Play interactive tour

Edit tour

Analysis Report conn.exe

Overview

General Information

Sample Name:	conn.exe
Analysis ID:	372606
MD5:	4a69ed64c420ab52e75d231e61d8b98a
SHA1:	8b10386b1d0f5b7e70fd7015aed347a1677d1324
SHA256:	6b649d9b51f8e693faa95adfc39d03af5a37f54a80badf5713627b99b60d6e3f
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Quasar

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Quasar RAT

.NET source code references suspicious native API functions

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

May check the online IP address of the machine

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

conn.exe (PID: 7148 cmdline: 'C:\Users\user\Desktop\conn.exe' MD5: 4A69ED64C420AB52E75D231E61D8B98A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
conn.exe	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x37974:$x3: GetKeyloggerLogsResponse 0x31c94:$x4: GetKeyloggerLogs 0x37904:$s1: <RunHidden>k__BackingField 0x2def8:$s2: set_SystemInfos 0x3793a:$s3: set_RunHidden 0x2ed0e:$s4: set_RemotePath 0x30507:$s7: xClient.Core.ReverseProxy.Packets
conn.exe	xRAT_1	Detects Patchwork malware	Florian Roth	0x251c2:$x4: xClient.Properties.Resources.resources 0x250b1:$s4: Client.exe 0x3793a:$s7: set_RunHidden
conn.exe	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x378d7:$s1: DoUploadAndExecute 0x37e28:$s2: DoDownloadAndExecute 0x36b5a:$s3: DoShellExecute 0x3730f:$s4: set_Processname 0x360:$op1: 04 1E FE 02 04 16 FE 01 60 0x284:$op2: 00 17 03 1F 20 17 19 15 28 0xcf1:$op3: 00 04 03 69 91 1B 40 0x1550:$op3: 00 04 03 69 91 1B 40
conn.exe	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x37974:$x1: GetKeyloggerLogsResponse 0x31ca5:$s1: DoShellExecuteResponse 0x368dc:$s2: GetPasswordsResponse 0x2ed33:$s3: GetStartupItemsResponse 0x357b5:$s4: <GetGenReader>b__7 0x37905:$s5: RunHidden 0x37930:$s5: RunHidden 0x3793e:$s5: RunHidden 0x3795b:$s5: RunHidden
conn.exe	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x29f08:$x4: get_encryptedPassword 0x37e28:$x5: DoDownloadAndExecute
conn.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.636242521.0000000000452000.00000002.00020000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x376d7:$s1: DoUploadAndExecute 0x37c28:$s2: DoDownloadAndExecute 0x3695a:$s3: DoShellExecute 0x3710f:$s4: set_Processname 0x160:$op1: 04 1E FE 02 04 16 FE 01 60 0x84:$op2: 00 17 03 1F 20 17 19 15 28 0xaf1:$op3: 00 04 03 69 91 1B 40 0x1350:$op3: 00 04 03 69 91 1B 40
00000000.00000000.636242521.0000000000452000.00000002.00020000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.900577885.0000000000452000.00000002.00020000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x376d7:$s1: DoUploadAndExecute 0x37c28:$s2: DoDownloadAndExecute 0x3695a:$s3: DoShellExecute 0x3710f:$s4: set_Processname 0x160:$op1: 04 1E FE 02 04 16 FE 01 60 0x84:$op2: 00 17 03 1F 20 17 19 15 28 0xaf1:$op3: 00 04 03 69 91 1B 40 0x1350:$op3: 00 04 03 69 91 1B 40
00000000.00000002.900577885.0000000000452000.00000002.00020000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: conn.exe PID: 7148	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.conn.exe.450000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x37974:$x3: GetKeyloggerLogsResponse 0x31c94:$x4: GetKeyloggerLogs 0x37904:$s1: <RunHidden>k__BackingField 0x2def8:$s2: set_SystemInfos 0x3793a:$s3: set_RunHidden 0x2ed0e:$s4: set_RemotePath 0x30507:$s7: xClient.Core.ReverseProxy.Packets
0.2.conn.exe.450000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x251c2:$x4: xClient.Properties.Resources.resources 0x250b1:$s4: Client.exe 0x3793a:$s7: set_RunHidden
0.2.conn.exe.450000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x378d7:$s1: DoUploadAndExecute 0x37e28:$s2: DoDownloadAndExecute 0x36b5a:$s3: DoShellExecute 0x3730f:$s4: set_Processname 0x360:$op1: 04 1E FE 02 04 16 FE 01 60 0x284:$op2: 00 17 03 1F 20 17 19 15 28 0xcf1:$op3: 00 04 03 69 91 1B 40 0x1550:$op3: 00 04 03 69 91 1B 40
0.2.conn.exe.450000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x37974:$x1: GetKeyloggerLogsResponse 0x31ca5:$s1: DoShellExecuteResponse 0x368dc:$s2: GetPasswordsResponse 0x2ed33:$s3: GetStartupItemsResponse 0x357b5:$s4: <GetGenReader>b__7 0x37905:$s5: RunHidden 0x37930:$s5: RunHidden 0x3793e:$s5: RunHidden 0x3795b:$s5: RunHidden
0.2.conn.exe.450000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x29f08:$x4: get_encryptedPassword 0x37e28:$x5: DoDownloadAndExecute
0.2.conn.exe.450000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.0.conn.exe.450000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x37974:$x3: GetKeyloggerLogsResponse 0x31c94:$x4: GetKeyloggerLogs 0x37904:$s1: <RunHidden>k__BackingField 0x2def8:$s2: set_SystemInfos 0x3793a:$s3: set_RunHidden 0x2ed0e:$s4: set_RemotePath 0x30507:$s7: xClient.Core.ReverseProxy.Packets
0.0.conn.exe.450000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x251c2:$x4: xClient.Properties.Resources.resources 0x250b1:$s4: Client.exe 0x3793a:$s7: set_RunHidden
0.0.conn.exe.450000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x378d7:$s1: DoUploadAndExecute 0x37e28:$s2: DoDownloadAndExecute 0x36b5a:$s3: DoShellExecute 0x3730f:$s4: set_Processname 0x360:$op1: 04 1E FE 02 04 16 FE 01 60 0x284:$op2: 00 17 03 1F 20 17 19 15 28 0xcf1:$op3: 00 04 03 69 91 1B 40 0x1550:$op3: 00 04 03 69 91 1B 40
0.0.conn.exe.450000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x37974:$x1: GetKeyloggerLogsResponse 0x31ca5:$s1: DoShellExecuteResponse 0x368dc:$s2: GetPasswordsResponse 0x2ed33:$s3: GetStartupItemsResponse 0x357b5:$s4: <GetGenReader>b__7 0x37905:$s5: RunHidden 0x37930:$s5: RunHidden 0x3793e:$s5: RunHidden 0x3795b:$s5: RunHidden
0.0.conn.exe.450000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x29f08:$x4: get_encryptedPassword 0x37e28:$x5: DoDownloadAndExecute
0.0.conn.exe.450000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 7 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: conn.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: conn.exe	Virustotal: Detection: 60%			Perma Link
Source: conn.exe	ReversingLabs: Detection: 77%

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: conn.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.636242521.0000000000452000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.900577885.0000000000452000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: conn.exe PID: 7148, type: MEMORY
Source: Yara match	File source: 0.2.conn.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.conn.exe.450000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: conn.exe

Joe Sandbox ML: detected

Source: conn.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: conn.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine

Show sources

Source: C:\Users\user\Desktop\conn.exe	DNS query: name: freegeoip.net
Source: C:\Users\user\Desktop\conn.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\conn.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\conn.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\conn.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\conn.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\conn.exe	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49734 -> 139.196.56.98:47822

Source: Joe Sandbox View	IP Address: 54.225.155.255 54.225.155.255
Source: Joe Sandbox View	IP Address: 104.26.15.73 104.26.15.73

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shutdown HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shutdown HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: telize.com

Source: conn.exe, 00000000.00000002.901243141.0000000002903000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org
Source: conn.exe	String found in binary or memory: http://api.ipify.org/
Source: conn.exe, 00000000.00000002.901243141.0000000002903000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org46k
Source: conn.exe, 00000000.00000002.901243141.0000000002903000.00000004.00000001.sdmp	String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: conn.exe, 00000000.00000002.901243141.0000000002903000.00000004.00000001.sdmp	String found in binary or memory: http://freegeoip.net
Source: conn.exe, 00000000.00000002.901243141.0000000002903000.00000004.00000001.sdmp	String found in binary or memory: http://freegeoip.net/shutdown
Source: conn.exe	String found in binary or memory: http://freegeoip.net/xml/
Source: conn.exe, 00000000.00000002.901243141.0000000002903000.00000004.00000001.sdmp	String found in binary or memory: http://freegeoip.net46k
Source: conn.exe, 00000000.00000002.901221628.00000000028DA000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conn.exe, 00000000.00000002.901221628.00000000028DA000.00000004.00000001.sdmp	String found in binary or memory: http://telize.com
Source: conn.exe	String found in binary or memory: http://telize.com/geoip
Source: conn.exe, 00000000.00000002.901221628.00000000028DA000.00000004.00000001.sdmp	String found in binary or memory: http://telize.com46k
Source: conn.exe, 00000000.00000002.901243141.0000000002903000.00000004.00000001.sdmp	String found in binary or memory: http://www.telize.com
Source: conn.exe, 00000000.00000002.901235346.00000000028ED000.00000004.00000001.sdmp	String found in binary or memory: http://www.telize.com/geoip
Source: conn.exe, 00000000.00000002.901235346.00000000028ED000.00000004.00000001.sdmp	String found in binary or memory: http://www.telize.com46kPI

E-Banking Fraud:

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: conn.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.636242521.0000000000452000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.900577885.0000000000452000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: conn.exe PID: 7148, type: MEMORY
Source: Yara match	File source: 0.2.conn.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.conn.exe.450000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: conn.exe, type: SAMPLE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: conn.exe, type: SAMPLE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: conn.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: conn.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: conn.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000000.00000000.636242521.0000000000452000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000002.900577885.0000000000452000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.2.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.2.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.0.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.0.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth

Source: C:\Users\user\Desktop\conn.exe	Code function: 0_2_00459322	0_2_00459322
Source: C:\Users\user\Desktop\conn.exe	Code function: 0_2_0600A610	0_2_0600A610
Source: C:\Users\user\Desktop\conn.exe	Code function: 0_2_060012B4	0_2_060012B4
Source: C:\Users\user\Desktop\conn.exe	Code function: 0_2_06004350	0_2_06004350

Source: conn.exe	Binary or memory string: OriginalFilename vs conn.exe
Source: conn.exe, 00000000.00000002.901695641.0000000005B20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs conn.exe
Source: conn.exe, 00000000.00000002.900651387.00000000008F9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs conn.exe
Source: conn.exe, 00000000.00000000.636242521.0000000000452000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename4 vs conn.exe
Source: conn.exe	Binary or memory string: OriginalFilename4 vs conn.exe

Source: conn.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: conn.exe, type: SAMPLE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: conn.exe, type: SAMPLE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: conn.exe, type: SAMPLE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: conn.exe, type: SAMPLE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: conn.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.636242521.0000000000452000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.900577885.0000000000452000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.2.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.0.conn.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: conn.exe, ???????u0afa??uee22ued94??u28a9?????.cs	Base64 encoded string: 'RrkItsYIo01Eval3oghDHLkgz+OJKZtJqaLZqCovNfm0L3cyulJ9MBtdWC08PPL1'
Source: 0.0.conn.exe.450000.0.unpack, ???????u0afa??uee22ued94??u28a9?????.cs	Base64 encoded string: 'RrkItsYIo01Eval3oghDHLkgz+OJKZtJqaLZqCovNfm0L3cyulJ9MBtdWC08PPL1'
Source: 0.2.conn.exe.450000.0.unpack, ???????u0afa??uee22ued94??u28a9?????.cs	Base64 encoded string: 'RrkItsYIo01Eval3oghDHLkgz+OJKZtJqaLZqCovNfm0L3cyulJ9MBtdWC08PPL1'

Source: 0.2.conn.exe.450000.0.unpack, uaaf1??????u24c6????????????.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.conn.exe.450000.0.unpack, uaaf1??????u24c6????????????.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.conn.exe.450000.0.unpack, uaaf1??????u24c6????????????.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.conn.exe.450000.0.unpack, uaaf1??????u24c6????????????.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: conn.exe, uaaf1??????u24c6????????????.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: conn.exe, uaaf1??????u24c6????????????.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal88.troj.evad.winEXE@1/0@5/4

Source: C:\Users\user\Desktop\conn.exe

Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_jIqYxwTlRgIWNgFg10

Source: conn.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\conn.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\conn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\conn.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: conn.exe	Virustotal: Detection: 60%
Source: conn.exe	ReversingLabs: Detection: 77%

Source: C:\Users\user\Desktop\conn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: conn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: conn.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\conn.exe	Code function: 0_2_06005C82 push eax; ret	0_2_06005C89
Source: C:\Users\user\Desktop\conn.exe	Code function: 0_2_060082EC push es; retn 007Fh	0_2_0600837C
Source: C:\Users\user\Desktop\conn.exe	Code function: 0_2_0600836C push es; retn 007Fh	0_2_0600837C

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\conn.exe

File opened: C:\Users\user\Desktop\conn.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\conn.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\conn.exe TID: 6660

Thread sleep time: -65000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\conn.exe

Last function: Thread delayed

Source: conn.exe, 00000000.00000002.901695641.0000000005B20000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: conn.exe, 00000000.00000002.901695641.0000000005B20000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: conn.exe, 00000000.00000002.901695641.0000000005B20000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: conn.exe, 00000000.00000002.901695641.0000000005B20000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\conn.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\conn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: conn.exe, ?u3213???????uf8b1?????u24d5?ufffd??.cs	Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: conn.exe, ?u248euecb2???u0f2c?????u1aaa??????ue030.cs	Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 0.0.conn.exe.450000.0.unpack, ?u248euecb2???u0f2c?????u1aaa??????ue030.cs	Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 0.0.conn.exe.450000.0.unpack, ?u3213???????uf8b1?????u24d5?ufffd??.cs	Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 0.2.conn.exe.450000.0.unpack, ?u3213???????uf8b1?????u24d5?ufffd??.cs	Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 0.2.conn.exe.450000.0.unpack, ?u248euecb2???u0f2c?????u1aaa??????ue030.cs	Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')

Source: conn.exe, 00000000.00000002.901011178.0000000001300000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: conn.exe, 00000000.00000002.901011178.0000000001300000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: conn.exe, 00000000.00000002.901011178.0000000001300000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: conn.exe, 00000000.00000002.901011178.0000000001300000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\conn.exe	Queries volume information: C:\Users\user\Desktop\conn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\conn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\conn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: conn.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.636242521.0000000000452000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.900577885.0000000000452000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: conn.exe PID: 7148, type: MEMORY
Source: Yara match	File source: 0.2.conn.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.conn.exe.450000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: conn.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.636242521.0000000000452000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.900577885.0000000000452000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: conn.exe PID: 7148, type: MEMORY
Source: Yara match	File source: 0.2.conn.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.conn.exe.450000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection1	Virtualization/Sandbox Evasion1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Hidden Files and Directories1	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information11	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Network Configuration Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
conn.exe	61%	Virustotal		Browse
conn.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.Quasar
conn.exe	100%	Avira	HEUR/AGEN.1135947
conn.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.conn.exe.450000.0.unpack	100%	Avira	HEUR/AGEN.1135947		Download File
0.2.conn.exe.450000.0.unpack	100%	Avira	HEUR/AGEN.1135947		Download File

