File name: | 14.zip |
Full analysis: | https://app.any.run/tasks/3b2d288a-56f9-4ab5-a03b-44840b946148 |
Verdict: | Malicious activity |
Threats: | Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. |
Analysis date: | July 17, 2019, 09:34:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | C72823007DAEF4F39CFE02D49CAE4802 |
SHA1: | 8B5465114AE074D2B9DD260272BA9A8B2B9A0D17 |
SHA256: | E98B2BB010C379EBC9E33E83DC094FC83546643FEC117E66475A731A075E51BA |
SSDEEP: | 24576:tTyjaX73W7wM10/lSw+i7bY5PXdGIcl7vsGyQh9s7UDJZ+RF1PC2Vk:tTwGrWMNSw+inYhtGb7vsG3sgaRTk |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | - |
ZipCompression: | None |
ZipModifyDate: | 2019:07:16 20:56:07 |
ZipCRC: | 0x00000000 |
ZipCompressedSize: | - |
ZipUncompressedSize: | - |
ZipFileName: | nVPN checker by C0rpz and nadir/ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3540 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\14.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1772 | "C:\Users\admin\Desktop\nVPN checker by C0rpz and nadir\NordVPN Account checker by C0rpz and Nadir.exe" | C:\Users\admin\Desktop\nVPN checker by C0rpz and nadir\NordVPN Account checker by C0rpz and Nadir.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: Lime-Dropper-1 Exit code: 0 Version: 1.0.0.0 | ||||
840 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
2084 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Checker.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Checker.exe | NordVPN Account checker by C0rpz and Nadir.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.3.0.0 | ||||
3116 | "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\admin\Desktop\nVPN checker by C0rpz and nadir\NordVPN Account checker by C0rpz and Nadir.exe" | C:\Windows\System32\cmd.exe | — | NordVPN Account checker by C0rpz and Nadir.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3840 | choice /C Y /N /D Y /T 1 | C:\Windows\system32\choice.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Offers the user a choice Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3252 | "C:\Users\admin\AppData\Roaming\SubDir\windefender.exe" | C:\Users\admin\AppData\Roaming\SubDir\windefender.exe | Checker.exe | |
User: admin Integrity Level: MEDIUM Version: 1.3.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2084 | Checker.exe | C:\Users\admin\AppData\Roaming\SubDir\windefender.exe | executable | |
MD5:5015F0193E9625C6A7D72E682C96B698 | SHA256:E383E74D909BB6B29BFD139BFBBCF1422879751E02CB5299416793522B5D078F | |||
1772 | NordVPN Account checker by C0rpz and Nadir.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Checker.exe | executable | |
MD5:5015F0193E9625C6A7D72E682C96B698 | SHA256:E383E74D909BB6B29BFD139BFBBCF1422879751E02CB5299416793522B5D078F | |||
3540 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3540.8193\nVPN checker by C0rpz and nadir\NordVPN Account checker by C0rpz and Nadir.exe | executable | |
MD5:DB0590AB324516D7E51A13E75E3C60C0 | SHA256:C38A706071CAB1D53EC84D88E280351B14113D52EF97396B5F934B314E1E1E09 | |||
3540 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3540.8193\nVPN checker by C0rpz and nadir\Leaf.xNet.dll | executable | |
MD5:B5CB88DE9FE40B6645496F9543CE8E26 | SHA256:A91293829D0A4A0F2F34787FC1BA13B9D3AA4F640D0FCA652B24A88F464BC343 | |||
3540 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3540.8193\nVPN checker by C0rpz and nadir\Colorful.Console.dll | executable | |
MD5:5F3D2CFBC21591B8FEEF1EFA3E59A4D0 | SHA256:F31D4FD7E729FC6CF4ECAB972B6B1EE897918A325B1CA572030966F831E768FB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2084 | Checker.exe | GET | 301 | 104.26.14.73:80 | http://freegeoip.net/xml/ | US | — | — | shared |
2084 | Checker.exe | GET | 403 | 104.26.14.73:80 | http://freegeoip.net/shutdown | US | text | 1.51 Kb | shared |
2084 | Checker.exe | GET | 200 | 50.16.229.140:80 | http://api.ipify.org/ | US | text | 15 b | shared |
3252 | windefender.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text | 256 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2084 | Checker.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown |
1772 | NordVPN Account checker by C0rpz and Nadir.exe | 162.159.129.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
2084 | Checker.exe | 104.26.14.73:80 | freegeoip.net | Cloudflare Inc | US | shared |
3252 | windefender.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown |
3252 | windefender.exe | 134.209.92.44:4782 | — | — | US | malicious |
2084 | Checker.exe | 50.16.229.140:80 | api.ipify.org | Amazon.com, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
cdn.discordapp.com |
| shared |
ip-api.com |
| shared |
freegeoip.net |
| shared |
api.ipify.org |
| shared |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2084 | Checker.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org |
2084 | Checker.exe | A Network Trojan was detected | MALWARE [PTsecurity] Possible W32/Quasar 1.3 RAT Connectivity Check |
3252 | windefender.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3252 | windefender.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
3252 | windefender.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar 1.3 RAT IP Lookup ip-api.com (HTTP headeer) |
3252 | windefender.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar RAT |