File name: | Cat.jpg.zip |
Full analysis: | https://app.any.run/tasks/de259f24-2d65-48d4-8eb6-b08b94b3d8bd |
Verdict: | Malicious activity |
Threats: | Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. |
Analysis date: | September 30, 2020, 10:11:27 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 2C0F9DE7626F5C23FE8F4FB271728CE3 |
SHA1: | 3D5A11FC836FBD8113D06FA80D8A03F215ADB639 |
SHA256: | 7FB2335E6267BEC98739BEFFC898A1C2A446798E9AFF044F56ADAB145D201053 |
SSDEEP: | 6144:niCCtcMgxRsSiqtVxYjwJc3B7AJoB68g7MyP6d32niRM7+9tE6BYPTCUYmKl8N2V:niCCyvsSfVxYjwJcKJ2g7MyPLnYM2E6B |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Cat.jpg |
---|---|
ZipUncompressedSize: | 663552 |
ZipCompressedSize: | 380511 |
ZipCRC: | 0x2bcd9bc6 |
ZipModifyDate: | 2020:09:30 10:08:15 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2452 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Cat.jpg.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3160 | "C:\Users\admin\Desktop\Cat.jpg.exe" | C:\Users\admin\Desktop\Cat.jpg.exe | explorer.exe | |
User: admin Company: buffer Integrity Level: MEDIUM Description: combatantdisconnect Exit code: 0 Version: 9.27.71.6 | ||||
3008 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2524 | "C:\Users\admin\AppData\Roaming\$77-WindowsUpdate.exe" | C:\Users\admin\AppData\Roaming\$77-WindowsUpdate.exe | Cat.jpg.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 2.1.0.0 | ||||
980 | "C:\Users\admin\AppData\Roaming\Windows\Windows.exe" | C:\Users\admin\AppData\Roaming\Windows\Windows.exe | $77-WindowsUpdate.exe | |
User: admin Integrity Level: MEDIUM Version: 2.1.0.0 | ||||
2200 | cmd /c ""C:\Users\admin\AppData\Local\Temp\dtA9D1Ec5TM7.bat" " | C:\Windows\system32\cmd.exe | — | $77-WindowsUpdate.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2164 | chcp 65001 | C:\Windows\system32\chcp.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2844 | ping -n 10 localhost | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3952 | "C:\Users\admin\AppData\Roaming\$77-WindowsUpdate.exe" | C:\Users\admin\AppData\Roaming\$77-WindowsUpdate.exe | — | cmd.exe |
User: admin Integrity Level: MEDIUM Version: 2.1.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2452 | WinRAR.exe | C:\Users\admin\Desktop\Cat.jpg | executable | |
MD5:68125A7F390CAE7D4B25FC95C949E3C8 | SHA256:B41C9BD430DCB90F05AB42035D22FB3A4D7040A401E8CB1BC7466146539A801E | |||
3160 | Cat.jpg.exe | C:\Users\admin\AppData\Roaming\576px-Catting.jpg | image | |
MD5:5550738ED85E60534EB2A92CD4B06330 | SHA256:1D5A938D3F066ADE33B44AB068F25B4242CD93F821C4E1076048D6D1F449FD6A | |||
2524 | $77-WindowsUpdate.exe | C:\Users\admin\AppData\Local\Temp\dtA9D1Ec5TM7.bat | text | |
MD5:27161DE4CCFD104618214E5DD4B3AFD5 | SHA256:DAE1C046CA5CB7B938E1BB0B40A9E83E2B7F2E42D5C16F939C240CF44DCBF90B | |||
2524 | $77-WindowsUpdate.exe | C:\Users\admin\AppData\Roaming\Windows\Windows.exe | executable | |
MD5:16BD9B497618025A7D84ED99266587C6 | SHA256:BE036F9D723D01102D62E0545181EC42820E18D14EFE3B8670BB201D879F42CF | |||
3160 | Cat.jpg.exe | C:\Users\admin\AppData\Roaming\$77-WindowsUpdate.exe | executable | |
MD5:16BD9B497618025A7D84ED99266587C6 | SHA256:BE036F9D723D01102D62E0545181EC42820E18D14EFE3B8670BB201D879F42CF | |||
980 | Windows.exe | C:\Users\admin\AppData\Roaming\Logs\09-30-2020 | binary | |
MD5:A440F90B79193597A8ADACEA506D2EC0 | SHA256:7FC2E745C0E6D9568DB7252D7BDEEB68AE216B37FF13043E856DD53B86FE591D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
980 | Windows.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | text | 258 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2524 | $77-WindowsUpdate.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
980 | Windows.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
2524 | $77-WindowsUpdate.exe | 145.14.145.179:443 | payloads-poison.000webhostapp.com | Hostinger International Limited | US | shared |
980 | Windows.exe | 193.161.193.99:45152 | — | OOO Bitree Networks | RU | malicious |
Domain | IP | Reputation |
---|---|---|
ip-api.com |
| shared |
payloads-poison.000webhostapp.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |
2524 | $77-WindowsUpdate.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
2524 | $77-WindowsUpdate.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
2524 | $77-WindowsUpdate.exe | A Network Trojan was detected | REMOTE [PTsecurity] Quasar.RAT IP Lookup |
2524 | $77-WindowsUpdate.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com) |
980 | Windows.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
980 | Windows.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
980 | Windows.exe | A Network Trojan was detected | REMOTE [PTsecurity] Quasar.RAT IP Lookup |
980 | Windows.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 404 |
980 | Windows.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 404 |