Malicious
Classifications

Backdoor Keylogger Spyware

Threat Names

QuasarRAT Mal/Generic-S Mal/HTMLGen-A QuasarRAT.v1

File: C:\Users\RDhJ0CNFevzX\Desktop\Office.exe
Category: Sample File
Type: Binary
Verdict: Malicious
Also Known As C:\Users\RDhJ0CNFevzX\AppData\Roaming\Office\svchost.exe (Accessed File)
MIME Type application/vnd.microsoft.portable-executable
File Size 3.11 MB
MD5 937217c0370dce96d63931fda0f27c77
SHA1 536ecba61aa24e8939be96a409010c2750215da2
SHA256 45649f750756140bd9d47794c91c11e6d6b28424c8b497c3d5bf0a59bb9ba527
SSDeep 49152:DvaI22SsaNYfdPBldt698dBcjHOdcmoGdrTHHB72eh2NT:DvX22SsaNYfdPBldt6+dBcjHOdh
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
File Reputation Information
Verdict
Malicious
Names Mal/Generic-S
PE Information
Image Base 0x00400000
Entry Point 0x0071E3FE
Size Of Code 0x0031C600
Size Of Initialized Data 0x00000E00
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2023-03-12 16:16 (UTC)
Version Information (11)
Comments -
CompanyName Microsoft
FileDescription -
FileVersion 1.0.0.0
InternalName -
LegalCopyright Microsoft Corporation
LegalTrademarks -
OriginalFilename -
ProductName svchost
ProductVersion 1.0.0.0
Assembly Version 1.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x0031C404 0x0031C600 0x00000200 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.08
.rsrc 0x00720000 0x00000A68 0x00000C00 0x0031C800 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 5.23
.reloc 0x00722000 0x0000000C 0x00000200 0x0031D400 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.08
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x0031E3CC 0x0031C5CC 0x00000000
Memory Dumps (9)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
office.exe 1 0x00170000 0x00493FFF Relevant Image False 64-bit - False
office.exe 1 0x00170000 0x00493FFF Process Termination False 64-bit - False
svchost.exe 2 0x00770000 0x00A93FFF Relevant Image False 64-bit - False
buffer 2 0x1BBF8000 0x1BBFFFFF First Network Behavior False 64-bit - False
buffer 2 0x1B9F8000 0x1B9FFFFF First Network Behavior False 64-bit - False
buffer 2 0x1B008000 0x1B00FFFF First Network Behavior False 64-bit - False
buffer 2 0x00141000 0x0014FFFF First Network Behavior False 64-bit - False
svchost.exe 2 0x00770000 0x00A93FFF First Network Behavior False 64-bit - False
svchost.exe 2 0x00770000 0x00A93FFF Final Dump False 64-bit - False
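Added example, not part of the VMRay report: the PE tables above can be cross-checked against each other. The Thunk Offset listed for _CorExeMain (0x0031C5CC) should equal the Thunk RVA (0x0031E3CC) translated through the .text section's raw data offset, the entry point should fall inside .text, and the svchost.exe dump ranges (0x00770000 to 0x00A93FFF) should match the SizeOfImage implied by the last section rounded up to the section alignment. The section alignment of 0x2000 is an inference from the section VAs (all multiples of 0x2000), since the report does not print it. Note also that Machine Type is IMAGE_FILE_MACHINE_I386 while every memory dump is 64-bit; that is consistent with a managed assembly (the only import is _CorExeMain from mscoree.dll) that the CLR loads into a 64-bit process, although the report does not show the CLR header flags that decide this.

```python
# Added example (not from the VMRay report): translate the addresses in the
# report between VA, RVA and file offset, and cross-check the memory dump size
# against the section table. All constants below are copied from the report.

IMAGE_BASE = 0x00400000
ENTRY_POINT_VA = 0x0071E3FE
# Inferred, not printed in the report: every section VA is a multiple of 0x2000.
SECTION_ALIGNMENT = 0x2000

# Sections table: (name, virtual address, virtual size, raw data size, raw data offset)
SECTIONS = [
    (".text",  0x00402000, 0x0031C404, 0x0031C600, 0x00000200),
    (".rsrc",  0x00720000, 0x00000A68, 0x00000C00, 0x0031C800),
    (".reloc", 0x00722000, 0x0000000C, 0x00000200, 0x0031D400),
]


def va_to_rva(va):
    """Relative virtual address of a VA in the preferred (unrelocated) image."""
    return va - IMAGE_BASE


def section_for_rva(rva):
    """Name of the section whose in-memory extent contains the RVA, or None."""
    for name, va, vsize, rsize, _ in SECTIONS:
        start = va_to_rva(va)
        if start <= rva < start + max(vsize, rsize):
            return name
    return None


def rva_to_file_offset(rva):
    """File offset backing an RVA, or None if the RVA has no bytes on disk."""
    for _, va, _, rsize, roff in SECTIONS:
        start = va_to_rva(va)
        if start <= rva < start + rsize:
            return roff + (rva - start)
    return None


def expected_size_of_image():
    """SizeOfImage implied by the section table: end of the last section
    rounded up to the section alignment."""
    end = max(va_to_rva(va) + vsize for _, va, vsize, _, _ in SECTIONS)
    return -(-end // SECTION_ALIGNMENT) * SECTION_ALIGNMENT


def dump_size(start_va, end_va):
    """Size of a memory dump given the inclusive Start VA / End VA columns."""
    return end_va - start_va + 1


if __name__ == "__main__":
    ep_rva = va_to_rva(ENTRY_POINT_VA)
    print(f"entry point RVA 0x{ep_rva:08X} in {section_for_rva(ep_rva)} "
          f"at file offset 0x{rva_to_file_offset(ep_rva):08X}")
    # The report lists Thunk RVA 0x0031E3CC with Thunk Offset 0x0031C5CC;
    # the translation must reproduce that offset.
    print(f"_CorExeMain thunk file offset 0x{rva_to_file_offset(0x0031E3CC):08X}")
    # svchost.exe dumps span 0x00770000-0x00A93FFF; compare with SizeOfImage.
    print(f"dump size 0x{dump_size(0x00770000, 0x00A93FFF):X} vs "
          f"implied SizeOfImage 0x{expected_size_of_image():X}")
```

The entry-point file offset the script reports (0x0031C5FE) is where a native disassembler would land; for an IL-only image that location holds only the small jmp-through-IAT stub into mscoree.dll, so the managed code has to be inspected with a .NET decompiler rather than at the native entry point. The dump size and the implied SizeOfImage agreeing (both 0x324000) indicates the dumps are whole relocated images of the same binary, so the process-termination and final dumps can be diffed against the on-disk sample directly.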
YARA Matches (1)
Rule Name: QuasarRAT
Rule Description: QuasarRAT
Classification: Backdoor
Score: 5/5
File: a5f0a581235d449a9779b2e16c956224e2a19bed2da9ce39e9a5e1b9d1ad38af
Category: Downloaded File
Type: Unknown
Verdict: Clean
MIME Type application/json
File Size 1015 Bytes
MD5 6824cab8181894f0658e8e201ce705d4
SHA1 a62b1f4687ca4cde080a9524a2440705472a51ee
SHA256 a5f0a581235d449a9779b2e16c956224e2a19bed2da9ce39e9a5e1b9d1ad38af
SSDeep 24:7GSNLWfOu15aHm3sr21m2g0vC/IbXlxW/IYk24MwOVBA:77NWfBsgz1m2g0vCc0/DWMwOVm
ImpHash -