Hello Everyone!
Crax.pro member you are hereby advised to be cautious when downloading btc flashing softwares either from here or any other platforms, as recently i encountered a scammer who had remote access to my pc who probably came from one of users uploaded software, luckily i did not had any my personal photos, data on my pc and got saved to be blackmailed by him, but he did added 2 factor authentication to my telegram which i have access to luckily because i was logged in on my phone, below is the information of the malware and softwares used to manipulate and control your pc
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
Crax.pro member you are hereby advised to be cautious when downloading btc flashing softwares either from here or any other platforms, as recently i encountered a scammer who had remote access to my pc who probably came from one of users uploaded software, luckily i did not had any my personal photos, data on my pc and got saved to be blackmailed by him, but he did added 2 factor authentication to my telegram which i have access to luckily because i was logged in on my phone, below is the information of the malware and softwares used to manipulate and control your pc
General Info
| File name: | BTCflasher 5.1 pro.rar |
| Full analysis: | https://app.any.run/tasks/84ba3bd1-8819-4682-8344-b9de412cdb80 |
| Verdict: | Malicious activity |
| Threats: | Quasar RAT Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. Malware Trends Tracker >>> |
| Analysis date: | October 05, 2023 at 23:14:37 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | evasion quasar rat remote |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | A5971E2152127475A137092B2F0FBC74 |
| SHA1: | 2B9456E21C375F90E8DFB9B5F05CD4ADA7539A24 |
| SHA256: | DA528385BE08955C71D4E7F082F1C9175630E033E055072FCD2000E76F0D8B36 |
| SSDEEP: | 98304:EXfTv5JBaYiOqs7cVbSGOBL1HhsfbXdh3Vx/LHKQC8vUdZVnNhaCmGfegoNPjCDx:oSD5NPKgNPPmQyohValgXQl |
Software environment set and analysis options
Behavior activities
MALICIOUS:
Drops the executable file immediately after the start
- BTCFlasher Pro V-5.1.exe (PID: 680)
- ._cache_BTCFlasher Pro V-5.1.exe (PID: 2264)
- 1.exe (PID: 3824)
- 2.exe (PID: 3964)
- ._cache_2.exe (PID: 584)
- ._cache_1.exe (PID: 2372)
Application was dropped or rewritten from another process
- BTCFlasher Pro V-5.1.exe (PID: 680)
- 1.exe (PID: 3824)
- Synaptics.exe (PID: 988)
- 2.exe (PID: 3964)
- ._cache_2.exe (PID: 3144)
- ._cache_1.exe (PID: 2372)
- ._cache_2.exe (PID: 584)
- Synaptics.exe (PID: 1120)
- HydraFlasher Pro V-5.1.exe (PID: 3008)
- Client.exe (PID: 3636)
- Client.exe (PID: 2040)
Changes the autorun value in the registry
- 2.exe (PID: 3964)
- Client.exe (PID: 3636)
Uses Task Scheduler to run other applications
- Client.exe (PID: 3636)
QUASAR has been detected (YARA)
- Client.exe (PID: 3636)
Actions looks like stealing of personal data
- Client.exe (PID: 3636)
Steals credentials from Web Browsers
- Client.exe (PID: 3636)
Connects to the CnC server
- Synaptics.exe (PID: 988)
QUASAR was detected
- Client.exe (PID: 3636)
SUSPICIOUS
Process drops legitimate windows executable
- WinRAR.exe (PID: 2252)
Reads the Internet Settings
- BTCFlasher Pro V-5.1.exe (PID: 680)
- ._cache_BTCFlasher Pro V-5.1.exe (PID: 2264)
- 1.exe (PID: 3824)
- 2.exe (PID: 3964)
- ._cache_2.exe (PID: 584)
- Synaptics.exe (PID: 988)
- Client.exe (PID: 3636)
- ._cache_1.exe (PID: 2372)
- HydraFlasher Pro V-5.1.exe (PID: 3008)
Start notepad (likely ransomware note)
- WinRAR.exe (PID: 2252)
Starts itself from another location
- ._cache_1.exe (PID: 2372)
Loads DLL from Mozilla Firefox
- Client.exe (PID: 3636)
Checks for external IP
- ._cache_1.exe (PID: 2372)
- Client.exe (PID: 3636)
Connects to unusual port
- Client.exe (PID: 3636)
Reads Mozilla Firefox installation path
- Client.exe (PID: 3636)
Reads settings of System Certificates
- HydraFlasher Pro V-5.1.exe (PID: 3008)
- Synaptics.exe (PID: 988)
Checks Windows Trust Settings
- Synaptics.exe (PID: 988)
Adds/modifies Windows certificates
- ._cache_2.exe (PID: 584)
The process executes via Task Scheduler
- Client.exe (PID: 2040)
Reads security settings of Internet Explorer
- Synaptics.exe (PID: 988)
INFO
Checks supported languages
- BTCFlasher Pro V-5.1.exe (PID: 680)
- ._cache_BTCFlasher Pro V-5.1.exe (PID: 2264)
- 1.exe (PID: 3824)
- 2.exe (PID: 3964)
- ._cache_1.exe (PID: 2372)
- Synaptics.exe (PID: 988)
- ._cache_2.exe (PID: 584)
- Synaptics.exe (PID: 1120)
- HydraFlasher Pro V-5.1.exe (PID: 3008)
- Client.exe (PID: 3636)
- Client.exe (PID: 2040)
Reads the computer name
- BTCFlasher Pro V-5.1.exe (PID: 680)
- ._cache_BTCFlasher Pro V-5.1.exe (PID: 2264)
- 2.exe (PID: 3964)
- 1.exe (PID: 3824)
- Synaptics.exe (PID: 988)
- ._cache_1.exe (PID: 2372)
- ._cache_2.exe (PID: 584)
- HydraFlasher Pro V-5.1.exe (PID: 3008)
- Synaptics.exe (PID: 1120)
- Client.exe (PID: 3636)
- Client.exe (PID: 2040)
Creates files in the program directory
- BTCFlasher Pro V-5.1.exe (PID: 680)
- Synaptics.exe (PID: 988)
Create files in a temporary directory
- BTCFlasher Pro V-5.1.exe (PID: 680)
- 2.exe (PID: 3964)
- ._cache_BTCFlasher Pro V-5.1.exe (PID: 2264)
- 1.exe (PID: 3824)
- ._cache_2.exe (PID: 584)
- Synaptics.exe (PID: 988)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 2252)
Reads the machine GUID from the registry
- BTCFlasher Pro V-5.1.exe (PID: 680)
- ._cache_1.exe (PID: 2372)
- 2.exe (PID: 3964)
- Client.exe (PID: 3636)
- Synaptics.exe (PID: 988)
- HydraFlasher Pro V-5.1.exe (PID: 3008)
- Client.exe (PID: 2040)
Reads Environment values
- ._cache_1.exe (PID: 2372)
- Client.exe (PID: 3636)
- HydraFlasher Pro V-5.1.exe (PID: 3008)
Creates files or folders in the user directory
- ._cache_1.exe (PID: 2372)
- Client.exe (PID: 3636)
- Synaptics.exe (PID: 988)
Checks proxy server information
- Synaptics.exe (PID: 988
