File name: | League-Of-Legends-BOT.zip |
Full analysis: | https://app.any.run/tasks/017fc244-738a-4846-88d4-d961830b022b |
Verdict: | Malicious activity |
Threats: | Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. |
Analysis date: | October 14, 2019, 05:39:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v1.0 to extract |
MD5: | 448F11679062F1244C136D1FF38A7966 |
SHA1: | F4AD3258CE8A98BDA51907CF7C3F7874CEE524CE |
SHA256: | 39DF288665EFB674512F761E1450D3101DD3A2C94CE5902B8EB2AE7C7C65D8C4 |
SSDEEP: | 24576:4fg+PKFt53H/6rZ/cNR6kK+a8K3gE+qb96b/SR/ehRuJUKKz:CnKh+ZJl6K3gdqh68wEJUr |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | League-Of-Legends-BOT/ |
---|---|
ZipUncompressedSize: | - |
ZipCompressedSize: | - |
ZipCRC: | 0x00000000 |
ZipModifyDate: | 2019:10:14 08:07:15 |
ZipCompression: | None |
ZipBitFlag: | - |
ZipRequiredVersion: | 10 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
944 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\League-Of-Legends-BOT.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3488 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
252 | "C:\Users\admin\Desktop\League-Of-Legends-BOT\Executable\LeagueBot.exe" | C:\Users\admin\Desktop\League-Of-Legends-BOT\Executable\LeagueBot.exe | explorer.exe | |
User: admin Company: Google Chrome Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 67.0.100.99 | ||||
3028 | "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'opsrv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'opsrv' -Value '"C:\Users\admin\AppData\Roaming\chome_exe\opsrv.exe"' -PropertyType 'String' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | LeagueBot.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4012 | "C:\Users\admin\Desktop\League-Of-Legends-BOT\Executable\LeagueBot.exe" | C:\Users\admin\Desktop\League-Of-Legends-BOT\Executable\LeagueBot.exe | LeagueBot.exe | |
User: admin Company: Google Chrome Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 67.0.100.99 | ||||
2864 | "C:\Users\admin\AppData\Roaming\Winlog\winlog.exe" | C:\Users\admin\AppData\Roaming\Winlog\winlog.exe | LeagueBot.exe | |
User: admin Company: Google Chrome Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 67.0.100.99 | ||||
2892 | "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'opsrv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'opsrv' -Value '"C:\Users\admin\AppData\Roaming\chome_exe\opsrv.exe"' -PropertyType 'String' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | winlog.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2800 | "C:\Users\admin\AppData\Roaming\Winlog\winlog.exe" | C:\Users\admin\AppData\Roaming\Winlog\winlog.exe | winlog.exe | |
User: admin Company: Google Chrome Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 67.0.100.99 | ||||
2488 | cmd /c ""C:\Users\admin\AppData\Local\Temp\TAMkLjNOAHQI.bat" " | C:\Windows\system32\cmd.exe | — | winlog.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3956 | chcp 65001 | C:\Windows\system32\chcp.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\ColorViewer.csproj | xml | |
MD5:A23D495FACE9E610981F2FDBEB862C12 | SHA256:C4E9B3F9FC76863CA2F1928836038ABFE7F29B5B0853CA3D2DBFDC39EE209D68 | |||
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\obj\Debug\ColorPicker.csproj.CoreCompileInputs.cache | text | |
MD5:1D240B4263B2595B39BB5C32C1396847 | SHA256:4A346ED8DE7AC52A6A8149B293AF04E25C024D5143683435961330F30BE5F79B | |||
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\obj\Debug\ColorPicker.csproj.FileListAbsolute.txt | text | |
MD5:AFD574B88AEB4A7D8E0C0047518CFB0E | SHA256:4C8FEE74DDFC2A865EC966EA7ADAA978EBF6F7BA2A883FFE6112725A97816A30 | |||
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\Form1.cs | text | |
MD5:076FEB27F2B5DF418B4E636F2CC3EDED | SHA256:9D3B3DCEC0C69C1B372CD2214FF73D653913787129ECF7E7CFCE1F64D0922FAD | |||
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\obj\Debug\ColorPicker.csprojResolveAssemblyReference.cache | pi2 | |
MD5:01660F9BD4396A9B010BD3CE9B47D8D9 | SHA256:F41B2E7AFF04859AE1BCD0FA50392DC0E724E9D3ABF4C498FAC2FEF04C0F70CF | |||
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\bin\Debug\ColorViewer.pdb | pdb | |
MD5:9D221A6C96761EAD70D9288A1184E947 | SHA256:91BD085D5400B44F8B81ED0E933CEC8237789C4950D25A06E943AF190966B9C3 | |||
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\.vs\LeagueBot\v15\Server\sqlite3\storage.ide-wal | binary | |
MD5:59F0AC1944598559EBECE930822295D4 | SHA256:622718F501ECDE92B203342052F7A5E16B6BE031BE1E56166DF516088BF1E055 | |||
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\Interop.cs | text | |
MD5:4CCE71324AB357B04C553D288E488A1A | SHA256:32BE52B7943FDC16F25E773E7443CC1C3E5D498F360BC0F079E5ABC42B9F08CF | |||
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\bin\Debug\ColorViewer.exe | executable | |
MD5:2BAB78C29AAF31165045A7F5AC846812 | SHA256:A8F6DB08B1D67B428BFCB746123479D14511B4C002AAA54499A36CE3C47E9249 | |||
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\.vs\LeagueBot\v15\Server\sqlite3\storage.ide | sqlite | |
MD5:359599B61BAA003DBC85169E7F670F97 | SHA256:62AA936BF82FA6CA6A9F8BCEBD3FD5B4DB49660920B99B1512F8283863A80136 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2800 | winlog.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 265 b | shared |
4012 | LeagueBot.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 265 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2800 | winlog.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown |
4012 | LeagueBot.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown |
2800 | winlog.exe | 84.108.213.8:4782 | prrr.duckdns.org | Bezeq International | IL | malicious |
Domain | IP | Reputation |
---|---|---|
ip-api.com |
| shared |
prrr.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
4012 | LeagueBot.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
4012 | LeagueBot.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
4012 | LeagueBot.exe | A Network Trojan was detected | REMOTE [PTsecurity] Quasar.RAT IP Lookup |
2800 | winlog.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
2800 | winlog.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
2800 | winlog.exe | A Network Trojan was detected | REMOTE [PTsecurity] Quasar.RAT IP Lookup |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2800 | winlog.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar RAT |
2800 | winlog.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar RAT |