Malicious

044011bd4f8ff29f900d646d831202b0

PE Executable | MD5: 044011bd4f8ff29f900d646d831202b0 | Size: 48.64 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score: Low

Hash
MD5: 044011bd4f8ff29f900d646d831202b0
SHA-1: cf1cce93c256d8c313e2b55f005057256a7fa66c
SHA-256: a22628f18c66034193ebf0a6d9fd6b50a6b86f700b29549b87dc4d545c111463
SHA-384: beea4bfa3977cb25908080545f144c5d140fc6777ed7b53ac55fcfa20b2bd1de0ae78cb4cdba10a5c4997d547936085c
SHA-512: 512783eced3d4a960cb243d47d717743cc4ad4cf7d16d2cb5d85e8bc3f9ded3ce2c0d9816346f06bfe1fc6a273295917483c8050092f25f05b0204db7606e77a
SSDeep: 768:MIPaTqPRCpGPSwwRq1D5MLXayt/jbdg65XwMYuRXjNTfZGgCqsf+:MIPaTb6m5LbK6ZwMzRXjNThHDsf+
TLSH: C1233C003BE8422AF6BE5FB958F231494A79F6576503D65E1CC401DA1A23BC6DE01BFE

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
  DosHeader
  PE Header
  Optional Header (x86)
  Section Headers
    .text
    .rsrc
    .reloc
  Resources
    RT_VERSION
      ID:0001
        ID:0
    RT_MANIFEST
      ID:0001
        ID:0
Malware Configuration - AsyncRAT config.
Key (AES_256): UlZ2c2wyVlJmRTZoSERWVlExdFJraHFKbVhYSUNvUW8=
Pastebin: -
Certificate: (value not present on this page)
ServerSignature: OV/M+2FqG9XFkthzh+m2Xp3fLDYqIGk5gWl0AUzohmXmjXnYFiZbJfOgJ4Y01rdDAm9j8Wu0VuYeJ925b/qxQtYAOVm9atXTwt3QEdRsy/hGAWDxPgKU084n3xGVU0/n8MMCjGREnSJDtg02+o4CMp5NypcZtTiIS3zFL9SmqjMNaXiBr8i3XfoZYdDX970NvVEWfF4184n3nfgE/Y4thN/uo6fiX7JTmt+bPA5yCzIMGM4uB5q8mUaNdQcyN8h+6u//z4rv/uZGQVP5QZVZIxo7Ea5awY7qNGKJpa1K0o/kE4m0whjQ7s4O5k4YZLO4dPjr6F5IHxPdAD6EaItSIWnY5gsbWgG7o2+RzzOpIes5Zsoeo7vrkzsYDBmKIP1zCsxYCl+m0i4glt8lRPKdTyFe0IEjGMWDoQElb7Hxcl/jL/da2MsVcN5MG653xG/bN61ML3TERyTz7omo8yi58fwbya3b6x7rJoKJOizCTf97ixaeiUXyOFjJBFLwAs2OHYm9biiM0ydzyP3VKbPefhZaonRbuixIhBExs9z102eHaqbWUYOKIXAPcweX/wRGdz/mi0pHUqrcF/r0AIh/EqD1Xi7m6WfasnZd9a0+XKksdg/7mlSyjZTQAE/UkM9ufgVvj2AXyYHfycy8qY2dz6x2dW7uqRje4kB5tWS6q3c=
Install: true
BDOS: false
Anti-VM: false
Install File: yandex.async.exe
Install-Folder: %AppData%
Hosts: 127.0.0.1,196.251.107.94
Ports: 6606,7707,8808
Mutex: 63ioG8Rs92Yk
Version: 0.5.8
Delay: 3
Group: Default

Information
Info: PE Detect: PeReader OK (file layout)
Module Name: AsyncClient.exe
Full Name: AsyncClient.exe
EntryPoint: System.Void Client.Program::Main()
Scope Name: AsyncClient.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: AsyncClient
Assembly Version: 1.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.8
Total Strings: 171
Main Method: System.Void Client.Program::Main()
Main IL Instruction Count: 180
Main IL:

newobj System.Void Client.Program/<>c__DisplayClass3_0::.ctor() stloc.0 <null> call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() stloc.1 <null> ldloc.0 <null> ldloc.1 <null> callvirt System.Diagnostics.ProcessModule System.Diagnostics.Process::get_MainModule() callvirt System.String System.Diagnostics.ProcessModule::get_FileName() stfld System.String Client.Program/<>c__DisplayClass3_0::currentPath ldloc.1 <null> callvirt System.String System.Diagnostics.Process::get_ProcessName() call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) ldloc.0 <null> ldftn System.Boolean Client.Program/<>c__DisplayClass3_0::<Main>b__0(System.Diagnostics.Process) newobj System.Void System.Func`2<System.Diagnostics.Process,System.Boolean>::.ctor(System.Object,System.IntPtr) call System.Int32 System.Linq.Enumerable::Count<System.Diagnostics.Process>(System.Collections.Generic.IEnumerable`1<System.Diagnostics.Process>,System.Func`2<System.Diagnostics.Process,System.Boolean>) ldc.i4.1 <null> ble IL_0045: ldsfld System.Action Client.Program/<>c::<>9__3_1 ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) ldsfld System.Action Client.Program/<>c::<>9__3_1 dup <null> brtrue IL_0067: call System.Threading.Tasks.Task System.Threading.Tasks.Task::Run(System.Action) pop <null> ldsfld Client.Program/<>c Client.Program/<>c::<>9 ldftn System.Void Client.Program/<>c::<Main>b__3_1() newobj System.Void System.Action::.ctor(System.Object,System.IntPtr) dup <null> stsfld System.Action Client.Program/<>c::<>9__3_1 call System.Threading.Tasks.Task System.Threading.Tasks.Task::Run(System.Action) pop <null> ldc.i4.0 <null> stloc.2 <null> br IL_0082: ldloc.2 ldc.i4 1000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldloc.2 <null> ldc.i4.1 <null> add <null> stloc.2 <null> ldloc.2 <null> ldsfld System.String Client.Settings::Delay call System.Int32 System.Convert::ToInt32(System.String) blt.s IL_0074: 
ldc.i4 1000 call System.Boolean Client.Settings::InitializeSettings() brtrue IL_009F: nop ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> call System.Boolean Client.Helper.MutexControl::CreateMutex() brtrue IL_00B0: ldsfld System.String Client.Settings::Anti ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) ldsfld System.String Client.Settings::Anti call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00C4: ldsfld System.String Client.Settings::Install call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis() ldsfld System.String Client.Settings::Install call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00D8: ldsfld System.String Client.Settings::BDOS call System.Void Client.Install.NormalStartup::Install() ldsfld System.String Client.Settings::BDOS call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00F6: call System.Void Client.Helper.Methods::PreventSleep() call System.Boolean Client.Helper.Methods::IsAdmin() brfalse IL_00F6: call System.Void Client.Helper.Methods::PreventSleep() call System.Void Client.Helper.ProcessCritical::Set() call System.Void Client.Helper.Methods::PreventSleep() leave IL_0106: ldc.i4.1 pop <null> leave IL_0106: ldc.i4.1 ldc.i4.1 <null> stloc.3 <null> nop <null> ldsfld System.Boolean Client.Program::taskmgr_active brtrue IL_0140: call System.Boolean Client.Connection.ClientSocket::get_IsConnected() ldloc.3 <null> brtrue IL_0127: call System.Boolean Client.Connection.ClientSocket::get_IsConnected() ldstr Task Manager isn't running call System.Void Client.Handle_Packet.Packet::Info(System.String) ldloc.3 <null> ldc.i4.1 <null> add <null> stloc.3 <null> call System.Boolean Client.Connection.ClientSocket::get_IsConnected() brtrue IL_0258: leave IL_0263 call System.Void Client.Connection.ClientSocket::Reconnect() call System.Void Client.Connection.ClientSocket::InitializeClient() br IL_0258: leave IL_0263 call 
System.Boolean Client.Connection.ClientSocket::get_IsConnected() brfalse IL_0258: leave IL_0263 ldsfld System.Boolean Client.Program::taskmgr_active brfalse IL_0258: leave IL_0263 ldstr Task Manager is running call System.Void Client.Handle_Packet.Packet::Info(System.String) ldc.i4.0 <null> stloc.3 <null> ldsfld System.Boolean Client.Program::cmenir_active brtrue IL_0174: ldstr "nnsapi" ldsfld System.Boolean Client.Program::gmenir_active brfalse IL_0258: leave IL_0263 ldstr nnsapi call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) pop <null> ldstr APIaudioDSGPU call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) pop <null> ldstr nnsapi call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) stloc.s V_4 ldc.i4.0 <null> stloc.s V_5 br IL_01E9: ldloc.s V_5 ldloc.s V_4 ldloc.s V_5 ldelem System.Diagnostics.Process stloc.s V_6 ldloc.s V_6 callvirt System.Void System.Diagnostics.Process::Kill() ldloc.s V_6 callvirt System.Void System.Diagnostics.Process::WaitForExit() ldstr Terminated process nnsapi call System.Void Client.Handle_Packet.Packet::Info(System.String) leave IL_01E3: ldloc.s V_5 stloc.s V_7 ldstr Error terminating process: ldloc.s V_7 callvirt System.String System.Exception::get_Message() call System.String System.String::Concat(System.String,System.String) call System.Void Client.Handle_Packet.Packet::Error(System.String) leave IL_01E3: ldloc.s V_5 ldloc.s V_5 ldc.i4.1 <null> add <null> stloc.s V_5 ldloc.s V_5 ldloc.s V_4 ldlen <null> conv.i4 <null> blt.s IL_019E: ldloc.s V_4 ldstr APIaudioDSGPU call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) stloc.s V_4 ldc.i4.0 <null> stloc.s V_5 br IL_0250: ldloc.s V_5 ldloc.s V_4 ldloc.s V_5 ldelem System.Diagnostics.Process stloc.s V_8 ldloc.s V_8 callvirt System.Void System.Diagnostics.Process::Kill() ldloc.s V_8 callvirt System.Void 
System.Diagnostics.Process::WaitForExit() ldstr Terminated process APIaudioDSGPU call System.Void Client.Handle_Packet.Packet::Info(System.String) leave IL_024A: ldloc.s V_5 stloc.s V_9 ldstr Error terminating process: ldloc.s V_9 callvirt System.String System.Exception::get_Message() call System.String System.String::Concat(System.String,System.String) call System.Void Client.Handle_Packet.Packet::Error(System.String) leave IL_024A: ldloc.s V_5 ldloc.s V_5 ldc.i4.1 <null> add <null> stloc.s V_5 ldloc.s V_5 ldloc.s V_4 ldlen <null> conv.i4 <null> blt.s IL_0205: ldloc.s V_4 leave IL_0263: ldsfld System.String Client.Settings::Delay pop <null> leave IL_0263: ldsfld System.String Client.Settings::Delay ldsfld System.String Client.Settings::Delay call System.Int32 System.Convert::ToInt32(System.String) call System.Void System.Threading.Thread::Sleep(System.Int32) br IL_0108: nop

Artefacts
Key (AES_256): UlZ2c2wyVlJmRTZoSERWVlExdFJraHFKbVhYSUNvUW8=
CnC: 127.0.0.1
CnC: 196.251.107.94
Ports: 6606
Ports: 7707
Ports: 8808
Mutex: 63ioG8Rs92Yk