Domains

Source	Detection	Scanner	Label	Link
telize.com	0%	Virustotal		Browse
www.telize.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.telize.com46kPI	0%	Avira URL Cloud	safe
http://www.telize.com/geoip	1%	Virustotal		Browse
http://www.telize.com/geoip	0%	Avira URL Cloud	safe
http://telize.com46k	0%	Avira URL Cloud	safe
http://telize.com/geoip	0%	Avira URL Cloud	safe
http://freegeoip.net46k	0%	Avira URL Cloud	safe
http://api.ipify.org46k	0%	Avira URL Cloud	safe
http://www.telize.com	0%	Avira URL Cloud	safe
http://telize.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com	54.225.155.255	true	false		high
telize.com	88.198.193.213	true	false	0%, Virustotal, Browse	unknown
www.telize.com	88.198.193.213	true	false	0%, Virustotal, Browse	unknown
freegeoip.net	104.26.15.73	true	false		high
api.ipify.org	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://freegeoip.net/xml/	false		high
http://www.telize.com/geoip	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://telize.com/geoip	false	Avira URL Cloud: safe	unknown
http://api.ipify.org/	false		high
http://freegeoip.net/shutdown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.telize.com46kPI	conn.exe, 00000000.00000002.901235346.00000000028ED000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://telize.com46k	conn.exe, 00000000.00000002.901221628.00000000028DA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://freegeoip.net46k	conn.exe, 00000000.00000002.901243141.0000000002903000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://api.ipify.org46k	conn.exe, 00000000.00000002.901243141.0000000002903000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://elb097307-934924932.us-east-1.elb.amazonaws.com	conn.exe, 00000000.00000002.901243141.0000000002903000.00000004.00000001.sdmp	false		high
http://www.telize.com	conn.exe, 00000000.00000002.901243141.0000000002903000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://freegeoip.net	conn.exe, 00000000.00000002.901243141.0000000002903000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	conn.exe, 00000000.00000002.901221628.00000000028DA000.00000004.00000001.sdmp	false		high
http://api.ipify.org	conn.exe, 00000000.00000002.901243141.0000000002903000.00000004.00000001.sdmp	false		high
http://telize.com	conn.exe, 00000000.00000002.901221628.00000000028DA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
139.196.56.98	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
88.198.193.213	telize.com	Germany	24940	HETZNER-ASDE	false
54.225.155.255	elb097307-934924932.us-east-1.elb.amazonaws.com	United States	14618	AMAZON-AESUS	false
104.26.15.73	freegeoip.net	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	372606
Start date:	22.03.2021
Start time:	04:18:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	conn.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@1/0@5/4
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 15 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 20.82.209.183, 92.122.145.220, 104.43.139.144, 104.42.151.234, 52.155.217.156, 20.54.26.129, 2.20.142.210, 2.20.142.209, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
88.198.193.213	JwzZ6mkzIG.exe	Get hash	malicious	Browse	www.telize.com/geoip
	DRAFT-COPY-0409484-BILLLADING.exe	Get hash	malicious	Browse	www.telize.com/geoip
	SecuriteInfo.com.BackDoor.QuasarNET.1.21320.exe	Get hash	malicious	Browse	www.telize.com/geoip
54.225.155.255	ZZXJzDEmZ2.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	2.exe	Get hash	malicious	Browse	api.ipify.org/
	Static.dll	Get hash	malicious	Browse	api.ipify.org/?format=xml
	Static.dll	Get hash	malicious	Browse	api.ipify.org/
104.26.15.73	JwzZ6mkzIG.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	Partner Letter- DStv and GOtv Price Adjustment October 2020.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	DRAFT-COPY-0409484-BILLLADING.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	82019- DSTV SUBSCRIPTION RENEWAL.xlsx.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	13PREPAID DEALER CREDIT NOTE.PDF.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	57NOVEMBER PAY OUT.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	20New Price on Quickteller Paypoint.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	65December Offers.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	25OCT SIMREG INCENTIVE.xlsx.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	66Nov 2018 New Festive Season Promo.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	91Memorandum of understanding btw you & MTN.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	74Commission.xlsx.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	53EAGLE EYE REPORT CUMM. WK 3 OCTOBER 2018.xlsx.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	87INVITATION LETTER.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	49Commission Structure 2.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	244G Upgrades across all S&D Touch Points.pd.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	7Non compliant SWAN outlets Lagos 4TH Oct,2018.xls.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	65DTT STOCK IN TRADE BONUS.xls.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	35New Price on Quickteller Paypoint.pd.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	9New DStv price structure.pd.exe	Get hash	malicious	Browse	freegeoip.net/shutdown

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
freegeoip.net	FMAudit.Installer_2172_511315624.exe	Get hash	malicious	Browse	104.26.15.73
	NOVEMBER 2020 SALES TARGET.pdf.exe	Get hash	malicious	Browse	104.26.14.73
	JwzZ6mkzIG.exe	Get hash	malicious	Browse	104.26.15.73
	Partner Letter- DStv and GOtv Price Adjustment October 2020.pdf.exe	Get hash	malicious	Browse	104.26.15.73
	DRAFT-COPY-0409484-BILLLADING.exe	Get hash	malicious	Browse	104.26.15.73
	SecuriteInfo.com.BackDoor.QuasarNET.1.21320.exe	Get hash	malicious	Browse	172.67.75.176
	http://orfanatorenascer.com.br/techs/no.php	Get hash	malicious	Browse	104.26.14.73
	Pos withdrawal reduced to 0.5%.exe	Get hash	malicious	Browse	104.26.14.73
	ppp.exe	Get hash	malicious	Browse	172.67.75.176
	Paga Overview (Training Slide).pdf.exe	Get hash	malicious	Browse	172.67.75.176
	82019- DSTV SUBSCRIPTION RENEWAL.xlsx.exe	Get hash	malicious	Browse	104.26.15.73
	53Glo Special Incentive.pdf.exe	Get hash	malicious	Browse	104.26.14.73
	13PREPAID DEALER CREDIT NOTE.PDF.exe	Get hash	malicious	Browse	104.26.15.73
	1SIM Serial File Upload on TPP.pdf.exe	Get hash	malicious	Browse	104.26.14.73
	1HIGLIGHTS OF THE PAWAKAD AGENT CONFERENCE.pdf.exe	Get hash	malicious	Browse	104.26.14.73
	57NOVEMBER PAY OUT.pdf.exe	Get hash	malicious	Browse	104.26.15.73
	25INVITATION TO QUICKTELLER NATIONAL AGENT FORUM.pdf.exe	Get hash	malicious	Browse	104.26.14.73
	20New Price on Quickteller Paypoint.pdf.exe	Get hash	malicious	Browse	104.26.15.73
	53ORSC Payment Adjustment.pd.exe	Get hash	malicious	Browse	104.26.14.73
	7MTN Cards.pdf.exe	Get hash	malicious	Browse	104.26.14.73
telize.com	JwzZ6mkzIG.exe	Get hash	malicious	Browse	88.198.193.213
	DRAFT-COPY-0409484-BILLLADING.exe	Get hash	malicious	Browse	88.198.193.213
	SecuriteInfo.com.BackDoor.QuasarNET.1.21320.exe	Get hash	malicious	Browse	88.198.193.213
	pKzpc3T89w.exe	Get hash	malicious	Browse	159.203.157.217
elb097307-934924932.us-east-1.elb.amazonaws.com	ffm7xVSvTW.exe	Get hash	malicious	Browse	54.235.83.248
	0318_39864005148201.doc	Get hash	malicious	Browse	50.19.242.215
	Purchase Order for March P2209G.exe	Get hash	malicious	Browse	54.235.189.250
	rB3VEEewBz.exe	Get hash	malicious	Browse	54.225.129.141
	0318_45657944978421.doc	Get hash	malicious	Browse	23.21.252.4
	UEC0094884.exe	Get hash	malicious	Browse	50.19.96.218
	New Purchase Order for March P2209G.exe	Get hash	malicious	Browse	23.21.252.4
	order specification 01369000.xlsx	Get hash	malicious	Browse	23.21.252.4
	SecuriteInfo.com.Trojan.Kronos.21.31435.exe	Get hash	malicious	Browse	54.221.253.252
	9ac5WRdNZH.exe	Get hash	malicious	Browse	50.19.96.218
	JNRY68bkhl.exe	Get hash	malicious	Browse	50.19.242.215
	ZZXJzDEmZ2.exe	Get hash	malicious	Browse	50.19.242.215
	ZZXJzDEmZ2.exe	Get hash	malicious	Browse	54.225.155.255
	Company Profile.exe	Get hash	malicious	Browse	23.21.48.44
	SecuriteInfo.com.Variant.Razy.848795.10426.dll	Get hash	malicious	Browse	54.225.129.141
	NewOrder20527.exe	Get hash	malicious	Browse	54.235.83.248
	SecuriteInfo.com.W32.AIDetect.malware2.29567.exe	Get hash	malicious	Browse	50.19.96.218
	SS Encrypter.exe	Get hash	malicious	Browse	54.225.129.141
	m2.exe	Get hash	malicious	Browse	54.243.164.148
	2.exe	Get hash	malicious	Browse	54.225.155.255
www.telize.com	JwzZ6mkzIG.exe	Get hash	malicious	Browse	88.198.193.213
	DRAFT-COPY-0409484-BILLLADING.exe	Get hash	malicious	Browse	88.198.193.213
	SecuriteInfo.com.BackDoor.QuasarNET.1.21320.exe	Get hash	malicious	Browse	88.198.193.213
	pKzpc3T89w.exe	Get hash	malicious	Browse	159.203.157.217

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	zwnMKPSUN4.apk	Get hash	malicious	Browse	52.0.7.30
	yADAHiDZu3.dll	Get hash	malicious	Browse	52.73.70.149
	ffm7xVSvTW.exe	Get hash	malicious	Browse	54.235.83.248
	Shipping Documents.exe	Get hash	malicious	Browse	35.169.225.248
	plain.exe	Get hash	malicious	Browse	54.159.186.190
	0318_39864005148201.doc	Get hash	malicious	Browse	50.19.242.215
	fkt.exe	Get hash	malicious	Browse	54.159.186.190
	Remittance.htm	Get hash	malicious	Browse	3.223.105.97
	Purchase Order for March P2209G.exe	Get hash	malicious	Browse	54.235.189.250
	FebRevisedSOA.xlsx	Get hash	malicious	Browse	54.83.52.76
	z2xQEFs54b.exe	Get hash	malicious	Browse	3.223.115.185
	YpyXT7Tnik.exe	Get hash	malicious	Browse	23.21.142.97
	#Ud83d#Udd0aAudio997.wavv-copy.html	Get hash	malicious	Browse	52.204.183.31
	rB3VEEewBz.exe	Get hash	malicious	Browse	54.225.129.141
	AWB 9284730932.xlsx	Get hash	malicious	Browse	54.83.52.76
	PO TM-3851 ,BT-4792 RS-70100.xlsx	Get hash	malicious	Browse	54.83.52.76
	FebRevisedSOA.xlsx	Get hash	malicious	Browse	54.83.52.76
	payment list.xlsx	Get hash	malicious	Browse	54.83.52.76
	Receipt#5645.html	Get hash	malicious	Browse	52.1.164.67
	0318_45657944978421.doc	Get hash	malicious	Browse	23.21.252.4
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	qzinl7qkwD.exe	Get hash	malicious	Browse	101.200.185.27
	z2xQEFs54b.exe	Get hash	malicious	Browse	101.200.0.178
	qzinl7qkwD.exe	Get hash	malicious	Browse	101.200.185.27
	xGUWss9eaF.exe	Get hash	malicious	Browse	203.107.32.162
	7ibA68lMfE.exe	Get hash	malicious	Browse	118.31.60.46
	QGX5orDBSF.exe	Get hash	malicious	Browse	118.31.60.46
	3dCvDxq9vX.exe	Get hash	malicious	Browse	47.111.27.184
	Copia De Pago_pdf.exe	Get hash	malicious	Browse	121.196.178.171
	nxHN51lQwj.exe	Get hash	malicious	Browse	101.200.222.14
	N5lzNeDlcu.exe	Get hash	malicious	Browse	101.37.76.66
	E4AaEjT91C.exe	Get hash	malicious	Browse	101.200.222.14
	Cancellation_Letter_702918452-02242021.xls	Get hash	malicious	Browse	101.132.227.128
	6g4vjjKXbe.exe	Get hash	malicious	Browse	182.92.155.100
	SecuriteInfo.com.Trojan.GenericKD.36454273.22415.exe	Get hash	malicious	Browse	203.107.32.162
	Setup.exe	Get hash	malicious	Browse	47.92.194.216
	Setup.exe	Get hash	malicious	Browse	47.92.194.216
	SWIFT.exe	Get hash	malicious	Browse	39.106.43.80
	RFQ_OB Jiefeng E&E Co Ltd.exe	Get hash	malicious	Browse	47.97.154.136
	LQ-635K.exe	Get hash	malicious	Browse	47.98.149.187
	dwg.exe	Get hash	malicious	Browse	47.110.53.154
HETZNER-ASDE	SecuriteInfo.com.W32.AIDetect.malware1.6516.exe	Get hash	malicious	Browse	95.216.186.40
	5MZKivSsq7.exe	Get hash	malicious	Browse	88.99.66.31
	Zpww3dgXw8.exe	Get hash	malicious	Browse	95.216.186.40
	SecuriteInfo.com.Variant.Zusy.371743.25402.dll	Get hash	malicious	Browse	116.203.16.95
	ITB SE20059OSB.xlsx	Get hash	malicious	Browse	159.69.132.215
	ZQrSsleYS6.exe	Get hash	malicious	Browse	195.201.225.248
	dcxFq0eju6.exe	Get hash	malicious	Browse	88.99.66.31
	ySWrcyhy7r.exe	Get hash	malicious	Browse	195.201.225.248
	4jqQjaJZDY.exe	Get hash	malicious	Browse	195.201.225.248
	x86	Get hash	malicious	Browse	95.217.133.8
	z2xQEFs54b.exe	Get hash	malicious	Browse	136.243.147.81
	#Uc708#Ub3c4#Uc6b0_#Uc11c#Ubc84_2016_#Ud55c#Uae00_#Uc5b8#Uc5b4#Ud329(ya).js	Get hash	malicious	Browse	188.40.120.141
	CBKH2GqLzs.exe	Get hash	malicious	Browse	195.201.225.248
	1W2Ih2UesO.exe	Get hash	malicious	Browse	195.201.225.248
	l3kIICNXe2.exe	Get hash	malicious	Browse	195.201.225.248
	Seguimiento de Fedex -pdf.vbs	Get hash	malicious	Browse	195.201.241.20
	FileZilla_3.53.0_win64_sponsored-setup.exe	Get hash	malicious	Browse	49.12.121.47
	JAVxUlD4fx.exe	Get hash	malicious	Browse	135.181.50.210
	3.exe	Get hash	malicious	Browse	88.99.66.31

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.413847985756096
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	conn.exe
File size:	273920
MD5:	4a69ed64c420ab52e75d231e61d8b98a
SHA1:	8b10386b1d0f5b7e70fd7015aed347a1677d1324
SHA256:	6b649d9b51f8e693faa95adfc39d03af5a37f54a80badf5713627b99b60d6e3f
SHA512:	49b8fbec643dc8e096bb5f86a7546511559e1e9c994b47f2522765fd2cf07c20f0fe6b4c5eb00d899c668dbaf29f980b12e416ac4c575fcac1961c37674adbe0
SSDEEP:	3072:2H1MGaPKMti7h3yhfqx97oESzS+rS3kUcdVeEybwx9mGUEo5brUhajSa5B5c:2VMGrLhqCz1SSbdqVSbJsgrUha1+
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;`................. ...........?... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x443fde
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x603BA8B7 [Sun Feb 28 14:29:11 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
adc byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax+00000018h], al
cmp byte ptr [eax], al
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
push eax
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
push 00800000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
nop
add byte ptr [eax], al
add byte ptr [eax-3FFFFBC0h], ah
add al, byte ptr [eax]
add ah, ah
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+43h], ah
add al, 00h
inc ebp
add eax, 04E40000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
rol byte ptr [edx], 00000034h
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x43f8c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x44000	0x8a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x46000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x41fe4	0x42000	False	0.522353663589	data	6.42280636235	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x44000	0x8a8	0xa00	False	0.3796875	data	5.2057226368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x46000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x440a0	0x2c0	data
RT_MANIFEST	0x44360	0x545	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	1.2.2.2
InternalName
FileVersion	1.2.2.2
CompanyName
LegalTrademarks
ProductName	conn
ProductVersion	1.2.2.2
FileDescription	Mircosoft Corporation
OriginalFilename

