Malicious

0474f309e0b9af5222f03726017b96cc

PE Executable | MD5: 0474f309e0b9af5222f03726017b96cc | Size: 356.86 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score | Medium

Hash | Hash Value
MD5 | 0474f309e0b9af5222f03726017b96cc
Sha1 | 994810ebd12f0ab08262c15030b9abf68f33ceaa
Sha256 | f02749e9900b95e98dbbb0f9845b7a071869470eea01c76e42bef3d94753bfcb
Sha384 | 6bd1ee10cafb16bf13875a71dd293b5ff3736817b0ddb021cb0a0ebb8b73179d9dbc17ede2d1cb16de77723c63f60e9f
Sha512 | 9ee8560d898fd633c6db920defc0e349d5b07d26818606a48e15c119fbf837f1d61db32e13710c2386771db21593fe1bca770637ad5423669e8fba6111c70d63
SSDeep | 6144:sLwb/c2L0t+EL2kbyrH8Bx0LvYmS6J9EZGO+:OH2LgS38GBS0EZGO+
TLSH | 2A749D1377E8DA3BD1FD173AE43206194BB0D4677612E38B5A5AA5F82D233868D443B3

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Malware Configuration - QuasarRAT config.
Config. Field | Value
Conf. AES-Salt | BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key | mILR4WdDNMh8ulUJyfWN
Conf. AES-Salt | BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Port | toptop
Host | toptop
Conf. AES-Key | mILR4WdDNMh8ulUJyfWN
Conf. AES-Salt | BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Port | 4782
Host | toptoptop3.online
Conf. AES-Key | mILR4WdDNMh8ulUJyfWN
Version | 1.3.0.0
Port | 4782
Host | 37.19.193.217
ReconnectDelay | 3000
Key | 1WvgEMPjdwfqIMeM9MclyQ==
AuthKey | NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
SubDirectory | SubDir
InstallName | Client.exe
Install | 0
Startup | 0
Mutex | QSR_MUTEX_YtiKGF
StartupKey | Quasar Client St
HideFile | 0
EnableLogger | 0
Tag | Aug22
LogDirectory | Logs
HideLogDirectory | 0
HideLogSubdirectory | 0
Informations
Name | Value
Info | PE Detect: PeReader FAIL, AsmResolver Mapped OK
Module Name | Client.exe
Full Name | Client.exe
EntryPoint | System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::Main(System.String[])
Scope Name | Client.exe
Scope Type | ModuleDef
Kind | Windows
Runtime Version | v4.0.30319
Tables Header Version | 512
WinMD Version | <null>
Assembly Name | Client
Assembly Version | 1.3.0.0
Assembly Culture | <null>
Has PublicKey | False
PublicKey Token | <null>
Target Framework | .NETFramework,Version=v4.0,Profile=Client
Total Strings | 896
Main Method | System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::Main(System.String[])
Main IL Instruction Count | 19
Main IL

call System.Void System.Windows.Forms.Application::EnableVisualStyles() ldc.i4.0 <null> call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean) call System.AppDomain System.AppDomain::get_CurrentDomain() ldnull <null> ldftn System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::೅湟랒Ⱥ킢ꮪȡ㐨ሏ説ᾈ뷺砖᯼쪒蒸걾や(System.Object,System.UnhandledExceptionEventArgs) newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr) callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler) call System.Boolean 쁭린�孈꛴ք㢬쮄ꖥ쪰吳鉵蔳锰퐉佱嚂糎::ٞ띻퍖䎸톶᳢᷎�櫋殫蠦䯳儽�ߴ栎虆ܼኯ() brfalse.s IL_0040: call System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::盙疛䟇侕⽣趤鎻㟽滤אַ᜷眴ﳷⳌ() call System.Boolean �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::薐낒ۄ쁞㱴譚챖ꁥ⽂㡫䕫쭸踊ၙ좝圬ꃸ華() brfalse.s IL_0040: call System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::盙疛䟇侕⽣趤鎻㟽滤אַ᜷眴ﳷⳌ() call System.Boolean ᑢᆴ敎超缆徤逿΢‴ꛆ⬔睮栆䀕쉱뙼觃::get_Exiting() brtrue.s IL_0040: call System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::盙疛䟇侕⽣趤鎻㟽滤אַ᜷眴ﳷⳌ() ldsfld ᑢᆴ敎超缆徤逿΢‴ꛆ⬔睮栆䀕쉱뙼觃 �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::⯜ᠫﳌ녃͘∛卾跰횼澋㜝撝ꈖ푈믐㜛⇾ callvirt System.Void ᑢᆴ敎超缆徤逿΢‴ꛆ⬔睮栆䀕쉱뙼觃::ᷗ쳵䯯閽칙덦�ꮳⵕ⑩擮醱㉾ᎍ�猞ﴱ鈛矺() call System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::盙疛䟇侕⽣趤鎻㟽滤אַ᜷眴ﳷⳌ() call System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::㚮ꃪࠎꏧ␅䗊囘�펾뛭퉣夿૟曬締㗥敃၄뎙() ret <null>

Artefacts
Name | Value
CnC | 37.19.193.217
Port | 4782
CnC | toptoptop3.online
CnC | toptop
Port | toptop
PE Layout | MemoryMapped (process dump suspected)
