File name: SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908

Full analysis: https://app.any.run/tasks/961424e4-b4a2-4e46-a7d0-6f26e6e08ca9
Verdict: Malicious activity
Threats:

Quasar is a widely used RAT: its source code is publicly available, so it is cheap to build and rebrand. It gives the operator remote control of the victim's computer.

Analysis date: December 05, 2022, 18:34:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, trojan, quasar
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 372322406B6A5C04F37E4DF210EEEC69
SHA1: 2EEC6183D01C981BF7BB4EAB6E75C4D29D0C412C
SHA256: 3F90A9AAE3458C7E6184EDD089ECB8937E29D5A52649F9EF8A1502313932DE27
SSDEEP: 24576:z+ahSadxWV1Jo7HFZzbgtEyzVp69691SLNLLLc:a74WV1Jg5bgFVpR1SLNLLL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe (PID: 3480)
      • rce.exe (PID: 3476)
    • QUASAR detected by memory dumps

      • rce.exe (PID: 3476)
  • SUSPICIOUS

    • Detected use of alternative data streams (AltDS)

      • SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe (PID: 3480)
      • rce.exe (PID: 3476)
    • Reads the Internet Settings

      • SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe (PID: 3480)
      • rce.exe (PID: 3476)
    • Starts itself from another location

      • SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe (PID: 3480)
    • Application launched itself

      • SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe (PID: 3132)
      • rce.exe (PID: 2348)
    • Checks for external IP

      • rce.exe (PID: 3476)
  • INFO

    • Checks supported languages

      • SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe (PID: 3132)
      • SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe (PID: 3480)
      • rce.exe (PID: 3476)
      • rce.exe (PID: 2348)
    • Reads Environment values

      • SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe (PID: 3480)
      • rce.exe (PID: 3476)
    • Reads the computer name

      • SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe (PID: 3480)
      • SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe (PID: 3132)
      • rce.exe (PID: 2348)
      • rce.exe (PID: 3476)
Quasar

Configuration extracted from the memory of rce.exe (PID 3476):

Certificate:
Signature:
LogDir: Logs
Tag: roop
Startup: rcr
Mutex: QSR_MUTEX_baRzVwpXLLWpXWTkLS
Install_Name: rce.exe
Sub_Dir: rcv
C2 (3): dnuocc.com:64594
        www.dnuocc.com:64594
        (only two of the three C2 entries appear on this page)
Version: 1.3.0.0
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3%)
.exe | Win32 Executable (generic) (26.2%)
.exe | Win16/32 Executable Delphi generic (12.0%)
.exe | Generic Win/DOS Executable (11.6%)
.exe | DOS Executable Generic (11.6%)

TRiD guesses from byte patterns only; the Delphi entry is a false lead here, since the file-type check above identifies the sample as a Mono/.NET assembly and its only native import is mscoree.dll.

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2022-Dec-04 16:50:06
Comments: Orl Recovery Application
CompanyName: Orl Recovery
FileDescription: Orl Recovery Application
FileVersion: 5.4.4.6
InternalName: server1.exe
LegalCopyright: Copyright © 2021 Orl Recovery
LegalTrademarks: Orl Recovery Application
OriginalFilename: server1.exe
ProductName: Orl Recovery
ProductVersion: 5.4.4.6
Assembly Version: 7.5.5.9

The version resource is self-declared by whoever built the file: "Orl Recovery", version 5.4.4.6 and the OriginalFilename server1.exe do not match the Quasar client version (1.3.0.0) recovered from memory, nor the names the sample actually runs under, so treat them as decoration rather than attribution. Note also that the PE timestamp (2022-Dec-04) is one day before the analysis date.

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2022-Dec-04 16:50:06
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
e\x05Xrqu&d | 8192 (0x2000) | 981628 | 982016 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.9998
.text | 991232 (0xF2000) | 42136 | 42496 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 4.61871
.rsrc | 1040384 (0xFE000) | 436160 | 436224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.7065
.reloc | 1482752 (0x16A000) | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0980042
Section_5 | 1490944 (0x16C000) | 16 | 512 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0.142636

The first section is the tell: it has a non-printable name (the \x05 byte is literal), it is readable, writable and executable at once, and at 982 KB with entropy 7.9998 out of a possible 8 its contents are indistinguishable from encrypted or compressed data. The real code section (.text) is only 42 KB. That layout is what a ConfuserEx-style packer produces: a small stub that decrypts and runs a payload held in the large opaque section, which is why the Quasar configuration could only be recovered from memory, not from the file on disk.
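The triage rule applied above (RWX plus near-maximal entropy in a large section, executable bits on a section not flagged as code, unprintable section names) is easy to automate. The following is an added example, not part of the ANY.RUN report or of any tool it uses; it takes the five sections exactly as the table lists them as constructed input, and the thresholds (7.5 bits/byte, 4 KB minimum size) are assumptions a practitioner would tune for their own corpus:

```python
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass

# PE section characteristic flags (values from winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_BY_NAME = {
    "IMAGE_SCN_CNT_CODE": IMAGE_SCN_CNT_CODE,
    "IMAGE_SCN_CNT_INITIALIZED_DATA": IMAGE_SCN_CNT_INITIALIZED_DATA,
    "IMAGE_SCN_MEM_DISCARDABLE": IMAGE_SCN_MEM_DISCARDABLE,
    "IMAGE_SCN_MEM_EXECUTE": IMAGE_SCN_MEM_EXECUTE,
    "IMAGE_SCN_MEM_READ": IMAGE_SCN_MEM_READ,
    "IMAGE_SCN_MEM_WRITE": IMAGE_SCN_MEM_WRITE,
}

# Assumed thresholds: 8.0 bits/byte is the maximum; compiled code usually sits
# around 4-6, encrypted or compressed payloads above 7.5. Tiny sections are
# ignored because their entropy is meaningless.
PACKED_ENTROPY_THRESHOLD = 7.5
MIN_INTERESTING_RAW_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_characteristics(text: str) -> int:
    """Turn the report's 'FLAG, FLAG, ...' string into the numeric section bit mask."""
    mask = 0
    for name in text.split(","):
        name = name.strip()
        if name:
            mask |= FLAG_BY_NAME[name]
    return mask


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: float


def triage_section(s: Section) -> list[str]:
    """Reasons this section looks like packer or loader output; empty list means unremarkable."""
    findings: list[str] = []
    c = s.characteristics
    if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
        findings.append("RWX section")
    if c & IMAGE_SCN_MEM_EXECUTE and not c & IMAGE_SCN_CNT_CODE:
        findings.append("executable but not flagged as code")
    if s.entropy >= PACKED_ENTROPY_THRESHOLD and s.raw_size >= MIN_INTERESTING_RAW_SIZE:
        findings.append(f"high entropy {s.entropy:.4f}: encrypted or compressed payload likely")
    if not all(0x20 <= ord(ch) < 0x7F for ch in s.name):
        findings.append("non-printable section name")
    return findings


def triage(sections: list[Section]) -> dict[str, list[str]]:
    """Map each section name to its findings."""
    return {s.name: triage_section(s) for s in sections}


# Constructed input: the five sections as the report's section table lists them.
REPORT_SECTIONS = [
    Section("e\x05Xrqu&d", 8192, 981628, 982016, parse_characteristics(
        "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"), 7.9998),
    Section(".text", 991232, 42136, 42496, parse_characteristics(
        "IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ"), 4.61871),
    Section(".rsrc", 1040384, 436160, 436224, parse_characteristics(
        "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"), 3.7065),
    Section(".reloc", 1482752, 12, 512, parse_characteristics(
        "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ"), 0.0980042),
    Section("Section_5", 1490944, 16, 512, parse_characteristics(
        "IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ"), 0.142636),
]

if __name__ == "__main__":
    for name, findings in triage(REPORT_SECTIONS).items():
        print(repr(name), "->", findings or "nothing unusual")
```

Run against a real file, `shannon_entropy` would be fed each section's raw bytes (for example from pefile's `section.get_data()`) instead of the entropy figure copied from the report; the classification logic is unchanged. Only the first section trips any rule, and it trips all four.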

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.3157 | 1128 | UNKNOWN | UNKNOWN | RT_ICON
2 | 5.00129 | 2440 | UNKNOWN | UNKNOWN | RT_ICON
3 | 4.66636 | 4264 | UNKNOWN | UNKNOWN | RT_ICON
4 | 4.55741 | 9640 | UNKNOWN | UNKNOWN | RT_ICON
5 | 4.1655 | 16936 | UNKNOWN | UNKNOWN | RT_ICON
6 | 4.31575 | 21640 | UNKNOWN | UNKNOWN | RT_ICON
7 | 4.1246 | 38056 | UNKNOWN | UNKNOWN | RT_ICON
8 | 3.66748 | 67624 | UNKNOWN | UNKNOWN | RT_ICON
9 | 3.35724 | 270376 | UNKNOWN | UNKNOWN | RT_ICON
32512 | 3.01226 | 132 | UNKNOWN | UNKNOWN | RT_GROUP_ICON

Imports

mscoree.dll

This is the only native import, which is normal for a managed executable: the .NET loader stub imports just _CorExeMain from mscoree.dll and everything else is resolved by the runtime. The import table therefore says nothing about what the sample can do; the behaviour has to come from the .NET metadata or, as here, from running it.
No data.
Total processes: 38
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process chain (parent relations from the process table, PIDs from the "Application launched itself" and "drop and start" indicators):

Explorer.EXE
  SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe (PID 3132, no specs)
    SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe (PID 3480) [drop and start]
      rce.exe (PID 2348, no specs)
        rce.exe (PID 3476) #QUASAR

Process information

PID 3132
CMD: "C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe"
Path: C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe
Parent process: Explorer.EXE
User: admin
Company: Orl Recovery
Integrity Level: MEDIUM
Description: Orl Recovery Application
Exit code: 0
Version: 5.4.4.6
Modules (images):
  c:\users\admin\appdata\local\temp\securiteinfo.com.susp_net_name_confuserex.10894.12908.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 3480
CMD: C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe
Path: C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe
Parent process: SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe
User: admin
Company: Orl Recovery
Integrity Level: MEDIUM
Description: Orl Recovery Application
Exit code: 0
Version: 5.4.4.6
Modules (images):
  c:\users\admin\appdata\local\temp\securiteinfo.com.susp_net_name_confuserex.10894.12908.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 2348
CMD: "C:\Users\admin\AppData\Roaming\rcv\rce.exe"
Path: C:\Users\admin\AppData\Roaming\rcv\rce.exe
Parent process: SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe
User: admin
Company: Orl Recovery
Integrity Level: MEDIUM
Description: Orl Recovery Application
Exit code: 0
Version: 5.4.4.6
Modules (images):
  c:\users\admin\appdata\roaming\rcv\rce.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 3476
CMD: C:\Users\admin\AppData\Roaming\rcv\rce.exe
Path: C:\Users\admin\AppData\Roaming\rcv\rce.exe
Parent process: rce.exe
User: admin
Company: Orl Recovery
Integrity Level: MEDIUM
Description: Orl Recovery Application
Exit code: (none; still running when the analysis ended)
Version: 5.4.4.6
Modules (images):
  c:\users\admin\appdata\roaming\rcv\rce.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

All four processes run at MEDIUM integrity as the logged-in user; nothing in the chain elevates, so the persistence and install paths are all under the user's profile.
Total events: 1 152
Read events: 1 126
Write events: 26
Delete events: 0

Modification events

All ten events shown are registry writes by PID 3480 (SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\:

Key: SecuriteInfo_RASAPI32
  EnableFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = (empty)
  ConsoleTracingMask = (empty)
  MaxFileSize = 1048576
  FileDirectory = %windir%\tracing

Key: SecuriteInfo_RASMANCS
  EnableFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = (empty)
  ConsoleTracingMask = (empty)

These <process>_RASAPI32 and <process>_RASMANCS keys are created by Windows' RAS tracing infrastructure the first time a process drives the networking stack (here, the HTTP request to ip-api.com); they are sandbox noise, not persistence. The autorun write behind the "Changes the autorun value in the registry" indicator is among the 26 write events but not among the ten listed on this page; the full report has it.
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3480 | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | C:\Users\admin\AppData\Roaming\rcv\rce.exe | executable
MD5: 372322406B6A5C04F37E4DF210EEEC69
SHA256: 3F90A9AAE3458C7E6184EDD089ECB8937E29D5A52649F9EF8A1502313932DE27

The dropped file has the same MD5 and SHA256 as the submitted sample: the "drop" is a byte-for-byte self-copy into %APPDATA%\rcv\rce.exe, matching the Sub_Dir (rcv) and Install_Name (rce.exe) fields of the extracted Quasar configuration. Hunting for the file hash therefore finds both the original and the installed copy; hunting for the path and the mutex QSR_MUTEX_baRzVwpXLLWpXWTkLS finds this build even if the binary is re-obfuscated.
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 2
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3480 | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | binary | 279 b | shared
3476 | rce.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | binary | 279 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3480 | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | malicious
3476 | rce.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | malicious
3476 | rce.exe | 185.216.71.78:64594 | dnuocc.com | Delis LLC | NL | malicious

DNS requests

Domain | IP | Reputation
ip-api.com | 208.95.112.1 | shared
dnuocc.com | 185.216.71.78 | malicious

Threats

PID | Process | Class | Message
3480 | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
3480 | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | A Network Trojan was detected | ET TROJAN Common RAT Connectivity Check Observed
3480 | SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api.com)
3476 | rce.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
3476 | rce.exe | A Network Trojan was detected | ET TROJAN Common RAT Connectivity Check Observed
3476 | rce.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api.com)

All six alerts fire on the ip-api.com lookup, which is a generic check-in many RATs (and some legitimate tools) perform. The actual C2 session, TCP to 185.216.71.78:64594 (dnuocc.com), raised no signature alert here: the connection itself is what distinguishes this host from one that merely asked for its public IP, so it is the pairing of the lookup with the follow-on connection to a non-standard port that should drive triage, not the policy alerts alone.
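The sequence the Connections and Threats tables show (a public-IP lookup over HTTP, then a TCP session to a non-standard port on a freshly resolved domain, both from the same process) can be expressed as a stateful rule rather than two independent signatures. The following is an added example, not part of the ANY.RUN report or of the ET/AV rule sets it quotes; it runs over constructed log lines in an assumed "timestamp pid process kind target [extra]" format that mirrors this report's values (the timestamps, the chrome.exe control line and its 203.0.113.10 destination are made up), and the list of IP-lookup hosts and the set of "expected" ports are assumptions to tune per environment:

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: services whose only job is to return the caller's public IP. A
# non-browser process hitting one of these is what the "External IP Lookup"
# policy rules fire on; extend for your environment.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ifconfig.me", "icanhazip.com"}

# Assumption: ports an ordinary client is expected to talk to; anything else is
# "non-standard" for the escalation rule.
EXPECTED_PORTS = {80, 443}


@dataclass
class Event:
    ts: str
    pid: int
    process: str
    kind: str        # "dns", "http" or "tcp"
    target: str      # domain (dns), URL (http) or "ip:port" (tcp)
    extra: str = ""  # resolved IP (dns) or the domain behind the IP (tcp)


def parse_line(line: str) -> Event:
    """Parse one whitespace-separated record: ts pid process kind target [extra]."""
    parts = line.split()
    ts, pid, process, kind, target = parts[:5]
    extra = parts[5] if len(parts) > 5 else ""
    return Event(ts, int(pid), process, kind, target, extra)


@dataclass
class Alert:
    pid: int
    process: str
    cls: str
    message: str


def detect(lines: list[str]) -> list[Alert]:
    """Per process: one policy alert for the first IP-lookup request, then a
    trojan-class alert if that same process later opens TCP to a non-standard port."""
    events = [parse_line(l) for l in lines if l.strip()]
    alerts: list[Alert] = []
    looked_up: dict[int, str] = {}   # pid -> lookup host already seen
    for ev in events:
        if ev.kind == "http":
            host = urlsplit(ev.target).hostname or ""
            if host in IP_LOOKUP_HOSTS and ev.pid not in looked_up:
                looked_up[ev.pid] = host
                alerts.append(Alert(ev.pid, ev.process, "Potential Corporate Privacy Violation",
                                    f"External IP lookup via {host}"))
        elif ev.kind == "tcp":
            ip, _, port_s = ev.target.rpartition(":")
            port = int(port_s)
            # Escalate only when the lookup already happened in this process:
            # the lookup alone is noisy, the pairing is the RAT check-in pattern.
            if port not in EXPECTED_PORTS and ev.pid in looked_up:
                alerts.append(Alert(ev.pid, ev.process, "A Network Trojan was detected",
                                    f"IP lookup via {looked_up[ev.pid]} followed by TCP to "
                                    f"{ev.extra or ip}:{port} (non-standard port)"))
    return alerts


# Constructed log lines mirroring the report's HTTP, DNS and connection tables,
# plus one benign browser connection as a control.
SAMPLE_LOG = """
2022-12-05T18:35:01Z 3480 SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe dns ip-api.com 208.95.112.1
2022-12-05T18:35:01Z 3480 SecuriteInfo.com.SUSP_NET_NAME_ConfuserEx.10894.12908.exe http http://ip-api.com/json/ 208.95.112.1:80
2022-12-05T18:35:02Z 1204 chrome.exe tcp 203.0.113.10:443 example.org
2022-12-05T18:35:03Z 3476 rce.exe dns ip-api.com 208.95.112.1
2022-12-05T18:35:03Z 3476 rce.exe http http://ip-api.com/json/ 208.95.112.1:80
2022-12-05T18:35:04Z 3476 rce.exe dns dnuocc.com 185.216.71.78
2022-12-05T18:35:05Z 3476 rce.exe tcp 185.216.71.78:64594 dnuocc.com
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a.pid, a.process, "|", a.cls, "|", a.message)
```

On the constructed input PID 3480 earns only the policy alert (it looked up its IP and exited), PID 3476 earns the policy alert and the escalation naming dnuocc.com:64594, and chrome.exe earns nothing. In production the per-process state would need a time window and an eviction policy so a long-lived process that once touched an IP-lookup service does not stay "armed" forever.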
No debug info