download: | uc |
Full analysis: | https://app.any.run/tasks/e37b6039-cdac-43bf-aeb2-51ce063c15a3 |
Verdict: | Malicious activity |
Threats: | Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. |
Analysis date: | March 31, 2020, 10:38:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | C66A2E50B863EA4EB7A9C41C424EC388 |
SHA1: | 33F055CAE06B6C5288B30D7660EB77DB5EE58FA7 |
SHA256: | 766E21A9B38D3A8C80733EB9AECF8F39127F9D9F483D253F284BF24C17594D74 |
SSDEEP: | 1536:J/I7opDm5yPPHqVbSHihV7EBLKnUG57pZ1:JAOx3hHivYBLKDP1 |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2192 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\uc.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1092 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2192.45151\Btc2048 Game.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2192.45151\Btc2048 Game.exe | WinRAR.exe | |
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0 | ||||
3860 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe | Btc2048 Game.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: AddInProcess.exe Exit code: 0 Version: 4.7.3062.0 built by: NET472REL1 | ||||
580 | cmd /c ""C:\Users\admin\AppData\Local\Temp\Remove.bat" "3860" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"" | C:\Windows\system32\cmd.exe | — | AddInProcess.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2868 | taskkill /F /PID "3860" | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3612 | choice /C Y /N /D Y /T 3 | C:\Windows\system32\choice.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Offers the user a choice Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3860 | AddInProcess.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_47.5083750+01_002222 | sqlite | |
MD5:DD9640AF5F03807CF2E3921CBA16AF0D | SHA256:ECF72C454FEF08C5948A565464839A554567E499F995483D6C8B54B32EA2C5F0 | |||
3860 | AddInProcess.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_48.1177500+01_002222 | sqlite | |
MD5:E812B5AAA4AB657D430A930438DD0E7C | SHA256:153A35F475F8B6AB4AE389DA8BE3AB7557250C46CE410C8D2C884C8AB418808F | |||
3860 | AddInProcess.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_48.1021250+01_002222 | sqlite | |
MD5:E812B5AAA4AB657D430A930438DD0E7C | SHA256:153A35F475F8B6AB4AE389DA8BE3AB7557250C46CE410C8D2C884C8AB418808F | |||
3860 | AddInProcess.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_47.8990000+01_002121 | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
2192 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2192.45151\Btc2048 Game.exe | executable | |
MD5:F763CC12BC5DE62C264714819F5EA9F1 | SHA256:D13F06DAD4A0D46EC05CFE9901DDDAC1EB4E8B491CFB5015634BAB8F3A31EF09 | |||
3860 | AddInProcess.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_47.4771250+01_002121 | sqlite | |
MD5:7C426E0FC19063A433349CE713DA84A0 | SHA256:9925B2D80F8A85132EF4927979B25E0B9525E8317A71FFD844980B794B04234C | |||
3860 | AddInProcess.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_47.8833750+01_002222 | sqlite | |
MD5:EEFF6A10360F51143449247286180D9B | SHA256:6FE703DE675D6AEFC85BCD464049F820A571B56D05667AB329A6D333765CE8D5 | |||
3860 | AddInProcess.exe | C:\Users\admin\AppData\Local\Temp\Remove.bat | text | |
MD5:AA5F6A4940898FAD87B5C5CA4897D554 | SHA256:BE5A0877F129F752EBB2C0D8E598864A4EE7F220A87BD751E89FC2004B06B48F | |||
3860 | AddInProcess.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_47.5083750+01_002323 | sqlite | |
MD5:AC3CDEEC2CF63B09BFF2D68FF02CAAAF | SHA256:FAC2CA86788C0380D5A61973C16CBF71064A389C6469F41CE84E425311B67BB7 | |||
3860 | AddInProcess.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_48.1177500+01_002121 | text | |
MD5:E7CE898AADD69F4E4280010B7808116E | SHA256:C9214BB54F10242AA254F0758372A440C8D8F49934021F8F08B6DF9FB377EB02 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3860 | AddInProcess.exe | GET | 101 | 151.106.30.147:2012 | http://151.106.30.147:2012/websocket | US | — | — | malicious |
3860 | AddInProcess.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | text | 321 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3860 | AddInProcess.exe | 151.106.30.147:2012 | — | — | US | malicious |
1092 | Btc2048 Game.exe | 81.177.141.72:443 | a.plsdmake.ru | JSC RTComm.RU | RU | malicious |
3860 | AddInProcess.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
Domain | IP | Reputation |
---|---|---|
a.plsdmake.ru |
| unknown |
ip-api.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3860 | AddInProcess.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3860 | AddInProcess.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
3860 | AddInProcess.exe | A Network Trojan was detected | REMOTE [PTsecurity] Quasar.RAT IP Lookup |