Malicious

17f3f6d7fa3a97b0e6a2382b850b4914

PE Executable | MD5: 17f3f6d7fa3a97b0e6a2382b850b4914 | Size: 47.62 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score: Low

Hash
MD5:    17f3f6d7fa3a97b0e6a2382b850b4914
SHA1:   903ed8224889db783ef4478e15409267aacff1a5
SHA256: f3442a89453f510090b145eb91d40af3ff4fb8041b5a31d18189c8994af9a23a
SHA384: 59aaf72c6127322524121171f17a3d4cd9229ab5ec0290bed7775bd88773ea74607e943c3879f11b06a7f494a824b3cf
SHA512: 31e630522e53ba8e80f5750bbed24660bd2b5221c04cca5ff14ca7c7fd4c4ed682f10d1a8e2e9e10745d781669f1d6340d2f651f2642a2c434df108ad49f1b0f
SSDeep: 768:AuVRJTwsARDAwWU6ci2mo2q9ae/6YE6vkYsPIyzjbegX3iYNhLw4pjo6DUSeisR/:AuVRJTwZZ2ve5EWRy3bhXSYXw4dropoa
TLSH:   0923090037E8812BF2BE5F78A8F26145867EF5637603D64E1CC4419B5623FC6DA426FA

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
  DosHeader
  PE Header
  Optional Header (x86)
  Section Headers
    .text
    .rsrc
    .reloc
  Resources
    RT_VERSION
      ID:0001
        ID:0
    RT_MANIFEST
      ID:0001
        ID:0
Malware Configuration - AsyncRAT config.
Key (AES_256):   MUhzZW82YlFpaVZJTjlaMmFEZHkyT0Y0d3N0SE9XeWk=
Pastebin:        -
Certificate:     MIIE8jCCAtqgAwIBAgIQAMlCbpU7ycGQDVUlIDjhIzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjYwMTE2MTEwMjIxWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKICmfWW/tVt/OzTU+vNr7uiEHdebLMIz2h/GDDdaHlLiLLCuO+5uMIeTt5VzWQAs0ixw0JIv8yQM2JEu+yuNOiDjj3m2mkeBcHMbkI8BDrm1ySINQS9zs4XmJ/AamnVuHQpvY8aPYw94SOa2tPDSLXE0JWmKJYMdt+WdELCquY42fC7sUCjh7VpEKstX0qQKNtx9K5oup9FR1vLLx1fdwSD0w0szIT6m1Ig3DLDFDiGamVlg5/0KcnEPz3n8wejcA/2nXuSp4huKwUJG2vswxJp9AIV7hWu2MqHaTNkYRIleHExefvFA63Z9PAyKdAjToMkHDs6GOoIGsVlbpISXXlS8RP9nffd4slMyiXMf5+JmcVIM9tQg6tCEhf04pS2IrbiuBuqfl9Bt1iXBDXIcbZXfxQNy5JFh4sxHdYiR/umApgC13fCiCRLKb53lYnz4KYxZPVbb1/NtjrDST2y+zOcavzSAxp570PRMqZ71rOyHRsPGt0veYPGohRUoJ018bLvxJK1fRfdSRUlJ9gcEQcAmj8Ms4YfEXPdK30b8cmgsBKv2P3y/pkWiE6iDi8SynRW2/L34422/gOXKId0tJyAkk9ca5l4IIrxOhEj+xxnpu2zW+u6GZt4Ce8mhaf9MFCa2nRciSBI+rIBLWOKJ33RPtqv6sjjDPmWvNpjjTN7AgMBAAGjMjAwMB0GA1UdDgQWBBTd9XanfzaJ/eBYNb/LVM5sCn/C7zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQByoHkrFaHXIR5SwXa5/ndWFO8SwYOY3VdZxb5MTamQwzdtuAnJqtBPaJSfkfqiASBN1XxJoHjnvkRaf1kgovv4c3BNCIf35rOAL+XXvwPnacqAKOmYw451rBVsLZoW34Q7YY3lEZACIlxhkVESLiNe/Mh2tZatgLQ1UGX2kzZpOjc607mTrCPaCxJF8XvnZqqCIlpIR39aJK2rjiofR4wqaET+5wG4NUV6+MPCFpY4D2g6BLMSyI9UyGfRLxUXCUL+xmUpfOROZaB7MJR5nseDxu02UDM9yh3lh45G356MFkazbxlPgM04xFegq9n2jTJ+bDBzuhre7D17Lr6XhAMyjWWKhWPDUCnSAKW0i2e9YqK0u2pca1ZnrgJO1pJkgGsTPQZRvq/C7pZCHa3TPyz7C3d2PV4eKTx3ZRLbPN7NJmaf4UvuC3sLlbcpDdtRfa6p7Bj4gHsQ5O/SlJkbUCi420xCddcLUQkZdDTsvwefbHF9J/XOp9Dx3kT4NIxKy6NJ22qELzB29sZh2dfNnDnsessQeVzA4UWYIgLLZ/kO1TwAWhOc2rzA3O75zcRfxnqxJNIYRGsIPWJd8zsdp/hYmmA+IB7fqImfzjGOzqidLF/l+61YJiBIzVAacn/ft8H90cd4dHjlMtCimgvu+7802HRDkUcT3lg84Grjigbr4Q==
ServerSignature: (omitted)
Install:         true
BDOS:            false
Anti-VM:         false
Install File:    SFCSPrimeForge.exe
Install-Folder:  %AppData%
Hosts:           onus.ru.com, tr88.sa.com
Ports:           80, 443, 4444, 4782, 5555, 6060, 6606, 6666, 7707, 8080, 8808, 8848
Mutex:           SentinelForgeCyber_EndpointMutex_v2035Prime
Version:         0.5.8
Delay:           3

Information
Info:                      PE Detect: PeReader OK (file layout)
Module Name:               SFCSPrimeForge_update.exe
Full Name:                 SFCSPrimeForge_update.exe
EntryPoint:                System.Void Client.Program::Main()
Scope Name:                SFCSPrimeForge_update.exe
Scope Type:                ModuleDef
Kind:                      Windows
Runtime Version:           v4.0.30319
Tables Header Version:     512
WinMD Version:             <null>
Assembly Name:             SFCSPrimeForge_update
Assembly Version:          1.0.0.0
Assembly Culture:          <null>
Has PublicKey:             False
PublicKey Token:           <null>
Target Framework:          .NETFramework,Version=v4.0,Profile=Client
Total Strings:             120
Main Method:               System.Void Client.Program::Main()
Main IL Instruction Count: 51

Main IL (one instruction per line; branch operands are the target offset)
ldc.i4.0
stloc.0
br IL_0015
ldc.i4 1000
call System.Void System.Threading.Thread::Sleep(System.Int32)
ldloc.0
ldc.i4.1
add
stloc.0
ldloc.0
ldsfld System.String Client.Settings::Delay
call System.Int32 System.Convert::ToInt32(System.String)
blt.s IL_0007
call System.Boolean Client.Settings::InitializeSettings()
brtrue IL_0032
ldc.i4.0
call System.Void System.Environment::Exit(System.Int32)
nop
call System.Boolean Client.Helper.MutexControl::CreateMutex()
brtrue IL_0043
ldc.i4.0
call System.Void System.Environment::Exit(System.Int32)
ldsfld System.String Client.Settings::Anti
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_0057
call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis()
ldsfld System.String Client.Settings::Install
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_006B
call System.Void Client.Install.NormalStartup::Install()
ldsfld System.String Client.Settings::BDOS
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_0089
call System.Boolean Client.Helper.Methods::IsAdmin()
brfalse IL_0089
call System.Void Client.Helper.ProcessCritical::Set()
call System.Void Client.Helper.Methods::PreventSleep()
leave IL_0099
pop
leave IL_0099
nop
call System.Boolean Client.Connection.ClientSocket::get_IsConnected()
brtrue IL_00AE
call System.Void Client.Connection.ClientSocket::Reconnect()
call System.Void Client.Connection.ClientSocket::InitializeClient()
leave IL_00B9
pop
leave IL_00B9
ldc.i4 5000
call System.Void System.Threading.Thread::Sleep(System.Int32)
br.s IL_0099


Artefacts
Key (AES_256): MUhzZW82YlFpaVZJTjlaMmFEZHkyT0Y0d3N0SE9XeWk=
CnC:           onus.ru.com
CnC:           tr88.sa.com
Ports:         80, 443, 4444, 4782, 5555, 6060, 6606, 6666, 7707, 8080, 8808, 8848
Mutex:         SentinelForgeCyber_EndpointMutex_v2035Prime

