Field | Value |
---|---|
File name | citrioloader-unpacked.rar |
Full analysis | https://app.any.run/tasks/eb11b66b-9774-42cd-9dab-722fd07988fc |
Verdict | Malicious activity |
Threats | Quasar is a very popular RAT worldwide, thanks to its source code being openly available. This malware can be used to control the victim’s computer remotely. |
Analysis date | May 30, 2020, 06:34:32 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-rar |
File info | RAR archive data, v5 |
MD5 | 50ACD40EB09E10A64DBF8D3B391D9180 |
SHA1 | E9E08329CB03D9AD3C2713BEF00F08B8C41FF1AB |
SHA256 | F759118992AAF80AF3B17F57322FC70C56A55E459D9EBE7BBB35A558DDC60402 |
SSDEEP | 6144:on/BSkHFpWAhSaSXnxB0eTmjuqsgBRbTXxmGPs5Uo4cOVDjqSRVY1L5spyw:OZbliaSBBzTmNB5xmGPCUxcqzVY1Lu/ |
Extension | File type (confidence) |
---|---|
.rar | RAR compressed archive (v5.0) (61.5) |
.rar | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
964 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\citrioloader-unpacked.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
308 | "C:\Users\admin\Desktop\citrioloader-unpacked.exe" | C:\Users\admin\Desktop\citrioloader-unpacked.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0; Version: 1.3.0.0 |
1044 | "C:\Users\admin\AppData\Roaming\SubDir\scvhost.exe" | C:\Users\admin\AppData\Roaming\SubDir\scvhost.exe | | citrioloader-unpacked.exe | User: admin; Integrity Level: MEDIUM; Version: 1.3.0.0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
964 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb964.32771\citrioloader-unpacked.exe | — | — | — |
1044 | scvhost.exe | C:\Users\admin\AppData\Roaming\bin\05-30-2020 | binary | 5063A52AC03819CBDB7EE3908476D647 | 6F06E1DED8F4E1B1AA4D5577F3323D0934128B20B0B4DA9289B990098B3441D6 |
308 | citrioloader-unpacked.exe | C:\Users\admin\AppData\Roaming\SubDir\scvhost.exe | executable | D740B4DE44E5D3FC8B30FEE652C98AB0 | 5C24BE78F13CE64CD39E8C69BBC66C98C0F09CA5E20EC8D2F22C981AF4FB3402 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1044 | scvhost.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | text | 301 b | shared |
308 | citrioloader-unpacked.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | text | 301 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1044 | scvhost.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
— | — | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
1044 | scvhost.exe | 3.137.63.131:11461 | 0.tcp.ngrok.io | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
ip-api.com | | shared |
0.tcp.ngrok.io | | shared |
PID | Process | Class | Message |
---|---|---|---|
308 | citrioloader-unpacked.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
308 | citrioloader-unpacked.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
308 | citrioloader-unpacked.exe | A Network Trojan was detected | REMOTE [PTsecurity] Quasar.RAT IP Lookup |
1044 | scvhost.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
1044 | scvhost.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
1044 | scvhost.exe | A Network Trojan was detected | REMOTE [PTsecurity] Quasar.RAT IP Lookup |
— | — | Potential Corporate Privacy Violation | ET POLICY DNS Query to a *.ngrok domain (ngrok.io) |
1044 | scvhost.exe | A Network Trojan was detected | REMOTE [PTsecurity] Quasar |