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/22/21-04:19:47.632322	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 22, 2021 04:18:58.513457060 CET	49728	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:18:58.578691006 CET	80	49728	88.198.193.213	192.168.2.4
Mar 22, 2021 04:18:58.578824997 CET	49728	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:18:58.580065966 CET	49728	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:18:58.645518064 CET	80	49728	88.198.193.213	192.168.2.4
Mar 22, 2021 04:18:58.645566940 CET	80	49728	88.198.193.213	192.168.2.4
Mar 22, 2021 04:18:58.692079067 CET	49728	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:18:58.705668926 CET	49729	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:18:58.772171021 CET	80	49729	88.198.193.213	192.168.2.4
Mar 22, 2021 04:18:58.772300005 CET	49729	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:18:58.772650957 CET	49729	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:18:58.837136984 CET	80	49729	88.198.193.213	192.168.2.4
Mar 22, 2021 04:18:58.837177038 CET	80	49729	88.198.193.213	192.168.2.4
Mar 22, 2021 04:18:58.837347031 CET	49729	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:18:58.843250990 CET	49729	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:18:58.845066071 CET	49730	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:18:58.907924891 CET	80	49729	88.198.193.213	192.168.2.4
Mar 22, 2021 04:18:58.909852028 CET	80	49730	88.198.193.213	192.168.2.4
Mar 22, 2021 04:18:58.909993887 CET	49730	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:18:58.910736084 CET	49730	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:18:58.976659060 CET	80	49730	88.198.193.213	192.168.2.4
Mar 22, 2021 04:18:58.976717949 CET	80	49730	88.198.193.213	192.168.2.4
Mar 22, 2021 04:18:58.976902008 CET	49730	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:18:58.977015018 CET	49730	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:18:59.043009996 CET	80	49730	88.198.193.213	192.168.2.4
Mar 22, 2021 04:18:59.057661057 CET	49731	80	192.168.2.4	104.26.15.73
Mar 22, 2021 04:18:59.098248005 CET	80	49731	104.26.15.73	192.168.2.4
Mar 22, 2021 04:18:59.098387957 CET	49731	80	192.168.2.4	104.26.15.73
Mar 22, 2021 04:18:59.099651098 CET	49731	80	192.168.2.4	104.26.15.73
Mar 22, 2021 04:18:59.138282061 CET	80	49731	104.26.15.73	192.168.2.4
Mar 22, 2021 04:18:59.142345905 CET	80	49731	104.26.15.73	192.168.2.4
Mar 22, 2021 04:18:59.144362926 CET	49731	80	192.168.2.4	104.26.15.73
Mar 22, 2021 04:18:59.182918072 CET	80	49731	104.26.15.73	192.168.2.4
Mar 22, 2021 04:18:59.188174009 CET	80	49731	104.26.15.73	192.168.2.4
Mar 22, 2021 04:18:59.188195944 CET	80	49731	104.26.15.73	192.168.2.4
Mar 22, 2021 04:18:59.188213110 CET	80	49731	104.26.15.73	192.168.2.4
Mar 22, 2021 04:18:59.188299894 CET	49731	80	192.168.2.4	104.26.15.73
Mar 22, 2021 04:18:59.338249922 CET	49732	80	192.168.2.4	54.225.155.255
Mar 22, 2021 04:18:59.463143110 CET	80	49732	54.225.155.255	192.168.2.4
Mar 22, 2021 04:18:59.463257074 CET	49732	80	192.168.2.4	54.225.155.255
Mar 22, 2021 04:18:59.463567019 CET	49732	80	192.168.2.4	54.225.155.255
Mar 22, 2021 04:18:59.588128090 CET	80	49732	54.225.155.255	192.168.2.4
Mar 22, 2021 04:18:59.597532988 CET	80	49732	54.225.155.255	192.168.2.4
Mar 22, 2021 04:18:59.645232916 CET	49732	80	192.168.2.4	54.225.155.255
Mar 22, 2021 04:19:00.030889988 CET	49734	47822	192.168.2.4	139.196.56.98
Mar 22, 2021 04:19:03.176862955 CET	49734	47822	192.168.2.4	139.196.56.98
Mar 22, 2021 04:19:09.177412033 CET	49734	47822	192.168.2.4	139.196.56.98
Mar 22, 2021 04:19:25.476852894 CET	49749	47822	192.168.2.4	139.196.56.98
Mar 22, 2021 04:19:28.491461992 CET	49749	47822	192.168.2.4	139.196.56.98
Mar 22, 2021 04:19:34.491832972 CET	49749	47822	192.168.2.4	139.196.56.98
Mar 22, 2021 04:19:51.229096889 CET	49762	47822	192.168.2.4	139.196.56.98
Mar 22, 2021 04:19:54.243586063 CET	49762	47822	192.168.2.4	139.196.56.98
Mar 22, 2021 04:19:59.537647963 CET	80	49732	54.225.155.255	192.168.2.4
Mar 22, 2021 04:19:59.537748098 CET	49732	80	192.168.2.4	54.225.155.255
Mar 22, 2021 04:20:00.259640932 CET	49762	47822	192.168.2.4	139.196.56.98
Mar 22, 2021 04:20:13.644386053 CET	80	49728	88.198.193.213	192.168.2.4
Mar 22, 2021 04:20:13.644644976 CET	49728	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:20:16.216615915 CET	49771	47822	192.168.2.4	139.196.56.98
Mar 22, 2021 04:20:19.230077028 CET	49771	47822	192.168.2.4	139.196.56.98
Mar 22, 2021 04:20:25.230607986 CET	49771	47822	192.168.2.4	139.196.56.98
Mar 22, 2021 04:20:38.670022011 CET	49728	80	192.168.2.4	88.198.193.213
Mar 22, 2021 04:20:38.735449076 CET	80	49728	88.198.193.213	192.168.2.4
Mar 22, 2021 04:20:39.232887030 CET	49731	80	192.168.2.4	104.26.15.73
Mar 22, 2021 04:20:39.271719933 CET	80	49731	104.26.15.73	192.168.2.4
Mar 22, 2021 04:20:39.272023916 CET	49731	80	192.168.2.4	104.26.15.73
Mar 22, 2021 04:20:39.607887030 CET	49732	80	192.168.2.4	54.225.155.255
Mar 22, 2021 04:20:39.732650042 CET	80	49732	54.225.155.255	192.168.2.4
Mar 22, 2021 04:20:40.999938011 CET	49774	47822	192.168.2.4	139.196.56.98
Mar 22, 2021 04:20:44.013201952 CET	49774	47822	192.168.2.4	139.196.56.98
Mar 22, 2021 04:20:50.029305935 CET	49774	47822	192.168.2.4	139.196.56.98

