Sample: uc

Full analysis: https://app.any.run/tasks/e37b6039-cdac-43bf-aeb2-51ce063c15a3
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT thanks to its code being available as open source. This malware can be used to control the victim's computer remotely.

Analysis date: March 31, 2020, 10:38:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
stealer
grandsteal
evasion
rat
quasar
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: C66A2E50B863EA4EB7A9C41C424EC388
SHA1: 33F055CAE06B6C5288B30D7660EB77DB5EE58FA7
SHA256: 766E21A9B38D3A8C80733EB9AECF8F39127F9D9F483D253F284BF24C17594D74
SSDEEP: 1536:J/I7opDm5yPPHqVbSHihV7EBLKnUG57pZ1:JAOx3hHivYBLKDP1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Btc2048 Game.exe (PID: 1092)
    • GRANDSTEAL was detected
      • AddInProcess.exe (PID: 3860)
    • Stealing of credential data
      • AddInProcess.exe (PID: 3860)
    • QUASAR was detected
      • AddInProcess.exe (PID: 3860)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2192)
    • Reads Environment values
      • AddInProcess.exe (PID: 3860)
    • Reads the cookies of Google Chrome
      • AddInProcess.exe (PID: 3860)
    • Reads the cookies of Mozilla Firefox
      • AddInProcess.exe (PID: 3860)
    • Starts CMD.EXE for commands execution
      • AddInProcess.exe (PID: 3860)
    • Checks for external IP
      • AddInProcess.exe (PID: 3860)
    • Starts CHOICE.EXE (used to create a delay)
      • cmd.exe (PID: 580)
    • Uses TASKKILL.EXE to kill process
      • cmd.exe (PID: 580)
    • Searches for installed software
      • AddInProcess.exe (PID: 3860)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 42
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process chain as rendered in the report)

winrar.exe (drop and start) -> btc2048 game.exe (start) -> addinprocess.exe (#GRANDSTEAL) -> cmd.exe (no specs) -> taskkill.exe (no specs), choice.exe (no specs)

Process information

PID 2192 | WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\uc.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 1092 | Btc2048 Game.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2192.45151\Btc2048 Game.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2192.45151\Btc2048 Game.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: MEDIUM
  Description: (none)
  Exit code: 0
  Version: 0.0.0.0

PID 3860 | AddInProcess.exe
  CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
  Parent process: Btc2048 Game.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: AddInProcess.exe
  Exit code: 0
  Version: 4.7.3062.0 built by: NET472REL1

PID 580 | cmd.exe
  CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\Remove.bat" "3860" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe""
  Path: C:\Windows\system32\cmd.exe
  Parent process: AddInProcess.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2868 | taskkill.exe
  CMD: taskkill /F /PID "3860"
  Path: C:\Windows\system32\taskkill.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Terminates Processes
  Exit code: 128
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3612 | choice.exe
  CMD: choice /C Y /N /D Y /T 3
  Path: C:\Windows\system32\choice.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Offers the user a choice
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 105
Read events: 1 055
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 8

Dropped files

PID 3860 | AddInProcess.exe | Type: sqlite
  Filename: C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_47.5083750+01_002222
  MD5: DD9640AF5F03807CF2E3921CBA16AF0D
  SHA256: ECF72C454FEF08C5948A565464839A554567E499F995483D6C8B54B32EA2C5F0

PID 3860 | AddInProcess.exe | Type: sqlite
  Filename: C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_48.1177500+01_002222
  MD5: E812B5AAA4AB657D430A930438DD0E7C
  SHA256: 153A35F475F8B6AB4AE389DA8BE3AB7557250C46CE410C8D2C884C8AB418808F

PID 3860 | AddInProcess.exe | Type: sqlite
  Filename: C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_48.1021250+01_002222
  MD5: E812B5AAA4AB657D430A930438DD0E7C
  SHA256: 153A35F475F8B6AB4AE389DA8BE3AB7557250C46CE410C8D2C884C8AB418808F

