File name: | New folder (2).zip |
Full analysis: | https://app.any.run/tasks/1dc3566b-7852-4e0f-8fab-42b8d2f5b8c8 |
Verdict: | Malicious activity |
Threats: | Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. |
Analysis date: | July 12, 2020, 15:58:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 52DB15D48A6807EDC9A0CE8AF4ADCC46 |
SHA1: | 2E59A16A0D485EA539CDA56163EAA6302C960206 |
SHA256: | C5B861C2995D96F9AC8545FBDE4F2B2E3EBFA0E078B4C839089561240F0DAE5F |
SSDEEP: | 3072:z1DWXjEctaotj9F830BfBwYT0ewkjEqOWyoMjsuojjd0caBTuWpRdAO8qp8u:z1WzEvotj9F8ofc6ENonj5HagA6u |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Subfile.exe |
---|---|
ZipUncompressedSize: | 356352 |
ZipCompressedSize: | 184184 |
ZipCRC: | 0xca7b17ab |
ZipModifyDate: | 2020:04:12 10:49:06 |
ZipCompression: | Unknown (99) |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1816 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\New folder (2).zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2252 | "C:\Users\admin\Desktop\Subfile.exe" | C:\Users\admin\Desktop\Subfile.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Version: 1.3.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2252 | Subfile.exe | C:\Users\admin\AppData\Roaming\Logs\07-12-2020 | gpg | |
MD5:0A5DE5D19BF0A824A029B345F2EAD04D | SHA256:7EF8F861F8E7C04456EF2EEB1436292EA4B00119A960065F44F7A3EB0A9DBEBE | |||
1816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1816.36678\Subfile.exe | executable | |
MD5:0FAD3FE9F156F4FC3BE5DDC9B2BE3C45 | SHA256:9575D5672850F340345760AEFEED96CFB260F2C2179F931DBA67712F20875683 | |||
1816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1816.36678\Sys32.exe | executable | |
MD5:B1573E75E10483D930AED66D639877E7 | SHA256:5766A0BFC28184AFE968502F41747010915718E69D90ACEF39D68D459BC0D433 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2252 | Subfile.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | text | 281 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2252 | Subfile.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
2252 | Subfile.exe | 45.80.151.39:60002 | — | — | — | suspicious |
Domain | IP | Reputation |
---|---|---|
ip-api.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2252 | Subfile.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
2252 | Subfile.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
2252 | Subfile.exe | A Network Trojan was detected | REMOTE [PTsecurity] Quasar.RAT IP Lookup |