Field | Value
---|---
File name | IMG-0004_Pdf.vbs
Full analysis | https://app.any.run/tasks/a7ee67c5-935b-473a-b1cd-8709dd7b0c1e
Verdict | Malicious activity
Threats | Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim's computer remotely.
Analysis date | March 14, 2019, 21:21:48
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/plain
File info | ASCII text, with very long lines, with CRLF line terminators
MD5 | B39D7A67EE1D0FE23E9A42AA3D402FA5
SHA1 | C013F956F12F7393141857175B3DA32B60C18639
SHA256 | 20CFFA5B0018FE877639E424CB7B1EBEAFD72A420885E1BC3EFC8A4715A07F07
SSDEEP | 24576:z6E4u88sxzaJ8X1aPa/iFEQvmJC/F8yQQFAZVMiFkvW8tyld8YQOC5hFCf0PA6Fl:M1rhaTmJC/lIZjkPXWj7Wn

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3060 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\IMG-0004_Pdf.vbs" | C:\Windows\System32\WScript.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2472 | "C:\Users\admin\AppData\Local\Temp\file1name.exe" | C:\Users\admin\AppData\Local\Temp\file1name.exe | | WScript.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2708 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\file2name.vbs" | C:\Windows\System32\WScript.exe | | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
3272 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\file2name.vbs" | C:\Windows\System32\wscript.exe | | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385
3092 | "C:\Users\admin\AppData\Roaming\Client-built Quasar Mine Startup.exe" | C:\Users\admin\AppData\Roaming\Client-built Quasar Mine Startup.exe | | file1name.exe | User: admin; Integrity Level: MEDIUM; Description: (empty); Exit code: 0; Version: 1.3.0.0
3868 | "C:\Users\admin\AppData\Roaming\server 2019.exe" | C:\Users\admin\AppData\Roaming\server 2019.exe | — | file1name.exe | User: admin; Company: Abronsius; Integrity Level: MEDIUM; Description: Update; Exit code: 3221226540; Version: 3.00.0010
3848 | "C:\Users\admin\AppData\Roaming\server 2019.exe" | C:\Users\admin\AppData\Roaming\server 2019.exe | | file1name.exe | User: admin; Company: Abronsius; Integrity Level: HIGH; Description: Update; Exit code: 0; Version: 3.00.0010
2544 | "C:\Users\admin\AppData\Local\Temp\file1name.exe" | C:\Users\admin\AppData\Local\Temp\file1name.exe | | file1name.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3768 | "C:\Users\admin\AppData\Roaming\Install\Host.exe" | C:\Users\admin\AppData\Roaming\Install\Host.exe | | file1name.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3044 | C:\Users\admin\AppData\Roaming\server 2019.exe | C:\Program Files\Internet Explorer\iexplore.exe | | server 2019.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
3060 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3060 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2708 | WScript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\file2name | | false - 3/14/2019
2708 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | file2name | wscript.exe //B "C:\Users\admin\AppData\Roaming\file2name.vbs"
2708 | WScript.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | file2name | wscript.exe //B "C:\Users\admin\AppData\Roaming\file2name.vbs"
2708 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2708 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2472 | file1name.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2472 | file1name.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3272 | wscript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | file2name | wscript.exe //B "C:\Users\admin\AppData\Roaming\file2name.vbs"

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3848 | server 2019.exe | C:\Users\admin\AppData\Local\Temp\~DFB52C93A6B63FCBCA.TMP | — | — | —
3456 | server 2019.exe | C:\Users\admin\AppData\Local\Temp\~DF58FE3387DF003D70.TMP | — | — | —
3272 | wscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file2name.vbs | text | 03172BE4FAC787DBDA0FB5F55340F366 | 76FC99F14C62184745594F3C1557883A9739F94449E001015B4B7A33D6DCBA1F
3768 | Host.exe | C:\Users\admin\autoplay\WSManHTTPConfig.vbs | text | 5D8E8CDCDDE5E0994615B01F50E92CB8 | 2C5ECCB72F7A472A5DAB91BE50B5DEEAD68105DDE78EAE755FB878D1373CF4BE
3044 | iexplore.exe | C:\Users\admin\AppData\Roaming\Q4V8N5Y3-O0F7-Q7T5-B113-K7R6L4T0H6H6.pas | binary | 676A200B4123806B775DF9EC5CC6B10C | 6A9ADF7B6A91080B55DB9C90C2AE30C186645378798F7B8AD1E636775F19E828
2708 | WScript.exe | C:\Users\admin\AppData\Roaming\file2name.vbs | text | 03172BE4FAC787DBDA0FB5F55340F366 | 76FC99F14C62184745594F3C1557883A9739F94449E001015B4B7A33D6DCBA1F
3044 | iexplore.exe | C:\Users\admin\AppData\Roaming\Q4V8N5Y3-O0F7-Q7T5-B113-K7R6L4T0H6H6 | binary | 6C0A13D08A0083E44FACDE90203EDC18 | 415378A93B19695EC2A833DAA8C3063A5F5B7F86DDEC5F17840E75049FFCAE31
2472 | file1name.exe | C:\Users\admin\autoplay\WSManHTTPConfig.vbs | text | 5D8E8CDCDDE5E0994615B01F50E92CB8 | 2C5ECCB72F7A472A5DAB91BE50B5DEEAD68105DDE78EAE755FB878D1373CF4BE
2472 | file1name.exe | C:\Users\admin\AppData\Roaming\Client-built Quasar Mine Startup.exe | executable | 408CA61E9AF4B5BD019F76A9A9AAD115 | 6044F2494A476C978E606EF185BD6EC5A12E1286161A217F220895540A829760
3060 | WScript.exe | C:\Users\admin\AppData\Local\Temp\file2name.vbs | text | 03172BE4FAC787DBDA0FB5F55340F366 | 76FC99F14C62184745594F3C1557883A9739F94449E001015B4B7A33D6DCBA1F

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3092 | Client-built Quasar Mine Startup.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 253 b | shared |
3736 | Client-built Quasar Mine Startup.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 253 b | shared |
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious |
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious |
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious |
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious |
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious |
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious |
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious |
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3092 | Client-built Quasar Mine Startup.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown |
3272 | wscript.exe | 51.89.0.136:1077 | leew.linkpc.net | — | GB | malicious |
3044 | iexplore.exe | 51.89.0.136:1011 | leew.linkpc.net | — | GB | malicious |
3736 | Client-built Quasar Mine Startup.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown |
2336 | Host.exe | 51.89.0.136:3366 | leew.linkpc.net | — | GB | malicious |

Domain | IP | Reputation
---|---|---
leew.linkpc.net | | malicious
manuel3.publicvm.com | | malicious
ip-api.com | | shared

PID | Process | Class | Message |
---|---|---|---|
3272 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
3272 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
3272 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
3272 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
3272 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
3092 | Client-built Quasar Mine Startup.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3092 | Client-built Quasar Mine Startup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar 1.3 RAT IP Lookup ip-api.com (HTTP headeer) |
3044 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] XpertRAT |
3044 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] XpertRAT |
3736 | Client-built Quasar Mine Startup.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |