Malicious

143e96b74e979c51ebd8f9f082c9a812

PE Executable | MD5: 143e96b74e979c51ebd8f9f082c9a812 | Size: 319.49 KB | application/x-dosexec
Characteristics

Symbol Obfuscation Score

Low

Hash
Hash Value
MD5
143e96b74e979c51ebd8f9f082c9a812
Sha1
91c587d57766aa6a65dd0c8e525542385590b327
Sha256
f1fe3f793ad91f0be6a2574b98423ad51e5d38eb226be004c1004478d5d8c386
Sha384
eab4b01564270b7d024bd6d4ec521ab612e9c9da715b90b48f2bfb19f3f50a7b63dc4ef58f2d422171c6b320abf1c322
Sha512
9d2afea58037636c64687ec62b1462dc8e5d904199bb3523967c1dcc1f089edc3516cee15008ca8681013975d37c823e2b8f4b4b3ae8a42529b0309fc595a1e8
SSDeep
6144:P7zO0LSclT6FOwEP5Kq+SMv0VGb7bDcllbkhn:XlJtTF9zVGkllbk1
TLSH
8A644A2527F8A93BD8BE17B4F53141094B76FC07B517F38E6A5818B82C1A38985937E3

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Malware Configuration - QuasarRAT config.
Config. Field
Value
Conf. AES-Salt

BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41

Conf. AES-Key

bT3bwOcJoInMFZkyiDJt

Version

1.4.0.0

Port

Host

135.181.121.237

ReconnectDelay

3000

SubDirectory

1WvgEMPjdwfqIMeM9MclyQ==

InstallName

NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==

Install

SubDir

Startup

csrss.exe

Mutex

0

StartupKey

0

HideFile

YcJjuuRAiRpShmri

EnableLogger

NET framework

Tag

1

LogDirectory

1

ServerSignature

Office

ServerCertificate

Logs

InstallPath

1

LogsPath

1

UnattendedMod

0

Informations
Info: PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info: Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_f602975a.exe
Module Name: Client.exe
Full Name: Client.exe
EntryPoint: System.Void xClient.Program::Main(System.String[])
Scope Name: Client.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: Client
Assembly Version: 1.3.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0,Profile=Client
Total Strings: 1062
Main Method: System.Void xClient.Program::Main(System.String[])
Main IL Instruction Count: 19
Main IL (one instruction per line):
call System.Void System.Windows.Forms.Application::EnableVisualStyles()
ldc.i4.0
call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
call System.AppDomain System.AppDomain::get_CurrentDomain()
ldnull
ldftn System.Void xClient.Program::HandleUnhandledException(System.Object,System.UnhandledExceptionEventArgs)
newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
call System.Boolean xClient.Config.Settings::Initialize()
brfalse.s IL_0040: call System.Void xClient.Program::Cleanup()
call System.Boolean xClient.Program::Initialize()
brfalse.s IL_0040: call System.Void xClient.Program::Cleanup()
call System.Boolean xClient.Core.Networking.QuasarClient::get_Exiting()
brtrue.s IL_0040: call System.Void xClient.Program::Cleanup()
ldsfld xClient.Core.Networking.QuasarClient xClient.Program::ConnectClient
callvirt System.Void xClient.Core.Networking.QuasarClient::Connect()
call System.Void xClient.Program::Cleanup()
call System.Void xClient.Program::Exit()
ret

Artefacts
CnC: 135.181.121.237
Port:
PE Layout: MemoryMapped (process dump suspected)