Malicious

359337df3d9dc4626f3584ff46a257d1

PE Executable | MD5: 359337df3d9dc4626f3584ff46a257d1 | Size: 376.84 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score: Medium

Hashes
MD5: 359337df3d9dc4626f3584ff46a257d1
SHA1: c827d9237aa10e44cee83cb196be0a0b6502e20e
SHA256: af6bee1b0900a4eb97a0ee72cbccc92396ca5ec119686b6b4908a0e8740b06b7
SHA384: f5d83ee7236a0d6402b65f7a16fc6ca8a46586bc978a8e04e99eac2770825438ac0fb4cd5190940f7bba4428325109b1
SHA512: 8100276e060fad1f04b37863532ede968f9ef3375db44abe46979c57d71fe87d55a105d01964a0d6838db774ab1c98ae5b947dcc1fe1c135fcf130b15f53f464
SSDeep: 6144:mrNHXf500MBcKLDipU4hAvNRUSbu+VWBRHrg/0u:Id50181XlPPHrgsu
TLSH: 3D849D1373A8E93BD1FE173AF43606194BB1D423B612E38B5A5A55BC2D233868D513B3

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Malware Configuration - QuasarRAT config.
Conf. AES-Salt: BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key: Rsz1tY47GAtf8VeXfa1V
Version: 1.3.0.0
Port: hard-jelsoft.gl.
Host: hard-jelsoft.gl.
ReconnectDelay: 3000
Key: 1WvgEMPjdwfqIMeM9MclyQ==
AuthKey: NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
SubDirectory: SubDir
InstallName: Client.exe
Install: 1
Startup: 1
Mutex: QSR_MUTEX_EBoA7O
StartupKey: Quasar Client St
HideFile: 0
EnableLogger: 1
Tag: Kurban
LogDirectory: Logs
HideLogDirectory: 1
HideLogSubdirectory: 0

Information
Info: PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info: Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_6a551fe4.exe
Module Name: Client.exe
Full Name: Client.exe
EntryPoint: System.Void 䐓�劁ꁊ쩊ᇕ앞铭䀄셰澒₸䀈﹣ᢳ䝧맰외㡘::Main(System.String[])
Scope Name: Client.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: Client
Assembly Version: 1.3.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0,Profile=Client
Total Strings: 896
Main Method: System.Void 䐓�劁ꁊ쩊ᇕ앞铭䀄셰澒₸䀈﹣ᢳ䝧맰외㡘::Main(System.String[])
Main IL Instruction Count: 19
Main IL (one instruction per line):
call System.Void System.Windows.Forms.Application::EnableVisualStyles()
ldc.i4.0 <null>
call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
call System.AppDomain System.AppDomain::get_CurrentDomain()
ldnull <null>
ldftn System.Void 䐓�劁ꁊ쩊ᇕ앞铭䀄셰澒₸䀈﹣ᢳ䝧맰외㡘::籚ನᄀ⌨﷧ⴲᬭ豺꧜뗋ᛙ엢㜻〓풼돓౮袀ﲷ(System.Object,System.UnhandledExceptionEventArgs)
newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
call System.Boolean ␰䰯꒛蒜瓅䶊視᳆怅鉗㹗퀮ꕊ垍૏쭀඙嶐㾖ꭆ::폪픆嗘▜넹휕歘ﰆ윘榜ﴹ㚧巒ⱚ�肶⸚繤ꈙ()
brfalse.s IL_0040: call System.Void 䐓�劁ꁊ쩊ᇕ앞铭䀄셰澒₸䀈﹣ᢳ䝧맰외㡘::ᳵ闗숟ӄ饒䜮㠗옉鎺猏鷒뛜漩₞�煾⇨湘鋓胯()
call System.Boolean 䐓�劁ꁊ쩊ᇕ앞铭䀄셰澒₸䀈﹣ᢳ䝧맰외㡘::컉à侂寊�◜괿䚡텂緜悒㼯赎筥扮爗()
brfalse.s IL_0040: call System.Void 䐓�劁ꁊ쩊ᇕ앞铭䀄셰澒₸䀈﹣ᢳ䝧맰외㡘::ᳵ闗숟ӄ饒䜮㠗옉鎺猏鷒뛜漩₞�煾⇨湘鋓胯()
call System.Boolean ៾�ﷁ䄩蠫祟袘ފٶ橳∛ﶖ뿫瞾ힸ튃旆쐌쌁::get_Exiting()
brtrue.s IL_0040: call System.Void 䐓�劁ꁊ쩊ᇕ앞铭䀄셰澒₸䀈﹣ᢳ䝧맰외㡘::ᳵ闗숟ӄ饒䜮㠗옉鎺猏鷒뛜漩₞�煾⇨湘鋓胯()
ldsfld ៾�ﷁ䄩蠫祟袘ފٶ橳∛ﶖ뿫瞾ힸ튃旆쐌쌁 䐓�劁ꁊ쩊ᇕ앞铭䀄셰澒₸䀈﹣ᢳ䝧맰외㡘::︨⩮깛諾圵젙狋톊炔ꇓ礞绋뻣ᷚ萿̦器袻
callvirt System.Void ៾�ﷁ䄩蠫祟袘ފٶ橳∛ﶖ뿫瞾ힸ튃旆쐌쌁::ﶽ歑蝳逌ﱐ䍣質뒲௻ꤧﻝ뿹�꿩슩꧆벝ꃥퟹҺ()
call System.Void 䐓�劁ꁊ쩊ᇕ앞铭䀄셰澒₸䀈﹣ᢳ䝧맰외㡘::ᳵ闗숟ӄ饒䜮㠗옉鎺猏鷒뛜漩₞�煾⇨湘鋓胯()
call System.Void 䐓�劁ꁊ쩊ᇕ앞铭䀄셰澒₸䀈﹣ᢳ䝧맰외㡘::璭�먪鈯铫㦢렫ꛪ쓩쫹軂ꌵᶐ噫ꐍ㧡쮈⮫ሃ()
ret <null>

Artefacts
Name | Value | Verdict | Location
CnC | hard-jelsoft.gl. | Malicious | 359337df3d9dc4626f3584ff46a257d1
Port | hard-jelsoft.gl. | Malicious | 359337df3d9dc4626f3584ff46a257d1
PE Layout | MemoryMapped (process dump suspected) | | 359337df3d9dc4626f3584ff46a257d1
CnC | hard-jelsoft.gl. | Malicious | 359337df3d9dc4626f3584ff46a257d1 > [Rebuild from dump]_6a551fe4.exe
Port | hard-jelsoft.gl. | Malicious | 359337df3d9dc4626f3584ff46a257d1 > [Rebuild from dump]_6a551fe4.exe
PE Layout | MemoryMapped (process dump suspected) | | 359337df3d9dc4626f3584ff46a257d1 > [Rebuild from dump]_6a551fe4.exe
