QuasarRAT.v1 | 35e7fe834913

Classifications

Backdoor

Threat Names

QuasarRAT QuasarRAT.v1

Dynamic Analysis Report

Created on 2024-05-21T00:39:21+00:00

svchost.exe

Windows Exe (x86-32)

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\svchost.exe

Sample File

Binary

MIME Type	application/vnd.microsoft.portable-executable
File Size	3.11 MB
MD5	a23466356602ad7c60b27723af04fbdf
SHA1	9b527c13c495b8e091639e6f17a5a10e771262db
SHA256	35e7fe834913b280077c5a30396138bfdcb3dae404b7802878be38b3d2120606
SSDeep	49152:KvBt62XlaSFNWPjljiFa2RoUYIJjg4jhdcoGdITHHB72eh2NT:Kvr62XlaSFNWPjljiFXRoUYIJjgv
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

File Reputation Information

Verdict

Malicious

PE Information

Image Base	0x00400000
Entry Point	0x0071E3DE
Size Of Code	0x0031C400
Size Of Initialized Data	0x00000E00
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2023-03-12 16:16 (UTC)

Version Information (11)

Comments	-
CompanyName	Microsoft corporation
FileDescription	Host process for windows service
FileVersion	1.9.8.6
InternalName	svchost.exe
LegalCopyright	Microsoft 2024
LegalTrademarks	Microsoft. Inc
OriginalFilename	svchost.exe
ProductName	svchost.exe
ProductVersion	1.2.1.1
Assembly Version	1.2.1.1

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x0031C3E4	0x0031C400	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.09
.rsrc	0x00720000	0x00000B00	0x00000C00	0x0031C600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.18
.reloc	0x00722000	0x0000000C	0x00000200	0x0031D200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.1

Imports (1)

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x0031E3AC	0x0031C5AC	0x00000000

Memory Dumps (1)

Name	Process ID	Start VA	End VA	Dump Reason	PE Rebuild	Bitness	Entry Point	YARA	Actions
svchost.exe	1	0x00FE0000	0x01303FFF	Relevant Image		64-bit	-		... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
QuasarRAT	QuasarRAT	Backdoor	5/5	... Actions Show Ruleset Show Match

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\".

Before

After

WHOIS Domain Information

Screenshot

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information