File name: 2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer

Full analysis: https://app.any.run/tasks/0ae89a72-b27b-4bf7-b37e-e6a1f654a9e1
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT thanks to its code being available as open source. This malware can be used to control the victim's computer remotely.

Analysis date: May 19, 2025, 13:32:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: golang, xor-url, generic, quasar
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 15 sections
MD5: BBA8D9B47EA99A1FBC87D78ED7339F26
SHA1: AF8C1198247ED4BB9A917AC755E22CEBC0480BD1
SHA256: 2F200621A628CB8DAD9B7383C89AB4EE4BB95C4645A2B9F4FE4B0088441DD87C
SSDEEP: 98304:1w98OUuVMlCBZ1cf6hbNvuHdLjF+9kkkf1kluNmacQXcs6E3CO3KPlrWvhBxDD:3tL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • XORed URL has been found (YARA)
      • 2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe (PID: 7712)
    • QUASAR has been detected (YARA)
      • 2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe (PID: 7712)
  • SUSPICIOUS
    • Potential Corporate Privacy Violation
      • svchost.exe (PID: 2196)
    • There is functionality for taking screenshots (YARA)
      • 2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe (PID: 7712)
    • Connects to unusual port
      • 2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe (PID: 7712)
  • INFO
    • Checks supported languages
      • 2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe (PID: 7712)
    • Reads the computer name
      • 2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe (PID: 7712)
    • Reads the machine GUID from the registry
      • 2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe (PID: 7712)
    • Application based on Golang
      • 2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe (PID: 7712)
    • Reads environment values
      • 2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe (PID: 7712)
    • Checks proxy server information
      • slui.exe (PID: 7336)
    • Reads the software policy settings
      • slui.exe (PID: 7336)

xor-url

(PID) Process(7712) 2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe
Decrypted-URLs (7):
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://schemas.microsoft.com/SMI/2016/WindowsSettings
https://api.ipify.org/
https://ipwho.is/
https://stackoverflow.com/q/11564914/23354;
https://stackoverflow.com/q/14436606/23354
https://stackoverflow.com/q/2152978/23354

Quasar

(PID) Process(7712) 2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe
Version: 1.4.1
C2 (2): Ramsadaye-38594.portmap.io:38594
Sub_Dir: SubDir
Install_Name: Client.exe
Mutex: 2f72f045-155b-428e-9a93-74097cc15239
Startup: Quasar Client Startup
Tag: HexSec
LogDir: Logs
Signature: qj+itghnDARCf25poUb+atbqYSIFkrxBbioRrP4NVLDy+mQ9cTBZmm5Z1zANgmYaOpMh3XCuuE9D6G+dDwZsV/ocQ/uwsRj5n/vVV2yluTjror4KKNxX7LGDpkQ/dXuIdW5kQ8/OQ7NjgHyO94WI87Fkr6tuPCc2Nt4Ggy2FfjXSOpvzPuc9T2vd0vZDxVYHqF26lb8FZiKVFnICh2xkEvHRHXBg651CHRKbEPLjNhdK59bFHBbUOcLgW2mpTJbh7xljTzTOi0xNbi/wuxUgFUKZt8MEcLJWL5VdM8cN9Sy9...
Certificate: MIIE9DCCAtygAwIBAgIQAKqbGTEU82DQOP497imGSTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI1MDUxNTA5NTIzNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyI8UQkZxmpTLD614qdIdpDVVCj/z2rQ2/34yHX93JtZUcNwsyYGEeMdwYGhgGyJCUtaiHr8o...
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 726016
InitializedDataSize: 3350528
UninitializedDataSize: -
EntryPoint: 0x71860
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
No data.
Total processes: 126
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, #XOR-URL 2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe, svchost.exe, slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 7336
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7712
CMD: "C:\Users\admin\Desktop\2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe"
Path: C:\Users\admin\Desktop\2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
Total events: 3 817
Read events: 3 817
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 4
TCP/UDP connections: 65
DNS requests: 6
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
2104 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4980 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4980 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4980 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2104 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4980 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4980 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7712 | 2025-05-19_bba8d9b47ea99a1fbc87d78ed7339f26_frostygoop_ghostlocker_knight_luca-stealer.exe | 193.161.193.99:38594 | Ramsadaye-38594.portmap.io | OOO Bitree Networks | RU | malicious

DNS requests

Domain | IP | Reputation
google.com | 172.217.18.14 | whitelisted
crl.microsoft.com | 23.53.40.176, 23.53.40.178 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
Ramsadaye-38594.portmap.io | 193.161.193.99 | malicious
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Potential Corporate Privacy Violation | ET INFO DNS Query to a Reverse Proxy Service Observed
2196 | svchost.exe | Misc activity | ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io)
No debug info