Verdict: Malicious

2e2fa2485b20be3292cd0bf8eaa0c28b

PE Executable | MD5: 2e2fa2485b20be3292cd0bf8eaa0c28b | Size: 76.8 KB | application/x-dosexec


Characteristics

Symbol Obfuscation Score: Low

Hashes
MD5: 2e2fa2485b20be3292cd0bf8eaa0c28b
SHA1: f154c9435c96516fd482ae578d83b33d72e912e7
SHA256: 01e4135b70712f8222b270b788b755fbda372f56edc8997c0c363dcf541873c7
SHA384: bae7ae454eff755bbbf8d688f0d0f1166a759c3bfcfcdcb99827167d86741d0b63c9cd40c58704719efb0907b6aa72f0
SHA512: 39c391c8516810877d3d677bf6efa00c6d99e035ebba27c7c765226c01674fc939e509e28e5cd85344172b62567518b28092abf47ca0f42cdeb80b14beacec4f
SSDeep: 1536:GkPhdlmWQYCSk1Gbbww3USakG690+mwVclN:GEdlmWQs0Gbbw5SG+mqY
TLSH: 83733A012788C855E1EC4AB4ACE399504AF1F8332001EB5E7DC419DF6BAFFC685162EE

PEiD

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
  DosHeader
  PE Header
  Optional Header (x86)
  Section Headers
    .text
    .rsrc
    .reloc
  Resources
    RT_ICON
      ID:0001
        ID:0
      ID:0002
        ID:0
      ID:0003
        ID:0
      ID:0004
        ID:0
      ID:0005
        ID:0
      ID:0006
        ID:0
    RT_GROUP_CURSOR4
      ID:0001
        ID:0
    RT_VERSION
      ID:0001
        ID:0
    RT_MANIFEST
      ID:0001
        ID:0
Malware Configuration (DcRat config)
Key (AES_256): Y1dMMERCdU5QZHVacFJrbFdKa1hNaHNHeG12T1BPdzg=
Pastebin: -
Certificate: MIICMDCCAZmgAwIBAgIVAOCDO+R12XZMe6uXMuxCVm+RKUHxMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTI1MDQwMTE1MzYxN1oXDTM2MDEwOTE1MzYxN1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ+2XmvM6KfRSCQuii52BFUoroysRx8Hj8Pv1CFUMqEhJzCWzfPsgSL0EEvwvWw379oFPhbFmiDF7jVJ8+bbWdryqkHcZxjFN5ZwcPjfaeKpFM/CtgbsiBtB16Ng3Bfv2BwTdk95jq0RhUPKvd5yYie1x6jkzrcZhYnFdL3Gufa/AgMBAAGjMjAwMB0GA1UdDgQWBBREGGi9Nwbx6VU4kQdbMRKUI+YKXDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAELkZ1v8dfetQWySR76ssGz+kxgG9QioEnJ0lWC+r3QmOqfnU8N0RXbtu3vyCXQj7ELof89wGfi99WxN8RMlZ4jUdlwkZ+LlG4DLakfyo8CjcoPRTg7tcseQ3/5okdNFaRw1AIGw+180+xj79T2wL3vR7uBO0zFDW8BsTDT/V/ue
ServerSignature: XBuEQA9cXNN6JP8NVyKtql8moJygqtFLTsdjQifDNhsnhPesipfxSLgSd+a8IIY/0O7Mwk/ZrMMoj0+VcwVOGHXdKzr3Ooe+VVqoE0dtMZs+5vYVsPX+eGKUWzLJqGHCXraUXcX9EF9F+ULnsWVDplcdlbU+oyF9RLOD6o18FbQ=
Install: true
BDOS: false
Anti-VM: false
Install File: chorme.exe
Install-Folder: %AppData%
Hosts: baba-asliiiii-20.sa.com,irbjlv.sa.com,knownsmianespecially.sa.com,af88.co.com,58win1.it.com,uco.it.com,www.baba-asliiiii-20.sa.com,www.irbjlv.sa.com,www.knownsmianespecially.sa.com,www.af88.co.com,www.58win1.it.com,www.uco.it.com
Ports: 80,443,2053,2083,2087,2096,4782,8080,8848,8888
Mutex: TSCC_ImperiumStrategic_TitanLock_1j2k3l4m
Version: 1.0.7
Delay: 1
Group: Horizon

