Edit tour

Windows Analysis Report
Sample.exe

Overview

General Information

Sample name:	Sample.exe
Analysis ID:	1584696
MD5:	196e2ae082841b1ab98dcfa445cf2704
SHA1:	4af7f4bb970331ae1eb569100de98c93b61c5459
SHA256:	c3e669b477d3e633bf336fc5d2506c86c8fc61b4d0be36fe2bbe3b361cf70a70
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to detect virtual machines (STR)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Sample.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\Sample.exe" MD5: 196E2AE082841B1AB98DCFA445CF2704)

schtasks.exe (PID: 6704 cmdline: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Runtime Broker.exe (PID: 3616 cmdline: "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" MD5: 196E2AE082841B1AB98DCFA445CF2704)

schtasks.exe (PID: 2056 cmdline: "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 3808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Runtime Broker.exe (PID: 2816 cmdline: "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" MD5: 196E2AE082841B1AB98DCFA445CF2704)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "91.160.181.237:4782;91.160.181.237:4783;", "SubDirectory": "Runtime Broker", "InstallName": "Runtime Broker.exe", "MutexName": "bcda0faa-47b1-4e7d-be7c-8ff6fbc69a61", "StartupKey": "Runtime Broker", "Tag": "database", "LogDirectoryName": "Logs", "ServerSignature": "AXyAB9i/QMJIU4gAdq1J+oniXOume3lU0T3mxu8IbdQdZszooY4hH9oIzunY7uWEeH5OlXOXfcuCfe0kKFfGEKM7XRr8jCBOkPTdS45c6qEpqV6p7Xgf5apTLyQ+nhcpX2Kj5wmcb7/d/IkQ0EYvseR15ZhRZ9DhW2WyhUtb9PBZLtFfMk/4PXSr84aAVdYq0WtitFSDymQ93Y2bBvw4ONybXHQnu7GCtw37EfycClx3qEYXr3UWQqzNpk8zvgRFsC0DH1Jlj7X8pkiz+ZB5zxx38ZPAHOjO5vwkOzJzPmmT2VCkaw/6LYXGPeIz2GG76GtNcjP/yvlzB+pg9kOyptgH97tiKY5rux6cvIpEYY881bj6rgSmp6fexC9Tlo+0eZQJkuo0m0KnckjFf8jCCNsfzOy3W/XhlvZrwRBxTqCESNU8Pgl4/VUNQb97J7g2+qHvQP5YICJuwDKWsupSooNlMUbj28SdfjWHV4FqN0trPxfkI/aLYsvObLVm+XIkGE+9IqB+R01Fobp2B4AzvGiFS2k/lESyFiCTWOEpRL0rgyIM1/he6JGyo+bhq72+IZAehI6IJigodhZeXHPXbzg6gCjVhUJw1g+B2PVRgy+GTHcRYD+b3oX7L26Hih+/pEK1590qFQa8k4VPLbZ8BYEVAP/086SQFh+6LCqAW+A=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAOJVSuPyL8hJWIKlG45dAzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTIzMDcwMjEyNDQyMVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr0icLbTG7+EbVFBiDOtG0P/teScd/9W++vB3ud2IzAipEreS6eWe1tortnmxqOzd1naorhWrkJFOKd8ZvM97F7O2KjSUkAWPLy1ZtN8VVaBVyzeQGMcy052/AfS+9FPdgoWNjVhBO8BqUlRadFqtQ0YkSh3ljPOeCGoDcwFjbqpg4afzwhqeuubqFaAX1aglP+VXsZ0tqJgVR3A6tSoYNgl2l+qylC2tSYKtlCEVoCCAxiQWUrKIk03DkYW427jYo08qAVUaFdOvuI2vbtKn6qZVQ7teLgc1vUHyQYINFg2OipfBXvuwQ8ZAXq9kwN0UIy+WnI4cVUClWZMNPXZ+V3zkK98liNZZZDSbLc9OAGJqk6ZKNs1sczaMcMKQv/jo4ZgWyEYcJMvKT2yY6kG+rZ0xmahx8NjF+9r612Lhnh7/V67N95Sd9onoq6d9z8gokcu39xvtwTVFGzPUo2stLWEQDj0A01v/o4oFr99/v1a8yYgGsLMLC1LMJnftFqIY8jwUOMASGNP6REgR8JUt2NWI/keX7UKYT6W6B9r45w/JxrTHipkrHOMA0cRXF2G2c2yUo7kg8lugQodWcQHx3ppM99WgeM35CJbOPVow4j7lQhDM9Nt8Xbx+GmTzRxxL9nlAlTc/6s532MGcWRpG6GCtmdSkL1SRav0b6bJX2p8CAwEAAaMyMDAwHQYDVR0OBBYEFGkT/G3gZe2DglfmM3uVPBg+AI8xMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBADIYLKX0Ilznp0aMkI/pP0gWscsfOHfPtdar81lsIoszY0F621AczluG1osi00pboN9K9zb9+HmOSi9MsFHu7OaDhZBmw0ebTZVccX8K/lVhbb28nG0Jwk80pUGbq6AoZY8AssHfaPq4j8A5cArI5eg6DPvT8ijjuq1vTln4EjRuZclCKMuGw6Vx/1SinCvaTff9GPxYn2/egLvNxLrNbi/L1UYfltIBXvvIECtQ4X45pPTVE9UBpSS2OMYxzpESZD0HFqdm5IZZ7sL8pJAo2/l4HqijJk1JCsljC//IABz9KneIRO0pQKRmVXTF9L2qGLse5bYd6RvSOqgromnz9wtHljZy9oRKzwqbfYAH/M/M6tbzIztff/TYw8Cuj/7lPDOHLxzepH04wvjjaceZRaM0lyHmB42qIuSvrvWo1Cg4YP3RnIdv2NqqpUkaPpO3ZX3LGQ1JFmqjDZkgOzjLlfAPOCX7Okalt/KrAhl8FxKY6BvdQaFYL746DAeT89aCwBHwnxWokLE2t9NBOpVVNRpDJ9XnwBEx0qDyeqXe7KGpR3ZdveyviEz/qdXSgw++q7/WRFuzWYGwOXZrSpfBT+W29JDz9HWEYzdvhPmL984TRQ0R3TZzYZct6uiArNb6rT+A+KWFDzJc+PB2MW1ToFDeQ28BB3ugpS3OSh/vfuDs"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Sample.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Sample.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Sample.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed7:$x1: Quasar.Common.Messages 0x29f200:$x1: Quasar.Common.Messages 0x2ab816:$x4: Uninstalling... good bye :-( 0x2ad00b:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
Sample.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadc8:$f1: FileZilla\recentservers.xml 0x2aae08:$f2: FileZilla\sitemanager.xml 0x2aae4a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab096:$b1: Chrome\User Data\ 0x2ab0ec:$b1: Chrome\User Data\ 0x2ab3c4:$b2: Mozilla\Firefox\Profiles 0x2ab4c0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd46c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab618:$b4: Opera Software\Opera Stable\Login Data 0x2ab6d2:$b5: YandexBrowser\User Data\ 0x2ab740:$b5: YandexBrowser\User Data\ 0x2ab414:$s4: logins.json 0x2ab14a:$a1: username_value 0x2ab168:$a2: password_value 0x2ab454:$a3: encryptedUsername 0x2fd3b0:$a3: encryptedUsername 0x2ab478:$a4: encryptedPassword 0x2fd3ce:$a4: encryptedPassword 0x2fd34c:$a5: httpRealm
Sample.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab900:$s3: Process already elevated. 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e95f:$s5: GetKeyloggerLogsDirectory 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords 0x2fea9a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\System32\Runtime Broker\Runtime Broker.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
C:\Windows\System32\Runtime Broker\Runtime Broker.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Windows\System32\Runtime Broker\Runtime Broker.exe	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed7:$x1: Quasar.Common.Messages 0x29f200:$x1: Quasar.Common.Messages 0x2ab816:$x4: Uninstalling... good bye :-( 0x2ad00b:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Windows\System32\Runtime Broker\Runtime Broker.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadc8:$f1: FileZilla\recentservers.xml 0x2aae08:$f2: FileZilla\sitemanager.xml 0x2aae4a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab096:$b1: Chrome\User Data\ 0x2ab0ec:$b1: Chrome\User Data\ 0x2ab3c4:$b2: Mozilla\Firefox\Profiles 0x2ab4c0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd46c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab618:$b4: Opera Software\Opera Stable\Login Data 0x2ab6d2:$b5: YandexBrowser\User Data\ 0x2ab740:$b5: YandexBrowser\User Data\ 0x2ab414:$s4: logins.json 0x2ab14a:$a1: username_value 0x2ab168:$a2: password_value 0x2ab454:$a3: encryptedUsername 0x2fd3b0:$a3: encryptedUsername 0x2ab478:$a4: encryptedPassword 0x2fd3ce:$a4: encryptedPassword 0x2fd34c:$a5: httpRealm
C:\Windows\System32\Runtime Broker\Runtime Broker.exe	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab900:$s3: Process already elevated. 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e95f:$s5: GetKeyloggerLogsDirectory 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords 0x2fea9a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1658588464.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Sample.exe PID: 6600	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: Runtime Broker.exe PID: 3616	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Sample.exe.a80000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.Sample.exe.a80000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.Sample.exe.a80000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28eed7:$x1: Quasar.Common.Messages 0x29f200:$x1: Quasar.Common.Messages 0x2ab816:$x4: Uninstalling... good bye :-( 0x2ad00b:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.Sample.exe.a80000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadc8:$f1: FileZilla\recentservers.xml 0x2aae08:$f2: FileZilla\sitemanager.xml 0x2aae4a:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab096:$b1: Chrome\User Data\ 0x2ab0ec:$b1: Chrome\User Data\ 0x2ab3c4:$b2: Mozilla\Firefox\Profiles 0x2ab4c0:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd46c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab618:$b4: Opera Software\Opera Stable\Login Data 0x2ab6d2:$b5: YandexBrowser\User Data\ 0x2ab740:$b5: YandexBrowser\User Data\ 0x2ab414:$s4: logins.json 0x2ab14a:$a1: username_value 0x2ab168:$a2: password_value 0x2ab454:$a3: encryptedUsername 0x2fd3b0:$a3: encryptedUsername 0x2ab478:$a4: encryptedPassword 0x2fd3ce:$a4: encryptedPassword 0x2fd34c:$a5: httpRealm
0.0.Sample.exe.a80000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab900:$s3: Process already elevated. 0x28ebd6:$s4: get_PotentiallyVulnerablePasswords 0x278c92:$s5: GetKeyloggerLogsDirectory 0x29e95f:$s5: GetKeyloggerLogsDirectory 0x28ebf9:$s6: set_PotentiallyVulnerablePasswords 0x2fea9a:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Sample.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe

Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: Sample.exe

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "91.160.181.237:4782;91.160.181.237:4783;", "SubDirectory": "Runtime Broker", "InstallName": "Runtime Broker.exe", "MutexName": "bcda0faa-47b1-4e7d-be7c-8ff6fbc69a61", "StartupKey": "Runtime Broker", "Tag": "database", "LogDirectoryName": "Logs", "ServerSignature": "AXyAB9i/QMJIU4gAdq1J+oniXOume3lU0T3mxu8IbdQdZszooY4hH9oIzunY7uWEeH5OlXOXfcuCfe0kKFfGEKM7XRr8jCBOkPTdS45c6qEpqV6p7Xgf5apTLyQ+nhcpX2Kj5wmcb7/d/IkQ0EYvseR15ZhRZ9DhW2WyhUtb9PBZLtFfMk/4PXSr84aAVdYq0WtitFSDymQ93Y2bBvw4ONybXHQnu7GCtw37EfycClx3qEYXr3UWQqzNpk8zvgRFsC0DH1Jlj7X8pkiz+ZB5zxx38ZPAHOjO5vwkOzJzPmmT2VCkaw/6LYXGPeIz2GG76GtNcjP/yvlzB+pg9kOyptgH97tiKY5rux6cvIpEYY881bj6rgSmp6fexC9Tlo+0eZQJkuo0m0KnckjFf8jCCNsfzOy3W/XhlvZrwRBxTqCESNU8Pgl4/VUNQb97J7g2+qHvQP5YICJuwDKWsupSooNlMUbj28SdfjWHV4FqN0trPxfkI/aLYsvObLVm+XIkGE+9IqB+R01Fobp2B4AzvGiFS2k/lESyFiCTWOEpRL0rgyIM1/he6JGyo+bhq72+IZAehI6IJigodhZeXHPXbzg6gCjVhUJw1g+B2PVRgy+GTHcRYD+b3oX7L26Hih+/pEK1590qFQa8k4VPLbZ8BYEVAP/086SQFh+6LCqAW+A=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAOJVSuPyL8hJWIKlG45dAzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTIzMDcwMjEyNDQyMVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr0icLbTG7+EbVFBiDOtG0P/teScd/9W++vB3ud2IzAipEreS6eWe1tortnmxqOzd1naorhWrkJFOKd8ZvM97F7O2KjSUkAWPLy1ZtN8VVaBVyzeQGMcy052/AfS+9FPdgoWNjVhBO8BqUlRadFqtQ0YkSh3ljPOeCGoDcwFjbqpg4afzwhqeuubqFaAX1aglP+VXsZ0tqJgVR3A6tSoYNgl2l+qylC2tSYKtlCEVoCCAxiQWUrKIk03DkYW427jYo08qAVUaFdOvuI2vbtKn6qZVQ7teLgc1vUHyQYINFg2OipfBXvuwQ8ZAXq9kwN0UIy+WnI4cVUClWZMNPXZ+V3zkK98liNZZZDSbLc9OAGJqk6ZKNs1sczaMcMKQv/jo4ZgWyEYcJMvKT2yY6kG+rZ0xmahx8NjF+9r612Lhnh7/V67N95Sd9onoq6d9z8gokcu39xvtwTVFGzPUo2stLWEQDj0A01v/o4oFr99/v1a8yYgGsLMLC1LMJnftFqIY8jwUOMASGNP6REgR8JUt2NWI/keX7UKYT6W6B9r45w/JxrTHipkrHOMA0cRXF2G2c2yUo7kg8lugQodWcQHx3ppM99WgeM35CJbOPVow4j7lQhDM9Nt8Xbx+GmTzRxxL9nlAlTc/6s532MGcWRpG6GCtmdSkL1SRav0b6bJX2p8CAwEAAaMyMDAwHQYDVR0OBBYEFGkT/G3gZe2DglfmM3uVPBg+AI8xMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBADIYLKX0Ilznp0aMkI/pP0gWscsfOHfPtdar81lsIoszY0F621AczluG1osi00pboN9K9zb9+HmOSi9MsFHu7OaDhZBmw0ebTZVccX8K/lVhbb28nG0Jwk80pUGbq6AoZY8AssHfaPq4j8A5cArI5eg6DPvT8ijjuq1vTln4EjRuZclCKMuGw6Vx/1SinCvaTff9GPxYn2/egLvNxLrNbi/L1UYfltIBXvvIECtQ4X45pPTVE9UBpSS2OMYxzpESZD0HFqdm5IZZ7sL8pJAo2/l4HqijJk1JCsljC//IABz9KneIRO0pQKRmVXTF9L2qGLse5bYd6RvSOqgromnz9wtHljZy9oRKzwqbfYAH/M/M6tbzIztff/TYw8Cuj/7lPDOHLxzepH04wvjjaceZRaM0lyHmB42qIuSvrvWo1Cg4YP3RnIdv2NqqpUkaPpO3ZX3LGQ1JFmqjDZkgOzjLlfAPOCX7Okalt/KrAhl8FxKY6BvdQaFYL746DAeT89aCwBHwnxWokLE2t9NBOpVVNRpDJ9XnwBEx0qDyeqXe7KGpR3ZdveyviEz/qdXSgw++q7/WRFuzWYGwOXZrSpfBT+W29JDz9HWEYzdvhPmL984TRQ0R3TZzYZct6uiArNb6rT+A+KWFDzJc+PB2MW1ToFDeQ28BB3ugpS3OSh/vfuDs"}

Multi AV Scanner detection for dropped file

Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: Sample.exe	Virustotal: Detection: 70%			Perma Link
Source: Sample.exe	ReversingLabs: Detection: 73%

Yara detected Quasar RAT

Source: Yara match	File source: Sample.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Sample.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1658588464.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Sample.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Runtime Broker.exe PID: 3616, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Sample.exe

Joe Sandbox ML: detected

Source: Sample.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Sample.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 91.160.181.237

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.160.181.237 ports 4782,4783,2,4,7,8

Yara detected Generic Downloader

Source: Yara match	File source: Sample.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Sample.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 91.160.181.237:4782

Source: global traffic

TCP traffic: 192.168.2.4:49751 -> 1.1.1.1:53

Source: Joe Sandbox View

ASN Name: PROXADFR PROXADFR

Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237
Source: unknown	TCP traffic detected without corresponding DNS query: 91.160.181.237

Source: Sample.exe, 00000000.00000002.1686333050.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Runtime Broker.exe, 00000003.00000002.2924470996.0000000003159000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sample.exe, Runtime Broker.exe.0.dr	String found in binary or memory: https://api.ipify.org/
Source: Sample.exe, Runtime Broker.exe.0.dr	String found in binary or memory: https://ipwho.is/
Source: Sample.exe, Runtime Broker.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Sample.exe, Runtime Broker.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Sample.exe, Runtime Broker.exe.0.dr	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe

Windows user hook set: 0 keyboard low level C:\Windows\system32\Runtime Broker\Runtime Broker.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: Sample.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Sample.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1658588464.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Sample.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Runtime Broker.exe PID: 3616, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: Sample.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: Sample.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Sample.exe, type: SAMPLE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.Sample.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.Sample.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.Sample.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED	Matched rule: Detects Quasar infostealer Author: ditekshen

Source: C:\Users\user\Desktop\Sample.exe	File created: C:\Windows\system32\Runtime Broker			Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	File created: C:\Windows\system32\Runtime Broker\Runtime Broker.exe			Jump to behavior

Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Code function: 3_2_00007FFD9B9EAFDD	3_2_00007FFD9B9EAFDD
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Code function: 3_2_00007FFD9B9E9BD1	3_2_00007FFD9B9E9BD1
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Code function: 3_2_00007FFD9B9E9271	3_2_00007FFD9B9E9271
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Code function: 3_2_00007FFD9B9E55D6	3_2_00007FFD9B9E55D6
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Code function: 3_2_00007FFD9B9E621F	3_2_00007FFD9B9E621F

Source: Sample.exe, 00000000.00000000.1658906266.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCopyright (C) 2017-2021 0 vs Sample.exe
Source: Sample.exe	Binary or memory string: OriginalFilenameCopyright (C) 2017-2021 0 vs Sample.exe

Source: Sample.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Sample.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: Sample.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Sample.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.Sample.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.Sample.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.Sample.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/3@0/1

Source: C:\Users\user\Desktop\Sample.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sample.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3808:120:WilError_03
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Mutant created: NULL
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\bcda0faa-47b1-4e7d-be7c-8ff6fbc69a61

Source: Sample.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Sample.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Sample.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Sample.exe	Virustotal: Detection: 70%
Source: Sample.exe	ReversingLabs: Detection: 73%

Source: Sample.exe

String found in binary or memory: HasSubValue3Conflicting item/add type

Source: C:\Users\user\Desktop\Sample.exe

File read: C:\Users\user\Desktop\Sample.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Sample.exe "C:\Users\user\Desktop\Sample.exe"
Source: C:\Users\user\Desktop\Sample.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Sample.exe	Process created: C:\Windows\System32\Runtime Broker\Runtime Broker.exe "C:\Windows\system32\Runtime Broker\Runtime Broker.exe"
Source: unknown	Process created: C:\Windows\System32\Runtime Broker\Runtime Broker.exe "C:\Windows\system32\Runtime Broker\Runtime Broker.exe"
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Sample.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process created: C:\Windows\System32\Runtime Broker\Runtime Broker.exe "C:\Windows\system32\Runtime Broker\Runtime Broker.exe"	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\Sample.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior

Source: Sample.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Sample.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Sample.exe

Static file information: File size 3266048 > 1048576

Source: Sample.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c600

Source: Sample.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Sample.exe	Code function: 0_2_00007FFD9B7600BD pushad ; iretd	0_2_00007FFD9B7600C1
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Code function: 3_2_00007FFD9B7700BD pushad ; iretd	3_2_00007FFD9B7700C1
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Code function: 3_2_00007FFD9B9E336E push eax; ret	3_2_00007FFD9B9E340C
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Code function: 4_2_00007FFD9B7700BD pushad ; iretd	4_2_00007FFD9B7700C1

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\Sample.exe

Executable created and started: C:\Windows\system32\Runtime Broker\Runtime Broker.exe

Jump to behavior

Source: C:\Users\user\Desktop\Sample.exe

File created: C:\Windows\System32\Runtime Broker\Runtime Broker.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Sample.exe

File created: C:\Windows\System32\Runtime Broker\Runtime Broker.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Sample.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Sample.exe	File opened: C:\Users\user\Desktop\Sample.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	File opened: C:\Windows\system32\Runtime Broker\Runtime Broker.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	File opened: C:\Windows\system32\Runtime Broker\Runtime Broker.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Sample.exe	Memory allocated: 12D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Memory allocated: 1B050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Memory allocated: 1B120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Memory allocated: A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Memory allocated: 1A6B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe

Code function: 3_2_00007FFD9B77F1F2 str ax

3_2_00007FFD9B77F1F2

Source: C:\Users\user\Desktop\Sample.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Window / User API: threadDelayed 6759			Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Window / User API: threadDelayed 3088			Jump to behavior

Source: C:\Users\user\Desktop\Sample.exe TID: 6552	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe TID: 4520	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe TID: 4520	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe TID: 1060	Thread sleep count: 6759 > 30	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe TID: 1060	Thread sleep count: 3088 > 30	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe TID: 2676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Sample.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Runtime Broker.exe, 00000003.00000002.2929954290.000000001BA32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Runtime Broker.exe, 00000003.00000002.2929954290.000000001BA32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Sample.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Sample.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Sample.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\Sample.exe	Process created: C:\Windows\System32\Runtime Broker\Runtime Broker.exe "C:\Windows\system32\Runtime Broker\Runtime Broker.exe"	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\Sample.exe	Queries volume information: C:\Users\user\Desktop\Sample.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Queries volume information: C:\Windows\System32\Runtime Broker\Runtime Broker.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe	Queries volume information: C:\Windows\System32\Runtime Broker\Runtime Broker.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Sample.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: Sample.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Sample.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1658588464.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Sample.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Runtime Broker.exe PID: 3616, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: Sample.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Sample.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1658588464.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Sample.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Runtime Broker.exe PID: 3616, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	121 Masquerading	11 Input Capture	11 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	41 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Sample.exe	71%	Virustotal		Browse
Sample.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar
Sample.exe	100%	Avira	HEUR/AGEN.1307453
Sample.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\System32\Runtime Broker\Runtime Broker.exe	100%	Avira	HEUR/AGEN.1307453
C:\Windows\System32\Runtime Broker\Runtime Broker.exe	100%	Joe Sandbox ML
C:\Windows\System32\Runtime Broker\Runtime Broker.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.Quasar

Source	Detection	Scanner	Label	Link
91.160.181.237	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
91.160.181.237	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	Sample.exe, Runtime Broker.exe.0.dr	false	high
https://stackoverflow.com/q/14436606/23354	Sample.exe, Runtime Broker.exe.0.dr	false	high
https://stackoverflow.com/q/2152978/23354sCannot	Sample.exe, Runtime Broker.exe.0.dr	false	high
https://ipwho.is/	Sample.exe, Runtime Broker.exe.0.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Sample.exe, 00000000.00000002.1686333050.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Runtime Broker.exe, 00000003.00000002.2924470996.0000000003159000.00000004.00000800.00020000.00000000.sdmp	false	high
https://stackoverflow.com/q/11564914/23354;	Sample.exe, Runtime Broker.exe.0.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.160.181.237	unknown	France		12322	PROXADFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584696
Start date and time:	2025-01-06 08:21:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Sample.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/3@0/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 27 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.253.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Runtime Broker.exe, PID 2816 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:22:24	API Interceptor	3803453x Sleep call for process: Runtime Broker.exe modified
07:22:22	Task Scheduler	Run new task: Runtime Broker path: C:\Windows\system32\Runtime s>Broker\Runtime Broker.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PROXADFR	cZO.exe	Get hash	malicious	Unknown	Browse	82.65.181.52
	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	78.240.160.233
	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	78.224.99.170
	momo.mips.elf	Get hash	malicious	Mirai	Browse	88.180.232.176
	momo.arm.elf	Get hash	malicious	Mirai	Browse	78.234.76.85
	momo.arm7.elf	Get hash	malicious	Mirai	Browse	88.165.176.186
	armv4l.elf	Get hash	malicious	Unknown	Browse	91.174.92.37
	1.elf	Get hash	malicious	Unknown	Browse	78.225.31.198
	armv6l.elf	Get hash	malicious	Unknown	Browse	78.201.21.165

Process:	C:\Windows\System32\Runtime Broker\Runtime Broker.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sample.exe.log

Download File

Process:	C:\Users\user\Desktop\Sample.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Windows\System32\Runtime Broker\Runtime Broker.exe

Download File

Process:	C:\Users\user\Desktop\Sample.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3266048
Entropy (8bit):	6.084421049485132
Encrypted:	false
SSDEEP:	49152:Pv/lL26AaNeWgPhlmVqvMQ7XSK4tMK1J3SoGdOTHHB72eh2NT:PvNL26AaNeWgPhlmVqkQ7XSK4tMz
MD5:	196E2AE082841B1AB98DCFA445CF2704
SHA1:	4AF7F4BB970331AE1EB569100DE98C93B61C5459
SHA-256:	C3E669B477D3E633BF336FC5D2506C86C8FC61B4D0BE36FE2BBE3B361CF70A70
SHA-512:	B64CF310FC65954C4873889CE68BCE0539435539D6FF017D8C0238EE829EC9FD5220398558F58E17E9154210856F245D94BD6BCF7780EDF0AAE6BED71958232E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: ditekshen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@...................................1.W.....2...................... 2...................................................... ............... ..H............text...4.1.. ....1................. ..`.rsrc.........2.......1.............@..@.reloc....... 2.......1.............@..B..................1.....H........................k..p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(........0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.............--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.............-5..........08......f~w...,.~....(....(.....v.(.....s....}.....s....}....r..(......(.....(......(....*....0..L........{....r...po....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.084421049485132
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Sample.exe
File size:	3'266'048 bytes
MD5:	196e2ae082841b1ab98dcfa445cf2704
SHA1:	4af7f4bb970331ae1eb569100de98c93b61c5459
SHA256:	c3e669b477d3e633bf336fc5d2506c86c8fc61b4d0be36fe2bbe3b361cf70a70
SHA512:	b64cf310fc65954c4873889ce68bce0539435539d6ff017d8c0238ee829ec9fd5220398558f58e17e9154210856f245d94bd6bcf7780edf0aae6bed71958232e
SSDEEP:	49152:Pv/lL26AaNeWgPhlmVqvMQ7XSK4tMK1J3SoGdOTHHB72eh2NT:PvNL26AaNeWgPhlmVqkQ7XSK4tMz
TLSH:	56E55A1437F85E23E1BBE273D5B0041667F1EC2AB3A3FB5B6181677A1C53B505801AAB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x71e42e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31e3d4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x320000	0xaec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x322000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31c434	0x31c600	a329949c1442b8351b0ee0324f979454	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x320000	0xaec	0xc00	4e1303286f1c711139751157853de5da	False	0.3766276041666667	data	5.205668892059367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x322000	0xc	0x200	99e75cdb3927a57ba5de39a6c2349231	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3200a0	0x374	data			0.4287330316742081
RT_MANIFEST	0x320414	0x6d7	XML 1.0 document, Unicode text, UTF-8 (with BOM) text			0.40319817247287265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 08:22:24.638360977 CET	49730	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:22:24.643318892 CET	4782	49730	91.160.181.237	192.168.2.4
Jan 6, 2025 08:22:24.647136927 CET	49730	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:22:24.656491041 CET	49730	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:22:24.661339998 CET	4782	49730	91.160.181.237	192.168.2.4
Jan 6, 2025 08:22:40.672255993 CET	49751	53	192.168.2.4	1.1.1.1
Jan 6, 2025 08:22:40.677107096 CET	53	49751	1.1.1.1	192.168.2.4
Jan 6, 2025 08:22:40.678870916 CET	49751	53	192.168.2.4	1.1.1.1
Jan 6, 2025 08:22:40.683732033 CET	53	49751	1.1.1.1	192.168.2.4
Jan 6, 2025 08:22:41.232369900 CET	49751	53	192.168.2.4	1.1.1.1
Jan 6, 2025 08:22:41.237356901 CET	53	49751	1.1.1.1	192.168.2.4
Jan 6, 2025 08:22:41.237472057 CET	49751	53	192.168.2.4	1.1.1.1
Jan 6, 2025 08:22:46.039855003 CET	4782	49730	91.160.181.237	192.168.2.4
Jan 6, 2025 08:22:46.039927006 CET	49730	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:22:46.054337978 CET	49730	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:22:46.059365034 CET	4782	49730	91.160.181.237	192.168.2.4
Jan 6, 2025 08:22:49.678505898 CET	49752	4783	192.168.2.4	91.160.181.237
Jan 6, 2025 08:22:49.683424950 CET	4783	49752	91.160.181.237	192.168.2.4
Jan 6, 2025 08:22:49.683546066 CET	49752	4783	192.168.2.4	91.160.181.237
Jan 6, 2025 08:22:49.684645891 CET	49752	4783	192.168.2.4	91.160.181.237
Jan 6, 2025 08:22:49.689425945 CET	4783	49752	91.160.181.237	192.168.2.4
Jan 6, 2025 08:23:11.083223104 CET	4783	49752	91.160.181.237	192.168.2.4
Jan 6, 2025 08:23:11.083281994 CET	49752	4783	192.168.2.4	91.160.181.237
Jan 6, 2025 08:23:11.083616018 CET	49752	4783	192.168.2.4	91.160.181.237
Jan 6, 2025 08:23:11.088380098 CET	4783	49752	91.160.181.237	192.168.2.4
Jan 6, 2025 08:23:14.537856102 CET	49753	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:23:14.542829990 CET	4782	49753	91.160.181.237	192.168.2.4
Jan 6, 2025 08:23:14.542952061 CET	49753	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:23:14.543329954 CET	49753	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:23:14.548129082 CET	4782	49753	91.160.181.237	192.168.2.4
Jan 6, 2025 08:23:35.909601927 CET	4782	49753	91.160.181.237	192.168.2.4
Jan 6, 2025 08:23:35.909662962 CET	49753	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:23:35.910037994 CET	49753	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:23:35.914843082 CET	4782	49753	91.160.181.237	192.168.2.4
Jan 6, 2025 08:23:39.272758007 CET	49878	4783	192.168.2.4	91.160.181.237
Jan 6, 2025 08:23:39.277620077 CET	4783	49878	91.160.181.237	192.168.2.4
Jan 6, 2025 08:23:39.277693033 CET	49878	4783	192.168.2.4	91.160.181.237
Jan 6, 2025 08:23:39.278048992 CET	49878	4783	192.168.2.4	91.160.181.237
Jan 6, 2025 08:23:39.282793999 CET	4783	49878	91.160.181.237	192.168.2.4
Jan 6, 2025 08:24:00.644642115 CET	4783	49878	91.160.181.237	192.168.2.4
Jan 6, 2025 08:24:00.651284933 CET	49878	4783	192.168.2.4	91.160.181.237
Jan 6, 2025 08:24:00.659506083 CET	49878	4783	192.168.2.4	91.160.181.237
Jan 6, 2025 08:24:00.664331913 CET	4783	49878	91.160.181.237	192.168.2.4
Jan 6, 2025 08:24:04.383343935 CET	50023	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:24:04.388247013 CET	4782	50023	91.160.181.237	192.168.2.4
Jan 6, 2025 08:24:04.388323069 CET	50023	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:24:04.391289949 CET	50023	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:24:04.396049023 CET	4782	50023	91.160.181.237	192.168.2.4
Jan 6, 2025 08:24:25.802331924 CET	4782	50023	91.160.181.237	192.168.2.4
Jan 6, 2025 08:24:25.802457094 CET	50023	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:24:25.802764893 CET	50023	4782	192.168.2.4	91.160.181.237
Jan 6, 2025 08:24:25.807554960 CET	4782	50023	91.160.181.237	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2025 08:22:40.671669006 CET	53	59441	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	02:22:20
Start date:	06/01/2025
Path:	C:\Users\user\Desktop\Sample.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Sample.exe"
Imagebase:	0xa80000
File size:	3'266'048 bytes
MD5 hash:	196E2AE082841B1AB98DCFA445CF2704
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.1658588464.0000000000A82000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:22:21
Start date:	06/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:22:21
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:22:22
Start date:	06/01/2025
Path:	C:\Windows\System32\Runtime Broker\Runtime Broker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\Runtime Broker\Runtime Broker.exe"
Imagebase:	0xb60000
File size:	3'266'048 bytes
MD5 hash:	196E2AE082841B1AB98DCFA445CF2704
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Windows\System32\Runtime Broker\Runtime Broker.exe, Author: ditekshen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:22:22
Start date:	06/01/2025
Path:	C:\Windows\System32\Runtime Broker\Runtime Broker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\Runtime Broker\Runtime Broker.exe"
Imagebase:	0xe0000
File size:	3'266'048 bytes
MD5 hash:	196E2AE082841B1AB98DCFA445CF2704
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:22:23
Start date:	06/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\system32\Runtime Broker\Runtime Broker.exe" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:22:23
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B763525 Relevance: 1.6, APIs: 1, Instructions: 117
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD9B763607

