File name:

MalwareBytes.exe

Full analysis: https://app.any.run/tasks/a50ce23c-c19e-413d-a7a2-b34f2c6f2050
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely.

Malware Trends Tracker     >>>
Analysis date: January 06, 2025, 18:52:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
quasar
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

1AF2519E38937542EC6ECA9BD1509026

SHA1:

00F3D3E74FA6FE2E2299ADD76DB4211DE41996FA

SHA256:

9431C0EDB66C91B824E87F2576C0329056838518CCCEA37C58F2CCECD5A78CD0

SSDEEP:

49152:VfEcsT90z2NkvSCmRf7uY1+DVlYZ+hHjGmt/3DgAmxtEhI/fsbWqzqhLoGdnIHHP:l2NkKCmRf7uY1+DVlYZ+hHaIDgoWpc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • MalwareBytes.exe (PID: 6252)
      • Client.exe (PID: 6340)

    • QUASAR has been detected (YARA)

      • Client.exe (PID: 6340)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • MalwareBytes.exe (PID: 6252)

    • Starts itself from another location

      • MalwareBytes.exe (PID: 6252)

  • INFO

    • Checks supported languages

      • MalwareBytes.exe (PID: 6252)
      • Client.exe (PID: 6340)

    • Creates files or folders in the user directory

      • MalwareBytes.exe (PID: 6252)

    • Reads Environment values

      • MalwareBytes.exe (PID: 6252)
      • Client.exe (PID: 6340)

    • Reads the computer name

      • MalwareBytes.exe (PID: 6252)
      • Client.exe (PID: 6340)

    • Reads the machine GUID from the registry

      • MalwareBytes.exe (PID: 6252)
      • Client.exe (PID: 6340)

    • The process uses the downloaded file

      • MalwareBytes.exe (PID: 6252)
      • Client.exe (PID: 6340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Quasar

(PID) Process(6340) Client.exe
Version1.4.1
C2 (2)192.168.1.145:4782
Sub_DirSubDir
Install_NameClient.exe
Mutex9d952f82-b8b7-4948-b2b7-53c225a63ebb
StartupQuasar Client Startup
TagOffice04
LogDirLogs
SignaturencoHLRGY2P3vuoJ33G5Wyjjtf0utARRZ0MUL6FxSZLQHFjmDHKM2X+9i1n6AXb5jmA2xjcuausnwosF4otRoLjlmF/Jj2NvpNebPJb7zfo+nURifneusdVlP+JEYqxvA+Z4+Hz/KQka5VJLUC4V1O38p/PGJ1urMrr43nhRZNQu6vPu6oEKBH1DVe2jJKamrIJt2AaS/oMnSKrgWArv2vA221Y64QOpsaehpMztDpM7ZZsm4G6lTQLgJqJ3O//QlIjC0RE1nXTv9GfZifuZ6GDUKqiIic9xvbQaw2ZxVlESU...
CertificateMIIE9DCCAtygAwIBAgIQANlXFJ48E9feCOaBgO4jyzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI1MDEwMzE0NTkyMFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApCpBIKkjsC5VZZ48JbEAyua9wnIU/K3umNqmoRPb95oqIU5t3BoQxbs26dqCRPd1KVRFcn4a...
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:03:12 16:16:39+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 3261952
InitializedDataSize: 3584
UninitializedDataSize: -
EntryPoint: 0x31e44e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.4.1.0
ProductVersionNumber: 1.4.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Quasar Client
FileVersion: 1.4.1
InternalName: Client.exe
LegalCopyright: Copyright © MaxXor 2023
LegalTrademarks: -
OriginalFileName: Client.exe
ProductName: Quasar
ProductVersion: 1.4.1
AssemblyVersion: 1.4.1.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start malwarebytes.exe #QUASAR client.exe

Process information

PID
CMD
Path
Indicators
Parent process
6252"C:\Users\admin\Desktop\MalwareBytes.exe" C:\Users\admin\Desktop\MalwareBytes.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Quasar Client
Exit code:
3
Version:
1.4.1
Modules
Images
c:\users\admin\desktop\malwarebytes.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6340"C:\Users\admin\AppData\Roaming\SubDir\Client.exe"C:\Users\admin\AppData\Roaming\SubDir\Client.exe
MalwareBytes.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Quasar Client
Version:
1.4.1
Modules
Images
c:\users\admin\appdata\roaming\subdir\client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Quasar
(PID) Process(6340) Client.exe
Version1.4.1
C2 (2)192.168.1.145:4782
Sub_DirSubDir
Install_NameClient.exe
Mutex9d952f82-b8b7-4948-b2b7-53c225a63ebb
StartupQuasar Client Startup
TagOffice04
LogDirLogs
SignaturencoHLRGY2P3vuoJ33G5Wyjjtf0utARRZ0MUL6FxSZLQHFjmDHKM2X+9i1n6AXb5jmA2xjcuausnwosF4otRoLjlmF/Jj2NvpNebPJb7zfo+nURifneusdVlP+JEYqxvA+Z4+Hz/KQka5VJLUC4V1O38p/PGJ1urMrr43nhRZNQu6vPu6oEKBH1DVe2jJKamrIJt2AaS/oMnSKrgWArv2vA221Y64QOpsaehpMztDpM7ZZsm4G6lTQLgJqJ3O//QlIjC0RE1nXTv9GfZifuZ6GDUKqiIic9xvbQaw2ZxVlESU...
CertificateMIIE9DCCAtygAwIBAgIQANlXFJ48E9feCOaBgO4jyzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI1MDEwMzE0NTkyMFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApCpBIKkjsC5VZZ48JbEAyua9wnIU/K3umNqmoRPb95oqIU5t3BoQxbs26dqCRPd1KVRFcn4a...
Total events
553
Read events
551
Write events
2
Delete events
0

Modification events

(PID) Process:(6252) MalwareBytes.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Quasar Client Startup
Value:
"C:\Users\admin\AppData\Roaming\SubDir\Client.exe"
(PID) Process:(6340) Client.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Quasar Client Startup
Value:
"C:\Users\admin\AppData\Roaming\SubDir\Client.exe"
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6252MalwareBytes.exeC:\Users\admin\AppData\Roaming\SubDir\Client.exeexecutable
MD5:1AF2519E38937542EC6ECA9BD1509026
SHA256:9431C0EDB66C91B824E87F2576C0329056838518CCCEA37C58F2CCECD5A78CD0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
23
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
1536
RUXIMICS.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.230.103:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
973 b
whitelisted
1536
RUXIMICS.exe
GET
200
184.30.230.103:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
973 b
whitelisted
3560
svchost.exe
GET
200
184.30.230.103:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
973 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
1536
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3560
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.21.65.132:443
www.bing.com
Akamai International B.V.
NL
whitelisted
192.168.100.255:138
whitelisted
1536
RUXIMICS.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1536
RUXIMICS.exe
184.30.230.103:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
4712
MoUsoCoreWorker.exe
184.30.230.103:80
www.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.21.65.132
  • 2.21.65.154
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 184.30.230.103
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
self.events.data.microsoft.com
  • 13.89.178.26
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MalwareBytes.exe