File name:

host.rar

Full analysis: https://app.any.run/tasks/fe94ea0b-746b-427e-b33d-2f8111107f60
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely.

Malware Trends Tracker     >>>
Analysis date: October 30, 2023, 21:19:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
quasar
sinkhole
evasion
remote
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

546DB3FCD7E65363457A2FB3D10AC617

SHA1:

7B086F07A02EED0C5706B0E9B6824505A0414120

SHA256:

BE89472C81E89FF3FE48FB7AD18489E2F6DB45ABFE118F6EB4EEB6F01977FCDD

SSDEEP:

6144:cfq/cwngD/DQYi7aFTVXRBXwAjMJjJOZIGoQ3qz8:HcrLfkw77gJ9OZIGoQ3qQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops/Copies Quasar RAT executable

      • WinRAR.exe (PID: 1824)
      • host.exe (PID: 3780)

    • Application was dropped or rewritten from another process

      • host.exe (PID: 3780)
      • host.exe (PID: 2952)

    • Drops the executable file immediately after the start

      • host.exe (PID: 3780)

    • Changes the autorun value in the registry

      • host.exe (PID: 2952)

    • QUASAR has been detected (SURICATA)

      • host.exe (PID: 2952)

    • QUASAR has been detected (YARA)

      • host.exe (PID: 2952)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 1824)
      • host.exe (PID: 3780)

    • Reads the Internet Settings

      • host.exe (PID: 3780)
      • host.exe (PID: 2952)

    • Starts itself from another location

      • host.exe (PID: 3780)

    • Checks for external IP

      • host.exe (PID: 2952)

    • Connects to unusual port

      • host.exe (PID: 2952)

  • INFO

    • Checks supported languages

      • host.exe (PID: 3780)
      • host.exe (PID: 2952)

    • Reads the computer name

      • host.exe (PID: 3780)
      • host.exe (PID: 2952)

    • Manual execution by a user

      • host.exe (PID: 3780)

    • Reads the machine GUID from the registry

      • host.exe (PID: 3780)
      • host.exe (PID: 2952)

    • Creates files or folders in the user directory

      • host.exe (PID: 3780)
      • host.exe (PID: 2952)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 1824)

    • Reads Environment values

      • host.exe (PID: 3780)
      • host.exe (PID: 2952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Quasar

(PID) Process(2952) host.exe
Version1.3.0.0
C2 (2)youtubevideos.duckdns.org:60
Sub_DirSystem32
Install_Namehost.exe
MutexQSR_MUTEX_UW2Q1R9Nhq2Wep6ciM
Startuphost
Tagcrypto new 2
LogDirLogs
Signature
Certificate
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs host.exe #QUASAR host.exe

Process information

PID
CMD
Path
Indicators
Parent process
1824"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\host.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
2952"C:\Users\admin\AppData\Roaming\System32\host.exe"C:\Users\admin\AppData\Roaming\System32\host.exe
host.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.3.0.0
Modules
Images
c:\users\admin\appdata\roaming\system32\host.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Quasar
(PID) Process(2952) host.exe
Version1.3.0.0
C2 (2)youtubevideos.duckdns.org:60
Sub_DirSystem32
Install_Namehost.exe
MutexQSR_MUTEX_UW2Q1R9Nhq2Wep6ciM
Startuphost
Tagcrypto new 2
LogDirLogs
Signature
Certificate
3780"C:\Users\admin\Desktop\host.exe" C:\Users\admin\Desktop\host.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.3.0.0
Modules
Images
c:\users\admin\desktop\host.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
1 695
Read events
1 686
Write events
9
Delete events
0

Modification events

(PID) Process:(1824) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(1824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(1824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(1824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1824) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2952) host.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:host
Value:
"C:\Users\admin\Desktop\host.exe"
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1824WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1824.27848\host.exeexecutable
MD5:E0DC6722A9BC7AF2D3FCF19E894F5043
SHA256:63C22FF05A3D78DD08DEDA98041B693BF13815DF41DA51CAA2DCA1BB991DDDB6
3780host.exeC:\Users\admin\AppData\Roaming\System32\host.exeexecutable
MD5:E0DC6722A9BC7AF2D3FCF19E894F5043
SHA256:63C22FF05A3D78DD08DEDA98041B693BF13815DF41DA51CAA2DCA1BB991DDDB6
2952host.exeC:\Users\admin\AppData\Roaming\Logs\10-30-2023binary
MD5:CF2A793A33860FA0CC3C1F8CED04F7BD
SHA256:95C1A9CCB8F377A1136691475F2AB1BA703F96388730361A4CAC5F8E4A522E38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
3
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2952
host.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/
unknown
binary
297 b
3780
host.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/
unknown
binary
297 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
2656
svchost.exe
239.255.255.250:1900
unknown
3780
host.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown
2952
host.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown
2952
host.exe
197.166.203.42:60
youtubevideos.duckdns.org
LINKdotNET
EG
unknown
4
System
192.168.100.255:138
unknown

DNS requests

Domain
IP
Reputation
ip-api.com
  • 208.95.112.1
unknown
youtubevideos.duckdns.org
  • 197.166.203.42
unknown
dns.msftncsi.com
  • 131.107.255.255
unknown

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET MALWARE Common RAT Connectivity Check Observed
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
A Network Trojan was detected
ET MALWARE Common RAT Connectivity Check Observed
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] QuasarRAT Successful Connection (TCP)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
host.rar