File name:	SOLARAV3.exe
Full analysis:	https://app.any.run/tasks/a9399043-bc73-4798-a6c6-5cba57603810
Verdict:	Malicious activity
Threats:	Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	August 18, 2024, 14:28:09
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	quasar rat remote
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	E7F36D061CA7ED589B64C53C49AE7652
SHA1:	6EBE935D1F6BEBC21F99D1FF44295A1BE31973E1
SHA256:	A85316296BA9C6594BBD38E5DF013B44F455D32473A3898F45E5FB884B2E3DB6
SSDEEP:	98304:h2NkKCmRf7uY1+DVlYZ+hHaIDgpCe9YGgpL:vXg6

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:03:12 16:16:39+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	3261952
InitializedDataSize:	3584
UninitializedDataSize:	-
EntryPoint:	0x31e3fe
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.4.1.0
ProductVersionNumber:	1.4.1.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	Quasar Client
FileVersion:	1.4.1
InternalName:	Client.exe
LegalCopyright:	Copyright © MaxXor 2023
LegalTrademarks:	-
OriginalFileName:	Client.exe
ProductName:	Quasar
ProductVersion:	1.4.1
AssemblyVersion:	1.4.1.0


(PID) Process:	(6472) SOLARAV3.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Mailstealer
Value: "C:\Users\admin\AppData\Roaming\SubDir\Mailstealer.exe"
(PID) Process:	(6500) Mailstealer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Mailstealer
Value: "C:\Users\admin\AppData\Roaming\SubDir\Mailstealer.exe"

PID	Process	Filename		Type
6472	SOLARAV3.exe	C:\Users\admin\AppData\Roaming\SubDir\Mailstealer.exe		executable
		MD5:E7F36D061CA7ED589B64C53C49AE7652	SHA256:A85316296BA9C6594BBD38E5DF013B44F455D32473A3898F45E5FB884B2E3DB6

PID	Process	IP	Domain	ASN	CN	Reputation
1292	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5056	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6500	Mailstealer.exe	193.161.193.99:46018	Dejvo213455-46018.portmap.host	OOO Bitree Networks	RU	malicious
5056	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4324	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
google.com	216.58.206.46	whitelisted
Dejvo213455-46018.portmap.host	193.161.193.99	malicious

PID	Process	Class	Message
2256	svchost.exe	Potential Corporate Privacy Violation	ET POLICY DNS Query to a Reverse Proxy Service Observed
2256	svchost.exe	Misc activity	ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
6500	Mailstealer.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

General Info

SOLARAV3.exe

E7F36D061CA7ED589B64C53C49AE7652

6EBE935D1F6BEBC21F99D1FF44295A1BE31973E1

A85316296BA9C6594BBD38E5DF013B44F455D32473A3898F45E5FB884B2E3DB6

98304:h2NkKCmRf7uY1+DVlYZ+hHaIDgpCe9YGgpL:vXg6

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

QUASAR has been detected (YARA)

Connects to the CnC server

QUASAR has been detected (SURICATA)

SUSPICIOUS

Drops the executable file immediately after the start

Contacting a server suspected of hosting an CnC

Reads security settings of Internet Explorer

Potential Corporate Privacy Violation

Starts itself from another location

Connects to unusual port

Executable content was dropped or overwritten

INFO

Reads the computer name

Creates files or folders in the user directory

Checks supported languages

Reads Environment values

Reads the machine GUID from the registry

Reads the software policy settings

Malware configuration

Quasar

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Quasar

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings