File name: | monaco guck.exe |
Full analysis: | https://app.any.run/tasks/445c19e9-2548-43ab-a5aa-ec0b7a8a6efe |
Verdict: | Malicious activity |
Threats: | Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. |
Analysis date: | June 27, 2022, 10:53:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | C9730861A855C2360BC1C610874CDA86 |
SHA1: | 221BF41D5A328C3690C8AD268CFB819CC7397FBA |
SHA256: | 90CA44F5D63436A70D023AE571F42C332D88BC468ADED2F9ACF3E9B84A6FB7AC |
SSDEEP: | 6144:MpNHXf500M8knHTWJbO2SbL1CafH60dcCVVFy2:8d50ZqJbFa1tH6nCVVFy2 |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
---|---|---|
.exe | | | Win64 Executable (generic) (21.3) |
.scr | | | Windows screen saver (10.1) |
.dll | | | Win32 Dynamic Link Library (generic) (5) |
.exe | | | Win32 Executable (generic) (3.4) |
AssemblyVersion: | 1.3.0.0 |
---|---|
ProductVersion: | 1.3.0.0 |
ProductName: | - |
OriginalFileName: | Client.exe |
LegalTrademarks: | - |
LegalCopyright: | - |
InternalName: | Client.exe |
FileVersion: | 1.3.0.0 |
FileDescription: | - |
CompanyName: | - |
Comments: | - |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.3.0.0 |
FileVersionNumber: | 1.3.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x581be |
UninitializedDataSize: | - |
InitializedDataSize: | 3072 |
CodeSize: | 352768 |
LinkerVersion: | 8 |
PEType: | PE32 |
TimeStamp: | 2022:06:27 12:21:54+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 27-Jun-2022 10:21:54 |
Comments: | - |
CompanyName: | - |
FileDescription: | - |
FileVersion: | 1.3.0.0 |
InternalName: | Client.exe |
LegalCopyright: | - |
LegalTrademarks: | - |
OriginalFilename: | Client.exe |
ProductName: | - |
ProductVersion: | 1.3.0.0 |
Assembly Version: | 1.3.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 27-Jun-2022 10:21:54 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x000561C4 | 0x00056200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.44471 |
.rsrc | 0x0005A000 | 0x00000A00 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.23597 |
.reloc | 0x0005C000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.22615 | 1171 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2636 | "C:\Users\admin\AppData\Local\Temp\monaco guck.exe" | C:\Users\admin\AppData\Local\Temp\monaco guck.exe | Explorer.EXE | |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.3.0.0 | ||||
3140 | "C:\Users\admin\AppData\Roaming\SubDir\Client.exe" | C:\Users\admin\AppData\Roaming\SubDir\Client.exe | monaco guck.exe | |
User: admin Integrity Level: MEDIUM Version: 1.3.0.0 Quasar(PID) Process(3140) Client.exe Certificate Signature LogDirLogs Tagwdadsa Startupruntime brocker MutexQSR_MUTEX_q2Tul7nBUKmd8SX6eg Install_NameClient.exe Sub_DirSubDir C2 (2)niggahunter88-33934.portmap.io:33934 Version1.3.0.0 | ||||
188 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2956 | "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/tipico | C:\Program Files\Internet Explorer\iexplore.exe | Client.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3564 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3564 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\076a8c1a0cc790ebd989[1].js | — | |
MD5:— | SHA256:— | |||
3564 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | |
MD5:FC887F7C5EF1EEAE3FB3BA651F77AC36 | SHA256:5F98609231B96FC1ECFEFF757089F66D6A74BBE8FED6B33D83A799790484AA56 | |||
3564 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\tipico[1].htm | html | |
MD5:769FCD1AC8AE8B137D7C43E18BCD6FA0 | SHA256:E8D8D98766E7BE4CF5B5BD429BDAE89F188F38EEF7EECB361FE701E2AF4F8FC7 | |||
2956 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F | binary | |
MD5:4DDF9E562F60411AA7228F881336BB37 | SHA256:2E040ED534F445FF3D60D33E2E7D1EA8A331A9565BC6FEC33A4347B5B6F58A54 | |||
3564 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:8A30561EC9A37BD64836948F2900D386 | SHA256:BE7890B91E0FC82FED13C1D7909D5C1C15B6A6AE31B04AC1F241E2496953871C | |||
3564 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\Q7V411NH.txt | text | |
MD5:A346A2A1484EFB384E30C5FC845DFA79 | SHA256:A43EA9A32B6A6EA256C705D932C77CDF07C2E0452B877CBDCD03A88B1631F607 | |||
2956 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\f7ruq93\imagestore.dat | binary | |
MD5:C3725F04F47AF19CB103B4915615C631 | SHA256:9941C0442FB94961E83EE0F4CF915E010014D3B660EB0CA8AD4768BFA8480C70 | |||
3564 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\8cdf600873d1c69152ae[1].js | text | |
MD5:6C824994BB4F362AE607336983EF2B1F | SHA256:DDDA32E12184108B60D3BBA652E3443733DDAD88FE5779BB0A47039F37CC8FC9 | |||
3564 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary | |
MD5:665A37CDCFCA197B5B66911F883F02AB | SHA256:022CA395E35F2B1B3D5F9C089037E5899C4CC8AF6F8F2DD8B7B7E1AAB7C1A7A7 | |||
2636 | monaco guck.exe | C:\Users\admin\AppData\Roaming\SubDir\Client.exe | executable | |
MD5:C9730861A855C2360BC1C610874CDA86 | SHA256:90CA44F5D63436A70D023AE571F42C332D88BC468ADED2F9ACF3E9B84A6FB7AC |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2636 | monaco guck.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | binary | 279 b | shared |
3140 | Client.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | binary | 279 b | shared |
3564 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
3564 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bd37142251af9be6 | US | compressed | 4.70 Kb | whitelisted |
2956 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3140 | Client.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
2636 | monaco guck.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
3564 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
3140 | Client.exe | 193.161.193.99:33934 | niggahunter88-33934.portmap.io | OOO Bitree Networks | RU | malicious |
3564 | iexplore.exe | 162.159.134.234:443 | discord.gg | Cloudflare Inc | — | shared |
2956 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3564 | iexplore.exe | 162.159.138.232:443 | discord.com | Cloudflare Inc | — | malicious |
2956 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2956 | iexplore.exe | 162.159.138.232:443 | discord.com | Cloudflare Inc | — | malicious |
3564 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
ip-api.com |
| shared |
niggahunter88-33934.portmap.io |
| malicious |
discord.gg |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
discord.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
crl3.digicert.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2636 | monaco guck.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
2636 | monaco guck.exe | A Network Trojan was detected | ET TROJAN Common RAT Connectivity Check Observed |
2636 | monaco guck.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
3140 | Client.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3140 | Client.exe | A Network Trojan was detected | ET TROJAN Common RAT Connectivity Check Observed |
3140 | Client.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
— | — | Potential Corporate Privacy Violation | ET POLICY DNS Query to a Reverse Proxy Service Observed |
— | — | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
3564 | iexplore.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
3564 | iexplore.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |