1d2ded396e145566305afaacce9b8e17

PE Executable
|
MD5: 1d2ded396e145566305afaacce9b8e17
|
Size: 376.84 KB
|
application/x-dosexec

Infection Chain

Summary by MalvaGPT

Characteristics

Hash	Hash Value
MD5	1d2ded396e145566305afaacce9b8e17
Sha1	c1b4b2cc192dc6698424f12f5edbe428476c93ab
Sha256	bc98013c1d9475dc3bf7eaeae5a74270da0f9d7fe433b4f00a910d93e567450d
Sha384	11c22ddc7bbd954b16443a80d892d3034b05e2864117a13c0b2f149c6530b106b596700a10be934c7a10987300a64b87
Sha512	ce0162ef4bb967f5a38f573d94e7505dba7c02ccd3b772ff443e4a397316b3786fabaaf0acc9afb8a8b60fcf5494abe181074651b0516410d637286ed9e00184
SSDeep	6144:grNHXf500MGO3nVg3P+24LbQhSFnvX9JkdQfQWELBq:Kd50zF2m24QhWnvEWfQWELBq
TLSH	FC849D137798D97BD1FE173AE432061407B0DA9BB612F38B5A5C56B82D133868E513B3

PeID

.NET executable

Microsoft Visual C# / Basic .NET

Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL

Microsoft Visual C# v7.0 / Basic .NET

Microsoft Visual Studio .NET

File Structure

Malware Configuration - QuasarRAT config.

Config. Field0	Value
Conf. AES-Salt	BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key	5NknHMEpf7zM4Stn9Mfq
Version	1.3.0.0
Port
Host	193.106.196.220
ReconnectDelay	3000
Key	1WvgEMPjdwfqIMeM9MclyQ==
AuthKey	NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
SubDirectory	SubDir
InstallName	Client.exe
Install	0
Startup	0
Mutex	QSR_MUTEX_PdkG9u
StartupKey	Quasar Client St
HideFile	0
EnableLogger	1
Tag	Office04
LogDirectory	Logs
HideLogDirectory	1
HideLogSubdirectory	0

Informations

Name0	Value
Info	PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info	Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_20ac7cbe.exe
Module Name	Client.exe
Full Name	Client.exe
EntryPoint	System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::Main(System.String[])
Scope Name	Client.exe
Scope Type	ModuleDef
Kind	Windows
Runtime Version	v4.0.30319
Tables Header Version	512
WinMD Version	<null>
Assembly Name	Client
Assembly Version	1.3.0.0
Assembly Culture	<null>
Has PublicKey	False
PublicKey Token	<null>
Target Framework	.NETFramework,Version=v4.0,Profile=Client
Total Strings	896
Main Method	System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::Main(System.String[])
Main IL Instruction Count	19
Main IL	call System.Void System.Windows.Forms.Application::EnableVisualStyles() ldc.i4.0 <null> call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean) call System.AppDomain System.AppDomain::get_CurrentDomain() ldnull <null> ldftn System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::뗉춘ݜ쯇ꃩ萼쬋ﻏ啨ࢎ扇绻뉱껥⩎릢宭폲(System.Object,System.UnhandledExceptionEventArgs) newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr) callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler) call System.Boolean ﵺš゜쯴综嚾澚䜑掂䢘빙纞礏�햶觙螄::㾍祌피�ﳳ萄鸠㇑�걍鷁ధ巹끔㖙�() brfalse.s IL_0040: call System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::⋎∼䈯沐솑迱睋ꢔ饰㋑⫐塎ￚ쿄抶넑() call System.Boolean 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::㲁ᑟꄰ⹻塻ᜦ迷렘쒫감䠡糄峵῎稱楫杻䡢() brfalse.s IL_0040: call System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::⋎∼䈯沐솑迱睋ꢔ饰㋑⫐塎ￚ쿄抶넑() call System.Boolean 趲눲끝㨕ᡈ䌃㼒쉍綾ℏ畊筢Ԩ齐ु手::get_Exiting() brtrue.s IL_0040: call System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::⋎∼䈯沐솑迱睋ꢔ饰㋑⫐塎ￚ쿄抶넑() ldsfld 趲눲끝㨕ᡈ䌃㼒쉍綾ℏ畊筢Ԩ齐ु手宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::㡂ꎠ棃捿伤髕೘闩뜲꬙岞﫨ﷱ�狳߉啗෩ callvirt System.Void 趲눲끝㨕ᡈ䌃㼒쉍綾ℏ畊筢Ԩ齐ु手::㜆ꌐ攢鍵졩㷬읗卜鼷㦍混ꡪ㉫镆궎�㤯數蓕() call System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::⋎∼䈯沐솑迱睋ꢔ饰㋑⫐塎ￚ쿄抶넑() call System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::ﭼ⻵齎퍪႖陼࿘ﶓ㟏景떠뿭꜔瘧ẽ荘() ret <null>
Module Name	Client.exe
Full Name	Client.exe
EntryPoint	System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::Main(System.String[])
Scope Name	Client.exe
Scope Type	ModuleDef
Kind	Windows
Runtime Version	v4.0.30319
Tables Header Version	512
WinMD Version	<null>
Assembly Name	Client
Assembly Version	1.3.0.0
Assembly Culture	<null>
Has PublicKey	False
PublicKey Token	<null>
Target Framework	.NETFramework,Version=v4.0,Profile=Client
Total Strings	896
Main Method	System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::Main(System.String[])
Main IL Instruction Count	19
Main IL	call System.Void System.Windows.Forms.Application::EnableVisualStyles() ldc.i4.0 <null> call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean) call System.AppDomain System.AppDomain::get_CurrentDomain() ldnull <null> ldftn System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::뗉춘ݜ쯇ꃩ萼쬋ﻏ啨ࢎ扇绻뉱껥⩎릢宭폲(System.Object,System.UnhandledExceptionEventArgs) newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr) callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler) call System.Boolean ﵺš゜쯴综嚾澚䜑掂䢘빙纞礏�햶觙螄::㾍祌피�ﳳ萄鸠㇑�걍鷁ధ巹끔㖙�() brfalse.s IL_0040: call System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::⋎∼䈯沐솑迱睋ꢔ饰㋑⫐塎ￚ쿄抶넑() call System.Boolean 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::㲁ᑟꄰ⹻塻ᜦ迷렘쒫감䠡糄峵῎稱楫杻䡢() brfalse.s IL_0040: call System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::⋎∼䈯沐솑迱睋ꢔ饰㋑⫐塎ￚ쿄抶넑() call System.Boolean 趲눲끝㨕ᡈ䌃㼒쉍綾ℏ畊筢Ԩ齐ु手::get_Exiting() brtrue.s IL_0040: call System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::⋎∼䈯沐솑迱睋ꢔ饰㋑⫐塎ￚ쿄抶넑() ldsfld 趲눲끝㨕ᡈ䌃㼒쉍綾ℏ畊筢Ԩ齐ु手宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::㡂ꎠ棃捿伤髕೘闩뜲꬙岞﫨ﷱ�狳߉啗෩ callvirt System.Void 趲눲끝㨕ᡈ䌃㼒쉍綾ℏ畊筢Ԩ齐ु手::㜆ꌐ攢鍵졩㷬읗卜鼷㦍混ꡪ㉫镆궎�㤯數蓕() call System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::⋎∼䈯沐솑迱睋ꢔ饰㋑⫐塎ￚ쿄抶넑() call System.Void 宝욼ᢘ﮶ꞻ轻턽늕疷ᣗ鬀丕塉莅㨛冾쉂虐膣::ﭼ⻵齎퍪႖陼࿘ﶓ㟏景떠뿭꜔瘧ẽ荘() ret <null>

Artefacts

Name0	Value
CnC	193.106.196.220
Port
PE Layout	MemoryMapped (process dump suspected)
CnC	193.106.196.220
Port
PE Layout	MemoryMapped (process dump suspected)

1d2ded396e145566305afaacce9b8e17 (376.84 KB)

1d2ded396e145566305afaacce9b8e17

PE Executable | MD5: 1d2ded396e145566305afaacce9b8e17 | Size: 376.84 KB | application/x-dosexec

PE Executable
|
MD5: 1d2ded396e145566305afaacce9b8e17
|
Size: 376.84 KB
|
application/x-dosexec