Memory Dump Source

Source File: 00000000.00000002.1689572742.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b760000_Sample.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3f6f9bd78f9fd24f1daa3284477b2e743d7790476b4af7c1fa950fe35a075ad5
Instruction ID: 2a7f2c0340a711bbb42292638a393177c7907ad14023b5a3f184a0fb35627000
Opcode Fuzzy Hash: 3f6f9bd78f9fd24f1daa3284477b2e743d7790476b4af7c1fa950fe35a075ad5
Instruction Fuzzy Hash: DB31053190DB5C8FDB1ADB688855AE9BFF0EF56311F0542AFD049D71A2CB246805C791

Function 00007FFD9B763569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD9B763607

Memory Dump Source

Source File: 00000000.00000002.1689572742.00007FFD9B760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b760000_Sample.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 4a8b8c94f086977879cdd3474ff1e75271943733efd8d93069a142ff53493ada
Instruction ID: 962261b025cca217792da3e8a6972bc5335c04c52e44e017d2e01fce52c6a387
Opcode Fuzzy Hash: 4a8b8c94f086977879cdd3474ff1e75271943733efd8d93069a142ff53493ada
Instruction Fuzzy Hash: 4A31D23190DB5C8FDB19DB588859AE9BBF0FF65311F04426FD049D32A2DB74A805CB91

Analysis Process: Runtime Broker.exePID: 3616, Parent PID: 6600COMMON

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9B9E55D6 Relevance: 2.1, Instructions: 2122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2933149040.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b9e0000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987325f82d2683bb214a47c918827fb95a786185c08f5e3638345606d184e13e
Instruction ID: ab4b500cdd066e4a9cf396cda66956ab66a956b81c4e31dadabc1e9d2a89f5d2
Opcode Fuzzy Hash: 987325f82d2683bb214a47c918827fb95a786185c08f5e3638345606d184e13e
Instruction Fuzzy Hash: 54F2B270A19A0D8FDFA8DF68C494BA977E1FF58304F1141A9D44ED72A6DE34EA41CB40

Function 00007FFD9B9E9BD1 Relevance: 1.5, Instructions: 1487
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2933149040.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b9e0000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a261c251868ff93f15cd671c3493aafc5901cf1c843db8c3c1952ff158d00d4
Instruction ID: bb6eada74dfd3954a460088bde9854044ef5c1cc11bbe89cfff6f16ce3a4b292
Opcode Fuzzy Hash: 5a261c251868ff93f15cd671c3493aafc5901cf1c843db8c3c1952ff158d00d4
Instruction Fuzzy Hash: 4C923931B1D94D5FEBA8EB6C8469B7837D1EF99310F0501BAE44EC72B6DE24AD028341

Function 00007FFD9B9EAFDD Relevance: .9, Instructions: 862
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2933149040.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b9e0000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d74e64ae2cc60c52c13e975c55ccdb71dcc46eaada7c2fa26d6df41f0bbf0b7c
Instruction ID: 8fe2fb2339d46313d2752280f6aac427aa2bead5ec7293acd243d03915928fca
Opcode Fuzzy Hash: d74e64ae2cc60c52c13e975c55ccdb71dcc46eaada7c2fa26d6df41f0bbf0b7c
Instruction Fuzzy Hash: 5B525030B18A498FDBA8EF2CC4A4B6977E1FF99304F1545B9E04EC72A6DE35E8418741

Function 00007FFD9B9E9271 Relevance: .7, Instructions: 678
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2933149040.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b9e0000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958ef265a16dc3b926b291051a825c9edb53c3f53c358a6bbb70c00374cec96a
Instruction ID: 91908e4a938359840fc15a951a140768e1b5f3a7f8dbc2fb9a9346d53cea33a4
Opcode Fuzzy Hash: 958ef265a16dc3b926b291051a825c9edb53c3f53c358a6bbb70c00374cec96a
Instruction Fuzzy Hash: 35227230B19A0D5FEB68EB5C84A97B977E2FF98300F15417DD44EC32A6DE34AA428741

Function 00007FFD9B9E621F Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2933149040.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b9e0000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12dfa441546b408a3beea0ef6afa2b8483f2b669843123f7fc2ce7850a1242af
Instruction ID: 1058182eaf64a272a55923a6d5a7cb40ba191a2602fd6dceb91927f7a485183e
Opcode Fuzzy Hash: 12dfa441546b408a3beea0ef6afa2b8483f2b669843123f7fc2ce7850a1242af
Instruction Fuzzy Hash: 7B023C30E28A1D8FEBA8DF58C49476977E1FF98301F1541B9D44ED32A6DA34BA81CB40

Function 00007FFD9B9EE6F9 Relevance: 1.8, APIs: 1, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2933149040.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b9e0000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2cbf482465d378ce32e5461ef7deb13fb27d0264cf1dd58ba9b212af7e93a8
Instruction ID: 07a7efbdca827bd9d306dc2342dd95b8b4cbf9202be97668492eb810f87abe70
Opcode Fuzzy Hash: cf2cbf482465d378ce32e5461ef7deb13fb27d0264cf1dd58ba9b212af7e93a8
Instruction Fuzzy Hash: 00714731A2DE4D4FDB58EB6C98655B977E1EF58310B0442BBE04EC32A7DE24A94287C1

Function 00007FFD9B773525 Relevance: 1.6, APIs: 1, Instructions: 132
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD9B773607

Memory Dump Source

Source File: 00000003.00000002.2931308223.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 51955e1d0ce3be647fced7196de5672d2fb8a31963807ce985130c27c303b9f9
Instruction ID: b803aeec6fd82c83b42943360f875056a85d923ba65a0fd59f878740581bddc8
Opcode Fuzzy Hash: 51955e1d0ce3be647fced7196de5672d2fb8a31963807ce985130c27c303b9f9
Instruction Fuzzy Hash: 9E414431A0DB4C8FCB19DF6888996E97BF0FF56310F0542AFD049C71A2CA64A906C791

Function 00007FFD9B773569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFD9B773607

Memory Dump Source

Source File: 00000003.00000002.2931308223.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: bd0a00df7b58dadcc5a35d66d8850a82156c50b21c9139f2f5d7d583e0e35f55
Instruction ID: 99aa4fdf22d60e79e06ea2bfa5e5e0831ea722e96da557ab6ef9d887c11094a8
Opcode Fuzzy Hash: bd0a00df7b58dadcc5a35d66d8850a82156c50b21c9139f2f5d7d583e0e35f55
Instruction Fuzzy Hash: C731C13190CB5C8FDB19DB588859AE9BBF0FF65311F04426BD049D32A2DB74A906CB91

Non-executed Functions

Function 00007FFD9B77F1F2 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2931308223.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afecb03f595489ac8c11ac2c29886081fb784167a893c786c46c35ceb37ce25d
Instruction ID: f752c7b0eaacd635d0c267c467e19e757e3ff60a32e718bfc71e799a2bf7117d
Opcode Fuzzy Hash: afecb03f595489ac8c11ac2c29886081fb784167a893c786c46c35ceb37ce25d
Instruction Fuzzy Hash: 61316F1FA4E1A61EE315B3BCB5B28FD3B51CF6223970842F3F19D4D0E79D09208A4A94

Analysis Process: Runtime Broker.exePID: 2816, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B772DC8 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9B772FCD

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: f248d4f5f156661b60d77c1e4f846f93deba70e69573b7b5fd8888fecb70c39e
Instruction ID: e0a27318116ece0f2c43546adfdfe21bf2ad0e7f5f7b9db68acaf7eceddeeab0
Opcode Fuzzy Hash: f248d4f5f156661b60d77c1e4f846f93deba70e69573b7b5fd8888fecb70c39e
Instruction Fuzzy Hash: 10718871F1990D4FDBA8EBA884A57BCB3D2EF99310F454179D45ED32E6CE68AC028740

Function 00007FFD9B770BCD Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

;N_I, xrefs: 00007FFD9B770C04

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID: ;N_I
API String ID: 0-1313454297
Opcode ID: 49ed9f19fd4892e6ba4f5dabc46c4bacdd2d8d1579e4b6d353ff0970fba27a01
Instruction ID: c1be42add7b5796d2763fd4b4b29dba7daf2155d248b29f1aecf70d6094cbd7b
Opcode Fuzzy Hash: 49ed9f19fd4892e6ba4f5dabc46c4bacdd2d8d1579e4b6d353ff0970fba27a01
Instruction Fuzzy Hash: FD815C3270FB854FE7259BBC54B46A93FA1EF41300B5401FAE488873EBE9687941C741

Function 00007FFD9B7715FA Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

.N_^, xrefs: 00007FFD9B771601

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID: .N_^
API String ID: 0-2858261171
Opcode ID: d3319b9f2747acd99580145792a08e03aae0093ef7ec89b805d3ed144ba2dd7a
Instruction ID: 8e467d0115f43e3a5eb38e6cb31278c31c443e56b81d3caa2290e02baf0af8dd
Opcode Fuzzy Hash: d3319b9f2747acd99580145792a08e03aae0093ef7ec89b805d3ed144ba2dd7a
Instruction Fuzzy Hash: 0A21051670DAA90FD715A76CA8B56F43BD1DF5622070D02F7D099CB1A3CD0859098391

Function 00007FFD9B7720FA Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab3a07c71b158245cab55c149b5c2074b59eff46f703dfb02b811d5aafae601
Instruction ID: dc421a6aaaf9ec7a24efc5c0e3a42abb0169f44890d20e2960398fd91600638a
Opcode Fuzzy Hash: 3ab3a07c71b158245cab55c149b5c2074b59eff46f703dfb02b811d5aafae601
Instruction Fuzzy Hash: B9A11B31B1AA8E0FEBA5EB6884A56B977D2FF95300F0502B9D45DC71F7CD68AD028740

Function 00007FFD9B7724A2 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d23bb0dfacdb66ab782051d25a87274c7ded7e4eea5f6469f7c88e529246478
Instruction ID: d120ad74c956284a1ef345d9e9d5e41a8c940ca4f8a8ef2d0ddebe45282a05d3
Opcode Fuzzy Hash: 2d23bb0dfacdb66ab782051d25a87274c7ded7e4eea5f6469f7c88e529246478
Instruction Fuzzy Hash: 94513820B1EE5A0FEB95E7B844B16AE3BD2DF8624074442F9E00DC72EBDD5C9D428340

Function 00007FFD9B772110 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97c3b093ad7ec8d687928d6d667f26cb8eae1b27527df55dd21af18db703eef
Instruction ID: fa6d42cc164940a4e1e507de15adc7e1dc354ee6e51289762d4c30cea9a9ddb5
Opcode Fuzzy Hash: e97c3b093ad7ec8d687928d6d667f26cb8eae1b27527df55dd21af18db703eef
Instruction Fuzzy Hash: E7410C31B0E64D0FEBA5EBA844B1AF977E1EF96300F0601BAD45DC71E7CE68A9018741

Function 00007FFD9B772729 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a826ae71c4a8930dbcd90a8cbf900867f3ee138164f42f3e7650a57fada266
Instruction ID: 940f9425173e278303723f11d946870b130816cf1d66b792d39e4ddeb24c2318
Opcode Fuzzy Hash: 47a826ae71c4a8930dbcd90a8cbf900867f3ee138164f42f3e7650a57fada266
Instruction Fuzzy Hash: 16415D21B1EB490FE758ABAC94667BD77D1EF95314F0002BEE05EC32D6CD6869028782