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 22, 2021 04:18:51.362596989 CET	64646	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:18:51.420589924 CET	53	64646	8.8.8.8	192.168.2.4
Mar 22, 2021 04:18:51.462116957 CET	65298	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:18:51.512419939 CET	53	65298	8.8.8.8	192.168.2.4
Mar 22, 2021 04:18:52.720312119 CET	59123	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:18:52.769920111 CET	53	59123	8.8.8.8	192.168.2.4
Mar 22, 2021 04:18:53.608863115 CET	54531	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:18:53.668353081 CET	53	54531	8.8.8.8	192.168.2.4
Mar 22, 2021 04:18:53.675580978 CET	49714	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:18:53.723026037 CET	53	49714	8.8.8.8	192.168.2.4
Mar 22, 2021 04:18:54.649334908 CET	58028	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:18:54.705657959 CET	53	58028	8.8.8.8	192.168.2.4
Mar 22, 2021 04:18:56.058057070 CET	53097	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:18:56.104768991 CET	53	53097	8.8.8.8	192.168.2.4
Mar 22, 2021 04:18:57.722496033 CET	49257	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:18:57.774060965 CET	53	49257	8.8.8.8	192.168.2.4
Mar 22, 2021 04:18:58.311546087 CET	62389	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:18:58.495038986 CET	53	62389	8.8.8.8	192.168.2.4
Mar 22, 2021 04:18:58.653358936 CET	49910	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:18:58.704096079 CET	53	49910	8.8.8.8	192.168.2.4
Mar 22, 2021 04:18:59.000123978 CET	55854	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:18:59.056240082 CET	53	55854	8.8.8.8	192.168.2.4
Mar 22, 2021 04:18:59.233412027 CET	64549	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:18:59.281776905 CET	53	64549	8.8.8.8	192.168.2.4
Mar 22, 2021 04:18:59.289604902 CET	63153	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:18:59.336432934 CET	53	63153	8.8.8.8	192.168.2.4
Mar 22, 2021 04:18:59.490133047 CET	52991	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:18:59.536906004 CET	53	52991	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:00.450191021 CET	53700	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:00.498236895 CET	53	53700	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:02.359086037 CET	51726	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:02.409529924 CET	53	51726	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:03.687365055 CET	56794	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:03.748779058 CET	53	56794	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:05.767222881 CET	56534	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:05.818197966 CET	53	56534	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:06.720364094 CET	56627	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:06.773724079 CET	53	56627	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:07.667592049 CET	56621	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:07.714219093 CET	53	56621	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:08.621561050 CET	63116	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:08.671457052 CET	53	63116	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:09.568367004 CET	64078	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:09.623683929 CET	53	64078	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:11.068959951 CET	64801	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:11.124044895 CET	53	64801	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:12.374921083 CET	61721	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:12.422979116 CET	53	61721	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:14.698828936 CET	51255	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:14.747030020 CET	53	51255	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:15.914321899 CET	61522	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:15.963824034 CET	53	61522	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:25.175862074 CET	52337	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:25.224069118 CET	53	52337	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:39.892402887 CET	55046	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:39.959144115 CET	53	55046	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:40.482136011 CET	49612	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:40.592389107 CET	53	49612	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:40.869796038 CET	49285	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:40.932547092 CET	53	49285	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:41.012198925 CET	50601	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:41.067106009 CET	53	50601	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:41.511439085 CET	60875	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:41.634691954 CET	53	60875	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:42.127136946 CET	56448	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:42.182343006 CET	53	56448	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:42.728449106 CET	59172	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:42.783828020 CET	53	59172	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:43.241267920 CET	62420	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:43.298932076 CET	53	62420	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:43.997251034 CET	60579	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:44.043700933 CET	53	60579	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:44.931754112 CET	50183	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:44.989485979 CET	53	50183	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:45.564503908 CET	61531	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:45.632580996 CET	53	61531	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:46.494090080 CET	49228	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:46.550661087 CET	53	49228	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:47.577482939 CET	49228	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:47.632170916 CET	53	49228	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:59.306355953 CET	59794	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:59.353091955 CET	53	59794	8.8.8.8	192.168.2.4
Mar 22, 2021 04:19:59.464220047 CET	55916	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:19:59.526755095 CET	53	55916	8.8.8.8	192.168.2.4
Mar 22, 2021 04:20:04.387851000 CET	52752	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:20:04.445521116 CET	53	52752	8.8.8.8	192.168.2.4
Mar 22, 2021 04:20:33.597274065 CET	60542	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:20:33.646754026 CET	53	60542	8.8.8.8	192.168.2.4
Mar 22, 2021 04:20:34.859230995 CET	60689	53	192.168.2.4	8.8.8.8
Mar 22, 2021 04:20:34.914356947 CET	53	60689	8.8.8.8	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Mar 22, 2021 04:19:47.632322073 CET	192.168.2.4	8.8.8.8	d0c9	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 22, 2021 04:18:58.311546087 CET	192.168.2.4	8.8.8.8	0x372a	Standard query (0)	telize.com	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:58.653358936 CET	192.168.2.4	8.8.8.8	0x5285	Standard query (0)	www.telize.com	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.000123978 CET	192.168.2.4	8.8.8.8	0xee6a	Standard query (0)	freegeoip.net	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.233412027 CET	192.168.2.4	8.8.8.8	0x891b	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.289604902 CET	192.168.2.4	8.8.8.8	0xd068	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 22, 2021 04:18:58.495038986 CET	8.8.8.8	192.168.2.4	0x372a	No error (0)	telize.com		88.198.193.213	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:58.704096079 CET	8.8.8.8	192.168.2.4	0x5285	No error (0)	www.telize.com		88.198.193.213	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.056240082 CET	8.8.8.8	192.168.2.4	0xee6a	No error (0)	freegeoip.net		104.26.15.73	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.056240082 CET	8.8.8.8	192.168.2.4	0xee6a	No error (0)	freegeoip.net		172.67.75.176	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.056240082 CET	8.8.8.8	192.168.2.4	0xee6a	No error (0)	freegeoip.net		104.26.14.73	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.281776905 CET	8.8.8.8	192.168.2.4	0x891b	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Mar 22, 2021 04:18:59.281776905 CET	8.8.8.8	192.168.2.4	0x891b	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Mar 22, 2021 04:18:59.281776905 CET	8.8.8.8	192.168.2.4	0x891b	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.155.255	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.281776905 CET	8.8.8.8	192.168.2.4	0x891b	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.221.253.252	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.281776905 CET	8.8.8.8	192.168.2.4	0x891b	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.140.41	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.281776905 CET	8.8.8.8	192.168.2.4	0x891b	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.129.141	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.281776905 CET	8.8.8.8	192.168.2.4	0x891b	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.76.253	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.281776905 CET	8.8.8.8	192.168.2.4	0x891b	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.281776905 CET	8.8.8.8	192.168.2.4	0x891b	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.164.148	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.281776905 CET	8.8.8.8	192.168.2.4	0x891b	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.48.44	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.336432934 CET	8.8.8.8	192.168.2.4	0xd068	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Mar 22, 2021 04:18:59.336432934 CET	8.8.8.8	192.168.2.4	0xd068	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Mar 22, 2021 04:18:59.336432934 CET	8.8.8.8	192.168.2.4	0xd068	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.336432934 CET	8.8.8.8	192.168.2.4	0xd068	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		107.22.233.72	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.336432934 CET	8.8.8.8	192.168.2.4	0xd068	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.48.44	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.336432934 CET	8.8.8.8	192.168.2.4	0xd068	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.140.41	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.336432934 CET	8.8.8.8	192.168.2.4	0xd068	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.189.250	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.336432934 CET	8.8.8.8	192.168.2.4	0xd068	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.157.230	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.336432934 CET	8.8.8.8	192.168.2.4	0xd068	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.164.148	A (IP address)	IN (0x0001)
Mar 22, 2021 04:18:59.336432934 CET	8.8.8.8	192.168.2.4	0xd068	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.155.255	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

