File name: | ConsoleSniffer v3 - Password is bob |
Full analysis: | https://app.any.run/tasks/e4483d43-e35d-4f81-bfb3-cefa687b4317 |
Verdict: | Malicious activity |
Threats: | Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. |
Analysis date: | May 20, 2022, 16:10:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | FEC028CA2FB7F3342B756F26FA329D92 |
SHA1: | C4B83D141DBE3116CD2B1CE71F2C1A45CBBF12BD |
SHA256: | 746BB20E63673B15720E6430186EA787422E4DE6E3A7FBA1D9B8799A30970754 |
SSDEEP: | 196608:yts0F/7CrHvJW+0sdG1pV4TA7wkdtnv3baSqPoI6KJ:EZFCLy7WTA7wOcSqQI6KJ |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2992 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ConsoleSniffer v3 - Password is bob.rar" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
1780 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2992.23360\ConsoleSniffer v3\ConsoleSniffer\ConsoleSniffer.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2992.23360\ConsoleSniffer v3\ConsoleSniffer\ConsoleSniffer.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
1632 | "C:\Users\admin\AppData\Local\Temp\boom.exe" | C:\Users\admin\AppData\Local\Temp\boom.exe | ConsoleSniffer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
908 | "C:\Users\admin\AppData\Local\Temp\test.exe" | C:\Users\admin\AppData\Local\Temp\test.exe | boom.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2344 | "C:\Users\admin\AppData\Local\Temp\ConsoleSniffer v3.exe" | C:\Users\admin\AppData\Local\Temp\ConsoleSniffer v3.exe | — | test.exe | |||||||||||
User: admin Company: Microsoft Integrity Level: MEDIUM Description: IP Grabber Exit code: 3221226540 Version: 1.0.0.0 Modules
| |||||||||||||||
3040 | "C:\Users\admin\AppData\Local\Temp\ConsoleSniffer v3.exe" | C:\Users\admin\AppData\Local\Temp\ConsoleSniffer v3.exe | test.exe | ||||||||||||
User: admin Company: Microsoft Integrity Level: HIGH Description: IP Grabber Exit code: 3762504530 Version: 1.0.0.0 Modules
| |||||||||||||||
3000 | "C:\Users\admin\AppData\Local\Temp\WindowsStartup.exe" | C:\Users\admin\AppData\Local\Temp\WindowsStartup.exe | test.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.3.0.0 Modules
| |||||||||||||||
3316 | "regedit.exe" "C:\Users\admin\AppData\Local\Temp\Defender.reg" | C:\Windows\regedit.exe | — | test.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Editor Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3832 | "regedit.exe" "C:\Users\admin\AppData\Local\Temp\Defender.reg" | C:\Windows\regedit.exe | test.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Editor Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2036 | "C:\Users\admin\AppData\Roaming\WindowsRep\WindowsRun.exe" | C:\Users\admin\AppData\Roaming\WindowsRep\WindowsRun.exe | WindowsStartup.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Version: 1.3.0.0 Modules
Quasar(PID) Process(2036) WindowsRun.exe Certificate Signature LogDirLogs TagTarget StartupWindowsRuntiime MutexQSR_MUTEX_mXJYTiCQWK23RFk8eh Install_NameWindowsRun.exe Sub_DirWindowsRep C2 (2)185.217.1.170:56098 Version1.3.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2992 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2992.23360\ConsoleSniffer v3\ConsoleSniffer\PS3Lib.dll | executable | |
MD5:E2591C9BE92CD8F098027885306833AA | SHA256:F7E015454587C29AFF65C82569E629955EB5E52A3A85B4F3677F9F1BC8AB7500 | |||
908 | test.exe | C:\Users\admin\AppData\Local\Temp\WindowsStartup.exe | executable | |
MD5:AA52E7CD8B83AE71AE42F3652F8CD46E | SHA256:93B8D133BEAAD4361ADCF0B800D0001D187EC7BA33678DC93E678729CF345775 | |||
2992 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2992.23360\ConsoleSniffer v3\ConsoleSniffer\INFORMATIONS by lB_U_Z_Z_A_R_Dl.txt | text | |
MD5:4F28D7FDB3DFA2A177C76389A4DD1CC3 | SHA256:84C7DAA41D0B65F1D0AE6AD2813F1E7D6FD3565C78E9CBFA2D9C59100181045A | |||
2992 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2992.23360\ConsoleSniffer v3\ConsoleSniffer\ConsoleSniffer.exe | executable | |
MD5:DF5A226B6C70691C85CBF776A17FD221 | SHA256:7E5E87FAF066201221548D5A8912582D7CDFF43DAC06331B68AA81A072F8BD21 | |||
2992 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2992.23360\ConsoleSniffer v3\ConsoleSniffer\PcapDotNet.Packets.dll | executable | |
MD5:8CC42BD7D00F047ED71A5BAE500F4EC9 | SHA256:C91619C54D3783DB57C6ED446049BEBBE04D42D90304A30B098DCA6E6E546BBF | |||
1632 | boom.exe | C:\Users\admin\AppData\Local\Temp\test.exe | executable | |
MD5:6D7B4A02338F2DB020D064BE2DA34F4B | SHA256:0926E4FA50CEF7D9A7F3E58F31E7FD312F1691AC3E31B16D912F698A8F089C57 | |||
2992 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2992.23360\ConsoleSniffer v3\ConsoleSniffer\PcapDotNet.Analysis.dll | executable | |
MD5:894D0649D55E0813BF5D0F0FB96F3C99 | SHA256:1F4F96A4DCED09133AEE3BD028CC35B5FBD3D642190ABF5611016920CD9CE260 | |||
908 | test.exe | C:\Users\admin\AppData\Local\Temp\ConsoleSniffer v3.exe | executable | |
MD5:C9D05CC5FDF23E5D067AF249072D2163 | SHA256:F74852B1CABF3A967BBF7CFCE1DC5560275FD170F84BD79061A3A6C043B1DCB9 | |||
2992 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2992.23360\ConsoleSniffer v3\OPEN ME IF HAVING ERROR\ndp48-web.exe | executable | |
MD5:86482F2F623A52B8344B00968ADC7B43 | SHA256:2C7530EDBF06B08A0B9F4227C24EC37D95F3998EE7E6933AE22A9943D0ADFA57 | |||
2992 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2992.23360\ConsoleSniffer v3\ConsoleSniffer\Win10Pcap-v10.2-5002.msi | executable | |
MD5:4B68F0C956907999AB9B7DCA9B23FB94 | SHA256:CE1169C7CAC4BC9BC45E159CEC069F0AB57C42FC3F636456A2E404CC6B91E855 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3000 | WindowsStartup.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | binary | 286 b | shared |
2036 | WindowsRun.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | binary | 286 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2036 | WindowsRun.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
3000 | WindowsStartup.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
2036 | WindowsRun.exe | 185.217.1.170:56098 | — | Icme Limited | SE | malicious |
— | — | 185.217.1.170:56098 | — | Icme Limited | SE | malicious |
Domain | IP | Reputation |
---|---|---|
ip-api.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3000 | WindowsStartup.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3000 | WindowsStartup.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
2036 | WindowsRun.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
2036 | WindowsRun.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |