File name: COM Surrogate.exe

Full analysis: https://app.any.run/tasks/a84e85a0-42cd-42b5-85fe-3c902704aed0
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Analysis date: February 04, 2024, 03:38:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, asyncrat, remote, quasar
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: C0FDF0FC584BDA99F48F78E5C6B29CFF
SHA1: 4DB8246CBA69692853A80966AB225FE558AD34CF
SHA256: AE1DBF0BB42007BEDE6E780E60A52C43A510651CB5FF299AE9EBD4059EB5BF1A
SSDEEP: 49152:PkEcsT90z2NkvSCmRf7uY1+DVlYZ+hHjGmt/3Dg5EpoP+GKAUsoZCEXRHm/zj4Z3:k2NkKCmRf7uY1+DVlYZ+hHaIDgGHmE3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • COM Surrogate.exe (PID: 1264)
    • ASYNCRAT has been detected (SURICATA)
      • COM Surrogate.exe (PID: 1632)
    • Changes the autorun value in the registry
      • COM Surrogate.exe (PID: 1632)
    • Steals credentials from Web Browsers
      • COM Surrogate.exe (PID: 1632)
    • QUASAR has been detected (YARA)
      • COM Surrogate.exe (PID: 1632)
    • QUASAR has been detected (SURICATA)
      • COM Surrogate.exe (PID: 1632)
    • Connects to the CnC server
      • COM Surrogate.exe (PID: 1632)
    • Actions look like stealing of personal data
      • COM Surrogate.exe (PID: 1632)
  • SUSPICIOUS
    • Connects to unusual port
      • COM Surrogate.exe (PID: 1632)
    • Reads the Internet Settings
      • COM Surrogate.exe (PID: 1632)
    • Loads DLL from Mozilla Firefox
      • COM Surrogate.exe (PID: 1632)
    • Starts itself from another location
      • COM Surrogate.exe (PID: 1264)
    • Executable content was dropped or overwritten
      • COM Surrogate.exe (PID: 1264)
    • Reads settings of System Certificates
      • COM Surrogate.exe (PID: 1632)
  • INFO
    • Checks supported languages
      • COM Surrogate.exe (PID: 1264)
      • COM Surrogate.exe (PID: 1632)
    • Reads the computer name
      • COM Surrogate.exe (PID: 1264)
      • COM Surrogate.exe (PID: 1632)
    • Reads Environment values
      • COM Surrogate.exe (PID: 1264)
      • COM Surrogate.exe (PID: 1632)
    • Creates files or folders in the user directory
      • COM Surrogate.exe (PID: 1264)
    • Creates files in a temporary directory
      • COM Surrogate.exe (PID: 1632)
    • Reads the machine GUID from the registry
      • COM Surrogate.exe (PID: 1632)
      • COM Surrogate.exe (PID: 1264)

Quasar

Process: COM Surrogate.exe (PID: 1632)
Version: 1.4.1
C2 (2): 37.120.233.226:3451
Sub_Dir: SubDir
Install_Name: COM Surrogate.exe
Mutex: ee9720c2-123c-45dc-aece-ad1fcdf1004e
Startup: COM Surrogate
Tag: Office04
LogDir: Logs
Signature: cLBGh5IvRZF+XmwmP13rsdi/NGqUdSNtL3/XZqkVsbkplDsMF6FlzcAXTw8nsMfg1dNK/L545PwsXZRDI5nwJyHzAlEdqOn9xkdMZTXgEkgBs1zkgw8P22tAn8f98ToaqzBwiuRV8A49tGnkG2sLIJv8tD/PINJeg5q0L54P5Rfn5jZ6KkdMlXhi+4XYHH/LlVURWjnJU76mGLilwj36fSGsmk8WN//9uuMslrwDUm178UGeCfkyOGhkp8ZjZ+HVfFFCvHXEJ7GcYQNLKzOFTdC+Y/FpZcRaDRHMYtuKYbrS...
Certificate: MIIE9DCCAtygAwIBAgIQALsLkFcyIKqp3L9NZyk1VzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDIwMTA2MzQ0MFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAiXkaE/ZeS90riyS1o0wYxwyy2VDD3CrGIcJoHmikCHnKTRnqlM2JiFcQNVNSFR6MnzCHwWGS...
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:03:12 17:16:39+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 3261440
InitializedDataSize: 3584
UninitializedDataSize: -
EntryPoint: 0x31e3de
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.4.1.0
ProductVersionNumber: 1.4.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Quasar Client
FileVersion: 1.4.1
InternalName: Client.exe
LegalCopyright: Copyright © MaxXor 2023
LegalTrademarks: -
OriginalFileName: Client.exe
ProductName: Quasar
ProductVersion: 1.4.1
AssemblyVersion: 1.4.1.0
Total processes: 38
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> com surrogate.exe -> com surrogate.exe (#QUASAR)

Process information

PID: 1264
CMD: "C:\Users\admin\AppData\Local\Temp\COM Surrogate.exe"
Path: C:\Users\admin\AppData\Local\Temp\COM Surrogate.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Quasar Client
Exit code: 3
Version: 1.4.1
Modules (images):
  c:\users\admin\appdata\local\temp\com surrogate.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 1632
CMD: "C:\Users\admin\AppData\Roaming\SubDir\COM Surrogate.exe"
Path: C:\Users\admin\AppData\Roaming\SubDir\COM Surrogate.exe
Parent process: COM Surrogate.exe
User: admin
Integrity Level: MEDIUM
Description: Quasar Client
Exit code: 0
Version: 1.4.1
Modules (images):
  c:\users\admin\appdata\roaming\subdir\com surrogate.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 5 629
Read events: 5 598
Write events: 31
Delete events: 0

Modification events

Process: COM Surrogate.exe (PID: 1264)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: COM Surrogate.exe (PID: 1632)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: COM Surrogate.exe (PID: 1632)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: COM Surrogate
Value: "C:\Users\admin\AppData\Roaming\SubDir\COM Surrogate.exe"

Process: COM Surrogate.exe (PID: 1632)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: COM Surrogate.exe (PID: 1632)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID: 1264
Process: COM Surrogate.exe
Filename: C:\Users\admin\AppData\Roaming\SubDir\COM Surrogate.exe
Type: executable
MD5: C0FDF0FC584BDA99F48F78E5C6B29CFF
SHA256: AE1DBF0BB42007BEDE6E780E60A52C43A510651CB5FF299AE9EBD4059EB5BF1A

PID: 1632
Process: COM Surrogate.exe
Filename: C:\Users\admin\AppData\Local\Temp\Cab4626.tmp
Type: compressed
MD5: AC05D27423A85ADC1622C714F2CB6184
SHA256: C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D

PID: 1632
Process: COM Surrogate.exe
Filename: C:\Users\admin\AppData\Local\Temp\Tar4627.tmp
Type: binary
MD5: 9C0C641C06238516F27941AA1166D427
SHA256: 4276AF3669A141A59388BC56A87F6614D9A9BDDDF560636C264219A7EB11256F

PID: 1632
Process: COM Surrogate.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Type: compressed
MD5: AC05D27423A85ADC1622C714F2CB6184
SHA256: C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D

PID: 1632
Process: COM Surrogate.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Type: binary
MD5: A14D267C96C26947D2E4CB3BE4B580B2
SHA256: 9EBAAE542D865BB0DB87136C5E13547C0F602EBFEACDCDFDBC98B973DFF25434
HTTP(S) requests: 1
TCP/UDP connections: 7
DNS requests: 2
Threats: 4

HTTP requests

PID: 1632
Process: COM Surrogate.exe
Method: GET
HTTP Code: 200
IP: 93.184.221.240:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?cd18005bfc182779
CN: unknown
Type: compressed
Size: 65.2 Kb
Reputation: unknown

Connections

PID   Process            IP                    Domain                    ASN                  CN  Reputation
4     System             192.168.100.255:138   -                         -                    -   whitelisted
4     System             192.168.100.255:137   -                         -                    -   whitelisted
1080  svchost.exe        224.0.0.252:5355      -                         -                    -   unknown
1632  COM Surrogate.exe  37.120.233.226:3451   -                         M247 Ltd             GB  unknown
1632  COM Surrogate.exe  93.184.221.240:80     ctldl.windowsupdate.com   EDGECAST             GB  whitelisted
1632  COM Surrogate.exe  195.201.57.90:443     ipwho.is                  Hetzner Online GmbH  DE  unknown

DNS requests

Domain                    IP               Reputation
ctldl.windowsupdate.com   93.184.221.240   whitelisted
ipwho.is                  195.201.57.90    malicious

Threats

PID   Process            Class                                          Message
1632  COM Surrogate.exe  Domain Observed Used for C2 Detected           ET MALWARE Generic AsyncRAT Style SSL Cert
1632  COM Surrogate.exe  Domain Observed Used for C2 Detected           ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
1080  svchost.exe        Potentially Bad Traffic                        ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
1632  COM Surrogate.exe  Malware Command and Control Activity Detected  REMOTE [ANY.RUN] QuasarRAT Successful Connection (GCM_SHA384)