QuasarRAT | d2f90d475a10

Classifications

Backdoor

Threat Names

QuasarRAT

Dynamic Analysis Report

Created on 2024-05-20T10:02:56+00:00

msedge.exe

Windows Exe (x86-32)

Remarks (1/1)

Auto Reboot Triggered (0x02000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\RDhJ0CNFevzX\Desktop\msedge.exe

Sample File

Binary

Also Known As	C:\Program Files\Microsoft\Update\msedge.exe (Accessed File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	3.17 MB
MD5	9fc5b8634e4eea57df161ac555b9038c
SHA1	2255163744db808966d7df921977b6809f008e8b
SHA256	d2f90d475a108951b3411445011c23803016cb0e537dde32d8d879a896906efb
SSDeep	49152:CvIiiN2tPa2vpJPylxhhC25D/WvneQxNESEZk/ihEoGdtFTHHB72eh2NTz:CvDq2tPa2vpJPylxhhz5D/WPRxYuU
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744
Static Analysis Parser Error	invalid icon image: 1

File Reputation Information

Verdict

Malicious

PE Information

Image Base	0x00400000
Entry Point	0x0071E56E
Size Of Code	0x0031C600
Size Of Initialized Data	0x00011800
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2024-03-10 23:09 (UTC)

Version Information (11)

Comments	-
CompanyName	-
FileDescription	Microsoft Edge
FileVersion	122.0.2365.80
InternalName	msedge.exe
LegalCopyright	Copyright Microsoft Corporation. All reights reserved.
LegalTrademarks	-
OriginalFilename	msedge.exe
ProductName	Microsoft Edge
ProductVersion	122.0.2365.80
Assembly Version	122.0.2365.80

Sections (3)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x00402000	0x0031C574	0x0031C600	0x00000200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.09
.rsrc	0x00720000	0x00011424	0x00011600	0x0031C800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.54
.reloc	0x00732000	0x0000000C	0x00000200	0x0032DE00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.1

Imports (1)

mscoree.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	-	0x00402000	0x0031E544	0x0031C744	0x00000000

Memory Dumps (2)

Name	Process ID	Start VA	End VA	Dump Reason	PE Rebuild	Bitness	Entry Point	YARA	Actions
msedge.exe	1	0x00690000	0x009C3FFF	Relevant Image		64-bit	-		... Actions Go to Process Go to YARA Match Download Dump
msedge.exe	1	0x00690000	0x009C3FFF	Final Dump		64-bit	-		... Actions Go to Process Go to YARA Match Download Dump

YARA Matches (1)

Rule Name	Rule Description	Classification	Score	Actions
QuasarRAT	QuasarRAT	Backdoor	5/5	... Actions Show Ruleset Show Match

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\".

Before

After

WHOIS Domain Information

Screenshot

Remarks (1/1)

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information