Information
Info: PE Detect: PeReader OK (file layout)
Module Name: chorme.exe
Full Name: chorme.exe
EntryPoint: System.Void Client.Program::Main()
Scope Name: chorme.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: chorme
Assembly Version: 1.0.7.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0
Total Strings: 157
Main Method: System.Void Client.Program::Main()
Main IL Instruction Count: 77
Main IL (one instruction per line; branch operands are shown as the target instruction):
  ldc.i4.0
  stloc.0
  br IL_0015: ldloc.0
  ldc.i4 1000
  call System.Void System.Threading.Thread::Sleep(System.Int32)
  ldloc.0
  ldc.i4.1
  add
  stloc.0
  ldloc.0
  ldsfld System.String Client.Settings::De_lay
  call System.Int32 System.Convert::ToInt32(System.String)
  blt.s IL_0007: ldc.i4 1000
  call System.Boolean Client.Settings::InitializeSettings()
  brtrue IL_0032: nop
  ldc.i4.0
  call System.Void System.Environment::Exit(System.Int32)
  nop
  ldsfld System.String Client.Settings::An_ti
  call System.Boolean System.Convert::ToBoolean(System.String)
  brfalse IL_0047: leave IL_0052
  call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis()
  leave IL_0052: call System.Void Client.Helper.A::B()
  pop
  leave IL_0052: call System.Void Client.Helper.A::B()
  call System.Void Client.Helper.A::B()
  call System.Boolean Client.Helper.MutexControl::CreateMutex()
  brtrue IL_0067: leave IL_0072
  ldc.i4.0
  call System.Void System.Environment::Exit(System.Int32)
  leave IL_0072: nop
  pop
  leave IL_0072: nop
  nop
  ldsfld System.String Client.Settings::Anti_Process
  call System.Boolean System.Convert::ToBoolean(System.String)
  brfalse IL_0087: leave IL_0092
  call System.Void Client.Helper.AntiProcess::StartBlock()
  leave IL_0092: nop
  pop
  leave IL_0092: nop
  nop
  ldsfld System.String Client.Settings::BS_OD
  call System.Boolean System.Convert::ToBoolean(System.String)
  brfalse IL_00B1: leave IL_00BC
  call System.Boolean Client.Helper.Methods::IsAdmin()
  brfalse IL_00B1: leave IL_00BC
  call System.Void Client.Helper.ProcessCritical::Set()
  leave IL_00BC: nop
  pop
  leave IL_00BC: nop
  nop
  ldsfld System.String Client.Settings::In_stall
  call System.Boolean System.Convert::ToBoolean(System.String)
  brfalse IL_00D1: leave IL_00DC
  call System.Void Client.Install.NormalStartup::Install()
  leave IL_00DC: call System.Void Client.Helper.Methods::PreventSleep()
  pop
  leave IL_00DC: call System.Void Client.Helper.Methods::PreventSleep()
  call System.Void Client.Helper.Methods::PreventSleep()
  call System.Boolean Client.Helper.Methods::IsAdmin()
  brfalse IL_00F0: leave IL_00FB
  call System.Void Client.Helper.Methods::ClearSetting()
  leave IL_00FB: nop
  pop
  leave IL_00FB: nop
  nop
  call System.Boolean Client.Connection.ClientSocket::get_IsConnected()
  brtrue IL_0110: leave IL_011B
  call System.Void Client.Connection.ClientSocket::Reconnect()
  call System.Void Client.Connection.ClientSocket::InitializeClient()
  leave IL_011B: ldc.i4 5000
  pop
  leave IL_011B: ldc.i4 5000
  ldc.i4 5000
  call System.Void System.Threading.Thread::Sleep(System.Int32)
  br.s IL_00FB: nop


Artefacts
Key (AES_256): Y1dMMERCdU5QZHVacFJrbFdKa1hNaHNHeG12T1BPdzg=
CnC: baba-asliiiii-20.sa.com
CnC: irbjlv.sa.com
CnC: knownsmianespecially.sa.com
CnC: af88.co.com
CnC: 58win1.it.com
CnC: uco.it.com
CnC: www.baba-asliiiii-20.sa.com
CnC: www.irbjlv.sa.com
CnC: www.knownsmianespecially.sa.com
CnC: www.af88.co.com
CnC: www.58win1.it.com
CnC: www.uco.it.com
Ports: 80, 443, 2053, 2083, 2087, 2096, 4782, 8080, 8848, 8888
Mutex: TSCC_ImperiumStrategic_TitanLock_1j2k3l4m
