Windows Analysis Report
Client-built.exe

Overview

General Information

Sample name: Client-built.exe
Analysis ID: 1665569
MD5: 17de58f65c652fc9e5b7224a42fd20d0
SHA1: a6369a6b5dc73ac7bf2c72bff6d4b1059ff7b1d4
SHA256: e1cd02a8df5e325a4738e0a68464807cfca08f8d71fec828a0b6a7a12eee07a2
Tags: exe, user-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Quasar
Score: 56
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Quasar RAT
PE file does not import any functions
PE file overlay found
Uses 32bit PE files

Classification

[Classification chart] Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
No configs have been found
Source: Client-built.exe
Rule: JoeSecurity_Quasar
Description: Yara detected Quasar RAT
Author: Joe Security
Strings: (none listed)
    No Sigma rule has matched
    No Suricata rule has matched

    AV Detection

    Source: Client-built.exe | Virustotal: Detection: 19%
    Source: Client-built.exe | ReversingLabs: Detection: 25%
    Source: Yara match | File source: Client-built.exe, type: SAMPLE
    Source: Client-built.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: Client-built.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    E-Banking Fraud

    Source: Yara match | File source: Client-built.exe, type: SAMPLE
    Source: Client-built.exe | Static PE information: No import functions for PE file found
    Source: Client-built.exe | Static PE information: Data appended to the last section found
    Source: Client-built.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: classification engine | Classification label: mal56.troj.winEXE@0/0@0/0
    Source: Client-built.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: Client-built.exe | Virustotal: Detection: 19%
    Source: Client-built.exe | ReversingLabs: Detection: 25%
    Source: Client-built.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: Client-built.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: Client-built.exe | Static file information: File size 2457408 > 1048576
    Source: Client-built.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c400
    Source: Client-built.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Stealing of Sensitive Information

    Source: Yara match | File source: Client-built.exe, type: SAMPLE

    Remote Access Functionality

    Source: Yara match | File source: Client-built.exe, type: SAMPLE
    No Mitre Att&ck techniques found
    [Behavior Graph] ID: 1665569; Sample: Client-built.exe; Start date: 15/04/2025; Architecture: WINDOWS; Score: 56. Signatures shown: Multi AV Scanner detection for submitted file; Yara detected Quasar RAT.
    Source | Detection | Scanner | Label
    Client-built.exe | 19% | Virustotal | (none)
    Client-built.exe | 25% | ReversingLabs | Win32.Malware.Heuristic
    No Antivirus matches
    No contacted domains info
    No contacted IP infos
    Joe Sandbox version: 42.0.0 Malachite
    Analysis ID: 1665569
    Start date and time: 2025-04-15 17:13:42 +02:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 1m 34s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 0
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: Client-built.exe
    Detection: MAL
    Classification: mal56.troj.winEXE@0/0@0/0
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Unable to launch sample, stop analysis
    • No process behavior to analyse as no analysis process or sample was found
    • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
    No simulations
    No context
    No created / dropped files found
    File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Entropy (8bit): 5.902007642578072
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name: Client-built.exe
    File size: 2'457'408 bytes
    MD5: 17de58f65c652fc9e5b7224a42fd20d0
    SHA1: a6369a6b5dc73ac7bf2c72bff6d4b1059ff7b1d4
    SHA256: e1cd02a8df5e325a4738e0a68464807cfca08f8d71fec828a0b6a7a12eee07a2
    SHA512: fca8927e6f12d22e34db027f6ebf5e78a99d2b59f9f1e4452f075fd648fe32c7270f48d1af3571ce508165e8ccc08555fcf875bd30bd50567738851f29fd5fb1
    SSDEEP: 49152:Cvkt62XlaSFNWPjljiFa2RoUYIr4mWmzP:Cv462XlaSFNWPjljiFXRoUYIr4mb
    TLSH: B9B54A0177E95EB3E51ED2B3D0A1645763F0D82AE383FB43A561BB766C9376498028C3
    File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................
    Icon Hash: 90cececece8e8eb0
    Entrypoint: 0x71e3ee
    Entrypoint Section: .text
    Digitally signed: false
    Imagebase: 0x400000
    Subsystem: windows gui
    Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Time Stamp: 0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
    TLS Callbacks: (none)
    CLR (.Net) Version: (not reported)
    OS Version Major: 4
    OS Version Minor: 0
    File Version Major: 4
    File Version Minor: 0
    Subsystem Version Major: 4
    Subsystem Version Minor: 0
    Import Hash: (none)
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x31e3a0 | 0x4b | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x320000 | 0xa93 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x322000 | 0xc | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x2000 | 0x31c3f4 | 0x31c400 | 0df27a550295cd5a7ea8a12c1a15a60e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rsrc | 0x320000 | 0xa93 | 0xc00 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x322000 | 0xc | 0x200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    No network behavior found
    No statistics
    No system behavior
    No disassembly