Malicious

00dac2a767edac928f50b4882b05d91d

PE Executable | MD5: 00dac2a767edac928f50b4882b05d91d | Size: 376.84 KB | application/x-dosexec


Infection Chain
Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score: Medium

Hashes

MD5: 00dac2a767edac928f50b4882b05d91d
SHA1: 8985ed3a331db1c7631f5fcad66a616cf12ca2e5
SHA256: 32efbd73f31140f0644eef37aec518197b5a5abffb8bbe3b41df544917028f4a
SHA384: a6101d00641dd1fb26bc16608127dce7068e3d206adee7c0cd7be7b621e471d9ba919b4230f1f9265ee678733e5f7ca4
SHA512: e55c1c1ff113739d19c057b0227be9ef5bdbb603459dbb113758b4154b4aece018a35157b110a46a8ba3cfcb710f2cbd8a51635bd10db1dd18aabb6ea4684e61
SSDeep: 3072:zLrd+wLWODsgb910cEqpyDcsv1BjhTmZGgUgjO23VbIX+rH2dp0b5pEThCbgv7EZ:zPBLrDN9+cE7rq00lpzbdjN4ZcLHCq
TLSH: 3B849E1373A8DA7BD1FD2736F43606154BB1D40BB616E38B6A5845F92C233868E913B3

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Malware Configuration - QuasarRAT config.

Config. Field: Value

Conf. AES-Key: eES6SBulgce4Hs4EBasu
Conf. AES-Salt: BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41

C2 entries, in the order the config parser emitted them. Every entry was extracted with the same Conf. AES-Key and Conf. AES-Salt listed above; the first entry's port is recorded as "4" in the parser output.

Port: 4 / Host: RgNSTMHSnjafPEX.ru
Port: 4782 / Host: VYJjpyHabYhrJDd.ru
Port: 4782 / Host: DqUTFasmBwlEIBT.ru
Port: 4782 / Host: QVggEpcffTSfXLG.ru
Port: 4782 / Host: yPZmTJDDnmJhkwf.ru
Port: 4782 / Host: ytXDZUKKgHETqys.ru
Port: 4782 / Host: ByZBzewBiKXuqUR.ru
Port: 4782 / Host: DGnZQjkVDhsxgVV.ru
Port: 4782 / Host: JDIsOivQCBlbzlN.ru
Port: 4782 / Host: moNxVtjgeWpPVUz.ru
Port: 4782 / Host: QfFaRBPqOoJQqEF.ru
Port: 4782 / Host: FHXvaxLSFIDvieO.ru
Port: 4782 / Host: xMfLSMPKBWsgmUC.ru
Port: 4782 / Host: RHjqJCxmCalXXEe.ru
Port: 4782 / Host: o6tqyui3rxxk2sfghduiypzz7pxlym.ru
Port: 4782 / Host: jwy1nw4mcx2svbmvgo76.ru

Client settings:

Version: 1.3.0.0
ReconnectDelay: 3000
Key: 3oFWIvMChM6pJ0Z164JW3w==
AuthKey: wjsDuVxqxDbIHCsxqjlReQrFyVYlgWif3clyw0lzPaOMuhSeCl/tvyYcRpFzvxdYZvHDsa416Bgj5xUtItrQRA==
SubDirectory: SubDir
InstallName: Client.exe
Install: 0
Startup: 0
Mutex: DSmEzhVMjvXkI01E
StartupKey: Quasar Client St
HideFile: 0
EnableLogger: 0
Tag: XXXxsnews
LogDirectory: Logs
HideLogDirectory: 0
HideLogSubdirectory: 0

Informations

Name: Value

Info: PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info: Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_af64191a.exe
Module Name: Client.exe
Full Name: Client.exe
EntryPoint: System.Void 砭ⴈ꛲〃ӽ࣢בֿ○邝৫ᔕ鴚Ⱛᛂ�⟊岱䅃::Main(System.String[])
Scope Name: Client.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: Client
Assembly Version: 1.3.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0,Profile=Client
Total Strings: 896
Main Method: System.Void 砭ⴈ꛲〃ӽ࣢בֿ○邝৫ᔕ鴚Ⱛᛂ�⟊岱䅃::Main(System.String[])
Main IL Instruction Count: 19

Main IL (one instruction per line; branch targets are shown inline after the opcode, as the parser printed them; the type and method names are the sample's obfuscated symbols):

call System.Void System.Windows.Forms.Application::EnableVisualStyles()
ldc.i4.0 <null>
call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
call System.AppDomain System.AppDomain::get_CurrentDomain()
ldnull <null>
ldftn System.Void 砭ⴈ꛲〃ӽ࣢בֿ○邝৫ᔕ鴚Ⱛᛂ�⟊岱䅃::툮͌䧛Ꮩ麳�친苊镽ൄ⁲죽Ꮎ䫐Ỽ⽹쓫몝(System.Object,System.UnhandledExceptionEventArgs)
newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
call System.Boolean 舲割ᤓ庿侌䇫쿽᜙�許잞泓轥젍忙筃뎕훚::瑶�侩狁靦噦귎羭ľ墥淼䧗뚩혾ꈼ㉬()
brfalse.s IL_0040: call System.Void 砭ⴈ꛲〃ӽ࣢בֿ○邝৫ᔕ鴚Ⱛᛂ�⟊岱䅃::턻疗亀籲臲⥄ᴀ긽紕䱽遏꾘鶕歫殳㑦曮はẺᄨ()
call System.Boolean 砭ⴈ꛲〃ӽ࣢בֿ○邝৫ᔕ鴚Ⱛᛂ�⟊岱䅃::ၐ췭�琦᠍誜룯㺸펶퀙฿탦䐚惁륫ἕ깓鰷()
brfalse.s IL_0040: call System.Void 砭ⴈ꛲〃ӽ࣢בֿ○邝৫ᔕ鴚Ⱛᛂ�⟊岱䅃::턻疗亀籲臲⥄ᴀ긽紕䱽遏꾘鶕歫殳㑦曮はẺᄨ()
call System.Boolean �腌깙䫩損육㥮Ử⪫䞯蹢䦺䒸ઈ᩟ᛦᢳ옳ࡕ::get_Exiting()
brtrue.s IL_0040: call System.Void 砭ⴈ꛲〃ӽ࣢בֿ○邝৫ᔕ鴚Ⱛᛂ�⟊岱䅃::턻疗亀籲臲⥄ᴀ긽紕䱽遏꾘鶕歫殳㑦曮はẺᄨ()
ldsfld �腌깙䫩損육㥮Ử⪫䞯蹢䦺䒸ઈ᩟ᛦᢳ옳ࡕ 砭ⴈ꛲〃ӽ࣢בֿ○邝৫ᔕ鴚Ⱛᛂ�⟊岱䅃::炸弜㼋糠蒿拰馒ꣴŢ鲣丠┝쟹㩞옏빼蟺쭺☶
callvirt System.Void �腌깙䫩損육㥮Ử⪫䞯蹢䦺䒸ઈ᩟ᛦᢳ옳ࡕ::쐦軚鋈烜�ꦭ晑滚さ闧㔍椈ଘ퀕끁()
call System.Void 砭ⴈ꛲〃ӽ࣢בֿ○邝৫ᔕ鴚Ⱛᛂ�⟊岱䅃::턻疗亀籲臲⥄ᴀ긽紕䱽遏꾘鶕歫殳㑦曮はẺᄨ()
call System.Void 砭ⴈ꛲〃ӽ࣢בֿ○邝৫ᔕ鴚Ⱛᛂ�⟊岱䅃::옙墅￐텉輰䴭倮溹荜�鹂鸷楹꺟똛訣()
ret <null>


Artefacts

Name: Value
PE Layout: MemoryMapped (process dump suspected)
