File name: FortniteChecker.rar

Full analysis: https://app.any.run/tasks/b22caef9-a90d-4bc0-a79e-691ea95be88f
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT, largely because its source code is openly available. This malware can be used to control the victim's computer remotely.

Analysis date: December 18, 2018, 07:29:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, trojan, rat, quasar
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 18B0B88DDF8FB6003F08C6392769A3A0
SHA1: A44FC6298C396A4CC6710581F92E6D398D678130
SHA256: 76C6A181283B9FEACB7B5DE97FFA058DEF26F1601730EB58CA5CE8FE02D7ABF3
SSDEEP: 49152:rr6BbKzjqFy598QleW5ACALWzTKIoExYJ5EivVJCs/S4a:rWBbsjqFy5IWS9WzRuFvLHS4a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • tcmChecker.exe (PID: 3292)
      • WindowsDefender.exe (PID: 3296)
      • tcmChecker.exe (PID: 3120)
      • WindowsDefender.exe (PID: 3920)
      • tcmChecker.exe (PID: 4088)
      • tcmChecker.exe (PID: 3032)
      • tcmChecker.exe (PID: 2476)
      • tcmChecker.exe (PID: 340)
      • tcmChecker.exe (PID: 3364)
      • tcmChecker.exe (PID: 2940)
      • tcmChecker.exe (PID: 3428)
      • tcmChecker.exe (PID: 3460)
      • tcmChecker.exe (PID: 2844)
      • tcmChecker.exe (PID: 3396)
      • tcmChecker.exe (PID: 3240)
      • tcmChecker.exe (PID: 1360)
      • tcmChecker.exe (PID: 3480)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 1472)
      • explorer.exe (PID: 116)
    • QUASAR was detected

      • Regasm.exe (PID: 2720)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • tcmChecker.exe (PID: 3292)
      • WinRAR.exe (PID: 2956)
      • tcmChecker.exe (PID: 4088)
    • Creates files in the user directory

      • tcmChecker.exe (PID: 3292)
    • Starts itself from another location

      • tcmChecker.exe (PID: 3292)
      • tcmChecker.exe (PID: 4088)
    • Checks for external IP

      • Regasm.exe (PID: 2720)
    • Connects to unusual port

      • Regasm.exe (PID: 2720)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 126261
UncompressedSize: 338944
OperatingSystem: Win32
ModifyDate: 2018:09:21 17:39:00
PackingMethod: Normal
ArchivedFileName: FortniteChecker\api.dll
No data.
Total processes: 65
Monitored processes: 36
Malicious processes: 5
Suspicious processes: 2

Behavior graph

(Interactive process graph: WinRAR.exe -> tcmChecker.exe -> WindowsDefender.exe -> Regasm.exe, tagged #QUASAR; not reproduced in this text export.)

Process information

PID: 2956
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\FortniteChecker.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Exit code: 0 | Version: 5.60.0

PID: 1472
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Microsoft Windows Search Protocol Host | Exit code: 0 | Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 3292
CMD: "C:\Users\admin\Desktop\FortniteChecker\tcmChecker.exe"
Path: C:\Users\admin\Desktop\FortniteChecker\tcmChecker.exe
Parent process: explorer.exe
User: admin | Company: VLC media player | Integrity Level: MEDIUM | Description: vlc | Exit code: 0 | Version: 3.0.3.0

PID: 3296
CMD: "C:\Users\admin\AppData\Roaming\WindowsDefender.exe"
Path: C:\Users\admin\AppData\Roaming\WindowsDefender.exe
Parent process: tcmChecker.exe
User: admin | Company: VLC media player | Integrity Level: MEDIUM | Description: vlc | Exit code: 0 | Version: 3.0.3.0

PID: 2720
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
Parent process: WindowsDefender.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft .NET Assembly Registration Utility | Exit code: (still running) | Version: 4.6.1055.0 built by: NETFXREL2

PID: 116
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
Parent process: (not recorded)
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Explorer | Exit code: (still running) | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 4088
CMD: "C:\Users\admin\Desktop\FortniteChecker\tcmChecker.exe"
Path: C:\Users\admin\Desktop\FortniteChecker\tcmChecker.exe
Parent process: explorer.exe
User: admin | Company: VLC media player | Integrity Level: MEDIUM | Description: vlc | Exit code: 0 | Version: 3.0.3.0

PID: 3920
CMD: "C:\Users\admin\AppData\Roaming\WindowsDefender.exe"
Path: C:\Users\admin\AppData\Roaming\WindowsDefender.exe
Parent process: tcmChecker.exe
User: admin | Company: VLC media player | Integrity Level: MEDIUM | Description: vlc | Exit code: 0 | Version: 3.0.3.0

PID: 3120
CMD: "C:\Users\admin\Desktop\FortniteChecker\tcmChecker.exe"
Path: C:\Users\admin\Desktop\FortniteChecker\tcmChecker.exe
Parent process: explorer.exe
User: admin | Company: VLC media player | Integrity Level: MEDIUM | Description: vlc | Exit code: 0 | Version: 3.0.3.0

PID: 2620
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
Parent process: WindowsDefender.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft .NET Assembly Registration Utility | Exit code: 4294967295 | Version: 4.6.1055.0 built by: NETFXREL2
Total events: 2 931
Read events: 2 796
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 12
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2956.18409\FortniteChecker\tcmChecker.exe | executable
    MD5: D6F96F55CFCCC4CB07DA27193EBC026F | SHA256: 02B9BA599573DC50C40BB07B7226DB2E85F71DE3D4EB995531D5147D07A852BF
116 | explorer.exe | C:\Users\admin\Desktop\FortniteChecker\Connection.dll | executable
    MD5: 8152E9D15C022E601EFA9DA3A3BEFD71 | SHA256: 4457EF2BA0D3B802CDC5384F044C9CBDDAB6FC8B25AAD794B4BCE3249D106054
116 | explorer.exe | C:\Users\admin\Desktop\FortniteChecker\api.dll | executable
    MD5: 8152E9D15C022E601EFA9DA3A3BEFD71 | SHA256: 4457EF2BA0D3B802CDC5384F044C9CBDDAB6FC8B25AAD794B4BCE3249D106054
3292 | tcmChecker.exe | C:\Users\admin\AppData\Roaming\WindowsDefender.exe | executable
    MD5: D6F96F55CFCCC4CB07DA27193EBC026F | SHA256: 02B9BA599573DC50C40BB07B7226DB2E85F71DE3D4EB995531D5147D07A852BF
4088 | tcmChecker.exe | C:\Users\admin\AppData\Roaming\WindowsDefender.exe | executable
    MD5: D6F96F55CFCCC4CB07DA27193EBC026F | SHA256: 02B9BA599573DC50C40BB07B7226DB2E85F71DE3D4EB995531D5147D07A852BF
116 | explorer.exe | C:\Users\admin\Desktop\FortniteChecker\tcmChecker.exe | executable
    MD5: D6F96F55CFCCC4CB07DA27193EBC026F | SHA256: 02B9BA599573DC50C40BB07B7226DB2E85F71DE3D4EB995531D5147D07A852BF
2956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2956.18409\FortniteChecker\api.dll | executable
    MD5: 8152E9D15C022E601EFA9DA3A3BEFD71 | SHA256: 4457EF2BA0D3B802CDC5384F044C9CBDDAB6FC8B25AAD794B4BCE3249D106054
2956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2956.18409\FortniteChecker\Connection.dll | executable
    MD5: 8152E9D15C022E601EFA9DA3A3BEFD71 | SHA256: 4457EF2BA0D3B802CDC5384F044C9CBDDAB6FC8B25AAD794B4BCE3249D106054
2956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2956.18409\FortniteChecker\xNet.dll | executable
    MD5: 3DF8D87A482EFAD957D83819ADB3020F | SHA256: 2AC175B4D44245EE8E7AEE9CC36DF86925EF903D8516F20A2C51D84E35F23DA4
116 | explorer.exe | C:\Users\admin\Desktop\FortniteChecker\SkinSoft.VisualStyler.dll | executable
    MD5: 2D84A619D4BD339F860CB48AF0C9B6C8 | SHA256: 365FFDE7DF914840EB21C96F34C39912A4B031E3814B8E902B67ACEE6DFF65A1
HTTP(S) requests: 1
TCP/UDP connections: 5
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2720 | Regasm.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 347 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2720 | Regasm.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown
2720 | Regasm.exe | 5.2.67.66:3124 | (none) | Liteserver VOF | NL | malicious

DNS requests

Domain | IP | Reputation
ip-api.com | 185.194.141.58 | shared
dns.msftncsi.com | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
2720 | Regasm.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
2720 | Regasm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar 1.3 RAT IP Lookup ip-api.com (HTTP headeer)
Process | Message
tcmChecker.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
tcmChecker.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
tcmChecker.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
tcmChecker.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
tcmChecker.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
tcmChecker.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
tcmChecker.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
tcmChecker.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
WindowsDefender.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
WindowsDefender.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391