PID 3860 | AddInProcess.exe | Type: sqlite
  Filename: C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_47.8990000+01_002121
  MD5: 0B3C43342CE2A99318AA0FE9E531C57B
  SHA256: 0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8

PID 2192 | WinRAR.exe | Type: executable
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2192.45151\Btc2048 Game.exe
  MD5: F763CC12BC5DE62C264714819F5EA9F1
  SHA256: D13F06DAD4A0D46EC05CFE9901DDDAC1EB4E8B491CFB5015634BAB8F3A31EF09

PID 3860 | AddInProcess.exe | Type: sqlite
  Filename: C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_47.4771250+01_002121
  MD5: 7C426E0FC19063A433349CE713DA84A0
  SHA256: 9925B2D80F8A85132EF4927979B25E0B9525E8317A71FFD844980B794B04234C

PID 3860 | AddInProcess.exe | Type: sqlite
  Filename: C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_47.8833750+01_002222
  MD5: EEFF6A10360F51143449247286180D9B
  SHA256: 6FE703DE675D6AEFC85BCD464049F820A571B56D05667AB329A6D333765CE8D5

PID 3860 | AddInProcess.exe | Type: text
  Filename: C:\Users\admin\AppData\Local\Temp\Remove.bat
  MD5: AA5F6A4940898FAD87B5C5CA4897D554
  SHA256: BE5A0877F129F752EBB2C0D8E598864A4EE7F220A87BD751E89FC2004B06B48F

PID 3860 | AddInProcess.exe | Type: sqlite
  Filename: C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_47.5083750+01_002323
  MD5: AC3CDEEC2CF63B09BFF2D68FF02CAAAF
  SHA256: FAC2CA86788C0380D5A61973C16CBF71064A389C6469F41CE84E425311B67BB7

PID 3860 | AddInProcess.exe | Type: text
  Filename: C:\Users\admin\AppData\Local\Temp\tempDataBase2020-03-31T11_38_48.1177500+01_002121
  MD5: E7CE898AADD69F4E4280010B7808116E
  SHA256: C9214BB54F10242AA254F0758372A440C8D8F49934021F8F08B6DF9FB377EB02
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID 3860 | AddInProcess.exe
  Method: GET
  HTTP Code: 101
  IP: 151.106.30.147:2012
  URL: http://151.106.30.147:2012/websocket
  CN: US
  Type: (none)
  Size: (none)
  Reputation: malicious

PID 3860 | AddInProcess.exe
  Method: GET
  HTTP Code: 200
  IP: 208.95.112.1:80
  URL: http://ip-api.com/json/
  CN: unknown
  Type: text
  Size: 321 b
  Reputation: shared

Connections

PID 3860 | AddInProcess.exe
  IP: 151.106.30.147:2012
  Domain: (none)
  ASN: (none)
  CN: US
  Reputation: malicious

PID 1092 | Btc2048 Game.exe
  IP: 81.177.141.72:443
  Domain: a.plsdmake.ru
  ASN: JSC RTComm.RU
  CN: RU
  Reputation: malicious

PID 3860 | AddInProcess.exe
  IP: 208.95.112.1:80
  Domain: ip-api.com
  ASN: IBURST
  CN: (none)
  Reputation: malicious

DNS requests

Domain: a.plsdmake.ru
  IP: 81.177.141.72
  Reputation: unknown

Domain: ip-api.com
  IP: 208.95.112.1
  Reputation: shared

Threats

PID 3860 | AddInProcess.exe
  Class: Potential Corporate Privacy Violation
  Message: ET POLICY External IP Lookup ip-api.com

PID 3860 | AddInProcess.exe
  Class: Potential Corporate Privacy Violation
  Message: AV POLICY Internal Host Retrieving External IP Address (ip-api. com)

PID 3860 | AddInProcess.exe
  Class: A Network Trojan was detected
  Message: REMOTE [PTsecurity] Quasar.RAT IP Lookup
2 ETPRO signatures available at the full report
No debug info