QuasarRAT,xRAT | 6da200577598

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\Unify.exe

Sample File

Binary

Also Known As	C:\Users\RDhJ0CNFevzX\AppData\Roaming\SubDir\Client.exe (Accessed File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	409.00 KB
MD5	7544e8e688461810abd5387160692c95
SHA1	bb41e11803d0da2fb7f6e2068220ddd3faf347c7
SHA256	6da2005775980d44d0a6f9d8f12d7394e8d81abf96f444a6c4da54c2376430a0
SSDeep	6144:MMfPp5S6M1Xy0gmfnF8V0dguFJSSvbaU01T/yUhAd5GbdQNJ:Bpg6M1i9mfnFUEgctoLILGbdQf
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

File Reputation Information

Verdict

Malicious

PE Information

Image Base	0x00400000
Entry Point	0x0046749E
Size Of Code	0x00065600
Size Of Initialized Data	0x00000C00
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2024-05-20 15:17 (UTC)

Version Information (11)

Comments	GitHub
CompanyName	GitHub
FileDescription	Update
FileVersion	3.1.5
InternalName	Unify.exe
LegalCopyright	Discord
LegalTrademarks	Discord
OriginalFilename	Unify.exe
ProductName	Discord
ProductVersion	3.1.5
Assembly Version	3.1.5.0

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x000654A4	0x00065600	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.54
.rsrc	0x00468000	0x00000A00	0x00000A00	0x00065800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.25
.reloc	0x0046A000	0x0000000C	0x00000200	0x00066200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.1

Imports (1)

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x0006746C	0x0006566C	0x00000000

Memory Dumps (16)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
unify.exe	1	0x00880000	0x008EBFFF	Relevant Image	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	1	0x04CDE000	0x04CDFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x0486C000	0x0486FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x0442E000	0x0442FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00188000	0x0018FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x00A3CAD0	0x00A3CCD7	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
unify.exe	1	0x00880000	0x008EBFFF	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
unify.exe	1	0x00880000	0x008EBFFF	Final Dump	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
unify.exe	1	0x00880000	0x008EBFFF	Process Termination	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
client.exe	7	0x00F40000	0x00FABFFF	Relevant Image	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump
buffer	7	0x04D5D000	0x04D5FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	7	0x00CDC000	0x00CDFFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	7	0x00B9E000	0x00B9FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	7	0x00188000	0x0018FFFF	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
buffer	7	0x0100FAB0	0x0100FCB7	First Network Behavior	32-bit	-	... Actions Go to Process Download Dump
client.exe	7	0x00F40000	0x00FABFFF	First Network Behavior	32-bit	-	... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (2)

Rule Name	Rule Description	Classification	Score	Actions
xRAT_1	xRAT malware	Backdoor	5/5	... Actions Show Ruleset Show Match
QuasarRAT	QuasarRAT	Backdoor	5/5	... Actions Show Ruleset Show Match

C:\Users\RDhJ0CNFevzX\AppData\Roaming\Logs\05-20-2024

Dropped File

Stream

MIME Type	application/octet-stream
File Size	224 Bytes
MD5	26a13d9730368205b64abdf37ec44aee
SHA1	b8c969913251318667cf37fac74d74a6a97d17a1
SHA256	1a57dac4200adccb79971fb993747ef7efc73d108febc47fdfc24974eaee8df4
SSDeep	3:NXCEO9X93cQdeY8/fmmE9BOonAPFbNR7t4QbjDeP34yiU34ig/hr3DyhUco0OPnO:NXCn9N3cZnse9bNRpvCP3viTr3uSnPnO
ImpHash	-

C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\install.exe

Dropped File

Empty File

MIME Type	inode/x-empty
File Size	0 Bytes (not extracted)
MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep	3::
ImpHash	-

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information