| File name: | SubSeven S.A.T 1.0.7.rar |
| Full analysis: | https://app.any.run/tasks/9185cc1b-e527-4a0b-9964-6a089e8d236c |
| Verdict: | Malicious activity |
| Threats: | Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. |
| Analysis date: | March 10, 2019, 19:03:11 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | B85AEA526843A6CCB23D8A25E2859095 |
| SHA1: | 656F8A2D9F95D199EBBD6EC7C695590816A05069 |
| SHA256: | 39CF91175D8AB9B6DB693FBDDD845ADE6AD14EF5BFC5432DBE92CC5971CEFCEE |
| SSDEEP: | 6144:oMNm6dAruZW6m4uo1WYBkCk9hrHcKjEtZSLKTE8Lr/4JwjNpLrQlqcS5OmP:o4m6OHSkCk3vjEtcOThLb4ANpLTBOmP |
| Extension | File type (match score) |
|---|---|
| .rar | RAR compressed archive (v5.0) (61.5) |
| .rar | RAR compressed archive (gen) (38.4) |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2696 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SubSeven S.A.T 1.0.7.rar" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe |
| 3016 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2696.12905\SubSeven S.A.T 1.0.7\SubSeven S.A.T 1.0.7.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2696.12905\SubSeven S.A.T 1.0.7\SubSeven S.A.T 1.0.7.exe | | WinRAR.exe |
| 3796 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\cnetindependent.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |

| PID | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 2696 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0 |
| 3016 | admin | SubSeven Inc. | MEDIUM | SubSeven S.A.T 1.0.7 | 0 | 1.0.7 |
| 3796 | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 0 | 14.0.6024.1000 |
| (PID) Process | Key | Operation | Name | Value |
|---|---|---|---|---|
| (2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
| (2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
| (2696) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | write | LanguageList | en-US |
| (2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\SubSeven S.A.T 1.0.7.rar |
| (2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| (2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| (2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| (2696) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
| (2696) WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
| (2696) WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3796 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR31A0.tmp.cvr | — | — | — |
| 3016 | SubSeven S.A.T 1.0.7.exe | C:\Users\admin\AppData\Local\Temp\4147af6d-4916-4fc1-9485-6a1753c51244_ccookies.txt | text | — | — |
| 3796 | WINWORD.EXE | C:\Users\admin\Desktop\~$etindependent.rtf | pgc | — | — |
| 3796 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | — | — |
| 3796 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\cnetindependent.rtf.LNK | lnk | — | — |
| 2696 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2696.12905\SubSeven S.A.T 1.0.7\Configuration\LoginRememberMe.ini | text | 68934A3E9455FA72420237EB05902327 | FCBCF165908DD18A9E49F7FF27810176DB8E9F63B4352213741664245224F8AA |
| 2696 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2696.12905\SubSeven S.A.T 1.0.7\SubSeven S.A.T 1.0.7.exe | executable | — | — |
| 3016 | SubSeven S.A.T 1.0.7.exe | C:\Users\admin\AppData\Local\Temp\e6f3475a-6185-4267-83f6-71b58a7d05c7_chrome.txt | text | — | — |
| 3796 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | — | — |
| 2696 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2696.12905\SubSeven S.A.T 1.0.7\VelyseTheme.dll | executable | 52BFCE7E8DC04712CD2091C12F126F77 | B332DAAC3B130051E8D2A5FD325D6D094CA1C9A602B45667855341F4CB9100AE |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3016 | SubSeven S.A.T 1.0.7.exe | GET | 301 | 104.31.76.103:80 | http://browserloot.rokey.xyz/api/get-ip.php | US | — | — | malicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3016 | SubSeven S.A.T 1.0.7.exe | 104.31.76.103:80 | browserloot.rokey.xyz | Cloudflare Inc | US | shared |
| 3016 | SubSeven S.A.T 1.0.7.exe | 104.31.76.103:443 | browserloot.rokey.xyz | Cloudflare Inc | US | shared |
| 3016 | SubSeven S.A.T 1.0.7.exe | 104.31.77.103:443 | browserloot.rokey.xyz | Cloudflare Inc | US | shared |
| Domain | IP | Reputation |
|---|---|---|
| browserloot.rokey.xyz | | malicious |
| rokey.xyz | | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| 3016 | SubSeven S.A.T 1.0.7.exe | A Network Trojan was detected | MALWARE [PTsecurity] BrowserLoot Stealer |
| 3016 | SubSeven S.A.T 1.0.7.exe | A Network Trojan was detected | MALWARE [PTsecurity] BrowserLoot Stealer Connection |