Windows Analysis Report
tfSYi9zABT.exe

Overview

General Information

Sample name:	tfSYi9zABT.exe renamed because original name is a hash value
Original sample name:	cef03024e5b35b5197c1337596109958.exe
Analysis ID:	1545820
MD5:	cef03024e5b35b5197c1337596109958
SHA1:	6ca77f693ccc8c283c4de40fb94b62b06538437d
SHA256:	5c76b09c0f287820cc34b5f06a8fd627bface66474241daa4b5d86273cf3102d
Tags:	32exe
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected Quasar RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Uses dynamic DNS services

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: tfSYi9zABT.exe

Avira: detected

Found malware configuration

Source: tfSYi9zABT.exe

Malware Configuration Extractor: Quasar {"Host:Port": "~^')}-{#", "InstallName": "~o\"`", "MutexName": "Q/t*@", "StartupKey": "BmL]RX3~v2", "Tag": "5qAQ?%5n", "ServerCertificate": "`<L~"}

Multi AV Scanner detection for domain / URL

Source: crissnda5.ddns.net

Virustotal: Detection: 14%

Perma Link

Multi AV Scanner detection for submitted file

Source: tfSYi9zABT.exe	Virustotal: Detection: 83%			Perma Link
Source: tfSYi9zABT.exe	ReversingLabs: Detection: 86%

Yara detected Quasar RAT

Source: Yara match	File source: tfSYi9zABT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tfSYi9zABT.exe PID: 6676, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: tfSYi9zABT.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: tfSYi9zABT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: tfSYi9zABT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036383 - Severity 1 - ET MALWARE Common RAT Connectivity Check Observed : 192.168.2.4:49730 -> 208.95.112.1:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: ~^')}-{#

Uses dynamic DNS services

Source: unknown

DNS query: name: crissnda5.ddns.net

Yara detected Generic Downloader

Source: Yara match	File source: tfSYi9zABT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 87.121.86.32:2024

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: SKATTV-ASBG SKATTV-ASBG

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: crissnda5.ddns.net

Source: tfSYi9zABT.exe	String found in binary or memory: http://api.ipify.org/
Source: tfSYi9zABT.exe	String found in binary or memory: http://freegeoip.net/xml/
Source: tfSYi9zABT.exe	String found in binary or memory: http://ip-api.com/json/
Source: tfSYi9zABT.exe, 00000000.00000002.4115090399.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: tfSYi9zABT.exe, 00000000.00000002.4115090399.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: tfSYi9zABT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tfSYi9zABT.exe PID: 6676, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group

Detected potential crypto function

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Code function: 0_2_00007FFD9B8890B8	0_2_00007FFD9B8890B8
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Code function: 0_2_00007FFD9B8890A8	0_2_00007FFD9B8890A8
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Code function: 0_2_00007FFD9B8757D6	0_2_00007FFD9B8757D6
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Code function: 0_2_00007FFD9B871718	0_2_00007FFD9B871718
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Code function: 0_2_00007FFD9B889615	0_2_00007FFD9B889615
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Code function: 0_2_00007FFD9B876582	0_2_00007FFD9B876582

Sample file is different than original file name gathered from version info

Source: tfSYi9zABT.exe, 00000000.00000000.1666034153.0000000000B5A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs tfSYi9zABT.exe
Source: tfSYi9zABT.exe	Binary or memory string: OriginalFilenameClient.exe" vs tfSYi9zABT.exe

Uses 32bit PE files

Source: tfSYi9zABT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan

Source: tfSYi9zABT.exe, ------.cs

Base64 encoded string: 'gMF/1BjUy69kQYPmFT5Vmlj/C89TrNqccg8F6q58zLN66Jn1EqDU1eKLV2WA49cRdz68f26Ln8Lhd6Kq7Wdzsg==', 'LFaZRZgeB16rFy2urwxVP0NfhxXuy009a3kdetDxI9T8X0HtnXPuLswcgtey0B8qWCY7LoveMEf/DWc8wcEa0Ks2+70L09COtLQSLedTXt4=', 'h36LUNE6D6Y9hpohEF6YNS5bniF/Glgol+St+nwGv2QBfXWLmUsLx5aanXm2PRFz2aY54a//jMvBGR9l4hF9Vg==', 'jZIlbZLrBvn7C0Ntt/Uy1VCNMQ5NR4TIo/pQwPRUgtA9V5685ml+DP68ybJI+R4Ix1ybauk6pN7opxERMwr5ZgVzfwUPDtA4BagKt8M2m8E=', 'RBns8ujiO9cWMFwnkHDg0xMnemi+vkMFa7HJqUb/QvoLMneX0O+es5WD3t+yo2dTkiIsPC2+wgsZFPBmeoQA5aHgmjDvNAH1McuWI5Wtq0o=', 'Pplz1pSqCfNu8dBsROdDTlORzLlwTdKT+Bjcnoit9S59DYCbsI/8zfbnJOsVCqGxP6sU2Rul+ngqnqyn1032VA==', 'nnCCO+k6vzCW8hz3m1KFW/T2j3/MZpugmxCkSboUqFu/YBw6DgP8MAOhHA1aP/WLohuVWdo+Aj95+3YVdJGzYg==', 'VsiU6kMBR4Q0MKimY+QO8O0+5i+ovNBf3Xx99gZ9a8m+i+j11BEH4HdmgxKMvsLXHO9Lc1lTsodfcnhve5UkiA=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@2/2

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_6VCXMuKq5sglsUPNYu

Source: tfSYi9zABT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tfSYi9zABT.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tfSYi9zABT.exe	Virustotal: Detection: 83%
Source: tfSYi9zABT.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: tfSYi9zABT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: tfSYi9zABT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

Code function: 0_2_00007FFD9B880468 push eax; retf

0_2_00007FFD9B8804D9

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

File opened: C:\Users\user\Desktop\tfSYi9zABT.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Memory allocated: 1090000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Memory allocated: 1AF00000 memory reserve \| memory write watch			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Window / User API: threadDelayed 1194	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Window / User API: threadDelayed 365	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Window / User API: threadDelayed 8252	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\tfSYi9zABT.exe TID: 6704	Thread sleep count: 118 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe TID: 6704	Thread sleep time: -295000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe TID: 7044	Thread sleep count: 1194 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe TID: 7044	Thread sleep count: 365 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe TID: 6704	Thread sleep count: 8252 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe TID: 6704	Thread sleep time: -20630000s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: tfSYi9zABT.exe, 00000000.00000002.4116506371.000000001B87B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Enables debug privileges

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Queries volume information: C:\Users\user\Desktop\tfSYi9zABT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: tfSYi9zABT.exe, 00000000.00000002.4116677676.000000001B9E2000.00000004.00000020.00020000.00000000.sdmp, tfSYi9zABT.exe, 00000000.00000002.4114863662.0000000001130000.00000004.00000020.00020000.00000000.sdmp, tfSYi9zABT.exe, 00000000.00000002.4116818780.000000001BA2C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: tfSYi9zABT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tfSYi9zABT.exe PID: 6676, type: MEMORYSTR

Remote Access Functionality

Detected Quasar RAT

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_6VCXMuKq5sglsUPNYu

Jump to behavior

Yara detected Quasar RAT

Source: Yara match	File source: tfSYi9zABT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tfSYi9zABT.exe PID: 6676, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
87.121.86.32	crissnda5.ddns.net	Bulgaria		34577	SKATTV-ASBG	true

Contacted Domains

Name	IP	Active
ip-api.com	208.95.112.1	true
crissnda5.ddns.net	87.121.86.32	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/json/	true	0%, Virustotal, Browse	unknown
~^')}-{#	true		unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: tfSYi9zABT.exe

Avira: detected

Found malware configuration

Source: tfSYi9zABT.exe

Malware Configuration Extractor: Quasar {"Host:Port": "~^')}-{#", "InstallName": "~o\"`", "MutexName": "Q/t*@", "StartupKey": "BmL]RX3~v2", "Tag": "5qAQ?%5n", "ServerCertificate": "`<L~"}

Multi AV Scanner detection for domain / URL

Source: crissnda5.ddns.net

Virustotal: Detection: 14%

Perma Link

Multi AV Scanner detection for submitted file

Source: tfSYi9zABT.exe	Virustotal: Detection: 83%			Perma Link
Source: tfSYi9zABT.exe	ReversingLabs: Detection: 86%

Yara detected Quasar RAT

Source: Yara match	File source: tfSYi9zABT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tfSYi9zABT.exe PID: 6676, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: tfSYi9zABT.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: tfSYi9zABT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: tfSYi9zABT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036383 - Severity 1 - ET MALWARE Common RAT Connectivity Check Observed : 192.168.2.4:49730 -> 208.95.112.1:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: ~^')}-{#

Uses dynamic DNS services

Source: unknown

DNS query: name: crissnda5.ddns.net

Yara detected Generic Downloader

Source: Yara match	File source: tfSYi9zABT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 87.121.86.32:2024

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: SKATTV-ASBG SKATTV-ASBG

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: crissnda5.ddns.net

Source: tfSYi9zABT.exe	String found in binary or memory: http://api.ipify.org/
Source: tfSYi9zABT.exe	String found in binary or memory: http://freegeoip.net/xml/
Source: tfSYi9zABT.exe	String found in binary or memory: http://ip-api.com/json/
Source: tfSYi9zABT.exe, 00000000.00000002.4115090399.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: tfSYi9zABT.exe, 00000000.00000002.4115090399.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: tfSYi9zABT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tfSYi9zABT.exe PID: 6676, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group

Detected potential crypto function

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Code function: 0_2_00007FFD9B8890B8	0_2_00007FFD9B8890B8
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Code function: 0_2_00007FFD9B8890A8	0_2_00007FFD9B8890A8
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Code function: 0_2_00007FFD9B8757D6	0_2_00007FFD9B8757D6
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Code function: 0_2_00007FFD9B871718	0_2_00007FFD9B871718
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Code function: 0_2_00007FFD9B889615	0_2_00007FFD9B889615
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Code function: 0_2_00007FFD9B876582	0_2_00007FFD9B876582

Sample file is different than original file name gathered from version info

Source: tfSYi9zABT.exe, 00000000.00000000.1666034153.0000000000B5A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameClient.exe" vs tfSYi9zABT.exe
Source: tfSYi9zABT.exe	Binary or memory string: OriginalFilenameClient.exe" vs tfSYi9zABT.exe

Uses 32bit PE files

Source: tfSYi9zABT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: tfSYi9zABT.exe, type: SAMPLE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan

Source: tfSYi9zABT.exe, ------.cs

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@2/2

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_6VCXMuKq5sglsUPNYu

Source: tfSYi9zABT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tfSYi9zABT.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tfSYi9zABT.exe	Virustotal: Detection: 83%
Source: tfSYi9zABT.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: tfSYi9zABT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: tfSYi9zABT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

Code function: 0_2_00007FFD9B880468 push eax; retf

0_2_00007FFD9B8804D9

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

File opened: C:\Users\user\Desktop\tfSYi9zABT.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Memory allocated: 1090000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Memory allocated: 1AF00000 memory reserve \| memory write watch			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Window / User API: threadDelayed 1194	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Window / User API: threadDelayed 365	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Window / User API: threadDelayed 8252	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\tfSYi9zABT.exe TID: 6704	Thread sleep count: 118 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe TID: 6704	Thread sleep time: -295000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe TID: 7044	Thread sleep count: 1194 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe TID: 7044	Thread sleep count: 365 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe TID: 6704	Thread sleep count: 8252 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe TID: 6704	Thread sleep time: -20630000s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: tfSYi9zABT.exe, 00000000.00000002.4116506371.000000001B87B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Enables debug privileges

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Queries volume information: C:\Users\user\Desktop\tfSYi9zABT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\tfSYi9zABT.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: tfSYi9zABT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tfSYi9zABT.exe PID: 6676, type: MEMORYSTR

Remote Access Functionality

Detected Quasar RAT

Source: C:\Users\user\Desktop\tfSYi9zABT.exe

Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_6VCXMuKq5sglsUPNYu

Jump to behavior

Yara detected Quasar RAT

Source: Yara match	File source: tfSYi9zABT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.tfSYi9zABT.exe.b00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1665954446.0000000000B02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tfSYi9zABT.exe PID: 6676, type: MEMORYSTR

ID:	1545820
Product:	CloudBasic
Start time:	04:58:05
Start date:	31.10.2024
Sample:	tfSYi9zABT.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	cef03024e5b35b5197c1337596109958
SHA1:	6ca77f693ccc8c283c4de40fb94b62b06538437d
SHA256:	5c76b09c0f287820cc34b5f06a8fd627bface66474241daa4b5d86273cf3102d
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Windows Analysis Report
tfSYi9zABT.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report tfSYi9zABT.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
tfSYi9zABT.exe

Malware Threat Intel
Provided by