telize.com

www.telize.com

freegeoip.net

api.ipify.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49728	88.198.193.213	80	C:\Users\user\Desktop\conn.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2021 04:18:58.580065966 CET	1273	OUT	GET /geoip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: telize.com Connection: Keep-Alive
Mar 22, 2021 04:18:58.645566940 CET	1274	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 22 Mar 2021 03:18:58 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: http://www.telize.com/geoip Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49729	88.198.193.213	80	C:\Users\user\Desktop\conn.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2021 04:18:58.772650957 CET	1274	OUT	GET /geoip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: www.telize.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49730	88.198.193.213	80	C:\Users\user\Desktop\conn.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2021 04:18:58.910736084 CET	1275	OUT	GET /geoip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: www.telize.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49731	104.26.15.73	80	C:\Users\user\Desktop\conn.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2021 04:18:59.099651098 CET	1276	OUT	GET /xml/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: freegeoip.net Connection: Keep-Alive
Mar 22, 2021 04:18:59.142345905 CET	1277	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 22 Mar 2021 03:18:59 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Mon, 22 Mar 2021 04:18:59 GMT Location: http://freegeoip.net/shutdown cf-request-id: 08f98a75350000c2ef9a96a000000001 Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=lpnaYx0Hkmfuw8IrC6TgfZcJ%2FZcKY9BXWhlLbsreX7xD332dkitzS6oG2Ww4ofpZdWJBgBLidVwmqSJvCfGq7lbqPZF4imHdYNm65Oud"}]} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 633c469b8d3dc2ef-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Mar 22, 2021 04:18:59.144362926 CET	1277	OUT	GET /shutdown HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: freegeoip.net
Mar 22, 2021 04:18:59.188174009 CET	1279	IN	HTTP/1.1 200 OK Date: Mon, 22 Mar 2021 03:18:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dd82444bcaa09aa883a31a2e4c6c2985c1616383139; expires=Wed, 21-Apr-21 03:18:59 GMT; path=/; domain=.freegeoip.net; HttpOnly; SameSite=Lax vary: Accept-Encoding expires: Sat, 26 Jul 1997 05:00:00 GMT cache-control: max-age=31536000, must-revalidate, post-check=0, pre-check=0 pragma: no-cache last-modified: Wed, 17 Mar 2021 00:09:20 GMT x-cache-miss-from: parking-6dfcfcdcd9-mfqcd CF-Cache-Status: HIT Age: 443379 cf-request-id: 08f98a75620000c2ef55b9b000000001 Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=H8KwLF30WNs7w4WhhMyuj1Smd8PODTOHfCBia5V%2BgPGsLL04ovsSdw8blSN2I3BtZJunOvLjXFgKtzqO8J6ieCPlrd%2FCwulK%2BvkY7vup"}]} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 633c469bdd4fc2ef-FRA Data Raw: 36 30 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 Data Ascii: 609<!DOCTYPE html><html><head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height: 100%; width: 100%; margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline; background: transparent;
Mar 22, 2021 04:18:59.188195944 CET	1280	IN	Data Raw: 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 Data Ascii: } body { overflow: hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Follo
Mar 22, 2021 04:18:59.188213110 CET	1280	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49732	54.225.155.255	80	C:\Users\user\Desktop\conn.exe

Timestamp	kBytes transferred	Direction	Data
Mar 22, 2021 04:18:59.463567019 CET	1282	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: api.ipify.org Connection: Keep-Alive
Mar 22, 2021 04:18:59.597532988 CET	1283	IN	HTTP/1.1 200 OK Server: Cowboy Connection: keep-alive Content-Type: text/plain Vary: Origin Date: Mon, 22 Mar 2021 03:18:59 GMT Content-Length: 11 Via: 1.1 vegur Data Raw: 38 34 2e 31 37 2e 35 32 2e 37 38 Data Ascii: 84.17.52.78

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: conn.exe PID: 7148 Parent PID: 5940

General

Start time:	04:18:57
Start date:	22/03/2021
Path:	C:\Users\user\Desktop\conn.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\conn.exe'
Imagebase:	0x450000
File size:	273920 bytes
MD5 hash:	4A69ED64C420AB52E75D231E61D8B98A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000000.636242521.0000000000452000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.636242521.0000000000452000.00000002.00020000.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000002.900577885.0000000000452000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.900577885.0000000000452000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: conn.exe PID: 7148 Parent PID: 5940 conn.exeCOMMON

Executed Functions

Function 06003C79, Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06003ECE

Memory Dump Source

Source File: 00000000.00000002.901862900.0000000006000000.00000040.00000001.sdmp, Offset: 06000000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 08b6863c09254ace44a10455746583dd2042e0dd9b2cd8dd66336cdcb70f6bcf
Instruction ID: aa38d3ff550a13777d575e409797f0bfd5160c6d0ef27fea039aa789dfb56322
Opcode Fuzzy Hash: 08b6863c09254ace44a10455746583dd2042e0dd9b2cd8dd66336cdcb70f6bcf
Instruction Fuzzy Hash: 25713770A00B058FE7A9DF6AD44179ABBF1FF48204F008A2ED08AD7A80D775E905CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06005D0C, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06005E2A

Memory Dump Source

Source File: 00000000.00000002.901862900.0000000006000000.00000040.00000001.sdmp, Offset: 06000000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b614c354f61e0c9424694feff5a3de7d3d72df65f1dba089d6cf34709d9f399b
Instruction ID: 6beb367554410af534525ba172baf517d881ffdc3b013892f3f513a58012d1b1
Opcode Fuzzy Hash: b614c354f61e0c9424694feff5a3de7d3d72df65f1dba089d6cf34709d9f399b
Instruction Fuzzy Hash: 5B51E0B1C00349DFEB15CFA9D984ADEBFB1BF48314F24812AE418AB250D7749881CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06005D18, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06005E2A

Memory Dump Source

Source File: 00000000.00000002.901862900.0000000006000000.00000040.00000001.sdmp, Offset: 06000000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 500972ba36ec1e950661c7bfe000d8d74e2568fa8bd65ccdd94b6e5fc823a938
Instruction ID: 0940b60f93c5202a225d5a3e8d9317bf20ead0b30f6c1a37f5626bfad297c7a6
Opcode Fuzzy Hash: 500972ba36ec1e950661c7bfe000d8d74e2568fa8bd65ccdd94b6e5fc823a938
Instruction Fuzzy Hash: AA41D1B1D00349DFEB15CF9AD984ADEBFB5BF48310F24812AE418AB250D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06003474, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06008511

Memory Dump Source

Source File: 00000000.00000002.901862900.0000000006000000.00000040.00000001.sdmp, Offset: 06000000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: fc39836d26f661952ad72de0031d04bbff7686d225a59282efcae0fea9c1b960
Instruction ID: 3233ff8695580525c6eb7e75b8db3c93eab715982969fe06b2f306a3c3f377ef
Opcode Fuzzy Hash: fc39836d26f661952ad72de0031d04bbff7686d225a59282efcae0fea9c1b960
Instruction Fuzzy Hash: A1411AB8A00205DFEB54CF99C888BAABBF5FF88314F15C859D519A7361D774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 060040C8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06003F49,00000800,00000000,00000000), ref: 0600413A

Memory Dump Source

Source File: 00000000.00000002.901862900.0000000006000000.00000040.00000001.sdmp, Offset: 06000000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f2cac0c3fd43ca4c008fb7781871d47d546cb1c9bf85b64ea63e370b098af392
Instruction ID: 5b1e397d90262e7da565dfed9b638f0468060e5b842dcee614e4a40b8df3518c
Opcode Fuzzy Hash: f2cac0c3fd43ca4c008fb7781871d47d546cb1c9bf85b64ea63e370b098af392
Instruction Fuzzy Hash: 0B1100B6C00249DFEB10CF9AD844BDEBBF4AB98320F14842AE515A7600C378A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 060031E8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06003F49,00000800,00000000,00000000), ref: 0600413A

Memory Dump Source

Source File: 00000000.00000002.901862900.0000000006000000.00000040.00000001.sdmp, Offset: 06000000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5fcd2f8e79ec0c1b09f4ba26f37e701efc4d0c6655c6a1d06bc6367bb4078f78
Instruction ID: 144dfe7fa1b8dfe3af3c2a482360265cd1f24abd96dd4609f820094f33338161
Opcode Fuzzy Hash: 5fcd2f8e79ec0c1b09f4ba26f37e701efc4d0c6655c6a1d06bc6367bb4078f78
Instruction Fuzzy Hash: 101103B6D00249DFEB10CF9AD844BDEBBF4AB98324F14842AE615B7240C374A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06003E68, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06003ECE

Memory Dump Source

Source File: 00000000.00000002.901862900.0000000006000000.00000040.00000001.sdmp, Offset: 06000000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a43c67069bc15f5e4213d8ed53d44c9ca396ea9922b6dfab217be528015f0f27
Instruction ID: 6e1cf7bfaefaa61f6b0d3b954a50d4d54a8decd5933fed0523ebd8de69ba8ef4
Opcode Fuzzy Hash: a43c67069bc15f5e4213d8ed53d44c9ca396ea9922b6dfab217be528015f0f27
Instruction Fuzzy Hash: 0F1110B5C002498FEB10CF9AC844BDFFBF4AF88224F14852AD419A7240D379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06009478, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0600A44D

Memory Dump Source

Source File: 00000000.00000002.901862900.0000000006000000.00000040.00000001.sdmp, Offset: 06000000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0bf0592237a9b0105d9a7db721ceffb738384eee27c8e399cf60bd491e661d9a
Instruction ID: f4ce177757c5098447267f489bcc3967dea321c6c6de39c3d1eceb205a62cc8b
Opcode Fuzzy Hash: 0bf0592237a9b0105d9a7db721ceffb738384eee27c8e399cf60bd491e661d9a
Instruction Fuzzy Hash: 271145B4900348CFEB50CF9AD888BDEBFF4EB48324F10842AE518A7240D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0600A3F0, Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0600A44D

Memory Dump Source

Source File: 00000000.00000002.901862900.0000000006000000.00000040.00000001.sdmp, Offset: 06000000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2771cef8725fefd638c0e088b66c88e33234d13a6a1bf709b7fa30a25ea56a67
Instruction ID: f8bb5c6a4900e3304e7876eab363f2d0e0c445f4cfaa9287808b59185541c401
Opcode Fuzzy Hash: 2771cef8725fefd638c0e088b66c88e33234d13a6a1bf709b7fa30a25ea56a67
Instruction Fuzzy Hash: C21115B5900348DFDB10CF9AD549BDEBFF4EB48324F24841AD559A7200D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D428, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.900780197.0000000000A3D000.00000040.00000001.sdmp, Offset: 00A3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6d6618a4b481ef6f2bfb51d2b1c6f3c2f5f5a8547a4ed0ea7e7e01ee67f963
Instruction ID: 0629348b4466fccae20fa699d9e0e5ea23fd5fc4fa4d487a9ca7467f7cb1dfaf
Opcode Fuzzy Hash: be6d6618a4b481ef6f2bfb51d2b1c6f3c2f5f5a8547a4ed0ea7e7e01ee67f963
Instruction Fuzzy Hash: 3C2107B1504240EFDB05CF14E9C0B26BF75FB94324F24C669F9494B246C336E856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D514, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.900780197.0000000000A3D000.00000040.00000001.sdmp, Offset: 00A3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23088646792b22d0df12d3c6ad69ca56e5c4ed77909777fb4dfe80fcfe078faa
Instruction ID: 5daeab47dab965dfcfbfc0e521715d145ef991e9182aa94d25ea15bf07212679
Opcode Fuzzy Hash: 23088646792b22d0df12d3c6ad69ca56e5c4ed77909777fb4dfe80fcfe078faa
Instruction Fuzzy Hash: A12104B2504240EFDB05DF14E9C0F2ABF75FB88328F248669F9054B246C336D856DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D04C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.900798323.0000000000A4D000.00000040.00000001.sdmp, Offset: 00A4D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c5091d46687d1bd714db3467e1537f124e11e6e6a89b20078bd3f16eba3f8f
Instruction ID: d8c4ca4848d9a4c10544a202e9174d4c4e28b76dbe3b1ae2e1d16a17a039d66d
Opcode Fuzzy Hash: 11c5091d46687d1bd714db3467e1537f124e11e6e6a89b20078bd3f16eba3f8f
Instruction Fuzzy Hash: A42104B9504244EFDB14CF14D8C0B26BB75FBC4318F24CAADD90A4B246C776D847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D423, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.900780197.0000000000A3D000.00000040.00000001.sdmp, Offset: 00A3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
Instruction ID: e03d4289f04f53c4c11b1430867835d2d550dfe28b1da93d9058947553deb536
Opcode Fuzzy Hash: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
Instruction Fuzzy Hash: C311D376404280DFDB12CF14E5C4B16BF71FB94324F24C6AAE8490B616C33AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D50F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.900780197.0000000000A3D000.00000040.00000001.sdmp, Offset: 00A3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
Instruction ID: e2fe3b1fb2fe237f53fb80b9c41e761c3e5342b4996485c0bd4c3a468c05cd10
Opcode Fuzzy Hash: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
Instruction Fuzzy Hash: CD11E676404280DFDF11CF14E5C4B16BF71FB94324F24C6A9E8454B616C33AD956CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A4D047, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.900798323.0000000000A4D000.00000040.00000001.sdmp, Offset: 00A4D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84522397b0c0072479584b34e9b527c289f971b5c41eac134402e64a3c6926ae
Instruction ID: 47322923553ab7ec40ff1907ccbf07e5beffa2777751996c4bcba4010b199e8a
Opcode Fuzzy Hash: 84522397b0c0072479584b34e9b527c289f971b5c41eac134402e64a3c6926ae
Instruction Fuzzy Hash: F6118B79504280DFDB11CF14D9C4B15BBB1FB84324F28C6AED8494B656C33AD85ACB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00459322, Relevance: 1.3, Instructions: 1309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.900577885.0000000000452000.00000002.00020000.sdmp, Offset: 00450000, based on PE: true

Associated: 00000000.00000002.900565316.0000000000450000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84662bdfff181c308b5d9142eb6a0cdfa2b820514601306fb401038d163e0ff2
Instruction ID: 7d9b3643fb10a23171ba77ffe3461030d771e98826b4108937c4acf4775eda5f
Opcode Fuzzy Hash: 84662bdfff181c308b5d9142eb6a0cdfa2b820514601306fb401038d163e0ff2
Instruction Fuzzy Hash: 34B23A2144E3C29FC7535F7488B51E1BFB0EE5722471E49DBD4C08F463E22869AADB62

Uniqueness

Uniqueness Score: -1.00%

Function 06004350, Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.901862900.0000000006000000.00000040.00000001.sdmp, Offset: 06000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df465c1aaf92a17c7f412a2646c44a3c41d49ffff32ec902cfda865841a54d84
Instruction ID: 562d32e3aca6ebd6a5cb3093a3948b8ecd63586dd81f3e6d010573f14771e166
Opcode Fuzzy Hash: df465c1aaf92a17c7f412a2646c44a3c41d49ffff32ec902cfda865841a54d84
Instruction Fuzzy Hash: 145258B9D80706CFE790CF16E4D81993BA1FB44328FD04A08D2616B6D9D3BC656ACF64

Uniqueness

Uniqueness Score: -1.00%

Function 0600A610, Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.901862900.0000000006000000.00000040.00000001.sdmp, Offset: 06000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2c4a2fd0413a3203367224aebfbce24b6c70ac76130ab94fbf88ca1c51db94
Instruction ID: cb52437b06ae8cd444177727d40e8219a0906df27309ec19dd783a86dd664847
Opcode Fuzzy Hash: cd2c4a2fd0413a3203367224aebfbce24b6c70ac76130ab94fbf88ca1c51db94
Instruction Fuzzy Hash: 69F14B34B403098FFB94DFA5C994B9DBBF2BF88304F158169E405AB2A6DB749945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 060012B4, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.901862900.0000000006000000.00000040.00000001.sdmp, Offset: 06000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600dd761086ac8e37f816b9cec857c29e0e07c78288c9401b0f7b682c7ff9f38
Instruction ID: b89ce0d27405c6e6650b50847a6a9fab3c643f452a26abaefa3190e4a97d66b7
Opcode Fuzzy Hash: 600dd761086ac8e37f816b9cec857c29e0e07c78288c9401b0f7b682c7ff9f38
Instruction Fuzzy Hash: 32A17036E4061ACFEF4ACFA5C8445DDBBF2FF89300B15856AE815AB260DB31E955CB40

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report conn.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph