File name: | 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4 |
Full analysis: | https://app.any.run/tasks/7f7ba9da-08d6-4aff-8f5d-60565085d8d2 |
Verdict: | Malicious activity |
Threats: | Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. |
Analysis date: | October 05, 2022, 04:01:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS |
MD5: | 68BDCFEBBAF69A608A897BA4953B00C4 |
SHA1: | DEC72D5F75F5EF39AE9DFC0F33AE4BE651711C46 |
SHA256: | 8ACD197DBF6D137ACB5929A693166A2731EF4D6427DF26A14B3C9127708841D4 |
SSDEEP: | 3072:TWKPaurkkakHDetyLMZyJitMe5QPIpTh/XQtZDuxKIgnrjiP:iKPFkbkjsyyrWeyCQtZSxKIgi |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2010-Dec-09 18:58:13 |
Comments: | - |
CompanyName: | - |
FileDescription: | - |
FileVersion: | 1.3.0.0 |
InternalName: | Client.exe |
LegalCopyright: | - |
LegalTrademarks: | - |
OriginalFilename: | Client.exe |
ProductName: | - |
ProductVersion: | 1.3.0.0 |
Assembly Version: | 1.3.0.0 |
e_magic: | MZ |
---|---|
e_cblp: | 64 |
e_cp: | 1 |
e_crlc: | - |
e_cparhdr: | 2 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | 46080 |
e_oeminfo: | 52489 |
e_lfanew: | 64 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2010-Dec-09 18:58:13 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 8192 | 3684 | 4096 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.25826 |
.rsrc | 16384 | 2048 | 2048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.81773 |
.reloc | 24576 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.39349 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.17881 | 724 | UNKNOWN | UNKNOWN | RT_VERSION |
1 (#2) | 5.18749 | 1144 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3176 | "C:\Users\admin\Desktop\8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe" | C:\Users\admin\Desktop\8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.3.0.0 Modules
| |||||||||||||||
1228 | "C:\Users\admin\AppData\Roaming\SubDir\svchost.exe" | C:\Users\admin\AppData\Roaming\SubDir\svchost.exe | 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Version: 1.3.0.0 Modules
Quasar(PID) Process(1228) svchost.exe Certificate Signature LogDirLogs TagOffice04 StartupQuasar Client Startup Mutex2bAat10kmKEjUFevvg Install_Namesvchost.exe Sub_DirSubDir C2 (2)thedroidomania.ddns.net:1337 Version1.4.0.0 | |||||||||||||||
2680 | "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\admin\AppData\Roaming\SubDir\svchost.exe" /sc MINUTE /MO 1 | C:\Windows\System32\schtasks.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
808 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
4092 | C:\Users\admin\AppData\Roaming\SubDir\svchost.exe | C:\Users\admin\AppData\Roaming\SubDir\svchost.exe | — | taskeng.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.3.0.0 Modules
| |||||||||||||||
3776 | "C:\Users\admin\Desktop\8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe" | C:\Users\admin\Desktop\8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.3.0.0 Modules
| |||||||||||||||
2004 | C:\Users\admin\AppData\Roaming\SubDir\svchost.exe | C:\Users\admin\AppData\Roaming\SubDir\svchost.exe | — | taskeng.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.3.0.0 Modules
|
(PID) Process: | (3176) 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3176) 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3176) 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: | |||
(PID) Process: | (3176) 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
(PID) Process: | (3176) 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (3176) 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (3176) 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3176) 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3176) 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: | |||
(PID) Process: | (3176) 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS |
Operation: | write | Name: | ConsoleTracingMask |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
3176 | 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | C:\Users\admin\AppData\Roaming\SubDir\svchost.exe | executable | |
MD5:68BDCFEBBAF69A608A897BA4953B00C4 | SHA256:8ACD197DBF6D137ACB5929A693166A2731EF4D6427DF26A14B3C9127708841D4 | |||
1228 | svchost.exe | C:\Users\admin\AppData\Roaming\Logs\10-05-2022 | ini | |
MD5:1BA786FA5FAEB088819E32849C184119 | SHA256:27DF2DB4821424A62F1908848A0D084A21677282E455BB8888F180DB5761E652 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1228 | svchost.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | binary | 257 b | shared |
3176 | 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | binary | 257 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1228 | svchost.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | malicious |
1228 | svchost.exe | 103.31.103.32:1337 | thedroidomania.ddns.net | Cyber Internet Services Pvt Ltd. | PK | unknown |
3176 | 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | malicious |
— | — | 103.31.103.32:1337 | thedroidomania.ddns.net | Cyber Internet Services Pvt Ltd. | PK | unknown |
Domain | IP | Reputation |
---|---|---|
ip-api.com |
| shared |
thedroidomania.ddns.net |
| malicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3176 | 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3176 | 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | A Network Trojan was detected | ET TROJAN Common RAT Connectivity Check Observed |
3176 | 8acd197dbf6d137acb5929a693166a2731ef4d6427df26a14b3c9127708841d4.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
1228 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
1228 | svchost.exe | A Network Trojan was detected | ET TROJAN Common RAT Connectivity Check Observed |
1228 | svchost.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |