Infection Chain
Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score: Medium

Hashes
  MD5:    0a94a76d6000269f4db3b6bcd06d4def
  SHA1:   d94ecd90996bd27ea95a81c56ec1074933551b7c
  SHA256: aeaea1fb6584e08b536a83866f2dfbf28b343098bf9c186c9b75642a60867ed8
  SHA384: aa2b252f27c91bff4ec516cbf093ae6f679eff25e33441f4a63dd2ea336fdafffc46071330328f74a7f47a86b4a27f07
  SHA512: b496c6d15eebc7e18024711bd1a5e6239b1cdf54ea0870f7f9b6d026990bf618a89e9372ddb226b049984d6d446e4df6fabe3195cd611462d100d8fb12362f5f
  SSDeep: 12288:HqL2Swb6Cm5GZ6OIJzckfGGv5KTpEyxW/yFot2wkda7EGgkNG3M2UHrnH4wlH:H62SwbIxJzck+uGW/yFoBkkA2Ln1H
  TLSH:   F815D090B7F8860BE1FF5BB8E47608444B73B6569976C74F098864AD0FA3790CE513A3

PeID
  .NET executable
  Microsoft Visual C# / Basic .NET
  Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
  Microsoft Visual C# v7.0 / Basic .NET
  Microsoft Visual Studio .NET
File Structure
  Structure
    DosHeader
    PE Header
    Optional Header (x86)
    Section Headers
      .text
      .rsrc
      .reloc
    Resources
      RT_ICON
        ID:0001
          ID:0 (ID:0-preview.png)
      RT_GROUP_CURSOR4
        ID:0001
          ID:0
      RT_VERSION
        ID:0001
          ID:0
      RT_MANIFEST
        ID:0001
          ID:0
    .Net Resources
      Pulsar.Client.FrmRemoteChat.resources
      costura.messagepack.dll.compressed
        Structure: DosHeader, PE Header, Optional Header (x86), Section Headers (.text, .rsrc, .reloc)
        Resources: RT_VERSION (ID:0001 / ID:0)
      costura.messagepack.annotations.dll.compressed
        Structure: DosHeader, PE Header, Optional Header (x86), Section Headers (.text, .rsrc, .reloc)
        Resources: RT_VERSION (ID:0001 / ID:0)
      costura.system.buffers.dll.compressed
        [Authenticode]_8c38879e.p7b
        Structure: DosHeader, PE Header, Optional Header (x86), Section Headers (.text, .rsrc, .reloc)
        Resources: RT_VERSION (ID:0001 / ID:0)
        .Net Resources: FxResources.System.Buffers.SR.resources
      costura.system.collections.immutable.dll.compressed
        [Authenticode]_937eee08.p7b
        Structure: DosHeader, PE Header, Optional Header (x86), Section Headers (.text, .rsrc, .reloc)
        Resources: RT_VERSION (ID:0001 / ID:0)
        .Net Resources: FxResources.System.Collections.Immutable.SR.resources, ILLink.Substitutions.xml
      costura.system.memory.dll.compressed
        [Authenticode]_15ab3250.p7b
        Structure: DosHeader, PE Header, Optional Header (x86), Section Headers (.text, .rsrc, .reloc)
        Resources: RT_VERSION (ID:0001 / ID:0)
        .Net Resources: FxResources.System.Memory.SR.resources
      costura.system.numerics.vectors.dll.compressed
        [Authenticode]_ae030d4d.p7b
        Structure: DosHeader, PE Header, Optional Header (x86), Section Headers (.text, .rsrc, .reloc)
        Resources: RT_VERSION (ID:0001 / ID:0)
        .Net Resources: FxResources.System.Numerics.Vectors.SR.resources
      costura.system.runtime.compilerservices.unsafe.dll.compressed
        [Authenticode]_e61c97b9.p7b
        Structure: DosHeader, PE Header, Optional Header (x86), Section Headers (.text, .rsrc, .reloc)
        Resources: RT_VERSION (ID:0001 / ID:0)
      costura.system.threading.tasks.extensions.dll.compressed
        [Authenticode]_7121b905.p7b
        Structure: DosHeader, PE Header, Optional Header (x86), Section Headers (.text, .rsrc, .reloc)
        Resources: RT_VERSION (ID:0001 / ID:0)
      costura.pulsar.common.dll.compressed
        Structure: DosHeader, PE Header, Optional Header (x86), Section Headers (.text, .rsrc, .reloc)
        Resources: RT_VERSION (ID:0001 / ID:0)
      costura.metadata
Malware Configuration - QuasarRAT config.
  Conf. AES-Salt: BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
  Conf. AES-Key: (empty)
  Version: ObjectLength
  Port: ChainingModeGCM
  Host: ChainingModeGCM
  ReconnectDelay: AuthTagLength
  Key: ChainingMode
  SubDirectory: KeyDataBlob
  InstallName: AES
  Install: Microsoft Primitive Provider
  Startup: 1
  Mutex: 1
  StartupKey: -1073700862
  HideFile: M+UDD+LD9apc4NJuhc9Uxqhm7/pQEE3p1x+O+NDksUEX
  EnableLogger: hwX/1LYFBTdtF4MBkv8auTN0rFPx2yN1Le4JKRA/5Fxw4LpxGUoR5Hq+OftZEf3gF5K3uSDUDnxJHbx+zw==
  EncryptionKey: 3000

Note: several of the values above (ObjectLength, ChainingModeGCM, AuthTagLength, ChainingMode, KeyDataBlob, AES, Microsoft Primitive Provider) are Windows CNG/BCrypt property and provider name strings rather than RAT settings, so the extracted Host and Port fields should not be used as C2 indicators without manual verification of the sample.


Information
  Info: PE Detect: PeReader OK (file layout)
  Info: PDB Path: ?
  Module Name: Client.exe
  Full Name: Client.exe
  EntryPoint: System.Void nktdhkmhprvmxdibhkqeotdcfbamm.4L2xrWZuAtW1lRQaK::Main()
  Scope Name: Client.exe
  Scope Type: ModuleDef
  Kind: Windows
  Runtime Version: v4.0.30319
  Tables Header Version: 512
  WinMD Version: <null>
  Assembly Name: Client
  Assembly Version: 2.3.2.0
  Assembly Culture: <null>
  Has PublicKey: False
  PublicKey Token: <null>
  Target Framework: .NETFramework,Version=v4.8.1
  Total Strings: 1612
  Main Method: System.Void nktdhkmhprvmxdibhkqeotdcfbamm.4L2xrWZuAtW1lRQaK::Main()
  Main IL Instruction Count: 11
  Main IL:
    ldc.i4 3072
    call System.Void System.Net.ServicePointManager::set_SecurityProtocol(System.Net.SecurityProtocolType)
    ldc.i4.2
    call System.Void System.Windows.Forms.Application::SetUnhandledExceptionMode(System.Windows.Forms.UnhandledExceptionMode)
    call System.Void System.Windows.Forms.Application::EnableVisualStyles()
    ldc.i4.0
    call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
    call System.Void nktdhkmhprvmxdibhkqeotdcfbamm.4L2xrWZuAtW1lRQaK::Nr76D48PzJxD1DTa0CN1h52yO18Pn()
    newobj System.Void nktdhkmhprvmxdibhkqeotdcfbamm.j7phyctz4OYEVcmMIsxtxXk2Z::.ctor()
    call System.Void System.Windows.Forms.Application::Run(System.Windows.Forms.Form)
    ret

Artefacts
  CnC: ChainingModeGCM
  Port: ChainingModeGCM
Sample: 0a94a76d6000269f4db3b6bcd06d4def (911.87 KB)
Artefacts (Name: Value, verdict, location)
  CnC: ChainingModeGCM, Malicious, location 0a94a76d6000269f4db3b6bcd06d4def
  Port: ChainingModeGCM, Malicious, location 0a94a76d6000269f4db3b6bcd06d4def