7Ken4cFt.dll	Get hash	malicious	Quasar	Browse	15.197.148.33
	fptlVDDPkS.dll	Get hash	malicious	Quasar	Browse	15.197.148.33
	zE7Ken4cFt.dll	Get hash	malicious	Quasar	Browse	15.197.148.33
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	3.33.130.190
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	15.197.148.33
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	3.33.130.190
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	15.197.148.33
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	3.33.130.190
api.ipify.org	Loader.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.13.205
	Jx6bD8nM4qW9sL3v.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	dsoft.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	104.26.13.205
	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.13.205
	markiz.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	utkin.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	https://www.canva.com/design/DAGaHpv1g1M/bVE7B2sT8b8T3P-e2xb64w/view?utm_content=DAGaHpv1g1M&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h1ee3678e45	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	https://mandrillapp.com/track/click/30363981/app.salesforceiq.com?p=eyJzIjoiQ21jNldfVTIxTkdJZi1NQzQ1SGE3SXJFTW1RIiwidiI6MSwicCI6IntcInVcIjozMDM2Mzk4MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FwcC5zYWxlc2ZvcmNlaXEuY29tXFxcL3I_dD1BRndoWmYwNjV0QlFRSnRiMVFmd1A1dC0tMHZnQkowaF9lYklFcTVLRlhTWHFVWmFpNUo4RlFTd1dycTkzR1FPbEFuczlLREd2VzRJQ2Z2eGo4WjVDSkQxUTlXdDVvME5XNWMwY0tIaXpVQWJ1YnBhT2dtS2pjVkxkaDFZWE8ybklsdFRlb2VQZ2dVTCZ0YXJnZXQ9NjMxZjQyMGVlZDEzY2EzYmNmNzdjMzI0JnVybD1odHRwczpcXFwvXFxcL21haW4uZDNxczBuMG9xdjNnN28uYW1wbGlmeWFwcC5jb21cIixcImlkXCI6XCI5ZTdkODJiNWQ0NzA0YWVhYTQ1ZjkxY2Y0ZTFmNGRiMFwiLFwidXJsX2lkc1wiOltcImY5ODQ5NWVhMjMyYTgzNjg1ODUxN2Y4ZTRiOTVjZjg4MWZlODExNmJcIl19In0	Get hash	malicious	Unknown	Browse	104.26.12.205
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	tg.exe	Get hash	malicious	Babadeda	Browse	172.67.74.152
www.telize.com	fptlVDDPkS.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	zE7Ken4cFt.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	88.198.193.213
	30EAFDB7C2C580890C4FB2A7101DB1D22C88BD723603F.exe	Get hash	malicious	Quasar	Browse	88.198.193.213
	XIiRHEaA9R.exe	Get hash	malicious	Quasar	Browse	88.198.193.213
	svchost.exe	Get hash	malicious	Quasar	Browse	88.198.193.213
	conn.exe	Get hash	malicious	Quasar	Browse	88.198.193.213

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://ghostbin.cafe24.com/	Get hash	malicious	Unknown	Browse	104.18.27.193
	http://parrottalks.info	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	104.17.208.240
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.138.232
	Loader.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.13.205
	https://bs32c.golfercaps.com/vfd23ced/#sean@virtualintelligencebriefing.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Set-up.exe	Get hash	malicious	LummaC, GO Backdoor, LummaC Stealer	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.177.88
	X-mas_2.3.2.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	ReploidReplic.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
CHINANET-JS-AS-APASNumberforCHINANETjiangsuprovinceba	botx.ppc.elf	Get hash	malicious	Mirai	Browse	180.97.87.220
	armv4l.elf	Get hash	malicious	Unknown	Browse	121.227.76.84
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	121.227.129.166
	arm5.elf	Get hash	malicious	Unknown	Browse	121.227.17.219
	ZOOM#U89c6#U9891#U4f1a#U8bae_b0138065277.exe	Get hash	malicious	Unknown	Browse	221.229.117.58
	armv6l.elf	Get hash	malicious	Unknown	Browse	61.155.199.181
	nshkmpsl.elf	Get hash	malicious	Mirai	Browse	121.227.129.196
	nshkarm.elf	Get hash	malicious	Mirai	Browse	121.227.76.80
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	121.227.129.156
	I3FtIOCni3.dll	Get hash	malicious	GhostRat	Browse	118.184.169.48
AMAZONEXPANSIONGB	http://ghostbin.cafe24.com/	Get hash	malicious	Unknown	Browse	52.223.40.198
	Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse	52.223.13.41
	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse	52.223.40.198
	telnet.sh4.elf	Get hash	malicious	Unknown	Browse	52.223.138.114
	armv7l.elf	Get hash	malicious	Unknown	Browse	96.127.3.82
	jklspc.elf	Get hash	malicious	Unknown	Browse	3.47.75.42
	nabarm.elf	Get hash	malicious	Unknown	Browse	3.37.62.206
	https://qulatrics.com/	Get hash	malicious	Unknown	Browse	3.33.148.61
	https://qulatrics.com/	Get hash	malicious	Unknown	Browse	3.33.148.61
	rQuotation.exe	Get hash	malicious	FormBook	Browse	52.223.13.41
HETZNER-ASDE	BHgwhz3lGN.exe	Get hash	malicious	Vidar	Browse	116.203.14.4
	botx.ppc.elf	Get hash	malicious	Mirai	Browse	49.13.202.247
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	116.203.14.4
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	5.9.64.57
	Electrum-bch-4.4.2-x86_64.AppImage.elf	Get hash	malicious	Unknown	Browse	136.243.250.139
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	116.203.8.178
	db0fa4b8db0333367e9bda3ab68b8042.m68k.elf	Get hash	malicious	Mirai, Gafgyt	Browse	144.79.90.49
	0A7XTINw3R.exe	Get hash	malicious	Unknown	Browse	178.63.67.153
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse	116.203.8.178
	HVlonDQpuI.exe	Get hash	malicious	Vidar	Browse	116.203.8.178

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	88.198.193.213
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	88.198.193.213
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	88.198.193.213
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	88.198.193.213
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	88.198.193.213
	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	88.198.193.213
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	88.198.193.213
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	88.198.193.213
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	88.198.193.213
	HUBED342024.exe	Get hash	malicious	MassLogger RAT	Browse	88.198.193.213

Process:	C:\Users\user\Desktop\RtU8kXPnKr.exe
File Type:	data
Category:	modified
Size (bytes):	192
Entropy (8bit):	6.949342188131024
Encrypted:	false
SSDEEP:	3:I3xtYvKtsOAKjS8YgTFFOdE4+QksCg1uDgAuX/PlLdHXyfHCubqHjNy5:IBt91AKj/YwUyt3yX5EqKqHhg
MD5:	9657A9F457A3CD17FA543CCA37CD3685
SHA1:	54E8EF677D4407A1C4EC61078D1B21A13C280346
SHA-256:	CF820D6DE2687A780388D5FEA9F12CF190920E51DAA0B957BFF419D0BC0D46F6
SHA-512:	BCC1094D28DA590F3A0035CDB1AC22B315F3BAB97A3F0419E7B179816103FE997408488E5061E7934B766E5E05B572DC698621929C62A5DE19F173FA09909AA0
Malicious:	false
Reputation:	low
Preview:	.J.....7..aX...V....{ .....I.O..Hk...b.&..X ../..$a.=......!JT......2..+e.9/....@.W.:_.5)BV6.@.:..2......mC..c.p%.........p.y./.wr.]...Q..w......b>8qz.....`^..pn.X...'.O9.......J.*..X

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.386930181702224
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	RtU8kXPnKr.exe
File size:	273'920 bytes
MD5:	9ea49e8b67bf4eb173682c84c4a4f472
SHA1:	7e328600053285468f4dd7c302cdc00d3a75ae89
SHA256:	720eea739bd033b804b98c0190b06d864dd61053aab14cb19d1c56d390686313
SHA512:	298dd6e8be7d4c8d8f917ab7194cf9449f4b7f2b3d839ea9843ab83c147d869737a6ba13b4da68620739ce7b2d12bfd7f5acb04c7711434e645e1b3699f05765
SSDEEP:	6144:4aaXMzUmOZoqPp01j0JxZmYbjAHm/6AGA3+rsPpP:TachqhZPmDGSAGA3+gPZ
TLSH:	DE448E5563DC871FD3EE17BEF46001019BB9DA27F51AE78B4A8895F82C033618E526E3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................. ...........?... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x443fbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66C7DDBB [Fri Aug 23 00:54:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
adc byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax+00000018h], al
cmp byte ptr [eax], al
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
push eax
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
push 00800000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax-60000000h], dl
inc eax
add al, 00h
inc esp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x43f64	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x44000	0xa00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x46000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x41fc4	0x42000	5c6d4197de4300a76516f533deaf3145	False	0.5191465435606061	data	6.405487528319331	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x44000	0xa00	0xa00	9322137053408db1e893f1bb3db1ff8f	False	0.358984375	data	4.494437383231915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x46000	0xc	0x200	8c85247994e1d8605a7642a4eb19168a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x440a0	0x244	data			0.47413793103448276
RT_MANIFEST	0x442e8	0x562	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.43178519593613934

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T06:13:54.138624+0100	2814031	ETPRO MALWARE W32/Quasar RAT Connectivity Check	1	192.168.2.6	49708	88.198.193.213	80	TCP
2024-12-31T06:13:56.888680+0100	2814030	ETPRO MALWARE W32/Quasar RAT Connectivity Check 2	1	192.168.2.6	49712	3.33.130.190	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 06:13:53.418811083 CET	49708	80	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:53.423655033 CET	80	49708	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:53.423723936 CET	49708	80	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:53.424022913 CET	49708	80	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:53.429456949 CET	80	49708	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:54.092328072 CET	80	49708	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:54.111804962 CET	49710	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:54.111835957 CET	443	49710	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:54.111947060 CET	49710	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:54.120605946 CET	49710	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:54.120620012 CET	443	49710	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:54.138623953 CET	49708	80	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:54.777615070 CET	443	49710	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:54.777689934 CET	49710	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:54.816020966 CET	49710	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:54.816036940 CET	443	49710	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:54.816385031 CET	443	49710	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:54.857364893 CET	49710	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:55.191518068 CET	49710	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:55.239336014 CET	443	49710	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:55.383562088 CET	443	49710	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:55.383620977 CET	443	49710	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:55.383672953 CET	49710	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:55.395804882 CET	49710	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:55.395824909 CET	443	49710	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:55.396172047 CET	49711	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:55.396229029 CET	443	49711	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:55.396291971 CET	49711	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:55.396627903 CET	49711	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:55.396644115 CET	443	49711	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:56.062104940 CET	443	49711	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:56.065129995 CET	49711	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:56.065172911 CET	443	49711	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:56.356945038 CET	443	49711	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:56.356986046 CET	443	49711	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:56.357074022 CET	49711	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:56.357639074 CET	49711	443	192.168.2.6	88.198.193.213
Dec 31, 2024 06:13:56.357649088 CET	443	49711	88.198.193.213	192.168.2.6
Dec 31, 2024 06:13:56.372396946 CET	49712	80	192.168.2.6	3.33.130.190
Dec 31, 2024 06:13:56.377161980 CET	80	49712	3.33.130.190	192.168.2.6
Dec 31, 2024 06:13:56.379956961 CET	49712	80	192.168.2.6	3.33.130.190
Dec 31, 2024 06:13:56.380074024 CET	49712	80	192.168.2.6	3.33.130.190
Dec 31, 2024 06:13:56.384795904 CET	80	49712	3.33.130.190	192.168.2.6
Dec 31, 2024 06:13:56.839040995 CET	80	49712	3.33.130.190	192.168.2.6
Dec 31, 2024 06:13:56.848844051 CET	49713	80	192.168.2.6	104.26.12.205
Dec 31, 2024 06:13:56.853676081 CET	80	49713	104.26.12.205	192.168.2.6
Dec 31, 2024 06:13:56.853766918 CET	49713	80	192.168.2.6	104.26.12.205
Dec 31, 2024 06:13:56.853837967 CET	49713	80	192.168.2.6	104.26.12.205
Dec 31, 2024 06:13:56.858702898 CET	80	49713	104.26.12.205	192.168.2.6
Dec 31, 2024 06:13:56.888679981 CET	49712	80	192.168.2.6	3.33.130.190
Dec 31, 2024 06:13:57.339898109 CET	80	49713	104.26.12.205	192.168.2.6
Dec 31, 2024 06:13:57.388645887 CET	49713	80	192.168.2.6	104.26.12.205
Dec 31, 2024 06:13:57.610061884 CET	49714	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:13:57.614984035 CET	8092	49714	180.100.217.219	192.168.2.6
Dec 31, 2024 06:13:57.615068913 CET	49714	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:13:59.648046970 CET	8092	49714	180.100.217.219	192.168.2.6
Dec 31, 2024 06:13:59.648106098 CET	49714	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:13:59.650274992 CET	49714	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:13:59.655046940 CET	8092	49714	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:01.836710930 CET	80	49712	3.33.130.190	192.168.2.6
Dec 31, 2024 06:14:01.836797953 CET	49712	80	192.168.2.6	3.33.130.190
Dec 31, 2024 06:14:01.841996908 CET	49708	80	192.168.2.6	88.198.193.213
Dec 31, 2024 06:14:01.842164993 CET	49712	80	192.168.2.6	3.33.130.190
Dec 31, 2024 06:14:01.842216969 CET	49713	80	192.168.2.6	104.26.12.205
Dec 31, 2024 06:14:01.847053051 CET	80	49712	3.33.130.190	192.168.2.6
Dec 31, 2024 06:14:01.847065926 CET	80	49708	88.198.193.213	192.168.2.6
Dec 31, 2024 06:14:01.847124100 CET	49708	80	192.168.2.6	88.198.193.213
Dec 31, 2024 06:14:01.847393036 CET	80	49713	104.26.12.205	192.168.2.6
Dec 31, 2024 06:14:01.847443104 CET	49713	80	192.168.2.6	104.26.12.205
Dec 31, 2024 06:14:04.138923883 CET	49727	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:04.143759966 CET	8092	49727	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:04.143836975 CET	49727	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:06.180828094 CET	8092	49727	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:06.180994034 CET	49727	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:06.181241035 CET	49727	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:06.186079979 CET	8092	49727	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:10.625047922 CET	49766	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:10.629914045 CET	8092	49766	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:10.629980087 CET	49766	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:12.696211100 CET	8092	49766	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:12.696276903 CET	49766	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:12.696453094 CET	49766	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:12.701266050 CET	8092	49766	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:17.326404095 CET	49810	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:17.331252098 CET	8092	49810	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:17.331335068 CET	49810	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:19.353456020 CET	8092	49810	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:19.353543997 CET	49810	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:19.354118109 CET	49810	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:19.358901024 CET	8092	49810	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:23.748497963 CET	49853	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:23.753380060 CET	8092	49853	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:23.753452063 CET	49853	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:25.825393915 CET	8092	49853	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:25.825483084 CET	49853	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:25.825794935 CET	49853	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:25.830535889 CET	8092	49853	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:29.951570034 CET	49894	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:29.956419945 CET	8092	49894	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:29.956502914 CET	49894	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:31.999727964 CET	8092	49894	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:32.000005007 CET	49894	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:32.000154018 CET	49894	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:32.004960060 CET	8092	49894	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:36.529697895 CET	49932	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:36.534604073 CET	8092	49932	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:36.534712076 CET	49932	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:38.585573912 CET	8092	49932	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:38.585633993 CET	49932	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:38.586298943 CET	49932	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:38.591049910 CET	8092	49932	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:43.144289970 CET	51756	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:43.149199963 CET	8092	51756	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:43.149301052 CET	51756	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:56.949778080 CET	8092	51756	180.100.217.219	192.168.2.6
Dec 31, 2024 06:14:56.949863911 CET	51756	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:56.950602055 CET	51756	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:14:56.955354929 CET	8092	51756	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:02.201503992 CET	51776	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:02.206338882 CET	8092	51776	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:02.206454039 CET	51776	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:04.202708960 CET	8092	51776	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:04.202814102 CET	51776	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:04.203090906 CET	51776	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:04.207833052 CET	8092	51776	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:08.639241934 CET	51777	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:08.644134998 CET	8092	51777	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:08.644241095 CET	51777	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:10.690483093 CET	8092	51777	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:10.690582991 CET	51777	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:10.690764904 CET	51777	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:10.695522070 CET	8092	51777	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:15.186106920 CET	51779	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:15.191037893 CET	8092	51779	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:15.191116095 CET	51779	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:17.194932938 CET	8092	51779	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:17.195048094 CET	51779	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:17.195753098 CET	51779	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:17.200565100 CET	8092	51779	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:21.732923985 CET	51780	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:21.737910032 CET	8092	51780	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:21.737987995 CET	51780	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:40.858017921 CET	8092	51780	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:40.858196974 CET	51780	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:40.862457037 CET	51780	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:40.867199898 CET	8092	51780	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:45.814070940 CET	51781	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:45.819149971 CET	8092	51781	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:45.822690010 CET	51781	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:47.881731033 CET	8092	51781	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:47.881877899 CET	51781	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:47.882345915 CET	51781	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:47.887581110 CET	8092	51781	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:52.123584986 CET	51782	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:52.128628016 CET	8092	51782	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:52.128703117 CET	51782	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:54.130661011 CET	8092	51782	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:54.130743027 CET	51782	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:54.130898952 CET	51782	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:54.135675907 CET	8092	51782	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:58.451678038 CET	51783	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:15:58.456675053 CET	8092	51783	180.100.217.219	192.168.2.6
Dec 31, 2024 06:15:58.456794024 CET	51783	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:00.524173975 CET	8092	51783	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:00.526458979 CET	51783	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:00.529719114 CET	51783	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:00.534482956 CET	8092	51783	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:04.951858044 CET	51785	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:04.957258940 CET	8092	51785	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:04.957694054 CET	51785	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:07.017967939 CET	8092	51785	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:07.018032074 CET	51785	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:07.018323898 CET	51785	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:07.023109913 CET	8092	51785	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:11.186284065 CET	51786	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:11.191374063 CET	8092	51786	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:11.191492081 CET	51786	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:13.218331099 CET	8092	51786	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:13.218391895 CET	51786	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:13.218605042 CET	51786	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:13.223329067 CET	8092	51786	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:17.577004910 CET	51787	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:17.582339048 CET	8092	51787	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:17.582426071 CET	51787	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:19.649240971 CET	8092	51787	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:19.649295092 CET	51787	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:19.649847031 CET	51787	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:19.655441999 CET	8092	51787	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:24.108510017 CET	51788	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:24.113543034 CET	8092	51788	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:24.116605043 CET	51788	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:26.155138016 CET	8092	51788	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:26.156650066 CET	51788	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:26.156752110 CET	51788	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:26.161597967 CET	8092	51788	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:30.749281883 CET	51789	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:30.754301071 CET	8092	51789	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:30.754556894 CET	51789	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:32.789660931 CET	8092	51789	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:32.789742947 CET	51789	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:32.789889097 CET	51789	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:32.794635057 CET	8092	51789	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:37.358637094 CET	51790	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:37.363591909 CET	8092	51790	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:37.363754988 CET	51790	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:39.357294083 CET	8092	51790	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:39.357369900 CET	51790	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:39.362457037 CET	51790	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:39.367191076 CET	8092	51790	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:43.936706066 CET	51791	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:43.941696882 CET	8092	51791	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:43.941776991 CET	51791	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:46.005147934 CET	8092	51791	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:46.005284071 CET	51791	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:46.005487919 CET	51791	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:46.010199070 CET	8092	51791	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:50.624274015 CET	51792	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:50.629214048 CET	8092	51792	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:50.629343987 CET	51792	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:52.619708061 CET	8092	51792	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:52.621365070 CET	51792	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:52.621443987 CET	51792	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:52.626167059 CET	8092	51792	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:56.954967022 CET	51793	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:56.960062027 CET	8092	51793	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:56.961031914 CET	51793	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:58.992733955 CET	8092	51793	180.100.217.219	192.168.2.6
Dec 31, 2024 06:16:58.995050907 CET	51793	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:59.006957054 CET	51793	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:16:59.012058020 CET	8092	51793	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:03.281012058 CET	51794	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:03.285994053 CET	8092	51794	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:03.286057949 CET	51794	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:05.299489021 CET	8092	51794	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:05.299546957 CET	51794	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:05.299793959 CET	51794	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:05.304588079 CET	8092	51794	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:09.718456984 CET	51795	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:09.723360062 CET	8092	51795	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:09.723433971 CET	51795	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:11.840533972 CET	8092	51795	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:11.840647936 CET	51795	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:11.840770960 CET	51795	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:11.845542908 CET	8092	51795	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:16.297190905 CET	51796	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:16.302243948 CET	8092	51796	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:16.305423021 CET	51796	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:18.342557907 CET	8092	51796	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:18.342756987 CET	51796	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:18.351234913 CET	51796	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:18.356092930 CET	8092	51796	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:23.015448093 CET	51797	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:23.020440102 CET	8092	51797	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:23.020564079 CET	51797	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:25.078434944 CET	8092	51797	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:25.081414938 CET	51797	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:25.083743095 CET	51797	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:25.088608980 CET	8092	51797	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:29.392707109 CET	51798	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:29.397680998 CET	8092	51798	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:29.397758007 CET	51798	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:31.392505884 CET	8092	51798	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:31.392559052 CET	51798	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:31.392745972 CET	51798	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:31.397488117 CET	8092	51798	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:35.906264067 CET	51799	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:35.911300898 CET	8092	51799	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:35.911417961 CET	51799	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:43.255238056 CET	8092	51799	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:43.255332947 CET	51799	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:43.255845070 CET	51799	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:43.260701895 CET	8092	51799	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:47.375798941 CET	51800	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:47.380701065 CET	8092	51800	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:47.380778074 CET	51800	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:54.710037947 CET	8092	51800	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:54.710275888 CET	51800	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:54.710330963 CET	51800	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:54.715142012 CET	8092	51800	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:58.781462908 CET	51802	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:17:58.786559105 CET	8092	51802	180.100.217.219	192.168.2.6
Dec 31, 2024 06:17:58.787849903 CET	51802	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:18:00.809113979 CET	8092	51802	180.100.217.219	192.168.2.6
Dec 31, 2024 06:18:00.809700966 CET	51802	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:18:00.813723087 CET	51802	8092	192.168.2.6	180.100.217.219
Dec 31, 2024 06:18:00.818603992 CET	8092	51802	180.100.217.219	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 06:13:53.378285885 CET	64496	53	192.168.2.6	1.1.1.1
Dec 31, 2024 06:13:53.414516926 CET	53	64496	1.1.1.1	192.168.2.6
Dec 31, 2024 06:13:54.094851971 CET	55950	53	192.168.2.6	1.1.1.1
Dec 31, 2024 06:13:54.111141920 CET	53	55950	1.1.1.1	192.168.2.6
Dec 31, 2024 06:13:56.361639977 CET	50360	53	192.168.2.6	1.1.1.1
Dec 31, 2024 06:13:56.369880915 CET	53	50360	1.1.1.1	192.168.2.6
Dec 31, 2024 06:13:56.841665030 CET	56584	53	192.168.2.6	1.1.1.1
Dec 31, 2024 06:13:56.848181963 CET	53	56584	1.1.1.1	192.168.2.6
Dec 31, 2024 06:14:36.864541054 CET	53	54932	162.159.36.2	192.168.2.6
Dec 31, 2024 06:14:37.365524054 CET	53	53373	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 06:13:53.378285885 CET	192.168.2.6	1.1.1.1	0x9d19	Standard query (0)	telize.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 06:13:54.094851971 CET	192.168.2.6	1.1.1.1	0x895	Standard query (0)	www.telize.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 06:13:56.361639977 CET	192.168.2.6	1.1.1.1	0xb769	Standard query (0)	freegeoip.net	A (IP address)	IN (0x0001)	false
Dec 31, 2024 06:13:56.841665030 CET	192.168.2.6	1.1.1.1	0x15c9	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 06:13:53.414516926 CET	1.1.1.1	192.168.2.6	0x9d19	No error (0)	telize.com	88.198.193.213	A (IP address)	IN (0x0001)	false
Dec 31, 2024 06:13:54.111141920 CET	1.1.1.1	192.168.2.6	0x895	No error (0)	www.telize.com	88.198.193.213	A (IP address)	IN (0x0001)	false
Dec 31, 2024 06:13:56.369880915 CET	1.1.1.1	192.168.2.6	0xb769	No error (0)	freegeoip.net	3.33.130.190	A (IP address)	IN (0x0001)	false
Dec 31, 2024 06:13:56.369880915 CET	1.1.1.1	192.168.2.6	0xb769	No error (0)	freegeoip.net	15.197.148.33	A (IP address)	IN (0x0001)	false
Dec 31, 2024 06:13:56.848181963 CET	1.1.1.1	192.168.2.6	0x15c9	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 31, 2024 06:13:56.848181963 CET	1.1.1.1	192.168.2.6	0x15c9	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 31, 2024 06:13:56.848181963 CET	1.1.1.1	192.168.2.6	0x15c9	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.telize.com

telize.com

freegeoip.net

api.ipify.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49708	88.198.193.213	80	504	C:\Users\user\Desktop\RtU8kXPnKr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 06:13:53.424022913 CET	144	OUT	GET /geoip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: telize.com Connection: Keep-Alive
Dec 31, 2024 06:13:54.092328072 CET	403	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Tue, 31 Dec 2024 05:13:54 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: https://www.telize.com/geoip Strict-Transport-Security: max-age=63072000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49712	3.33.130.190	80	504	C:\Users\user\Desktop\RtU8kXPnKr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 06:13:56.380074024 CET	146	OUT	GET /xml/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: freegeoip.net Connection: Keep-Alive
Dec 31, 2024 06:13:56.839040995 CET	216	IN	HTTP/1.1 200 OK content-type: text/html date: Tue, 31 Dec 2024 05:13:56 GMT content-length: 114 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49713	104.26.12.205	80	504	C:\Users\user\Desktop\RtU8kXPnKr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 06:13:56.853837967 CET	142	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: api.ipify.org Connection: Keep-Alive
Dec 31, 2024 06:13:57.339898109 CET	430	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 05:13:57 GMT Content-Type: text/plain Content-Length: 12 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8fa7c88508fe0f81-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1482&min_rtt=1482&rtt_var=741&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=142&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	88.198.193.213	443	504	C:\Users\user\Desktop\RtU8kXPnKr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 05:13:55 UTC	148	OUT	GET /geoip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: www.telize.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49711	88.198.193.213	443	504	C:\Users\user\Desktop\RtU8kXPnKr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 05:13:56 UTC	148	OUT	GET /geoip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: www.telize.com Connection: Keep-Alive

Target ID:	0
Start time:	00:13:52
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\RtU8kXPnKr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RtU8kXPnKr.exe"
Imagebase:	0xfb0000
File size:	273'920 bytes
MD5 hash:	9EA49E8B67BF4EB173682C84C4A4F472
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.4558083257.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: Quasar, Description: detect Remcos in memory, Source: 00000000.00000000.2097498649.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	98.7%
Signature Coverage:	3.5%
Total number of Nodes:	229
Total number of Limit Nodes:	21

Executed Functions

Function 06EF69F8 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4559675677.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef0000_RtU8kXPnKr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68230d6dff5d2cf6aa8d8f2ab81e284615d9881212ba8759a44d2780c3825490
Instruction ID: 3bb3e800cbead4265c01203d432d12324b0e66156202a9c8e88f27d3ad70eb78
Opcode Fuzzy Hash: 68230d6dff5d2cf6aa8d8f2ab81e284615d9881212ba8759a44d2780c3825490
Instruction Fuzzy Hash: FAF18A31A10309CFEB54DFA9C848B9DBBF2FF88308F159569E509AF255DB70A945CB80

Function 0317DF18 Relevance: 1.8, APIs: 1, Instructions: 311
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0317E055

Memory Dump Source

Source File: 00000000.00000002.4557940464.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_RtU8kXPnKr.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ce12fa23c84d9a2d51794c3d263f48d2d583179a59d68cf620f04d3ac62e9a8
Instruction ID: 02feeeb901d07ac577d5f4812398827977dce75ad248c0cb57c7a80872811c2f
Opcode Fuzzy Hash: 5ce12fa23c84d9a2d51794c3d263f48d2d583179a59d68cf620f04d3ac62e9a8
Instruction Fuzzy Hash: C4C15874700211CFDB58DF29D958A69B7F2EF8C310B1A81A9E806DB361DB35EC81CB90

Function 031799B8 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V[n, xrefs: 03179C6F

Memory Dump Source

Source File: 00000000.00000002.4557940464.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_RtU8kXPnKr.jbxd

Similarity

API ID:
String ID: \V[n
API String ID: 0-1005319620
Opcode ID: 1586b460e6e66e1d21f00a145cc0c9d2c6e60171941a3c4dd97e4c5a66ebc108
Instruction ID: 4ee187d05f8ec684cf0a11eadfb489146418ad86109d0c6a165b299cebfd396b
Opcode Fuzzy Hash: 1586b460e6e66e1d21f00a145cc0c9d2c6e60171941a3c4dd97e4c5a66ebc108
Instruction Fuzzy Hash: 2DB11B70E00209CFDF14DFA9C895BDDBBF2AF8D714F188129D815AB294EB749849CB91

Function 0317A288 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557940464.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_RtU8kXPnKr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a32fa93f37747387ff30f66ddcc18470fdbffaf750892096971f9986de8f5e
Instruction ID: ace5639148acac047b21de1438354829f5893f69b21f45adfc09264a679d2198
Opcode Fuzzy Hash: 59a32fa93f37747387ff30f66ddcc18470fdbffaf750892096971f9986de8f5e
Instruction Fuzzy Hash: 75B12C70E00209CFDB14CFA9D89579DBBF2AF88754F188129D815AB354EB759845CB81

Function 06E45083 Relevance: 6.4, APIs: 4, Instructions: 403
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06E4547E
GetCurrentThread.KERNEL32 ref: 06E454BB
GetCurrentProcess.KERNEL32 ref: 06E454F8
GetCurrentThreadId.KERNEL32 ref: 06E45551

Memory Dump Source

Source File: 00000000.00000002.4559608265.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_RtU8kXPnKr.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7d1551fc0d953f0ef03b0277d309f9864e75f64247cc22d374f78439fde1140c
Instruction ID: d62c801c8412676d812a0a2a56a9fe83127897bf96c7a222ee52ef3d770ce1f9
Opcode Fuzzy Hash: 7d1551fc0d953f0ef03b0277d309f9864e75f64247cc22d374f78439fde1140c
Instruction Fuzzy Hash: 7902C57A500604EFDB45DF99D948E99BBB2FF4C314F168098E609AB272C732E861DF50

Function 06E44DB8 Relevance: 6.4, APIs: 4, Instructions: 360
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06E4547E
GetCurrentThread.KERNEL32 ref: 06E454BB
GetCurrentProcess.KERNEL32 ref: 06E454F8
GetCurrentThreadId.KERNEL32 ref: 06E45551

Memory Dump Source

Source File: 00000000.00000002.4559608265.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_RtU8kXPnKr.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: affba3da332f9086caf39814c751a11e98a2887509983dbba8dd2e6129148e9f
Instruction ID: e5d103cf920ddd7d5aeeb6a6e76968c4fd15c8b08e29ba3106994032552d8988
Opcode Fuzzy Hash: affba3da332f9086caf39814c751a11e98a2887509983dbba8dd2e6129148e9f
Instruction Fuzzy Hash: 4CF13479A00204DFDB45DFA9D948E99BBB2FF48314F158098E609AB272DB31D891DF60

Function 06E453E9 Relevance: 6.1, APIs: 4, Instructions: 141
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06E4547E
GetCurrentThread.KERNEL32 ref: 06E454BB
GetCurrentProcess.KERNEL32 ref: 06E454F8
GetCurrentThreadId.KERNEL32 ref: 06E45551

Memory Dump Source

Source File: 00000000.00000002.4559608265.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_RtU8kXPnKr.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 528d102a770361a18ddd497a6188a6aa9899ed79ce723d776c5b5217d02fea74
Instruction ID: d03d0901d82654eaa0df56bf6ae66943f5c33fa2f82eeb8460a1652518b1ba5b
Opcode Fuzzy Hash: 528d102a770361a18ddd497a6188a6aa9899ed79ce723d776c5b5217d02fea74
Instruction Fuzzy Hash: B15197B0900B49CFDB54EFAAE948BEEBBF1AF88315F248059D009AB360D7345945CF65

Function 06E4399C Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06E4547E
GetCurrentThread.KERNEL32 ref: 06E454BB
GetCurrentProcess.KERNEL32 ref: 06E454F8
GetCurrentThreadId.KERNEL32 ref: 06E45551

Memory Dump Source

Source File: 00000000.00000002.4559608265.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_RtU8kXPnKr.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: af935ac37a78b852285ce5200b4bd21c4071c55312b33b379de709bd922f9ce7
Instruction ID: 14f67f46bba76973677135ef00d9d09ff0978639bf0d21bbf644677bde6e431b
Opcode Fuzzy Hash: af935ac37a78b852285ce5200b4bd21c4071c55312b33b379de709bd922f9ce7
Instruction Fuzzy Hash: D25186B0900709CFDB44EFAEE948BAEBBF1EF88315F208059D00AAB290D7345945CF65

Function 06E4F499 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06E4F6FE

Memory Dump Source

Source File: 00000000.00000002.4559608265.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_RtU8kXPnKr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4d952841f3404e535ddb01e6b4fcb33cb09df3da2508337fb1d8c17a462e1f01
Instruction ID: 6238280cb2e70a71ed6df1107b885a1359a849b403b7c0fa19cb45c846b009ee
Opcode Fuzzy Hash: 4d952841f3404e535ddb01e6b4fcb33cb09df3da2508337fb1d8c17a462e1f01
Instruction Fuzzy Hash: 0A813370A00B058FD764EF7AE55575ABBF5FF88604F008A2DE48AD7A50DB34E845CB90

Function 06EF1CE4 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06EF1E02

Memory Dump Source

Source File: 00000000.00000002.4559675677.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef0000_RtU8kXPnKr.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e1890ac3261d541d847d34588b1035cbf0f76c613b2b61ae97d16399e5e34040
Instruction ID: 469c784a4c5899880404b96bf1d90b284e932418d694e0e618ccee650bd0a7bd
Opcode Fuzzy Hash: e1890ac3261d541d847d34588b1035cbf0f76c613b2b61ae97d16399e5e34040
Instruction Fuzzy Hash: FA51CEB5C1030DDFDB14CF99C984ADEBBB5BF48310F24822AE919AB210D7759945CF90

Function 06EF1CF0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06EF1E02

Memory Dump Source

Source File: 00000000.00000002.4559675677.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef0000_RtU8kXPnKr.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7b91b3d3c8b670ffc6aae675a9ea831ab29915a460cebe0f36181fabf3394778
Instruction ID: 35ca9fd6c25aa125b9afba5de3f6b84abb6674148e937d8059031f47ae5365a6
Opcode Fuzzy Hash: 7b91b3d3c8b670ffc6aae675a9ea831ab29915a460cebe0f36181fabf3394778
Instruction Fuzzy Hash: 0E41AFB1D1030DDFDB14CF9AC984ADEBBB5BF48310F64822AE919AB210D775A945CF90

Function 03173334 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031733F1

Memory Dump Source

Source File: 00000000.00000002.4557940464.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_RtU8kXPnKr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dbe34e2864eeeb23552bdd87d552b333e01ac693301e8c51f8b2481565f82ec6
Instruction ID: ca5271c590ab2abfa3577f55b4e70caf8f3209a887b349cbca4082067231439a
Opcode Fuzzy Hash: dbe34e2864eeeb23552bdd87d552b333e01ac693301e8c51f8b2481565f82ec6
Instruction Fuzzy Hash: 79411FB5C0071DCFDB24CFA9C844B9DBBB1BF48304F24856AD419AB251DB716946CF90

Function 06EF129C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06EF4371

Memory Dump Source

Source File: 00000000.00000002.4559675677.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef0000_RtU8kXPnKr.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 255205079ff02d9b480f8d910d64eac62a6b479e6c0526318daa9ceb81a3fc18
Instruction ID: a9d87bffe8d823fa5f23a6b45bd42ed2c84de0a9c197b2a94d249c3f1848e33c
Opcode Fuzzy Hash: 255205079ff02d9b480f8d910d64eac62a6b479e6c0526318daa9ceb81a3fc18
Instruction Fuzzy Hash: 064127B4910309CFDB54DF99C888AABBBF5FF88314F248459D519AB362D334A941CBA0

Function 03171978 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031733F1

Memory Dump Source

Source File: 00000000.00000002.4557940464.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_RtU8kXPnKr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 98a887d72566d112c138402c42a0314921db05e3ff1dd55497a4a32f931a9349
Instruction ID: b0b7206dd85ca51a92de48f54d33c0125e295253efcaf28de395b924b8847994
Opcode Fuzzy Hash: 98a887d72566d112c138402c42a0314921db05e3ff1dd55497a4a32f931a9349
Instruction Fuzzy Hash: A1412FB4C0071DCBDB24DFA9C844B9EFBB1BF48304F24846AD419AB251DBB1A985CF90

Function 06E41DAC Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?,?,?,?,00000000,00000000,?,06E42155,00000000,00000000), ref: 06E42648

Memory Dump Source

Source File: 00000000.00000002.4559608265.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_RtU8kXPnKr.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c3d6f3d1d9adfcf4d497b179a79b15adf7be1b22925c6dc736717f6a07a95624
Instruction ID: e96c23b5a3d2eb0c0f8f6f2119400a9ae5fb7116f5c4c98240895bd152ef8e1c
Opcode Fuzzy Hash: c3d6f3d1d9adfcf4d497b179a79b15adf7be1b22925c6dc736717f6a07a95624
Instruction Fuzzy Hash: 1F2124B0D00319DFCB50EFA9D898BDEBBF5FB48310F10841AE509A7250D775AA00CBA0

Function 06E425B0 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(?,00000000,?,?,?,?,?,00000000,00000000,?,06E42155,00000000,00000000), ref: 06E42648

Memory Dump Source

Source File: 00000000.00000002.4559608265.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_RtU8kXPnKr.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: bc1364163cb79b773a8ce41d76012e4966b9581923de1c19da00b06bc9e59f7a
Instruction ID: 38540b512733ad0af9f2f9c7dc61acc3f88008848b2556eff59182c6ad83ac33
Opcode Fuzzy Hash: bc1364163cb79b773a8ce41d76012e4966b9581923de1c19da00b06bc9e59f7a
Instruction Fuzzy Hash: 6B2124B0D003099FCB50EFA9D894ADEFBF1BF88310F10842AE519A7250D775AA04CBA0

Function 06EF677F Relevance: 1.6, APIs: 1, Instructions: 66
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 06EF6835

Memory Dump Source

Source File: 00000000.00000002.4559675677.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef0000_RtU8kXPnKr.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d124505c5e60fc7995ca3956495bbb347f3dc8b94c9374f1ec4df5f2bf1a2744
Instruction ID: ec049868e1fa82bfc556fb685b25bc9e563dabcd926dddf0133031ae4de9a426
Opcode Fuzzy Hash: d124505c5e60fc7995ca3956495bbb347f3dc8b94c9374f1ec4df5f2bf1a2744
Instruction Fuzzy Hash: 3A21BE71C203888FCB60DFA9D5457DABBF4EF08718F14885ED60AA7691D3B9A844CF94

Function 06E45641 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06E456CF

Memory Dump Source

Source File: 00000000.00000002.4559608265.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_RtU8kXPnKr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9183e1a53264e6cdb61f7e1ef9b2031c967beb85a0ff1e87e207a26e764ff17f
Instruction ID: 859fa66d16cb58a6fa5b5c50b0840020855a949e7076797f06eaa42e364eb859
Opcode Fuzzy Hash: 9183e1a53264e6cdb61f7e1ef9b2031c967beb85a0ff1e87e207a26e764ff17f
Instruction Fuzzy Hash: C72103B5D00308AFDB10CFAAD984ADEBBF5FB48310F14801AE914A3310D378A944CFA4

Function 06E45648 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06E456CF

Memory Dump Source

Source File: 00000000.00000002.4559608265.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_RtU8kXPnKr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 32bf7022932d8ff24f35df81831d12cbc9dfed99264a40c21ad3f4001a4e4ef0
Instruction ID: 6cb0ba2bd000a8a952d8ac6f398f50692bf2be7579ab6cc997ed840f6bb358e6
Opcode Fuzzy Hash: 32bf7022932d8ff24f35df81831d12cbc9dfed99264a40c21ad3f4001a4e4ef0
Instruction Fuzzy Hash: 7221E3B5D003089FDB10DFAAD984ADEBBF4EB48310F14845AE914A7250D374A954CFA4

Function 0317DCFC Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0317E6BD), ref: 0317E740

Memory Dump Source

Source File: 00000000.00000002.4557940464.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_RtU8kXPnKr.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ee6e7bfa02d4c65923c2fd61c3b40fe8478a16db3c414a00f55c10683d1adba1
Instruction ID: 15af78e7313cb20eee702793829cd42a41799dfbb41f3507cfd200f491d64ff0
Opcode Fuzzy Hash: ee6e7bfa02d4c65923c2fd61c3b40fe8478a16db3c414a00f55c10683d1adba1
Instruction Fuzzy Hash: 302144B1C0065A9BCB24DF9AD4447EEFBF4BB48720F19816AD919B7240D338A944CFE4

Function 0317E6C8 Relevance: 1.6, APIs: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0317E6BD), ref: 0317E740

Memory Dump Source

Source File: 00000000.00000002.4557940464.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_RtU8kXPnKr.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 34f201a806b23b1f48ab5c3d2f3f1fa26f64fe2657bcce04be4adb42d963d3e5
Instruction ID: ac5ab072b5341af0e5861f4526b893e8577930b9978dccee2a95bf78c7ee2bed
Opcode Fuzzy Hash: 34f201a806b23b1f48ab5c3d2f3f1fa26f64fe2657bcce04be4adb42d963d3e5
Instruction Fuzzy Hash: 761144B6C0065A8FDB10CF99D5417EEFBF0BB48320F19866AD818A7240D338A905CFA5

Function 06E4F698 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 06E4F6FE

Memory Dump Source

Source File: 00000000.00000002.4559608265.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_RtU8kXPnKr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 65af24548d56618693a940a838fe17d5f7c7f99dcd5f1ad7c56b313b9ea46fef
Instruction ID: c4046a59f506fe2e9e78221e93e26f11cfa3420b623772023450088e12b7e0db
Opcode Fuzzy Hash: 65af24548d56618693a940a838fe17d5f7c7f99dcd5f1ad7c56b313b9ea46fef
Instruction Fuzzy Hash: 2A1110B6C003498FCB10DFAAD448ADEFBF4AF88724F10855AD819A7650C379A545CFA1

Function 06EF58C8 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06EF6835

Memory Dump Source

Source File: 00000000.00000002.4559675677.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef0000_RtU8kXPnKr.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c62b57826ad98cc9db0a8e732b4df00f77bf205df5c5c4b3a54b07e7ecaacbd1
Instruction ID: 04db328e30fb6f60b7083fae47a520e16800441bd77656cfc28416cad1a06cd5
Opcode Fuzzy Hash: c62b57826ad98cc9db0a8e732b4df00f77bf205df5c5c4b3a54b07e7ecaacbd1
Instruction Fuzzy Hash: 9A1130B0C003488FCB60DF9AD489BDEBBF4EB48320F208459DA19A7240D378A944CFA4

Function 06EF67D9 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06EF6835

Memory Dump Source

Source File: 00000000.00000002.4559675677.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef0000_RtU8kXPnKr.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 25768af256bc14a01c19da258ac3d8ac6354457a7912344131c6b4bb707c5b6c
Instruction ID: c8d62d2f929c497854a5ace58ca6d16e037916faf9498df4c06df35d2cdcca91
Opcode Fuzzy Hash: 25768af256bc14a01c19da258ac3d8ac6354457a7912344131c6b4bb707c5b6c
Instruction Fuzzy Hash: C41142B5C00389CFCB50DFAAD989BDEBBF4AB08310F24845AD519B7610D338A544CFA5

Function 030AD154 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557740429.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30ad000_RtU8kXPnKr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f12511a52a6631618b104b47daf911cf8f67372a5caf1d80825cf03292c0269
Instruction ID: 0a8b738c318624b31aee6fe70bfb86c9084e2f20b2adc6a36f26e3b0863d5193
Opcode Fuzzy Hash: 1f12511a52a6631618b104b47daf911cf8f67372a5caf1d80825cf03292c0269
Instruction Fuzzy Hash: 19213775600604EFDB00DF9CE5D0F2ABBA5FB84314F24C9ADE9094B642C336D846CB61

Function 030AD14F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557740429.00000000030AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30ad000_RtU8kXPnKr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21f20f9b933fcfff6280cc061701e95e78f5f46405777b46ba0931fd6c09a03
Instruction ID: acba1568f4a9a9d0c01d4d68003f018e4d3440f37c3ab4dc1f79dc88362e1985
Opcode Fuzzy Hash: c21f20f9b933fcfff6280cc061701e95e78f5f46405777b46ba0931fd6c09a03
Instruction Fuzzy Hash: 6A11DD75504684DFCB12CF58E5D4B15FBA2FB84314F28C6AAE8494B656C33AD80ACB61

Non-executed Functions

Function 03179670 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\V[n, xrefs: 031798BB

Memory Dump Source

Source File: 00000000.00000002.4557940464.0000000003170000.00000040.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3170000_RtU8kXPnKr.jbxd

Similarity

API ID:
String ID: \V[n
API String ID: 0-1005319620
Opcode ID: 3a1427f8fd92d45b28ab18ba7734102ff8fa90ea41cf9bf75c456adba776527e
Instruction ID: c585472a9059f37c50c13cd11609a0e76de0d17630ea503f7bc8ecd740f6cb0f
Opcode Fuzzy Hash: 3a1427f8fd92d45b28ab18ba7734102ff8fa90ea41cf9bf75c456adba776527e
Instruction Fuzzy Hash: 89915B70E00309DFDF14CFA9C9957DEBBF2AF88714F188129E415AB294EB749849CB91

Function 06EF0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4559675677.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef0000_RtU8kXPnKr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb6c694efe90a056f5b9d982066c1dd7db1d00ecdf3ce50d9a13914129c01ae
Instruction ID: 58d8db9108db5e0d074f223d544900d0813df7698f14df1046047f69a637ec8a
Opcode Fuzzy Hash: fdb6c694efe90a056f5b9d982066c1dd7db1d00ecdf3ce50d9a13914129c01ae
Instruction Fuzzy Hash: 4612A7F0409F45DAD318EF65E84C1893BB6B74A32AF504209D2E16E2EDDBB415CACF64

Function 06E4E2D0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4559608265.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e40000_RtU8kXPnKr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34aad9e33dfd71297cc5da2361d08619cabda74babc761c96c6fb030f0c36973
Instruction ID: 3c12a769fbf08f0a10c85972632a3c0faf1a847168b6dbe8b7dc056791e42936
Opcode Fuzzy Hash: 34aad9e33dfd71297cc5da2361d08619cabda74babc761c96c6fb030f0c36973
Instruction Fuzzy Hash: A4A18F32E00309CFCF55EFB5E84459EBBB6FF85300B25556AE816AB261DB31E945CB80

Function 06EF0006 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4559675677.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ef0000_RtU8kXPnKr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851ff6a6309a64ddfd17a1f882d43f9fbf6e19832c07af6bfd87b9cb02f35205
Instruction ID: 672d867b4ad31bd8f4f4076698a14c5b72139aa50cfa051253d394353e2bd11b
Opcode Fuzzy Hash: 851ff6a6309a64ddfd17a1f882d43f9fbf6e19832c07af6bfd87b9cb02f35205
Instruction Fuzzy Hash: 00D13CB0409B459FD319EF25EC481893BB6BB8B326B504319D1A16F2DDDBB814CACF64

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RtU8kXPnKr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Logs\12-31-2024

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
RtU8kXPnKr.exe

Function 06EF69F8 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Function 0317DF18 Relevance: 1.8, APIs: 1, Instructions: 311
libraryCOMMON

Function 06E45083 Relevance: 6.4, APIs: 4, Instructions: 403
threadCOMMON

Function 06E44DB8 Relevance: 6.4, APIs: 4, Instructions: 360
threadCOMMON

Function 06E453E9 Relevance: 6.1, APIs: 4, Instructions: 141
threadCOMMON

Function 06E4399C Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Function 06E4F499 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Function 06EF1CE4 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Function 06EF1CF0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 03173334 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 06EF129C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 03171978 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 06E41DAC Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 06E425B0 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 06EF677F Relevance: 1.6, APIs: 1, Instructions: 66
comCOMMON