File name: League-Of-Legends-BOT.zip
Full analysis: https://app.any.run/tasks/017fc244-738a-4846-88d4-d961830b022b
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT because its source code is openly available. It can be used to control the victim's computer remotely.

Analysis date: October 14, 2019, 05:39:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, trojan, rat, quasar

Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 448F11679062F1244C136D1FF38A7966
SHA1: F4AD3258CE8A98BDA51907CF7C3F7874CEE524CE
SHA256: 39DF288665EFB674512F761E1450D3101DD3A2C94CE5902B8EB2AE7C7C65D8C4
SSDEEP: 24576:4fg+PKFt53H/6rZ/cNR6kK+a8K3gE+qb96b/SR/ehRuJUKKz:CnKh+ZJl6K3gdqh68wEJUr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • LeagueBot.exe (PID: 252)
      • LeagueBot.exe (PID: 4012)
      • winlog.exe (PID: 2864)
      • winlog.exe (PID: 2800)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3488)
    • Changes the autorun value in the registry

      • powershell.exe (PID: 3028)
      • LeagueBot.exe (PID: 4012)
      • powershell.exe (PID: 2892)
      • winlog.exe (PID: 2800)
    • QUASAR was detected

      • LeagueBot.exe (PID: 4012)
      • winlog.exe (PID: 2800)
    • Actions look like stealing of personal data

      • winlog.exe (PID: 2800)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2488)
  • SUSPICIOUS

    • Executes PowerShell scripts

      • LeagueBot.exe (PID: 252)
      • winlog.exe (PID: 2864)
    • Application launched itself

      • LeagueBot.exe (PID: 252)
      • winlog.exe (PID: 2864)
    • Creates files in the user directory

      • LeagueBot.exe (PID: 252)
      • LeagueBot.exe (PID: 4012)
      • powershell.exe (PID: 3028)
      • powershell.exe (PID: 2892)
    • Executable content was dropped or overwritten

      • LeagueBot.exe (PID: 252)
      • WinRAR.exe (PID: 944)
      • winlog.exe (PID: 2864)
      • LeagueBot.exe (PID: 4012)
    • Starts itself from another location

      • LeagueBot.exe (PID: 4012)
    • Checks for external IP

      • LeagueBot.exe (PID: 4012)
      • winlog.exe (PID: 2800)
    • Starts CMD.EXE for command execution

      • winlog.exe (PID: 2800)
    • Loads DLL from Mozilla Firefox

      • winlog.exe (PID: 2800)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2488)
  • INFO

    • Manual execution by user

      • LeagueBot.exe (PID: 252)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: League-Of-Legends-BOT/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2019:10:14 08:07:15
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 11
Malicious processes: 5
Suspicious processes: 3

Behavior graph (interactive; see the full report): winrar.exe, searchprotocolhost.exe (no specs), leaguebot.exe, powershell.exe, leaguebot.exe (#QUASAR), winlog.exe, powershell.exe, winlog.exe (#QUASAR), cmd.exe (no specs), chcp.com (no specs), ping.exe (no specs)

Process information

PID 944
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\League-Of-Legends-BOT.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID 3488
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 252
CMD: "C:\Users\admin\Desktop\League-Of-Legends-BOT\Executable\LeagueBot.exe"
Path: C:\Users\admin\Desktop\League-Of-Legends-BOT\Executable\LeagueBot.exe
Parent process: explorer.exe
User: admin
Company: Google Chrome
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 67.0.100.99

PID 3028
CMD: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'opsrv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'opsrv' -Value '"C:\Users\admin\AppData\Roaming\chome_exe\opsrv.exe"' -PropertyType 'String'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: LeagueBot.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 4012
CMD: "C:\Users\admin\Desktop\League-Of-Legends-BOT\Executable\LeagueBot.exe"
Path: C:\Users\admin\Desktop\League-Of-Legends-BOT\Executable\LeagueBot.exe
Parent process: LeagueBot.exe
User: admin
Company: Google Chrome
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 67.0.100.99

PID 2864
CMD: "C:\Users\admin\AppData\Roaming\Winlog\winlog.exe"
Path: C:\Users\admin\AppData\Roaming\Winlog\winlog.exe
Parent process: LeagueBot.exe
User: admin
Company: Google Chrome
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 67.0.100.99

PID 2892
CMD: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'opsrv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'opsrv' -Value '"C:\Users\admin\AppData\Roaming\chome_exe\opsrv.exe"' -PropertyType 'String'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: winlog.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2800
CMD: "C:\Users\admin\AppData\Roaming\Winlog\winlog.exe"
Path: C:\Users\admin\AppData\Roaming\Winlog\winlog.exe
Parent process: winlog.exe
User: admin
Company: Google Chrome
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 67.0.100.99

PID 2488
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\TAMkLjNOAHQI.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: winlog.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3956
CMD: chcp 65001
Path: C:\Windows\system32\chcp.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Change CodePage Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 693
Read events: 1 528
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 10
Suspicious files: 11
Text files: 42
Unknown types: 10

Dropped files

PID | Process | Filename | Type
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\ColorViewer.csproj | xml
  MD5: A23D495FACE9E610981F2FDBEB862C12 | SHA256: C4E9B3F9FC76863CA2F1928836038ABFE7F29B5B0853CA3D2DBFDC39EE209D68
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\obj\Debug\ColorPicker.csproj.CoreCompileInputs.cache | text
  MD5: 1D240B4263B2595B39BB5C32C1396847 | SHA256: 4A346ED8DE7AC52A6A8149B293AF04E25C024D5143683435961330F30BE5F79B
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\obj\Debug\ColorPicker.csproj.FileListAbsolute.txt | text
  MD5: AFD574B88AEB4A7D8E0C0047518CFB0E | SHA256: 4C8FEE74DDFC2A865EC966EA7ADAA978EBF6F7BA2A883FFE6112725A97816A30
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\Form1.cs | text
  MD5: 076FEB27F2B5DF418B4E636F2CC3EDED | SHA256: 9D3B3DCEC0C69C1B372CD2214FF73D653913787129ECF7E7CFCE1F64D0922FAD
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\obj\Debug\ColorPicker.csprojResolveAssemblyReference.cache | pi2
  MD5: 01660F9BD4396A9B010BD3CE9B47D8D9 | SHA256: F41B2E7AFF04859AE1BCD0FA50392DC0E724E9D3ABF4C498FAC2FEF04C0F70CF
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\bin\Debug\ColorViewer.pdb | pdb
  MD5: 9D221A6C96761EAD70D9288A1184E947 | SHA256: 91BD085D5400B44F8B81ED0E933CEC8237789C4950D25A06E943AF190966B9C3
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\.vs\LeagueBot\v15\Server\sqlite3\storage.ide-wal | binary
  MD5: 59F0AC1944598559EBECE930822295D4 | SHA256: 622718F501ECDE92B203342052F7A5E16B6BE031BE1E56166DF516088BF1E055
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\Interop.cs | text
  MD5: 4CCE71324AB357B04C553D288E488A1A | SHA256: 32BE52B7943FDC16F25E773E7443CC1C3E5D498F360BC0F079E5ABC42B9F08CF
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\ColorPicker\bin\Debug\ColorViewer.exe | executable
  MD5: 2BAB78C29AAF31165045A7F5AC846812 | SHA256: A8F6DB08B1D67B428BFCB746123479D14511B4C002AAA54499A36CE3C47E9249
944 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa944.10228\League-Of-Legends-BOT\Sources\.vs\LeagueBot\v15\Server\sqlite3\storage.ide | sqlite
  MD5: 359599B61BAA003DBC85169E7F670F97 | SHA256: 62AA936BF82FA6CA6A9F8BCEBD3FD5B4DB49660920B99B1512F8283863A80136
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2800 | winlog.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 265 b | shared
4012 | LeagueBot.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 265 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2800 | winlog.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown
4012 | LeagueBot.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown
2800 | winlog.exe | 84.108.213.8:4782 | prrr.duckdns.org | Bezeq International | IL | malicious

DNS requests

Domain | IP | Reputation
ip-api.com | 185.194.141.58 | shared
prrr.duckdns.org | 84.108.213.8 | malicious

Threats

PID | Process | Class | Message
4012 | LeagueBot.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
4012 | LeagueBot.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
4012 | LeagueBot.exe | A Network Trojan was detected | REMOTE [PTsecurity] Quasar.RAT IP Lookup
2800 | winlog.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
2800 | winlog.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
2800 | winlog.exe | A Network Trojan was detected | REMOTE [PTsecurity] Quasar.RAT IP Lookup
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2800 | winlog.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar RAT
2800 | winlog.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar RAT
2 ETPRO signatures available at the full report
No debug info