File name:	payload.exe
Full analysis:	https://app.any.run/tasks/f479d646-a56a-493b-a1a7-8911b47a3a27
Verdict:	Malicious activity
Threats:	Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. Malware Trends Tracker >>>
Analysis date:	April 12, 2025, 10:55:29
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	github evasion uac golang quasar
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 15 sections
MD5:	CAE4409D8B36C442A10419796086C47F
SHA1:	2C44970C94E5899AFB95B7A77CB9003D9B5E31FA
SHA256:	8AD7D50075F254B758085711870AF8F7172346526662FD1174E48355F776A119
SSDEEP:	98304:krXenLxbam/S4tVl1s4JE7N3maaOhqa5DtiuXOVMvpNCJ6ZSCEKTDOLlMpbKuFBG:fG7yt

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	3
CodeSize:	2580480
InitializedDataSize:	304128
UninitializedDataSize:	-
EntryPoint:	0x772a0
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows command line


(PID) Process:	(7864) payload.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\payload_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7864) payload.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\payload_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7864) payload.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\payload_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7864) payload.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\payload_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(7864) payload.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\payload_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(7864) payload.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\payload_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(7864) payload.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\payload_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(7864) payload.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\payload_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7864) payload.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\payload_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7864) payload.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\payload_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
7864	payload.exe	C:\Users\admin\AppData\Roaming\temp\Client.exe		executable
		MD5:CAE4409D8B36C442A10419796086C47F	SHA256:8AD7D50075F254B758085711870AF8F7172346526662FD1174E48355F776A119

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6404	RUXIMICS.exe	GET	200	23.216.77.30:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
8156	Client.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/	unknown	—	—	whitelisted
7864	payload.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/	unknown	—	—	whitelisted
—	—	GET	200	140.82.121.3:443	https://raw.githubusercontent.com/XeroxzB/weqeq/main/1update.bin	unknown	binary	443 Kb	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	GET	200	140.82.121.3:443	https://raw.githubusercontent.com/XeroxzB/weqeq/main/1update.bin	unknown	binary	443 Kb	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
6404	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7864	payload.exe	185.199.109.133:443	raw.githubusercontent.com	FASTLY	US	whitelisted
6404	RUXIMICS.exe	23.216.77.30:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7864	payload.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	whitelisted
8156	Client.exe	185.199.109.133:443	raw.githubusercontent.com	FASTLY	US	whitelisted
8156	Client.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
google.com	172.217.18.110	whitelisted
raw.githubusercontent.com	185.199.109.133 185.199.108.133 185.199.111.133 185.199.110.133	whitelisted
crl.microsoft.com	23.216.77.30 23.216.77.25 23.216.77.42 23.216.77.20	whitelisted
ip-api.com	208.95.112.1	whitelisted
go-dramatically.gl.at.ply.gg	147.185.221.27	malicious
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
—	—	Misc activity	ET INFO Go-http-client User-Agent Observed Outbound
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7864	payload.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup ip-api.com
7864	payload.exe	A Network Trojan was detected	ET MALWARE Common RAT Connectivity Check Observed
—	—	Misc activity	ET INFO Go-http-client User-Agent Observed Outbound
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
2196	svchost.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)

General Info

payload.exe

CAE4409D8B36C442A10419796086C47F

2C44970C94E5899AFB95B7A77CB9003D9B5E31FA

8AD7D50075F254B758085711870AF8F7172346526662FD1174E48355F776A119

98304:krXenLxbam/S4tVl1s4JE7N3maaOhqa5DtiuXOVMvpNCJ6ZSCEKTDOLlMpbKuFBG:fG7yt

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Bypass User Account Control (Modify registry)

Bypass User Account Control (ComputerDefaults)

QUASAR has been detected (YARA)

SUSPICIOUS

Checks for external IP

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Changes default file association

Starts itself from another location

Starts CMD.EXE for commands execution

Connects to unusual port

There is functionality for taking screenshot (YARA)

INFO

Reads the machine GUID from the registry

Checks supported languages

Reads the computer name

Reads the software policy settings

Disables trace logs

Reads Environment values

Checks proxy server information

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Detects GO elliptic curve encryption (YARA)

Application based on Golang

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings