File name: IMG-0004_Pdf.vbs

Full analysis: https://app.any.run/tasks/a7ee67c5-935b-473a-b1cd-8709dd7b0c1e
Verdict: Malicious activity
Threats: Quasar is a very popular RAT because its source code is openly available. This malware can be used to control the victim’s computer remotely.

Analysis date: March 14, 2019, 21:21:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, quasar, trojan, evasion, xpertrat
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: B39D7A67EE1D0FE23E9A42AA3D402FA5
SHA1: C013F956F12F7393141857175B3DA32B60C18639
SHA256: 20CFFA5B0018FE877639E424CB7B1EBEAFD72A420885E1BC3EFC8A4715A07F07
SSDEEP: 24576:z6E4u88sxzaJ8X1aPa/iFEQvmJC/F8yQQFAZVMiFkvW8tyld8YQOC5hFCf0PA6Fl:M1rhaTmJC/lIZjkPXWj7Wn

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 2708)
      • wscript.exe (PID: 3272)
    • Writes to a start menu file

      • WScript.exe (PID: 2708)
      • wscript.exe (PID: 3272)
      • Host.exe (PID: 3768)
      • file1name.exe (PID: 2472)
    • Application was dropped or rewritten from another process

      • file1name.exe (PID: 2472)
      • server 2019.exe (PID: 3848)
      • server 2019.exe (PID: 3868)
      • Client-built Quasar Mine Startup.exe (PID: 3092)
      • Host.exe (PID: 3768)
      • file1name.exe (PID: 2544)
      • Client-built Quasar Mine Startup.exe (PID: 3736)
      • server 2019.exe (PID: 2316)
      • server 2019.exe (PID: 3456)
      • Host.exe (PID: 2336)
    • Drops/Copies Quasar RAT executable

      • file1name.exe (PID: 2472)
    • UAC/LUA settings modification

      • server 2019.exe (PID: 3848)
      • server 2019.exe (PID: 3456)
    • QUASAR was detected

      • Client-built Quasar Mine Startup.exe (PID: 3092)
      • Client-built Quasar Mine Startup.exe (PID: 3736)
    • XPERTRAT was detected

      • iexplore.exe (PID: 3044)
    • Connects to CnC server

      • iexplore.exe (PID: 3044)
      • wscript.exe (PID: 3272)
  • SUSPICIOUS

    • Application launched itself

      • WScript.exe (PID: 3060)
      • WScript.exe (PID: 2708)
      • file1name.exe (PID: 2472)
      • Host.exe (PID: 3768)
    • Creates files in the user directory

      • WScript.exe (PID: 2708)
      • file1name.exe (PID: 2472)
      • file1name.exe (PID: 2544)
      • iexplore.exe (PID: 3044)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3060)
      • file1name.exe (PID: 2472)
      • file1name.exe (PID: 2544)
      • Host.exe (PID: 3768)
    • Executes scripts

      • WScript.exe (PID: 3060)
      • WScript.exe (PID: 2708)
    • Starts Internet Explorer

      • server 2019.exe (PID: 3848)
    • Checks for external IP

      • Client-built Quasar Mine Startup.exe (PID: 3092)
      • Client-built Quasar Mine Startup.exe (PID: 3736)
    • Connects to unusual port

      • iexplore.exe (PID: 3044)
      • Host.exe (PID: 2336)
      • wscript.exe (PID: 3272)
  • INFO

    No info indicators.
No Malware configuration.
No data.
Total processes: 48
Monitored processes: 14
Malicious processes: 10
Suspicious processes: 1

Behavior graph (interactive view available in the full report; edges are "drop and start" / "start")

Processes shown in the graph: wscript.exe, file1name.exe, wscript.exe, wscript.exe, client-built quasar mine startup.exe (#QUASAR), server 2019.exe (no specs), server 2019.exe, file1name.exe, host.exe, iexplore.exe (#XPERTRAT), client-built quasar mine startup.exe (#QUASAR), server 2019.exe (no specs), server 2019.exe, host.exe

Process information (fields: PID, CMD, Path, Indicators, Parent process)
PID: 3060
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\IMG-0004_Pdf.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
  c:\windows\system32\wscript.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
PID: 2472
CMD: "C:\Users\admin\AppData\Local\Temp\file1name.exe"
Path: C:\Users\admin\AppData\Local\Temp\file1name.exe
Parent process: WScript.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\file1name.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\wsock32.dll
  c:\windows\system32\ws2_32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\nsi.dll
  c:\windows\system32\version.dll
PID: 2708
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\file2name.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
  c:\windows\system32\wscript.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
PID: 3272
CMD: "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\file2name.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385
Modules (images):
  c:\windows\system32\wscript.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
PID: 3092
CMD: "C:\Users\admin\AppData\Roaming\Client-built Quasar Mine Startup.exe"
Path: C:\Users\admin\AppData\Roaming\Client-built Quasar Mine Startup.exe
Parent process: file1name.exe
User: admin
Integrity Level: MEDIUM
Description: (empty)
Exit code: 0
Version: 1.3.0.0
Modules (images):
  c:\users\admin\appdata\roaming\client-built quasar mine startup.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3868
CMD: "C:\Users\admin\AppData\Roaming\server 2019.exe"
Path: C:\Users\admin\AppData\Roaming\server 2019.exe
Parent process: file1name.exe
User: admin
Company: Abronsius
Integrity Level: MEDIUM
Description: Update
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 3.00.0010
Modules (images):
  c:\users\admin\appdata\roaming\server 2019.exe
  c:\systemroot\system32\ntdll.dll
PID: 3848
CMD: "C:\Users\admin\AppData\Roaming\server 2019.exe"
Path: C:\Users\admin\AppData\Roaming\server 2019.exe
Parent process: file1name.exe
User: admin
Company: Abronsius
Integrity Level: HIGH
Description: Update
Exit code: 0
Version: 3.00.0010
Modules (images):
  c:\users\admin\appdata\roaming\server 2019.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvbvm60.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
PID: 2544
CMD: "C:\Users\admin\AppData\Local\Temp\file1name.exe"
Path: C:\Users\admin\AppData\Local\Temp\file1name.exe
Parent process: file1name.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\file1name.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\crypt32.dll
  c:\windows\system32\msasn1.dll
PID: 3768
CMD: "C:\Users\admin\AppData\Roaming\Install\Host.exe"
Path: C:\Users\admin\AppData\Roaming\Install\Host.exe
Parent process: file1name.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\appdata\roaming\install\host.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\wsock32.dll
  c:\windows\system32\ws2_32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\nsi.dll
  c:\windows\system32\version.dll
PID: 3044
CMD: C:\Users\admin\AppData\Roaming\server 2019.exe
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: server 2019.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
Total events: 2 863
Read events: 1 408
Write events: 1 455
Delete events: 0

Modification events

Process: (3060) WScript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process: (3060) WScript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Process: (2708) WScript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\file2name
Operation: write
Name: (default)
Value: false - 3/14/2019

Process: (2708) WScript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: file2name
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\file2name.vbs"

Process: (2708) WScript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: file2name
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\file2name.vbs"

Process: (2708) WScript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process: (2708) WScript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Process: (2472) file1name.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process: (2472) file1name.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Process: (3272) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: file2name
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\file2name.vbs"
Executable files: 6
Suspicious files: 2
Text files: 11
Unknown types: 0

Dropped files

PID: 3848, Process: server 2019.exe
File: C:\Users\admin\AppData\Local\Temp\~DFB52C93A6B63FCBCA.TMP
Type, MD5, SHA256: (not recorded)

PID: 3456, Process: server 2019.exe
File: C:\Users\admin\AppData\Local\Temp\~DF58FE3387DF003D70.TMP
Type, MD5, SHA256: (not recorded)

PID: 3272, Process: wscript.exe
File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file2name.vbs
Type: text
MD5: 03172BE4FAC787DBDA0FB5F55340F366
SHA256: 76FC99F14C62184745594F3C1557883A9739F94449E001015B4B7A33D6DCBA1F

PID: 3768, Process: Host.exe
File: C:\Users\admin\autoplay\WSManHTTPConfig.vbs
Type: text
MD5: 5D8E8CDCDDE5E0994615B01F50E92CB8
SHA256: 2C5ECCB72F7A472A5DAB91BE50B5DEEAD68105DDE78EAE755FB878D1373CF4BE

PID: 3044, Process: iexplore.exe
File: C:\Users\admin\AppData\Roaming\Q4V8N5Y3-O0F7-Q7T5-B113-K7R6L4T0H6H6.pas
Type: binary
MD5: 676A200B4123806B775DF9EC5CC6B10C
SHA256: 6A9ADF7B6A91080B55DB9C90C2AE30C186645378798F7B8AD1E636775F19E828

PID: 2708, Process: WScript.exe
File: C:\Users\admin\AppData\Roaming\file2name.vbs
Type: text
MD5: 03172BE4FAC787DBDA0FB5F55340F366
SHA256: 76FC99F14C62184745594F3C1557883A9739F94449E001015B4B7A33D6DCBA1F

PID: 3044, Process: iexplore.exe
File: C:\Users\admin\AppData\Roaming\Q4V8N5Y3-O0F7-Q7T5-B113-K7R6L4T0H6H6
Type: binary
MD5: 6C0A13D08A0083E44FACDE90203EDC18
SHA256: 415378A93B19695EC2A833DAA8C3063A5F5B7F86DDEC5F17840E75049FFCAE31

PID: 2472, Process: file1name.exe
File: C:\Users\admin\autoplay\WSManHTTPConfig.vbs
Type: text
MD5: 5D8E8CDCDDE5E0994615B01F50E92CB8
SHA256: 2C5ECCB72F7A472A5DAB91BE50B5DEEAD68105DDE78EAE755FB878D1373CF4BE

PID: 2472, Process: file1name.exe
File: C:\Users\admin\AppData\Roaming\Client-built Quasar Mine Startup.exe
Type: executable
MD5: 408CA61E9AF4B5BD019F76A9A9AAD115
SHA256: 6044F2494A476C978E606EF185BD6EC5A12E1286161A217F220895540A829760

PID: 3060, Process: WScript.exe
File: C:\Users\admin\AppData\Local\Temp\file2name.vbs
Type: text
MD5: 03172BE4FAC787DBDA0FB5F55340F366
SHA256: 76FC99F14C62184745594F3C1557883A9739F94449E001015B4B7A33D6DCBA1F
HTTP(S) requests: 702
TCP/UDP connections: 711
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3092 | Client-built Quasar Mine Startup.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 253 b | shared
3736 | Client-built Quasar Mine Startup.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 253 b | shared
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious
3272 | wscript.exe | POST | 200 | 51.89.0.136:1077 | http://leew.linkpc.net:1077/is-ready | GB | text | 12 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3092 | Client-built Quasar Mine Startup.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown
3272 | wscript.exe | 51.89.0.136:1077 | leew.linkpc.net | (not shown) | GB | malicious
3044 | iexplore.exe | 51.89.0.136:1011 | leew.linkpc.net | (not shown) | GB | malicious
3736 | Client-built Quasar Mine Startup.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown
2336 | Host.exe | 51.89.0.136:3366 | leew.linkpc.net | (not shown) | GB | malicious

DNS requests

Domain | IP | Reputation
leew.linkpc.net | 51.89.0.136 | malicious
manuel3.publicvm.com | 51.89.0.136 | malicious
ip-api.com | 185.194.141.58 | shared

Threats

PID | Process | Class | Message
3272 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3272 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3272 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3272 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3272 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3092 | Client-built Quasar Mine Startup.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
3092 | Client-built Quasar Mine Startup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar 1.3 RAT IP Lookup ip-api.com (HTTP headeer)
3044 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] XpertRAT
3044 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] XpertRAT
3736 | Client-built Quasar Mine Startup.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
23 ETPRO signatures available at the full report
No debug info