analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

rust-scripts.exe

Full analysis: https://app.any.run/tasks/85b5ca13-e2fe-41ad-a9fb-d2a471f45043
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely.

Malware Trends Tracker     >>>
Analysis date: November 16, 2019, 08:35:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
quasar
evasion
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

A6118F3E574747A2C03AFF4F69D09C14

SHA1:

8AFBE5BC6F197ECC70B64EA79C73F707744E6DFC

SHA256:

B3CD2D9C111002D130AE7A09744A416E86E2917D5D55BBFC3092F0647C490632

SSDEEP:

6144:AbqQ4i1FFiEK+pbKnewRabKvvsEn9ZOapsk2Io2q:6pliOOnekLHTnbO+2Idq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • QUASAR was detected

      • rust-scripts.exe (PID: 2176)
      • Client.exe (PID: 3976)
      • Client.exe (PID: 920)
      • Client.exe (PID: 1780)

    • Drops/Copies Quasar RAT executable

      • rust-scripts.exe (PID: 2176)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 272)
      • cmd.exe (PID: 4084)
      • cmd.exe (PID: 3748)

  • SUSPICIOUS

    • Starts itself from another location

      • rust-scripts.exe (PID: 2176)

    • Executable content was dropped or overwritten

      • rust-scripts.exe (PID: 2176)

    • Creates files in the user directory

      • rust-scripts.exe (PID: 2176)
      • Client.exe (PID: 920)

    • Checks for external IP

      • rust-scripts.exe (PID: 2176)
      • Client.exe (PID: 920)
      • Client.exe (PID: 3976)
      • Client.exe (PID: 1780)

    • Starts CMD.EXE for commands execution

      • Client.exe (PID: 920)
      • Client.exe (PID: 3976)
      • Client.exe (PID: 1780)

    • Starts application with an unusual extension

      • cmd.exe (PID: 272)
      • cmd.exe (PID: 4084)
      • cmd.exe (PID: 3748)

  • INFO

    • Application was crashed

      • Client.exe (PID: 920)
      • Client.exe (PID: 3976)
      • Client.exe (PID: 1780)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:08:05 20:21:07+02:00
PEType: PE32
LinkerVersion: 8
CodeSize: 352768
InitializedDataSize: 3072
UninitializedDataSize: -
EntryPoint: 0x581be
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.3.0.0
ProductVersionNumber: 1.3.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.3.0.0
InternalName: Client.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: Client.exe
ProductName: -
ProductVersion: 1.3.0.0
AssemblyVersion: 1.3.0.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Aug-2019 18:21:07
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.3.0.0
InternalName: Client.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFilename: Client.exe
ProductName: -
ProductVersion: 1.3.0.0
Assembly Version: 1.3.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 05-Aug-2019 18:21:07
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x000561C4
0x00056200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.44493
.rsrc
0x0005A000
0x00000A00
0x00000A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.23597
.reloc
0x0005C000
0x0000000C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.10191

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.22615
1171
UNKNOWN
UNKNOWN
RT_MANIFEST

Imports

mscoree.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
55
Monitored processes
14
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start #QUASAR rust-scripts.exe #QUASAR client.exe cmd.exe no specs chcp.com no specs ping.exe no specs #QUASAR client.exe cmd.exe no specs chcp.com no specs ping.exe no specs #QUASAR client.exe cmd.exe no specs chcp.com no specs ping.exe no specs client.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2176"C:\Users\admin\AppData\Local\Temp\rust-scripts.exe" C:\Users\admin\AppData\Local\Temp\rust-scripts.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.3.0.0
920"C:\Users\admin\AppData\Roaming\SubDir\Client.exe"C:\Users\admin\AppData\Roaming\SubDir\Client.exe
rust-scripts.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3762504530
Version:
1.3.0.0
272cmd /c ""C:\Users\admin\AppData\Local\Temp\OmWFOKTzCD8u.bat" "C:\Windows\system32\cmd.exeClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2424chcp 65001C:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3980ping -n 10 localhost C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3976"C:\Users\admin\AppData\Roaming\SubDir\Client.exe" C:\Users\admin\AppData\Roaming\SubDir\Client.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3762504530
Version:
1.3.0.0
4084cmd /c ""C:\Users\admin\AppData\Local\Temp\UbrGzZxh6gQ7.bat" "C:\Windows\system32\cmd.exeClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2812chcp 65001C:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3616ping -n 10 localhost C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1780"C:\Users\admin\AppData\Roaming\SubDir\Client.exe" C:\Users\admin\AppData\Roaming\SubDir\Client.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.3.0.0
Total events
1 306
Read events
1 270
Write events
36
Delete events
0

Modification events

(PID) Process:(2176) rust-scripts.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rust-scripts_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2176) rust-scripts.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rust-scripts_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2176) rust-scripts.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rust-scripts_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2176) rust-scripts.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rust-scripts_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2176) rust-scripts.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rust-scripts_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2176) rust-scripts.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rust-scripts_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2176) rust-scripts.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rust-scripts_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2176) rust-scripts.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rust-scripts_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2176) rust-scripts.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rust-scripts_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2176) rust-scripts.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rust-scripts_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
1
Suspicious files
3
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
920Client.exeC:\Users\admin\AppData\Local\Temp\OmWFOKTzCD8u.battext
MD5:BF3777DC42C39685EAB690AC2F544B10
SHA256:98A88F4A30B2F7858F9C7101851917C85AD34F4FE3785D344C795C299442014F
1780Client.exeC:\Users\admin\AppData\Local\Temp\Rv1br8lOM8WE.battext
MD5:E6D7D69A62D115EBF27DEB572C2FE2F4
SHA256:1DF1FE94DD97318FEE125085357A8C6D82F7C3F55F0804BCA297B933EC280D45
2176rust-scripts.exeC:\Users\admin\AppData\Roaming\SubDir\Client.exeexecutable
MD5:A6118F3E574747A2C03AFF4F69D09C14
SHA256:B3CD2D9C111002D130AE7A09744A416E86E2917D5D55BBFC3092F0647C490632
3976Client.exeC:\Users\admin\AppData\Roaming\KeyLogger\11-16-2019binary
MD5:1BD488FFC8BF3F6E6249E1199A583E4F
SHA256:D451C94BC1424E709A837245D7664F9ED95FBD4FD5D8A1A0308ED581797F9A7B
1780Client.exeC:\Users\admin\AppData\Roaming\KeyLogger\11-16-2019binary
MD5:DA2D3FDD7A9656696F74E1EA3A755A4B
SHA256:523D58164260D908F1E332C04A68A90E710A0944E805AB892F92BCB50BED6859
920Client.exeC:\Users\admin\AppData\Roaming\KeyLogger\11-16-2019binary
MD5:2A88DAB216C932958CD748EF258125B0
SHA256:D83B29FA0094D5D187C5C80CE7C8EE2C7157732546B5D7CF7E9B686F88062875
3976Client.exeC:\Users\admin\AppData\Local\Temp\UbrGzZxh6gQ7.battext
MD5:2F25D46D0A1333A7016506D0130229B0
SHA256:AEFBA7308B322FCE4E1D7986FD79BE9A625B51572257CB5CF246A49C16492CDB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
6
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3976
Client.exe
GET
208.95.112.1:80
http://ip-api.com/json/
unknown
shared
3976
Client.exe
GET
54.235.187.248:80
http://api.ipify.org/
US
shared
3976
Client.exe
GET
301
104.26.15.73:80
http://freegeoip.net/xml/
US
shared
2176
rust-scripts.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/
unknown
text
260 b
shared
3976
Client.exe
GET
403
104.26.15.73:80
http://freegeoip.net/shutdown
US
text
1.51 Kb
shared
920
Client.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/
unknown
text
260 b
shared
1780
Client.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/
unknown
text
260 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2176
rust-scripts.exe
208.95.112.1:80
ip-api.com
IBURST
malicious
3976
Client.exe
208.95.112.1:80
ip-api.com
IBURST
malicious
920
Client.exe
208.95.112.1:80
ip-api.com
IBURST
malicious
208.95.112.1:80
ip-api.com
IBURST
malicious
3976
Client.exe
54.235.187.248:80
api.ipify.org
Amazon.com, Inc.
US
shared
3976
Client.exe
104.26.15.73:80
freegeoip.net
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
ip-api.com
  • 208.95.112.1
shared
freegeoip.net
  • 104.26.15.73
  • 104.26.14.73
shared
api.ipify.org
  • 54.235.187.248
  • 23.21.72.212
  • 23.23.73.124
  • 23.23.229.94
  • 54.225.92.64
  • 50.19.218.16
  • 23.23.83.153
  • 174.129.199.232
shared

Threats

PID
Process
Class
Message
2176
rust-scripts.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
2176
rust-scripts.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
2176
rust-scripts.exe
A Network Trojan was detected
REMOTE [PTsecurity] Quasar.RAT IP Lookup
920
Client.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
920
Client.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
920
Client.exe
A Network Trojan was detected
REMOTE [PTsecurity] Quasar.RAT IP Lookup
3976
Client.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
3976
Client.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3976
Client.exe
A Network Trojan was detected
REMOTE [PTsecurity] Quasar.RAT IP Lookup
3976
Client.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
9 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
rust-scripts.exe