Function 00007FFD9B77196D Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5046c334d7076a854bf22dbf0943d5ad7beb7f27be346d8e19db265cf75b2004
Instruction ID: a7a0912d785436f004ef0e0d4df7e0acd61f1d7ab9e9dc0d0db3042a3925a4ce
Opcode Fuzzy Hash: 5046c334d7076a854bf22dbf0943d5ad7beb7f27be346d8e19db265cf75b2004
Instruction Fuzzy Hash: 06215A3060E6864FDB54DF68C0D55A577A1EF91310B1A43FAC048CF5BBD928ED86C380

Function 00007FFD9B771BF5 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b3a882fe896f00e6fb40dc461a83de6727e61575f5e481c28093209cd50df8
Instruction ID: d867cb8c04744f7e6944f875ec757fff6b02c74e64f2625e84373c5fd8d783c5
Opcode Fuzzy Hash: 40b3a882fe896f00e6fb40dc461a83de6727e61575f5e481c28093209cd50df8
Instruction Fuzzy Hash: 3131A83476A9554FE308DB6C80B16AE3F61AF89304F9442E9F819433CEEE3C6540CB51

Function 00007FFD9B770872 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd42362d554cbc9c03b9b1166eee172a7989ac1a7fa80c77f5853a2dfcf966a
Instruction ID: 1d2186af1e94312329faaa577e175a2892907978420ea817c0dcd91b4dfdddbc
Opcode Fuzzy Hash: dfd42362d554cbc9c03b9b1166eee172a7989ac1a7fa80c77f5853a2dfcf966a
Instruction Fuzzy Hash: 19215752A1EBCA4FFB55A7680875669ABA1FF52340F4506FAD089CB1E7EC0868048391

Function 00007FFD9B7732DD Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d5cd00cf9e68a4a4d0a80752f948cf5c9abebac6388e67ac0e2456c4ed1cb4
Instruction ID: e5dee88c0968df98369a5067a02f7b1c2e5bd002d8d240b72d253db2ac94b036
Opcode Fuzzy Hash: 55d5cd00cf9e68a4a4d0a80752f948cf5c9abebac6388e67ac0e2456c4ed1cb4
Instruction Fuzzy Hash: 2F21F431F1AA5D4FD794EB6884A99B973D1EF58301B4505BAE00DC72E6DE24D901C740

Function 00007FFD9B773491 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941147a9158d2416630b13e6af41680a69c0409815f57a43ce1f54c90e5e28dd
Instruction ID: 099475f7aad453a8c4ed0dd82c50f85e6eefdb8350929488a7da9c57b0f2b232
Opcode Fuzzy Hash: 941147a9158d2416630b13e6af41680a69c0409815f57a43ce1f54c90e5e28dd
Instruction Fuzzy Hash: DD11DC22B1EB880FE355E6786CA98F17BD0DF9022430A03BBE44CC31B3CD0896878351

Function 00007FFD9B770D90 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76dbbbcdc91895d9ba7acfc1f21c661c49ac62df3ef582b2f0931f9527155c4
Instruction ID: 66f54c084d5f41862abd510349ed6efa4decabdd287057370782b92a0ca0c205
Opcode Fuzzy Hash: d76dbbbcdc91895d9ba7acfc1f21c661c49ac62df3ef582b2f0931f9527155c4
Instruction Fuzzy Hash: DD113852B2EECA0FDF66927848B45F53B92DF95310B0902FBE449C31E7DD5869468381

Function 00007FFD9B7728D5 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8268f5db7031bfbac9a8e6a61017a472c783a2e355de13eb5f03313035d6f0a4
Instruction ID: 18fd0442cd924939b6ebf21cf2246d5af6d2624fe66570f3e256d8a103bbf21a
Opcode Fuzzy Hash: 8268f5db7031bfbac9a8e6a61017a472c783a2e355de13eb5f03313035d6f0a4
Instruction Fuzzy Hash: C911A020A0EBCD4FE357A37858A9AA43FD1EF87215B0A01E7E098CB0B7C9984945C342

Function 00007FFD9B771E58 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83adbb006465599d0a75cbc28fde084f40e2bad0518862471ce4cd31abd54b90
Instruction ID: a10ba54d781d25082cd5412dfe1bc3d62b638a8b8a41931ba2af7830fdd2e758
Opcode Fuzzy Hash: 83adbb006465599d0a75cbc28fde084f40e2bad0518862471ce4cd31abd54b90
Instruction Fuzzy Hash: 5CF0F022B19C1D0FE794F2AD54E9AF967C5DBA822631401B3E00CC72BBDC1498428381

Function 00007FFD9B771E70 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c259b904772428ebb0806584e6110b615724de8f332564e58108b56a5bf15e
Instruction ID: 2d3530ab6fe06d07a9dc021d0149174f54e3758e2503810028611f63d9f30aaa
Opcode Fuzzy Hash: 77c259b904772428ebb0806584e6110b615724de8f332564e58108b56a5bf15e
Instruction Fuzzy Hash: 73E02221F19C0D0FABA4F6AD44D9F7922C1EBAC21171405B2E40CC32BACC689C418381

Function 00007FFD9B77094D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1715005481.00007FFD9B770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b770000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69f4cf8aea6bdbc50f99b108c3ddefaca2eb61f653c88e2c7a879772e4bc4b3
Instruction ID: d074c9fb9528ec618007ac3d9e73d21cd0b7d12437d2de1dab907c18091b2537
Opcode Fuzzy Hash: f69f4cf8aea6bdbc50f99b108c3ddefaca2eb61f653c88e2c7a879772e4bc4b3
Instruction Fuzzy Hash: 56E02012F1A91D17EB94337814760FC2181DF58650741013AD40DC71D7DC1D3D420240

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Sample.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sample.exe.log

C:\Windows\System32\Runtime Broker\Runtime Broker.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
Sample.exe

Function 00007FFD9B763525 Relevance: 1.6, APIs: 1, Instructions: 117
fileCOMMON

Function 00007FFD9B763569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON

Function 00007FFD9B9E9BD1 Relevance: 1.5, Instructions: 1487
COMMON

Function 00007FFD9B9EAFDD Relevance: .9, Instructions: 862
COMMON

Function 00007FFD9B9E9271 Relevance: .7, Instructions: 678
COMMON

Function 00007FFD9B9EE6F9 Relevance: 1.8, APIs: 1, Instructions: 277
COMMON

Function 00007FFD9B773525 Relevance: 1.6, APIs: 1, Instructions: 132
fileCOMMON

Function 00007FFD9B773569 Relevance: 1.6, APIs: 1, Instructions: 109
fileCOMMON