File name: | EnsoulSetup.zip |
Full analysis: | https://app.any.run/tasks/076fe394-2372-4386-95d5-1437ace2c285 |
Verdict: | Malicious activity |
Threats: | Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. |
Analysis date: | October 14, 2019, 07:03:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 3FCB16438D7670A94277C447C77D8A0F |
SHA1: | 0B8110465CCBC60D978CF44ACB9BA13458197959 |
SHA256: | 195574E4E9A81E8200A6994B1C8F63BB7920E0141449FB3AB4A92B548CDFD0E6 |
SSDEEP: | 12288:HB8AUaX+rS/Q/iFVvNjG1IHXH/voWRsE4rZS3:ifg+PKFt53H/6rZo |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | EnsoulSetup.exe |
---|---|
ZipUncompressedSize: | 543744 |
ZipCompressedSize: | 428856 |
ZipCRC: | 0xe1fe35d9 |
ZipModifyDate: | 2019:10:13 21:34:06 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
944 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\EnsoulSetup.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3920 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa944.12613\EnsoulSetup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa944.12613\EnsoulSetup.exe | WinRAR.exe | |
User: admin Company: Google Chrome Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 67.0.100.99 | ||||
2604 | "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'opsrv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'opsrv' -Value '"C:\Users\admin\AppData\Roaming\chome_exe\opsrv.exe"' -PropertyType 'String' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | EnsoulSetup.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3212 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa944.12613\EnsoulSetup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa944.12613\EnsoulSetup.exe | EnsoulSetup.exe | |
User: admin Company: Google Chrome Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 67.0.100.99 | ||||
1608 | "C:\Users\admin\AppData\Roaming\Winlog\winlog.exe" | C:\Users\admin\AppData\Roaming\Winlog\winlog.exe | EnsoulSetup.exe | |
User: admin Company: Google Chrome Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 67.0.100.99 | ||||
1800 | "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'opsrv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'opsrv' -Value '"C:\Users\admin\AppData\Roaming\chome_exe\opsrv.exe"' -PropertyType 'String' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | winlog.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1416 | "C:\Users\admin\AppData\Roaming\Winlog\winlog.exe" | C:\Users\admin\AppData\Roaming\Winlog\winlog.exe | winlog.exe | |
User: admin Company: Google Chrome Integrity Level: MEDIUM Description: Google Chrome Version: 67.0.100.99 | ||||
2236 | cmd /c ""C:\Users\admin\AppData\Local\Temp\DFdX2jtb50jK.bat" " | C:\Windows\system32\cmd.exe | — | winlog.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3112 | chcp 65001 | C:\Windows\system32\chcp.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4060 | ping -n 10 localhost | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2604 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2HSW9V1HTFITYR69TSYQ.temp | — | |
MD5:— | SHA256:— | |||
1800 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8TJLZYWFC8YDJOCKGVZE.temp | — | |
MD5:— | SHA256:— | |||
1800 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3ad576.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2604 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
2604 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3a69fa.TMP | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa944.12613\EnsoulSetup.exe | executable | |
MD5:628FAAC4842AB3578EE07A2223BD0EE9 | SHA256:DF94710E596143FB9DF9F6CCAFB83CD04362AA0294B2021FED284A8AD942C69F | |||
1800 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:35375F3D71AE42AA9777154D256B33BF | SHA256:BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF | |||
3212 | EnsoulSetup.exe | C:\Users\admin\AppData\Roaming\Winlog\winlog.exe | executable | |
MD5:628FAAC4842AB3578EE07A2223BD0EE9 | SHA256:DF94710E596143FB9DF9F6CCAFB83CD04362AA0294B2021FED284A8AD942C69F | |||
1416 | winlog.exe | C:\Users\admin\AppData\Local\Temp\DFdX2jtb50jK.bat | text | |
MD5:362FACE0856F3EB6707A87AE3EA9FAFD | SHA256:56B35CC6C7C41C35CDD0D04D8706FB2CD573B5BFD38EB90FFCD1B0EA7E2FDA5C | |||
1608 | winlog.exe | C:\Users\admin\AppData\Roaming\chome_exe\opsrv.exe | executable | |
MD5:628FAAC4842AB3578EE07A2223BD0EE9 | SHA256:DF94710E596143FB9DF9F6CCAFB83CD04362AA0294B2021FED284A8AD942C69F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3212 | EnsoulSetup.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 265 b | shared |
1416 | winlog.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 265 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3212 | EnsoulSetup.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown |
1416 | winlog.exe | 84.108.213.8:4782 | prrr.duckdns.org | Bezeq International | IL | malicious |
1416 | winlog.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown |
Domain | IP | Reputation |
---|---|---|
ip-api.com |
| shared |
prrr.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3212 | EnsoulSetup.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3212 | EnsoulSetup.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
3212 | EnsoulSetup.exe | A Network Trojan was detected | REMOTE [PTsecurity] Quasar.RAT IP Lookup |
1416 | winlog.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
1416 | winlog.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
1416 | winlog.exe | A Network Trojan was detected | REMOTE [PTsecurity] Quasar.RAT IP Lookup |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
1416 | winlog.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar RAT |
1416 | winlog.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar RAT |