File name: | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908 |
Full analysis: | https://app.any.run/tasks/961424e4-b4a2-4e46-a7d0-6f26e6e08ca9 |
Verdict: | Malicious activity |
Threats: | Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. |
Analysis date: | December 05, 2022, 18:34:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 372322406B6A5C04F37E4DF210EEEC69 |
SHA1: | 2EEC6183D01C981BF7BB4EAB6E75C4D29D0C412C |
SHA256: | 3F90A9AAE3458C7E6184EDD089ECB8937E29D5A52649F9EF8A1502313932DE27 |
SSDEEP: | 24576:z+ahSadxWV1Jo7HFZzbgtEyzVp69691SLNLLLc:a74WV1Jg5bgFVpR1SLNLLL |
.dll | | | Win32 Dynamic Link Library (generic) (38.3) |
---|---|---|
.exe | | | Win32 Executable (generic) (26.2) |
.exe | | | Win16/32 Executable Delphi generic (12) |
.exe | | | Generic Win/DOS Executable (11.6) |
.exe | | | DOS Executable Generic (11.6) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2022-Dec-04 16:50:06 |
Comments: | Orl Recovery Application |
CompanyName: | Orl Recovery |
FileDescription: | Orl Recovery Application |
FileVersion: | 5.4.4.6 |
InternalName: | server1.exe |
LegalCopyright: | Copyright © 2021 Orl Recovery |
LegalTrademarks: | Orl Recovery Application |
OriginalFilename: | server1.exe |
ProductName: | Orl Recovery |
ProductVersion: | 5.4.4.6 |
Assembly Version: | 7.5.5.9 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2022-Dec-04 16:50:06 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
e\x05Xrqu&d | 8192 | 981628 | 982016 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.9998 |
.text | 991232 | 42136 | 42496 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 4.61871 |
.rsrc | 1040384 | 436160 | 436224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.7065 |
.reloc | 1482752 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0980042 |
Section_5 | 1490944 | 16 | 512 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0.142636 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.3157 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
2 | 5.00129 | 2440 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 4.66636 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 4.55741 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 4.1655 | 16936 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 4.31575 | 21640 | UNKNOWN | UNKNOWN | RT_ICON |
7 | 4.1246 | 38056 | UNKNOWN | UNKNOWN | RT_ICON |
8 | 3.66748 | 67624 | UNKNOWN | UNKNOWN | RT_ICON |
9 | 3.35724 | 270376 | UNKNOWN | UNKNOWN | RT_ICON |
32512 | 3.01226 | 132 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3132 | "C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe" | C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Orl Recovery Integrity Level: MEDIUM Description: Orl Recovery Application Exit code: 0 Version: 5.4.4.6 Modules
| |||||||||||||||
3480 | C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | ||||||||||||
User: admin Company: Orl Recovery Integrity Level: MEDIUM Description: Orl Recovery Application Exit code: 0 Version: 5.4.4.6 Modules
| |||||||||||||||
2348 | "C:\Users\admin\AppData\Roaming\rcv\rce.exe" | C:\Users\admin\AppData\Roaming\rcv\rce.exe | — | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | |||||||||||
User: admin Company: Orl Recovery Integrity Level: MEDIUM Description: Orl Recovery Application Exit code: 0 Version: 5.4.4.6 Modules
| |||||||||||||||
3476 | C:\Users\admin\AppData\Roaming\rcv\rce.exe | C:\Users\admin\AppData\Roaming\rcv\rce.exe | rce.exe | ||||||||||||
User: admin Company: Orl Recovery Integrity Level: MEDIUM Description: Orl Recovery Application Version: 5.4.4.6 Modules
Quasar(PID) Process(3476) rce.exe Certificate Signature LogDirLogs Tagroop Startuprcr MutexQSR_MUTEX_baRzVwpXLLWpXWTkLS Install_Namerce.exe Sub_Dirrcv C2 (3)dnuocc.com:64594 www.dnuocc.com:64594 Version1.3.0.0 |
(PID) Process: | (3480) SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3480) SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3480) SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: | |||
(PID) Process: | (3480) SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
(PID) Process: | (3480) SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (3480) SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (3480) SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3480) SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3480) SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: | |||
(PID) Process: | (3480) SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SecuriteInfo_RASMANCS |
Operation: | write | Name: | ConsoleTracingMask |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
3480 | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | C:\Users\admin\AppData\Roaming\rcv\rce.exe | executable | |
MD5:372322406B6A5C04F37E4DF210EEEC69 | SHA256:3F90A9AAE3458C7E6184EDD089ECB8937E29D5A52649F9EF8A1502313932DE27 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3476 | rce.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | binary | 279 b | shared |
3480 | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | binary | 279 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3476 | rce.exe | 185.216.71.78:64594 | dnuocc.com | Delis LLC | NL | malicious |
3476 | rce.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | malicious |
3480 | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | malicious |
Domain | IP | Reputation |
---|---|---|
ip-api.com |
| shared |
dnuocc.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3480 | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3480 | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | A Network Trojan was detected | ET TROJAN Common RAT Connectivity Check Observed |
3480 | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
3476 | rce.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3476 | rce.exe | A Network Trojan was detected | ET TROJAN Common RAT Connectivity Check Observed |
3476 | rce.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |