File name:	Productlist2025.com.exe
Full analysis:	https://app.any.run/tasks/5440316d-acba-49ac-9792-39ecffdf2002
Verdict:	Malicious activity
Threats:	Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 12:32:15
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	amsi-bypass rat quasar remote
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	69F3BC0083E17E7C28D06140308B12D8
SHA1:	3D637938626DBB7E63BE9DA10B83A94997F87F5C
SHA256:	95586FA277668206C164BCC7AF2D92602BF6A993B9F7FDA951BBD9FD3342E3EB
SSDEEP:	98304:B3njJWR9I4ETDMRiOiFUJvl0jYelrhro3144e7GS5j1jyDkA0DM8iw3uKwLycqr6:JNmFuM64

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2065:03:26 15:05:23+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	48
CodeSize:	3734016
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x3918ce
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	Microsoft
FileDescription:	Restau Manager
FileVersion:	1.0.0.0
InternalName:	mvqx.exe
LegalCopyright:	Copyright © Microsoft 2023
LegalTrademarks:	-
OriginalFileName:	mvqx.exe
ProductName:	Restau Manager
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(6344) Productlist2025.com.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	MSworkbook
Value: "C:\Users\admin\AppData\Roaming\SubDir\MSworkbooks.exe"
(PID) Process:	(3100) MSworkbooks.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	MSworkbook
Value: "C:\Users\admin\AppData\Roaming\SubDir\MSworkbooks.exe"

PID	Process	Filename		Type
1512	SIHClient.exe	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\434E65B61F9D3E2BD9941E4DFA4ED4BB		binary
		MD5:F01A474E7A22D9C41E262B57EBF459DA	SHA256:DA583DB85E1A1FF77B2C790BB0E22F94CC479542761A8DEE4F062DC08FC68073
1512	SIHClient.exe	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4C7F163ED126D5C3CB9457F68EC64E9E		binary
		MD5:B6969A16722D7DA4C71172B2BD9E06AC	SHA256:326229C1E5548A42D0EEFA5BB04714080220897B9AF2C2F52A27F8A7D12283EF
1512	SIHClient.exe	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4C7F163ED126D5C3CB9457F68EC64E9E		binary
		MD5:0C1C4AC9177078DBF59AA8E18D4436BB	SHA256:35ADD4C4718BB396147B338B0D8040556118A5814C0C734E432D102A3300B8C2
1512	SIHClient.exe	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8308086E5659ACD8D33846B02D52E737		binary
		MD5:A5BE62F5C72D02AB16243E46AB028884	SHA256:4DE14EF5CF948E2471D93BB39D1E62BBB4EBC413AD53E2179FC62896F6D2BEDA
1512	SIHClient.exe	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ADAFB71803410A26B9B51A6EDB19CE71		binary
		MD5:0E3B9A4BBF9C81D2184524402E87F017	SHA256:80E0EC81F1815837DA735A614DC5400048955AC90CB1A34522B7D617A9EEF6DA
1512	SIHClient.exe	C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab		compressed
		MD5:ACD24F781C0C8F48A0BD86A0E9F2A154	SHA256:5C0A296B3574D170D69C90B092611646FE8991B8D103D412499DBE7BFDCCCC49
1512	SIHClient.exe	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9E94643DE99F5621BC288D045BEA85DD		binary
		MD5:B69C738C71C947FD12B66D6319DF84A5	SHA256:5582F1CB870F1C1801E659399C2295CB131E180893A6E54FC992B0DCD2FB88A2
4488	Productlist2025.com.exe	C:\Users\admin\AppData\Local\Temp\tmp80B.tmp		xml
		MD5:45E23846088072BF0EDD04EE18DB4975	SHA256:5A21C349E24A29E4252265110250CA32613B70D4B1CEE8B45E8013855516F5F7
1512	SIHClient.exe	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ADAFB71803410A26B9B51A6EDB19CE71		binary
		MD5:CE00AB22C984F2CC698BBFB41267AA2F	SHA256:93957FD913D2F2205B95F8378A05DECCC5435299695046A8E7F82B905DF7A7C1
1512	SIHClient.exe	C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP3D84.tmp		compressed
		MD5:1B6460EE0273E97C251F7A67F49ACDB4	SHA256:3158032BAC1A6D278CCC2B7D91E2FBC9F01BEABF9C75D500A7F161E69F2C5F4A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	304	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
—	—	POST	200	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	—	—	whitelisted
—	—	POST	400	40.126.31.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	—	—	whitelisted
—	—	POST	200	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	whitelisted
—	—	GET	200	20.223.36.55:443	https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T123228Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=4fbaae61d7224e91a6cda0bbcd8b1089&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967471&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358001&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2	unknown	binary	1.31 Kb	whitelisted
—	—	POST	400	40.126.31.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.159.75:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.159.130:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.159.0:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	20.197.71.89:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	SG	whitelisted
2104	svchost.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6544	svchost.exe	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5416	backgroundTaskHost.exe	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1512	SIHClient.exe	4.175.87.197:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
google.com	142.250.185.206	whitelisted
client.wns.windows.com	20.197.71.89	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
login.live.com	40.126.32.134 20.190.160.65 20.190.160.3 20.190.160.128 40.126.32.72 40.126.32.136 20.190.160.130 20.190.160.20	whitelisted
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208	whitelisted
arc.msn.com	20.223.35.26	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
bz-fnd3.ydns.eu	213.209.150.170	unknown

PID	Process	Class	Message
3100	MSworkbooks.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 55
2196	svchost.exe	Misc activity	INFO [ANY.RUN] Dynamic DNS Service (ydns .eu)
3100	MSworkbooks.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

General Info

Productlist2025.com.exe

69F3BC0083E17E7C28D06140308B12D8

3D637938626DBB7E63BE9DA10B83A94997F87F5C

95586FA277668206C164BCC7AF2D92602BF6A993B9F7FDA951BBD9FD3342E3EB

98304:B3njJWR9I4ETDMRiOiFUJvl0jYelrhro3144e7GS5j1jyDkA0DM8iw3uKwLycqr6:JNmFuM64

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Task Scheduler to run other applications

Changes the autorun value in the registry

QUASAR has been detected (SURICATA)

QUASAR has been detected (YARA)

Connects to the CnC server

SUSPICIOUS

Application launched itself

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Possibly patching Antimalware Scan Interface function (YARA)

Starts itself from another location

There is functionality for taking screenshot (YARA)

Contacting a server suspected of hosting an CnC

Connects to unusual port

INFO

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads the computer name

Create files in a temporary directory

Checks supported languages

Reads the software policy settings

Process checks computer location settings

Malware configuration

Quasar

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Quasar

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings