Field | Value
---|---
File name | SubSeven S.A.T 1.0.7.rar
Full analysis | https://app.any.run/tasks/9185cc1b-e527-4a0b-9964-6a089e8d236c
Verdict | Malicious activity
Threats | Quasar is a very popular RAT in the world thanks to its code being available as open source. This malware can be used to control the victim's computer remotely.
Analysis date | March 10, 2019, 19:03:11
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | B85AEA526843A6CCB23D8A25E2859095
SHA1 | 656F8A2D9F95D199EBBD6EC7C695590816A05069
SHA256 | 39CF91175D8AB9B6DB693FBDDD845ADE6AD14EF5BFC5432DBE92CC5971CEFCEE
SSDEEP | 6144:oMNm6dAruZW6m4uo1WYBkCk9hrHcKjEtZSLKTE8Lr/4JwjNpLrQlqcS5OmP:o4m6OHSkCk3vjEtcOThLb4ANpLTBOmP
Extension | Detected type | Score
---|---|---
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2696 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SubSeven S.A.T 1.0.7.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
3016 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2696.12905\SubSeven S.A.T 1.0.7\SubSeven S.A.T 1.0.7.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2696.12905\SubSeven S.A.T 1.0.7\SubSeven S.A.T 1.0.7.exe | — | WinRAR.exe
3796 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\cnetindependent.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe

PID | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---
2696 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0
3016 | admin | SubSeven Inc. | MEDIUM | SubSeven S.A.T 1.0.7 | 0 | 1.0.7
3796 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 0 | 14.0.6024.1000
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
2696 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | 
2696 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | 
2696 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2696 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\SubSeven S.A.T 1.0.7.rar
2696 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2696 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2696 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2696 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2696 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2696 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR31A0.tmp.cvr | — | — | —
3016 | SubSeven S.A.T 1.0.7.exe | C:\Users\admin\AppData\Local\Temp\e6f3475a-6185-4267-83f6-71b58a7d05c7_chrome.txt | text | — | —
2696 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2696.12905\SubSeven S.A.T 1.0.7\Data\GeoIP.dat | binary | 1F897B5825CF91799831862620911AFF | 5F85518CF71E7B53544E0BD0C1874D1F89A0D6DE7A6AD50683517575AAA56301
3796 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | — | —
2696 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2696.12905\SubSeven S.A.T 1.0.7\Configuration\settings.ini | text | E6CEE1AAE2E0FADF069888784E9207A9 | F891459C922E178C9EF398474160654C90B6A9FFC4DD3B148BA18FEFFB664F5F
3796 | WINWORD.EXE | C:\Users\admin\Desktop\~$etindependent.rtf | pgc | — | —
3796 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\cnetindependent.rtf.LNK | lnk | — | —
2696 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2696.12905\SubSeven S.A.T 1.0.7\SubSeven S.A.T 1.0.7.exe | executable | — | —
3016 | SubSeven S.A.T 1.0.7.exe | C:\Users\admin\AppData\Local\Temp\4147af6d-4916-4fc1-9485-6a1753c51244_ccookies.txt | text | — | —
3796 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | — | —
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3016 | SubSeven S.A.T 1.0.7.exe | GET | 301 | 104.31.76.103:80 | http://browserloot.rokey.xyz/api/get-ip.php | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3016 | SubSeven S.A.T 1.0.7.exe | 104.31.76.103:80 | browserloot.rokey.xyz | Cloudflare Inc | US | shared |
3016 | SubSeven S.A.T 1.0.7.exe | 104.31.77.103:443 | browserloot.rokey.xyz | Cloudflare Inc | US | shared |
3016 | SubSeven S.A.T 1.0.7.exe | 104.31.76.103:443 | browserloot.rokey.xyz | Cloudflare Inc | US | shared |
Domain | IP | Reputation
---|---|---
browserloot.rokey.xyz | | malicious
rokey.xyz | | malicious
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | MALWARE [PTsecurity] BrowserLoot Stealer |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] BrowserLoot Stealer Connection |