Threat name:
Quasar, AveMaria, Clipboard Hijacker, Ke
Alert
Classification:
rans.phis.troj.adwa.spyw.expl.evad
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected suspicious PE / MSI digital signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Deletes shadow drive data (may be related to ransomware)
Disables zone checking for all users
Drops PE files to the startup folder
Drops PE files with benign system names
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AveMaria stealer
Yara detected BrowserPasswordDump
Yara detected Clipboard Hijacker
Yara detected Generic Stealer
Yara detected Keylogger Generic
Yara detected StormKitty Stealer
Yara detected Vidar stealer
Yara detected Xorium Stealer
behaviorgraph
top1
dnsIp2
2
Behavior Graph
ID:
1939655
Sample:
hvME3SFWw1.exe
Startdate:
09/07/2026
Architecture:
WINDOWS
Score:
100
129
ned.omni-signage.com
2->129
131
telegram.me
2->131
133
2 other IPs or domains
2->133
143
Suricata IDS alerts
for network traffic
2->143
145
Found malware configuration
2->145
147
Malicious sample detected
(through community Yara
rule)
2->147
149
38 other signatures
2->149
10
hvME3SFWw1.exe
3
27
2->10
started
15
SecurityHealthService.exe
2->15
started
17
SecurityHealthService.exe
6
2->17
started
19
12 other processes
2->19
signatures3
process4
dnsIp5
135
62.60.226.185, 49717, 49728, 49734
FEMOITGB
Germany
10->135
137
ned.omni-signage.com
172.67.140.27, 443, 49706, 49709
CLOUDFLARENET-CloudflareIncUS
Canada
10->137
139
telegram.me
149.154.167.99, 443, 49703, 49724
TELEGRAMVG
United Kingdom
10->139
99
C:\Users\user\...\SecurityHealthService.exe, PE32+
10->99
dropped
101
C:\Users\user\...\SecurityHealthService.exe, PE32+
10->101
dropped
103
C:\Users\user\AppData\Local\...\fbcd6673.exe, PE32
10->103
dropped
111
4 other malicious files
10->111
dropped
173
Tries to harvest and
steal Putty / WinSCP
information (sessions,
passwords, etc)
10->173
175
Found many strings related
to Crypto-Wallets (likely
being stolen)
10->175
177
Found API chain indicative
of sandbox detection
10->177
195
8 other signatures
10->195
21
cmd.exe
1
10->21
started
23
cmd.exe
1
10->23
started
25
cmd.exe
10->25
started
35
3 other processes
10->35
105
C:\Users\user\AppData\Local\...\f101cf63.exe, PE32
15->105
dropped
107
C:\Users\user\AppData\Local\...\e4af4209.exe, PE32+
15->107
dropped
109
C:\Users\user\AppData\Local\...\88caba81.exe, PE32
15->109
dropped
113
2 other malicious files
15->113
dropped
179
Deletes shadow drive
data (may be related
to ransomware)
15->179
181
Tries to detect sandboxes
and other dynamic analysis
tools (process name
or module or function)
15->181
183
Tries to harvest and
steal ftp login credentials
15->183
185
Tries to harvest and
steal browser information
(history, passwords,
etc)
15->185
27
schtasks.exe
15->27
started
187
Multi AV Scanner detection
for dropped file
17->187
197
2 other signatures
17->197
29
schtasks.exe
1
17->29
started
189
Antivirus detection
for dropped file
19->189
191
Queries sensitive video
device information (via
WMI, Win32_VideoController,
often done to detect
virtual machines)
19->191
193
Changes security center
settings (notifications,
updates, antivirus,
firewall)
19->193
31
schtasks.exe
19->31
started
33
MpCmdRun.exe
19->33
started
37
3 other processes
19->37
file6
signatures7
process8
process9
46
2 other processes
21->46
50
2 other processes
23->50
52
2 other processes
25->52
39
conhost.exe
27->39
started
41
conhost.exe
29->41
started
54
2 other processes
31->54
43
conhost.exe
33->43
started
56
5 other processes
35->56
58
3 other processes
37->58
dnsIp10
151
Installs a global keyboard
hook
43->151
141
ip-api.com
208.95.112.1, 49718, 80
TUT-AS-TotalUptimeTechnologiesLLCUS
United States
46->141
115
C:\Users\user\AppData\Roaming\Chrome.exe, PE32
46->115
dropped
117
C:\Users\user\AppData\Local\Temp\xhjmdw.exe, PE32+
46->117
dropped
153
Bypasses PowerShell
execution policy
46->153
155
Adds a directory exclusion
to Windows Defender
46->155
60
powershell.exe
46->60
started
63
powershell.exe
46->63
started
119
C:\Users\user\AppData\Local\...\Dllhost.exe, PE32
50->119
dropped
65
Dllhost.exe
50->65
started
121
C:\Users\user\AppData\Local\Temp\Wihnup.exe, PE32
52->121
dropped
157
Antivirus detection
for dropped file
52->157
159
Queries sensitive video
device information (via
WMI, Win32_VideoController,
often done to detect
virtual machines)
52->159
161
Protects its processes
via BreakOnTermination
flag
52->161
163
Tries to detect sandboxes
and other dynamic analysis
tools (process name
or module or function)
52->163
68
cmd.exe
52->68
started
70
cmd.exe
52->70
started
123
C:\Users\user\AppData\Roaming\...\Client.exe, PE32
56->123
dropped
125
C:\Users\user\AppData\Roaming\...\svchost.exe, PE32+
56->125
dropped
127
C:\Users\user\AppData\Roaming\...\svchost.exe, PE32+
56->127
dropped
165
Multi AV Scanner detection
for dropped file
56->165
167
Creates multiple autostart
registry keys
56->167
169
Deletes shadow drive
data (may be related
to ransomware)
56->169
171
4 other signatures
56->171
72
schtasks.exe
56->72
started
74
schtasks.exe
56->74
started
file11
signatures12
process13
file14
199
Loading BitLocker PowerShell
Module
60->199
76
conhost.exe
60->76
started
79
conhost.exe
63->79
started
95
C:\Users\user\AppData\...\Java update.exe, PE32
65->95
dropped
97
C:\Users\user\AppData\Local\Temp\Server.exe, PE32
65->97
dropped
201
Antivirus detection
for dropped file
65->201
203
System process connects
to network (likely due
to code injection or
exploit)
65->203
205
Multi AV Scanner detection
for dropped file
65->205
207
3 other signatures
65->207
81
schtasks.exe
65->81
started
83
Wihnup.exe
68->83
started
93
2 other processes
68->93
85
conhost.exe
70->85
started
87
schtasks.exe
70->87
started
89
conhost.exe
72->89
started
91
conhost.exe
74->91
started
signatures15
process16
signatures17
209
Protects its processes
via BreakOnTermination
flag
83->209
211
Installs a global keyboard
hook
83->211
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.