Windows Analysis Report
Client-base.exe
Overview
General Information

Detection | Quasar |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Quasar
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to detect virtual machines (STR)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Process tree
- System is w10x64
- Client-base.exe (PID: 7656, cmdline: "C:\Users\user\Desktop\Client-base.exe", MD5: 21CE4CD2CE246C86222B57B93CDC92BD)
  - schtasks.exe (PID: 7692, cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f, MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    - conhost.exe (PID: 7700, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
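The schtasks.exe child in the tree above is the persistence step: a task named after the configuration's StartupKey, triggered at every logon, pointing at the dropped copy under %AppData%\Roaming and asking for the highest run level. The following is an added example (not code from the report, Joe Sandbox or the Quasar project) that parses such command lines out of process-creation events and flags that combination. The event list is constructed: the first entry reproduces the PID 7692 command line from the tree, the others are made-up benign activity for contrast; the user-writable folder list and the three scoring reasons are the example's own choices, not the Sigma rule the report cites.

```python
"""Triage schtasks.exe process-creation events for persistence registrations.

Added example; the sample events at the bottom are constructed for it.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# User-writable locations a logon task's action rarely has a good reason to
# point at. Assumed list for this example (not the Sigma rule's own list).
USER_WRITABLE_DIRS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\programdata\\",
    "\\users\\public\\",
    "\\temp\\",
)


@dataclass
class TaskRegistration:
    pid: int
    task_name: str            # value of /tn
    action: str               # value of /tr, quotes removed
    schedule: str | None      # value of /sc
    run_level: str | None     # value of /rl
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.

    posix=False keeps backslashes literal and leaves the quotes on each
    token, so they are stripped afterwards. An unbalanced quote yields [].
    """
    try:
        return [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return []


def parse_schtasks(pid: int, cmdline: str) -> TaskRegistration | None:
    """Return the registration described by a 'schtasks /create' command line.

    Any other command line (another binary, or schtasks without /create and
    /tr) yields None. Values after a switch are collected until the next
    switch, so an action that carries arguments is kept whole.
    """
    tokens = _tokens(cmdline)
    if not tokens:
        return None
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    if image not in ("schtasks", "schtasks.exe"):
        return None

    switches: dict[str, list[str]] = {}
    current: str | None = None
    for tok in tokens[1:]:
        if tok.startswith("/"):
            current = tok.lower()
            switches.setdefault(current, [])
        elif current is not None:
            switches[current].append(tok)
    if "/create" not in switches or not switches.get("/tr"):
        return None

    def value(switch: str) -> str | None:
        vals = switches.get(switch)
        return " ".join(vals) if vals else None

    reg = TaskRegistration(pid, value("/tn") or "", value("/tr") or "",
                           value("/sc"), value("/rl"))
    if any(d in reg.action.lower() for d in USER_WRITABLE_DIRS):
        reg.reasons.append("action runs from a user-writable folder")
        # Trigger and run level only count once the path itself is suspect.
        if (reg.schedule or "").upper() in ("ONLOGON", "ONSTART"):
            reg.reasons.append("fires at every logon/boot")
        if (reg.run_level or "").upper() == "HIGHEST":
            reg.reasons.append("requests the highest run level")
    return reg


def scan(events: list[tuple[int, str]]) -> list[TaskRegistration]:
    """Return only the suspicious registrations among (pid, cmdline) events."""
    parsed = (parse_schtasks(pid, cmd) for pid, cmd in events)
    return [r for r in parsed if r is not None and r.suspicious]


# Constructed sample events; the first is the report's PID 7692 command line.
SAMPLE_EVENTS = [
    (7692, '"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
           '/tr "C:\\Users\\user\\AppData\\Roaming\\SubDir\\Client.exe" /rl HIGHEST /f'),
    (4120, 'schtasks /create /tn "Nightly Backup" /sc DAILY /st 02:00 '
           '/tr "C:\\Program Files\\Backup\\backup.exe" --full'),
    (4188, 'schtasks /query /tn "Nightly Backup"'),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"PID {hit.pid}: task {hit.task_name!r} -> {hit.action}")
        for reason in hit.reasons:
            print(f"    - {reason}")
```

Run on the constructed events, only PID 7692 is reported, with all three reasons; the backup task is parsed but not flagged, and the /query line is ignored. A quoted image path (`"C:\Windows\System32\schtasks.exe"`) is handled the same way as the bare `"schtasks"` seen in the tree.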
Name | Description |
---|---|
Quasar RAT, QuasarRAT | Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult. |

Extracted malware configuration (JSON as reported):
{"Version": "1.4.1", "Host:Port": "0.tcp.in.ngrok.io:14296;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "cc827307-beb6-456e-b5dd-e28a204ebd45", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "UttNOaKsKDg70omGHo4AsuQEXKeY3dl8vAUSpKFRZYMXV8mJMcjm3tK0+AUvP8CLA8fMsyrca0pr45n8jpe7mMyZtt8aKdOsPgGoyiMGPdBtjfNJlmMpnuceLr9e7q7ZMOLh/eIc5q3V2H62ck15qbR/m8Kn14gpz1Pju38Aha92WfC/QPzC4RYw7l7ejIBbo4TmrExWkFP3zyO3hbQSzRMj7CcOD2wui8eo911eXgc6R/KawJSzhP6OT4Jgx7N4JP1pjp7P1gSL/0wBDll4v1IxF2aMCR/oUmJbHs7VJEd5TGjBMX+PR4PzQ5AbpY7qsI6Je5Yceqn632ILvCKRh41P3Nkzhwx64ysMZN7tjbJzdQCTrhkEf8n+mv8AXYvZJKOOg/DTxmFvA2l1KZQerD3IRgL6fb9+asWQx5fnh19bjLYVPpEKm513YNivbM7A/SW1RuBH5d4CDyOF6lzsTrJBzXAWeExSoK5+tlbFfkFzKYlMgJ2PaTbDn8H1FB4C4l15qczu6d13SH2AOEwaR8GJ+vgKsP3pcr/pmmFKKTzpRzGd6I7jLYb62pkilMY1nmaJozSEHB2TPl5PHJ/m/myrQnHyFqjSYNmu1hfKcghjawJYYysjEdryCelP6QNshVOseOxNjS37XJbGupZrqI5Rz7WzRBdTKly4qm5nsoI=", "ServerCertificate": "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"}
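The configuration above already contains every host- and network-based indicator a hunter needs; what follows is an added example (not code from Joe Sandbox or the Quasar project) that turns those fields into indicators. The configuration copy in the code is constructed from the report's values with the ServerSignature and ServerCertificate left out; the tunnelling-domain list and the %APPDATA% install root are assumptions of the example (the root matches the path the process tree shows for the dropped client).

```python
"""Turn an extracted Quasar client configuration into hunt-ready indicators.

Added example; the configuration below is a constructed copy of the report's
fields without the two long certificate/signature values.
"""
from __future__ import annotations

import json

# Note the trailing ';' in Host:Port: Quasar stores fallback servers as a
# ';'-separated list, so the value must be split and empty entries dropped.
QUASAR_CONFIG = json.dumps({
    "Version": "1.4.1",
    "Host:Port": "0.tcp.in.ngrok.io:14296;",
    "SubDirectory": "SubDir",
    "InstallName": "Client.exe",
    "MutexName": "cc827307-beb6-456e-b5dd-e28a204ebd45",
    "StartupKey": "Quasar Client Startup",
    "Tag": "Office04",
    "LogDirectoryName": "Logs",
})

# Tunnelling services: a C2 behind one of these resolves to the service's
# own infrastructure, so the IP is not attributable and the port is assigned
# per tunnel. Assumed list for the example.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")


def parse_endpoints(hostport: str) -> list[tuple[str, int]]:
    """Split Quasar's 'host:port;host:port;' string into (host, port) pairs."""
    endpoints: list[tuple[str, int]] = []
    for entry in hostport.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"malformed endpoint: {entry!r}")
        endpoints.append((host, int(port)))
    return endpoints


def extract_iocs(config_json: str) -> dict:
    """Derive indicators from a Quasar configuration JSON string."""
    cfg = json.loads(config_json)
    endpoints = parse_endpoints(cfg["Host:Port"])
    # Install root assumed to be %APPDATA%, as in the report's process tree
    # (C:\Users\user\AppData\Roaming\SubDir\Client.exe); the install-location
    # setting itself is not among the extracted fields.
    install_path = "%APPDATA%\\" + cfg["SubDirectory"] + "\\" + cfg["InstallName"]
    return {
        "version": cfg["Version"],
        "c2": endpoints,
        "tunnel_service": [h for h, _ in endpoints
                           if h.lower().endswith(TUNNEL_SUFFIXES)],
        "install_path": install_path,
        # Same string the sample passed to schtasks /tn.
        "scheduled_task": cfg["StartupKey"],
        "mutex": cfg["MutexName"],
        "campaign_tag": cfg["Tag"],
    }


if __name__ == "__main__":
    for key, val in extract_iocs(QUASAR_CONFIG).items():
        print(f"{key:15} {val}")
```

Because the only C2 entry is an ngrok TCP tunnel, blocking whatever IP it resolved to during analysis achieves little; the durable indicators are the task name, the mutex, the install path, and any client connecting to *.ngrok.io on a high port (the report's "Detected TCP or UDP traffic on non-standard ports" is the same observation). The open-source Quasar client uses the StartupKey string for an HKCU Run value when it lacks the rights to register a task, so the same name is worth checking in both places.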
Rule | Description | Author |
---|---|---|
JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth |
INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen |
MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekSHen |
Rule | Description | Author |
---|---|---|
JoeSecurity_Quasar | Yara detected Quasar RAT (5 entries) | Joe Security |
Rule | Description | Author |
---|---|---|
JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth |
INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen |
MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekSHen |
Sigma rule matches by category:

Category | Author |
---|---|
AV Detection | Joe Security |
E-Banking Fraud | Joe Security |
System Summary | Florian Roth (Nextron Systems) |
Stealing of Sensitive Information | Joe Security |
Remote Access Functionality | Joe Security |
No Suricata rule has matched.
AV Detection

Signature | Source |
---|---|
Antivirus / Scanner detection for submitted sample | Avira |
Antivirus detection for URL or domain | Avira URL Cloud |
Found malware configuration | Malware Configuration Extractor |