Field | Value
---|---
File name | Netchecker.rar
Full analysis | https://app.any.run/tasks/85816a49-9140-407a-bddc-7761191ad26c
Verdict | Malicious activity
Threats | Quasar is a widely used RAT because its source code is openly available. The malware lets an operator control the victim's computer remotely.
Analysis date | December 18, 2018, 17:20:41
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-rar
File info | RAR archive data, v4, os: Win32
MD5 | 1CC4C0534F0B0259A8D4279613C124FC
SHA1 | EC92A47A752B159B6655FC58D3C3AC600D5CD934
SHA256 | 9B02799BD0A87ED93BD59FFC2BFB43E35B91A96FFB0C03F471D9994A9F6E0280
SSDEEP | 49152:Fr6vbKQh0+JctQ9Y7Wse5PwhinjE94Z69jqFy598QleN:FWvblhjiiI5jqFy5IN
Extension | File type match (score)
---|---
.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
Archive property | Value
---|---
CompressedSize | 126256
UncompressedSize | 338944
OperatingSystem | Win32
ModifyDate | 2018:09:21 17:39:00
PackingMethod | Normal
ArchivedFileName | Netchecker\api.dll
PID | CMD | Path | Indicators | Parent process | Process details
---|---|---|---|---|---
2956 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Netchecker.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
2152 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Netchecker.rar" C:\Users\admin\Desktop\ | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
1936 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft Windows Search Protocol Host; Exit code: 0; Version: 7.00.7600.16385 (win7_rtm.090713-1255)
3328 | "C:\Users\admin\Desktop\Netchecker\NetChecker.exe" | C:\Users\admin\Desktop\Netchecker\NetChecker.exe | | explorer.exe | User: admin; Company: GitHub; Integrity Level: MEDIUM; Description: Update.exe; Exit code: 0; Version: 1.1.1.0
3152 | "C:\Users\admin\AppData\Roaming\WindowsDefender.exe" | C:\Users\admin\AppData\Roaming\WindowsDefender.exe | | NetChecker.exe | User: admin; Company: GitHub; Integrity Level: MEDIUM; Description: Update.exe; Exit code: 0; Version: 1.1.1.0
2608 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | | WindowsDefender.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 4.6.1055.0 built by: NETFXREL2
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2152 | WinRAR.exe | C:\Users\admin\Desktop\Netchecker\NetChecker.exe | executable | 86E6E0051619E301E3CC1740E9BA1DA4 | E61E3CF3F799DE14684DF5B20C01DFBC5FCD0ADD0AED80D2C4D6FB5523C57378
2152 | WinRAR.exe | C:\Users\admin\Desktop\Netchecker\api.dll | executable | 8152E9D15C022E601EFA9DA3A3BEFD71 | 4457EF2BA0D3B802CDC5384F044C9CBDDAB6FC8B25AAD794B4BCE3249D106054
2152 | WinRAR.exe | C:\Users\admin\Desktop\Netchecker\Connection.dll | executable | 8152E9D15C022E601EFA9DA3A3BEFD71 | 4457EF2BA0D3B802CDC5384F044C9CBDDAB6FC8B25AAD794B4BCE3249D106054
3328 | NetChecker.exe | C:\Users\admin\AppData\Roaming\WindowsDefender.exe | executable | 86E6E0051619E301E3CC1740E9BA1DA4 | E61E3CF3F799DE14684DF5B20C01DFBC5FCD0ADD0AED80D2C4D6FB5523C57378
2152 | WinRAR.exe | C:\Users\admin\Desktop\Netchecker\SkinSoft.VisualStyler.dll | executable | 2D84A619D4BD339F860CB48AF0C9B6C8 | 365FFDE7DF914840EB21C96F34C39912A4B031E3814B8E902B67ACEE6DFF65A1
2152 | WinRAR.exe | C:\Users\admin\Desktop\Netchecker\xNet.dll | executable | 3DF8D87A482EFAD957D83819ADB3020F | 2AC175B4D44245EE8E7AEE9CC36DF86925EF903D8516F20A2C51D84E35F23DA4
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2608 | Regasm.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 282 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2608 | Regasm.exe | 5.2.67.66:3124 | nicereverse.ooguy.com | Liteserver VOF | NL | malicious |
2608 | Regasm.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown |
Domain | IP | Reputation
---|---|---
ip-api.com | | shared
nicereverse.ooguy.com | | malicious
PID | Process | Class | Message |
---|---|---|---|
2608 | Regasm.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
2608 | Regasm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar 1.3 RAT IP Lookup ip-api.com (HTTP headeer) |
2608 | Regasm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar RAT |
Process | Message
---|---
NetChecker.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
NetChecker.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
NetChecker.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
NetChecker.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
NetChecker.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
NetChecker.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
NetChecker.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
NetChecker.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278
WindowsDefender.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1391
WindowsDefender.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\identityauthority.cpp, line 278