File name: winsub.exe
Full analysis: https://app.any.run/tasks/55fef245-21eb-463c-8165-63007a1edee2
Verdict: Malicious activity
Threats:

Quasar is a widely used RAT, thanks to its source code being publicly available as open source. This malware can be used to control the victim's computer remotely.

Analysis date: August 24, 2024, 17:53:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: quasar
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 228C54CCA938C28F4C6EE3B3DC11BC9A
SHA1: A6BFA3EC3EA9A74602174ABBE1D44962DCBA7E7B
SHA256: 5D52A49FB099109E20C5DEA2BBD103AD4B14BB395380DCE636251D54AA4EEDAF
SSDEEP: 49152:CYEcsT90z2NkvSCmRf7uY1+DVlYZ+hHjGmt/3DgfgIzvrjLJ7SX48VtO9+zvLRoU:j2NkKCmRf7uY1+DVlYZ+hHaIDgP9uh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • QUASAR has been detected (YARA)

      • winsub.exe (PID: 6688)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • winsub.exe (PID: 6688)
  • INFO

    • Reads the computer name

      • winsub.exe (PID: 6688)
    • Checks supported languages

      • winsub.exe (PID: 6688)
    • Reads the machine GUID from the registry

      • winsub.exe (PID: 6688)
    • Reads Environment values

      • winsub.exe (PID: 6688)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Quasar

(PID) Process: (6688) winsub.exe
Version: 1.4.1
C2 (2): tech11.ddns.net:4782
Sub_Dir: SubSystem
Install_Name: SysUp.exe
Mutex: 81587dfc-35c6-4916-b3d6-30fe9b25d8bb
Startup: Windows Subsystem
Tag: Office04
LogDir: Logs
Signature: ObjdJZ3cQFTZMcBOBa8DkG9YaLuHVDYyo9+cTyJQ0H1B+4VHy3CRLOnJ2sjNLuynrusRHIo+h1nPGiu8t0wnn00kkAtrk3Za7A1OsfYcao7aIYNfsw5+puPJuEtkn+IGRCvU2ZF08vX4Qwdd8R5iHRBvgujdQqTESkdkqlyye+M1J3uUTdgFbGl3/dK1RvCkHA2WeXXZ8rjtCtM2ShptMQWBqhpJZbUYwKrn2OnYmSWHAuywnUph/j2ggVczrwnPX9PzqVwS5vQ/hwAN4JoONxdLUoKjXQT0ppO8GVOckp2v...
Certificate: MIIE9DCCAtygAwIBAgIQAN9o7PcA2GY7fF2crVxM1zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDQxNTIxMDQxMVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjFmR//aHm7pISUOpKsBUKxh6V+P0kXo6DD9xbyL6FzPuSsdws76qS/UwDReD7ZnWSQC1M+Rn...
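The block below is an added example, not code from ANY.RUN or from the Quasar project. It takes the configuration values listed above (copied from this report; the Certificate field is only the prefix the page prints) and does two things a triage analyst wants from a Quasar 1.4 config: it derives the host artifacts the client leaves behind (relative install path, mutex, Run-key value name, C2 host and port) and decodes the leading fields of the embedded server certificate with a minimal DER walker. In Quasar 1.4 that certificate is the self-signed CA the server generates on first run; the client pins it for the TLS connection and uses its public key to verify the signature over its own settings, so the CA's serial ties samples to one operator even when the C2 host changes. The install base folder is a separate client setting the report does not show, so only relative paths are emitted, and the Run-key hive is inferred from the integrity level rather than read from the sample.

```python
"""Quasar 1.4 client config -> host IOCs, plus a decode of the pinned server CA.
Added example; values are copied from the report above (Certificate is the printed prefix)."""
import base64
import re
from datetime import datetime, timezone

CONFIG = {
    "Version": "1.4.1",
    "C2": ["tech11.ddns.net:4782"],
    "Sub_Dir": "SubSystem",
    "Install_Name": "SysUp.exe",
    "Mutex": "81587dfc-35c6-4916-b3d6-30fe9b25d8bb",
    "Startup": "Windows Subsystem",
    "Tag": "Office04",
    "LogDir": "Logs",
    "Certificate": (  # truncated base64 DER, exactly as the report prints it
        "MIIE9DCCAtygAwIBAgIQAN9o7PcA2GY7fF2crVxM1zANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBR"
        "dWFzYXIgU2VydmVyIENBMCAXDTI0MDQxNTIxMDQxMVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQD"
        "DBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAjFmR//aHm7pI"
        "SUOpKsBUKxh6V+P0kXo6DD9xbyL6FzPuSsdws76qS/UwDReD7ZnWSQC1M+Rn..."
    ),
}
SIG_ALGS = {"1.2.840.113549.1.1.11": "sha256WithRSA", "1.2.840.113549.1.1.13": "sha512WithRSA"}


def der_tlv(buf, pos):
    """One DER TLV at pos -> (tag, declared_len, value, next_pos). With a truncated
    buffer the value is shorter than declared_len; the header is still parsed correctly."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, buf[pos:pos + length], pos + length


def der_children(body):
    """TLVs directly inside a constructed value (a truncated last child is kept)."""
    out, pos = [], 0
    while pos + 2 <= len(body):
        tag, length, value, pos = der_tlv(body, pos)
        out.append((tag, length, value))
    return out


def decode_oid(raw):
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def name_cn(name):
    """First commonName (2.5.4.3) of an X.501 Name: SEQUENCE OF SET OF (OID, value)."""
    for _, _, rdn in der_children(name):
        for _, _, atv in der_children(rdn):
            (_, _, oid), (_, _, val) = der_children(atv)
            if decode_oid(oid) == "2.5.4.3":
                return val.decode("utf-8")
    return None


def asn1_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_cert_prefix(b64):
    """Issuer, subject, validity, signature algorithm and RSA size from a (possibly
    truncated) base64 DER certificate; only the leading TBS fields are needed."""
    b64 = re.sub(r"[^A-Za-z0-9+/=]", "", b64)            # drop the report's trailing "..."
    raw = base64.b64decode(b64[: len(b64) - len(b64) % 4])
    _, _, cert, _ = der_tlv(raw, 0)                      # Certificate ::= SEQUENCE
    _, _, tbs, _ = der_tlv(cert, 0)                      # tbsCertificate
    _, serial, sig, issuer, validity, subject, spki = der_children(tbs)[:7]
    not_before, not_after = der_children(validity[2])
    _, pubkey = der_children(spki[2])                    # (AlgorithmIdentifier, BIT STRING)
    _, _, rsa_key, _ = der_tlv(pubkey[2], 1)             # skip the unused-bits octet
    _, mod_len, mod, _ = der_tlv(rsa_key, 0)             # RSAPublicKey.modulus INTEGER
    issuer_cn, subject_cn = name_cn(issuer[2]), name_cn(subject[2])
    return {
        "serial": serial[2].hex(),
        "sig_alg": SIG_ALGS.get(decode_oid(der_children(sig[2])[0][2]), "other"),
        "issuer_cn": issuer_cn,
        "subject_cn": subject_cn,
        "self_signed": issuer_cn == subject_cn,
        "not_before": asn1_time(not_before[0], not_before[2]),
        "not_after": asn1_time(not_after[0], not_after[2]),
        "rsa_bits": (mod_len - (1 if mod[:1] == b"\x00" else 0)) * 8,
    }


def host_artifacts(cfg, elevated=False):
    """Host-side IOCs for a Quasar 1.4 client built with these settings. The install base
    folder is a client setting the report does not show, so paths are relative; the Run
    key is HKCU unless the client runs elevated (this run was MEDIUM integrity)."""
    hive = "HKLM" if elevated else "HKCU"
    return {
        "install_relpath": f"{cfg['Sub_Dir']}\\{cfg['Install_Name']}",
        "mutex": cfg["Mutex"],
        "run_key": hive + r"\Software\Microsoft\Windows\CurrentVersion\Run",
        "run_value_name": cfg["Startup"],
        "log_dir_name": cfg["LogDir"],
        "c2": [(h.rsplit(":", 1)[0], int(h.rsplit(":", 1)[1])) for h in cfg["C2"]],
    }


if __name__ == "__main__":
    for k, v in {**parse_cert_prefix(CONFIG["Certificate"]), **host_artifacts(CONFIG)}.items():
        print(f"{k:16} {v}")
```

On this sample the decoded prefix gives a self-signed "Quasar Server CA" with a 4096-bit RSA key, signed with SHA-512, valid from 2024-04-15 21:04:11 UTC to the end of 9999 (the GeneralizedTime 99991231235959Z). The serial number is the value to pivot on across other Quasar builds; a full fingerprint needs the complete certificate, which the report truncates.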
TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:03:12 16:16:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 3261952
InitializedDataSize: 3584
UninitializedDataSize: -
EntryPoint: 0x31e40e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.4.1.0
ProductVersionNumber: 1.4.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Quasar Client
FileVersion: 1.4.1
InternalName: Client.exe
LegalCopyright: Copyright © MaxXor 2023
LegalTrademarks: -
OriginalFileName: Client.exe
ProductName: Quasar
ProductVersion: 1.4.1
AssemblyVersion: 1.4.1.0
All screenshots are available in the full report
Total processes: 124
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → winsub.exe (#QUASAR, no specs)

Process information

PID: 6688
CMD: "C:\Users\admin\Desktop\winsub.exe"
Path: C:\Users\admin\Desktop\winsub.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Quasar Client
Version: 1.4.1
Modules
Images
c:\users\admin\desktop\winsub.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 347
Read events: 347
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 0
TCP/UDP connections: 14
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process              IP:port                Domain                           ASN                          CN  Reputation
-     -                    192.168.100.255:138    -                                -                            -   whitelisted
4876  svchost.exe          40.127.240.158:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
6000  RUXIMICS.exe         40.127.240.158:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
2120  MoUsoCoreWorker.exe  40.127.240.158:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
3888  svchost.exe          239.255.255.250:1900   -                                -                            -   whitelisted
4324  svchost.exe          40.127.240.158:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown

None of the listed connections belong to winsub.exe (PID 6688): they are Windows telemetry to settings-win.data.microsoft.com, a NetBIOS broadcast (port 138) and SSDP multicast (239.255.255.250:1900). The C2 from the extracted config, tech11.ddns.net:4782, does not appear in the listed connections or DNS requests.

DNS requests

Domain                           IP              Reputation
settings-win.data.microsoft.com  40.127.240.158  whitelisted
google.com                       142.250.74.206  whitelisted
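Added example, not part of the ANY.RUN report: because the C2 in the extracted config is a hostname rather than an IP, a connection log on its own cannot show a beacon; the DNS answer has to be joined back to the flow first. The function below builds an answer-IP-to-name map from DNS records, then flags connections that resolve to the configured C2, use Quasar's default server port 4782, or come from the sample's PID. The records are a constructed plain-text format holding the rows from the tables above, followed by constructed lines (DNS answers to documentation addresses, a connection from PID 6688, and a look-alike dynamic-DNS flow) showing what a beacon would have looked like; the report's own rows produce no hits.

```python
"""Hunt for the configured Quasar C2 across DNS and connection records.
Added example; the report rows are copied from the tables above, the beacon lines are constructed."""

C2 = {("tech11.ddns.net", 4782)}           # host:port from the extracted config
QUASAR_DEFAULT_PORT = 4782                  # Quasar server default listening port
SAMPLE_PID = 6688                           # winsub.exe in this sandbox run
DYN_DNS_SUFFIXES = (".ddns.net",)           # the dynamic-DNS provider used by this C2

# Constructed plain-text log: "DNS <query> <answer_ip>" and "CONN <pid> <process> <ip:port>".
REPORT_LOG = """\
DNS settings-win.data.microsoft.com 40.127.240.158
DNS google.com 142.250.74.206
CONN - - 192.168.100.255:138
CONN 4876 svchost.exe 40.127.240.158:443
CONN 6000 RUXIMICS.exe 40.127.240.158:443
CONN 2120 MoUsoCoreWorker.exe 40.127.240.158:443
CONN 3888 svchost.exe 239.255.255.250:1900
CONN 4324 svchost.exe 40.127.240.158:443
"""
# Constructed continuation: a beacon to the configured C2 and a look-alike dynamic-DNS
# flow. 203.0.113.10 and 198.51.100.7 are documentation addresses, not real answers.
BEACON_LOG = REPORT_LOG + """\
DNS tech11.ddns.net 203.0.113.10
CONN 6688 winsub.exe 203.0.113.10:4782
DNS other-host.ddns.net 198.51.100.7
CONN 1234 notepad.exe 198.51.100.7:443
"""


def parse_log(text):
    """Split the log into an answer-IP -> queried-name map and a list of connections."""
    dns, conns = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, *rest = line.split()
        if kind == "DNS":
            query, answer = rest
            dns[answer] = query
        elif kind == "CONN":
            pid, proc, dst = rest
            ip, port = dst.rsplit(":", 1)
            conns.append({"pid": None if pid == "-" else int(pid), "proc": proc,
                          "ip": ip, "port": int(port)})
    return dns, conns


def hunt(text):
    """Flag connections that resolve to the C2, use Quasar's port, or come from the sample."""
    dns, conns = parse_log(text)
    hits = []
    for c in conns:
        name = dns.get(c["ip"])                # join the DNS answer back to the flow
        reasons = []
        if (name, c["port"]) in C2:
            reasons.append("c2")
        elif name and name.endswith(DYN_DNS_SUFFIXES):
            reasons.append("dyn-dns")
        if c["port"] == QUASAR_DEFAULT_PORT:
            reasons.append("quasar-port")
        if c["pid"] == SAMPLE_PID:
            reasons.append("sample-pid")
        if reasons:
            hits.append({**c, "name": name, "reasons": reasons})
    return hits


if __name__ == "__main__":
    print("report rows:", hunt(REPORT_LOG))   # [] : no C2 traffic was captured in this run
    for h in hunt(BEACON_LOG):
        print(h)
```

The dynamic-DNS suffix match is deliberately a weaker, separate reason: a `.ddns.net` name that is not the configured C2 is worth a look but is not proof, while a flow from the sample's PID to the configured host on 4782 carries all three reasons at once.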

Threats

No threats detected