File name:

payload.exe

Full analysis: https://app.any.run/tasks/0232935f-2267-4c50-8a3c-4a2847b990ce
Verdict: Malicious activity
Threats:

Quasar is a widely used remote access trojan (RAT); its source code is published openly, which is why it is so popular. It gives the operator remote control of the victim's computer. Note that this particular sample is a 64-bit Go executable (see the File info below, the golang tag and the "Application based on Golang" indicator), whereas the original open-source Quasar is a C#/.NET program; the Quasar attribution here rests on the YARA match and the extracted client configuration.

Analysis date: April 15, 2025, 19:10:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
evasion
uac
golang
quasar
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 15 sections
MD5:

B8DF39CA02AF7B119625515F947D45A6

SHA1:

22A9B0DA5DD26C5D1458E79445AFC8990A96540A

SHA256:

2903F404C914F87238216769BBAF9C97F7846F54605CB9048626C7A6732C8C27

SSDEEP:

98304:rZRYvxfl+DsxYbolk8g6wLs5xaOha0wfCJgewq/HYebNIZSCgBpUfXFrd63Ial1a:rFR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • payload.exe (PID: 4620)
      • Client.exe (PID: 1164)
    • Bypass User Account Control (Modify registry)

      • payload.exe (PID: 4620)
    • Bypass User Account Control (ComputerDefaults)

      • ComputerDefaults.exe (PID: 2140)
    • QUASAR has been detected (YARA)

      • Client.exe (PID: 1164)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • payload.exe (PID: 4620)
      • Client.exe (PID: 1164)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • payload.exe (PID: 4620)
      • Client.exe (PID: 1164)
    • Executable content was dropped or overwritten

      • payload.exe (PID: 4620)
    • Starts itself from another location

      • payload.exe (PID: 4620)
    • Changes default file association

      • payload.exe (PID: 4620)
    • Connects to unusual port

      • Client.exe (PID: 1164)
    • There is functionality for taking screenshot (YARA)

      • Client.exe (PID: 1164)
    • Starts CMD.EXE for commands execution

      • payload.exe (PID: 4620)
  • INFO

    • Checks supported languages

      • payload.exe (PID: 4620)
      • Client.exe (PID: 1164)
    • Reads the computer name

      • payload.exe (PID: 4620)
      • Client.exe (PID: 1164)
    • Reads the software policy settings

      • payload.exe (PID: 4620)
      • Client.exe (PID: 1164)
      • slui.exe (PID: 5064)
    • Reads Environment values

      • payload.exe (PID: 4620)
      • Client.exe (PID: 1164)
    • Disables trace logs

      • payload.exe (PID: 4620)
      • Client.exe (PID: 1164)
    • Checks proxy server information

      • payload.exe (PID: 4620)
      • Client.exe (PID: 1164)
      • slui.exe (PID: 5064)
    • Creates files or folders in the user directory

      • payload.exe (PID: 4620)
    • Reads the machine GUID from the registry

      • payload.exe (PID: 4620)
      • Client.exe (PID: 1164)
    • Reads security settings of Internet Explorer

      • ComputerDefaults.exe (PID: 2140)
    • Application based on Golang

      • Client.exe (PID: 1164)
    • Detects GO elliptic curve encryption (YARA)

      • Client.exe (PID: 1164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Quasar

(PID) Process: (1164) Client.exe
Version: 3.1.5
C2 (2): go-dramatically.gl.at.ply.gg:2676
Sub_Dir: temp
Install_Name: Client.exe
Mutex: $Sxr-camQAVefBjk7nvL7ph
Startup: Driver689
Tag: nEGRosis
LogDir: Logs

The C2 host sits under ply.gg, the domain used by the playit.gg tunnelling service, so the address it resolves to (147.185.221.27 in the DNS table below) is the tunnel provider's edge, not the operator's own server; block or hunt on the hostname and the non-standard port 2676 rather than on the IP alone.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 2580480
InitializedDataSize: 304128
UninitializedDataSize: -
EntryPoint: 0x772a0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows command line
All screenshots are available in the full report
Total processes
134
Monitored processes
11
Malicious processes
3
Suspicious processes
1

Behavior graph

Processes shown in the graph ("no specs" is the graph's marker for a process with no behavioral indicators): start, payload.exe, conhost.exe (no specs), svchost.exe, client.exe (#QUASAR), cmd.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), computerdefaults.exe (no specs), computerdefaults.exe (no specs), computerdefaults.exe, slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1164
CMD:
"C:\Users\admin\AppData\Roaming\temp\Client.exe"
Path:
C:\Users\admin\AppData\Roaming\temp\Client.exe
Parent process:
payload.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\roaming\temp\client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
PID:
1180
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
payload.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1324
CMD:
"cmd.exe" /c start computerdefaults.exe
Path:
C:\Windows\System32\cmd.exe
Parent process:
payload.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
1660
CMD:
computerdefaults.exe
Path:
C:\Windows\System32\ComputerDefaults.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Set Program Access and Computer Defaults Control Panel
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity launch of the auto-elevating binary was refused)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\computerdefaults.exe
c:\windows\system32\ntdll.dll
PID:
2140
CMD:
"C:\WINDOWS\system32\ComputerDefaults.exe"
Path:
C:\Windows\System32\ComputerDefaults.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Set Program Access and Computer Defaults Control Panel
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\computerdefaults.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
2196
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
4180
CMD:
"C:\WINDOWS\system32\ComputerDefaults.exe"
Path:
C:\Windows\System32\ComputerDefaults.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Set Program Access and Computer Defaults Control Panel
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity launch of the auto-elevating binary was refused)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\computerdefaults.exe
c:\windows\system32\ntdll.dll
PID:
4620
CMD:
"C:\Users\admin\Desktop\payload.exe"
Path:
C:\Users\admin\Desktop\payload.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295 (0xFFFFFFFF, i.e. -1)
Modules
Images
c:\users\admin\desktop\payload.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
PID:
5064
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
5176
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
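The process table above is the whole story behind the "Bypass User Account Control (ComputerDefaults)" indicator: payload.exe (MEDIUM) runs cmd.exe /c start computerdefaults.exe, two ComputerDefaults.exe instances exit with STATUS_ELEVATION_REQUIRED, and a third runs at HIGH integrity with exit code 0 and no consent prompt. The Python below is an added example (not ANY.RUN's code and not code from the sample) that turns that pattern into detection logic over constructed process and registry events transcribed from this report. The AUTO_ELEVATE list, the event format and, in particular, the HKCU ms-settings ProgID key are assumptions: the report only says the registry was modified and a default file association changed, it does not name the key.

```python
"""Detect the ComputerDefaults.exe auto-elevation (UAC bypass) pattern from
constructed process and registry events.

Added example; not ANY.RUN's code and not code from the sample. Process
events are transcribed from this report's process table. The registry
event for the ms-settings ProgID is an ASSUMPTION about the hijacked key:
the report only states that the registry was modified and a default file
association changed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Auto-elevating system binaries commonly abused through per-user registry
# hijacks (assumption: a small illustrative list, not an exhaustive one).
AUTO_ELEVATE = {"computerdefaults.exe", "fodhelper.exe", "sdclt.exe", "eventvwr.exe"}

# Per-user ProgID handler consulted by ComputerDefaults.exe / fodhelper.exe.
# Assumption: the report does not name the key this sample wrote.
HIJACK_KEY_PREFIXES = (
    r"hkey_current_user\software\classes\ms-settings\shell\open\command",
)

NTSTATUS_NAMES = {0xC000042C: "STATUS_ELEVATION_REQUIRED"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    integrity: str            # LOW / MEDIUM / HIGH / SYSTEM
    exit_code: Optional[int] = None


@dataclass
class RegEvent:
    pid: int
    key: str
    name: str
    value: str


def decode_exit_code(code: int) -> str:
    """Render a process exit code as 32-bit hex plus a known NTSTATUS name."""
    code &= 0xFFFFFFFF
    if code == 0xFFFFFFFF:
        return "0xFFFFFFFF (-1)"
    name = NTSTATUS_NAMES.get(code)
    return f"0x{code:08X}" + (f" {name}" if name else "")


def find_uac_bypass(procs: List[ProcEvent], regs: List[RegEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) findings for the auto-elevation pattern."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    findings: List[Tuple[int, str]] = []

    for p in procs:
        if p.image.lower() not in AUTO_ELEVATE or p.integrity != "HIGH":
            continue
        # 'cmd /c start <binary>' is only an intermediary; look one level further up.
        parent = by_pid.get(p.ppid)
        requester = parent
        if parent is not None and parent.image.lower() == "cmd.exe":
            requester = by_pid.get(parent.ppid)
        if requester is not None and requester.integrity in ("LOW", "MEDIUM"):
            findings.append((p.pid, f"{p.image} (PID {p.pid}) ran at HIGH on behalf of "
                                    f"{requester.image} (PID {requester.pid}) at {requester.integrity}"))

    for r in regs:
        if r.key.lower().startswith(HIJACK_KEY_PREFIXES):
            who = by_pid.get(r.pid)
            image = who.image if who else "?"
            findings.append((r.pid, f"{image} (PID {r.pid}) wrote {r.key}\\{r.name} = {r.value!r}"))
    return findings


# Transcribed from this report's process table (explorer.exe parent given as ppid 0).
SAMPLE_PROCS = [
    ProcEvent(4620, 0, "payload.exe", r'"C:\Users\admin\Desktop\payload.exe"', "MEDIUM", 4294967295),
    ProcEvent(1164, 4620, "Client.exe", r'"C:\Users\admin\AppData\Roaming\temp\Client.exe"', "MEDIUM"),
    ProcEvent(1324, 4620, "cmd.exe", '"cmd.exe" /c start computerdefaults.exe', "MEDIUM", 0),
    ProcEvent(1660, 1324, "ComputerDefaults.exe", "computerdefaults.exe", "MEDIUM", 3221226540),
    ProcEvent(4180, 1324, "ComputerDefaults.exe", r'"C:\WINDOWS\system32\ComputerDefaults.exe"', "MEDIUM", 3221226540),
    ProcEvent(2140, 1324, "ComputerDefaults.exe", r'"C:\WINDOWS\system32\ComputerDefaults.exe"', "HIGH", 0),
]

# Constructed. The first write is the ASSUMED hijack; the second is a real
# write from the report's modification events and must not be flagged.
SAMPLE_REGS = [
    RegEvent(4620, r"HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command", "DelegateExecute", ""),
    RegEvent(4620, r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\payload_RASAPI32", "EnableFileTracing", "0"),
]

if __name__ == "__main__":
    for p in SAMPLE_PROCS:
        if p.exit_code is not None:
            print(f"PID {p.pid:5} {p.image:22} exit {decode_exit_code(p.exit_code)}")
    for pid, reason in find_uac_bypass(SAMPLE_PROCS, SAMPLE_REGS):
        print(f"ALERT pid={pid}: {reason}")
```

The two failed instances (PIDs 1660 and 4180) are deliberately not alerted on: a refused elevation is what Windows does by design, and the signal is the third instance that reached HIGH while its requester never left MEDIUM. In a real pipeline the requester walk would use the process creation events' parent PIDs (Sysmon event 1 or 4688) and the registry half would use Sysmon event 13 on the listed key.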
Total events
13 448
Read events
13 414
Write events
34
Delete events
0

Modification events

(PID) Process: (4620) payload.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\payload_RASAPI32
  write EnableFileTracing = 0
  write EnableAutoFileTracing = 0
  write EnableConsoleTracing = 0
  write FileTracingMask (value blank in the report)
  write ConsoleTracingMask (value blank in the report)
  write MaxFileSize = 1048576
  write FileDirectory = %windir%\tracing
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\payload_RASMANCS
  write EnableFileTracing = 0
  write EnableAutoFileTracing = 0
  write EnableConsoleTracing = 0

These Tracing subkeys are created automatically by the RAS components the first time a process touches the RAS/WinINet stack (here the proxy lookup and the external-IP check), and zero is the default tracing state. The "Disables trace logs" indicator above is therefore informational, not evidence of deliberate log tampering.
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID: 4620
Process: payload.exe
Filename: C:\Users\admin\AppData\Roaming\temp\Client.exe
Type: executable
MD5: B8DF39CA02AF7B119625515F947D45A6
SHA256: 2903F404C914F87238216769BBAF9C97F7846F54605CB9048626C7A6732C8C27

The dropped file's hashes match those of the submitted payload.exe: the sample copies itself unchanged to %APPDATA%\temp\Client.exe (the Sub_Dir and Install_Name values of the extracted configuration) and relaunches from there, which is what the "Starts itself from another location" indicator reports.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
57
DNS requests
16
Threats
14

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4620 | payload.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | whitelisted
672 | SIHClient.exe | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown |
672 | SIHClient.exe | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
672 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
672 | SIHClient.exe | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
672 | SIHClient.exe | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
672 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
672 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
672 | SIHClient.exe | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown |
672 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Only the first row belongs to the sample; the remaining rows are Windows Update (SIHClient.exe) CRL and service-locator traffic that the sandbox host generates on its own.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 |  | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
6544 | svchost.exe | 40.126.31.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 |  | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4620 | payload.exe | 185.199.110.133:443 | raw.githubusercontent.com | FASTLY | US | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4620 | payload.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | whitelisted
1164 | Client.exe | 185.199.110.133:443 | raw.githubusercontent.com | FASTLY | US | whitelisted
1164 | Client.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
login.live.com
  • 40.126.31.2
  • 20.190.159.131
  • 20.190.159.0
  • 40.126.31.3
  • 40.126.31.0
  • 20.190.159.2
  • 20.190.159.129
  • 40.126.31.1
whitelisted
google.com
  • 142.250.186.174
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.111.133
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
go-dramatically.gl.at.ply.gg
  • 147.185.221.27
malicious
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted

Threats

Class | Message
Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com
A Network Trojan was detected | ET MALWARE Common RAT Connectivity Check Observed
Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
Misc activity | ET INFO Go-http-client User-Agent Observed Outbound
A Network Trojan was detected | ET MALWARE Common RAT Connectivity Check Observed
No debug info
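The network tables above give three indicators worth correlating per process rather than alerting on alone: an external-IP lookup against ip-api.com (a "RAT connectivity check" in the Suricata alerts), a Go-http-client user agent, and the extracted C2 on a non-standard port under ply.gg, the domain of the playit.gg tunnelling service. The Python below is an added example (not ANY.RUN's code and not code from the sample) that scores constructed DNS, connection and HTTP log lines modelled on this report. The log format, the service lists and the exact user-agent string are assumptions; the C2 connection line is built from the extracted configuration and the DNS table, not from the PCAP.

```python
"""Per-process network triage for the indicators in this report: an
external-IP lookup (ip-api.com), a Go-http-client user agent, and a C2
endpoint on a non-standard port under ply.gg (playit.gg tunnelling).

Added example; not ANY.RUN's code and not from the sample. The log lines
are CONSTRUCTED to mirror the report's DNS, connection and alert tables.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Public "what is my IP" services (illustrative list, an assumption).
EXTERNAL_IP_SERVICES = {"ip-api.com", "api.ipify.org", "ifconfig.me", "icanhazip.com"}
# Reverse-tunnel providers often used to hide a C2 behind a provider edge
# (illustrative list, an assumption).
TUNNEL_SUFFIXES = (".ply.gg", ".ngrok.io", ".ngrok-free.app", ".trycloudflare.com")
COMMON_PORTS = {53, 80, 443, 8080, 8443}

# Constructed line format: "KIND pid=N key=value key=value ..."
LINE_RE = re.compile(r"^(?P<kind>DNS|CONN|HTTP) pid=(?P<pid>\d+) (?P<rest>.*)$")


def parse(lines: List[str]) -> List[Tuple[str, int, Dict[str, str]]]:
    """Parse log lines into (kind, pid, fields); lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
        events.append((m.group("kind"), int(m.group("pid")), fields))
    return events


def triage(lines: List[str], min_hits: int = 2) -> Dict[int, List[str]]:
    """Collect per-PID reasons and report PIDs with at least min_hits of them.

    A lone unusual port (e.g. NetBIOS broadcasts) or a lone IP check is
    noise; the combination of several weak indicators on one process is not.
    """
    hits: Dict[int, List[str]] = defaultdict(list)
    for kind, pid, f in parse(lines):
        if kind == "DNS" and f.get("domain", "").lower() in EXTERNAL_IP_SERVICES:
            hits[pid].append(f"external IP check via {f['domain']}")
        elif kind == "CONN":
            host = f.get("domain", "").lower()
            port = int(f["dst"].rsplit(":", 1)[1])
            if host.endswith(TUNNEL_SUFFIXES):
                hits[pid].append(f"tunnel-service host {host}")
            if port not in COMMON_PORTS:
                hits[pid].append(f"unusual port {port} to {f['dst']}")
        elif kind == "HTTP" and f.get("ua", "").startswith("Go-http-client"):
            hits[pid].append("Go-http-client user agent")
    return {pid: reasons for pid, reasons in hits.items() if len(reasons) >= min_hits}


# Constructed from the report's DNS/connection tables and extracted config.
# The user-agent string and the port-2676 connection are assumptions: the
# report shows only the alert names and the C2 hostname:port.
SAMPLE_LOG = [
    "DNS pid=1164 domain=ip-api.com ip=208.95.112.1",
    "HTTP pid=1164 method=GET url=http://ip-api.com/json/ ua=Go-http-client/1.1",
    "DNS pid=1164 domain=go-dramatically.gl.at.ply.gg ip=147.185.221.27",
    "CONN pid=1164 dst=147.185.221.27:2676 domain=go-dramatically.gl.at.ply.gg",
    "CONN pid=1164 dst=185.199.110.133:443 domain=raw.githubusercontent.com",
    "CONN pid=4 dst=192.168.100.255:138 domain=",            # NetBIOS broadcast: one weak hit only
    "CONN pid=3216 dst=172.211.123.250:443 domain=client.wns.windows.com",
    "DNS pid=2196 domain=login.live.com ip=40.126.31.2",
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_LOG).items():
        print(f"PID {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

With the default threshold only PID 1164 (Client.exe) is reported, on four reasons; the System process's NetBIOS broadcast to port 138 collects a single "unusual port" hit and is suppressed, and the Windows telemetry connections collect none. Lowering min_hits to 1 shows what the individual signatures would have produced on their own.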