Malicious
Malicious

478a1956d73a21b08567fe4ee38b6da2

PE Executable
|
MD5: 478a1956d73a21b08567fe4ee38b6da2
|
Size: 66.05 KB
|
application/x-dosexec

Infection Chain
Summary by MalvaGPT
Characteristics

Symbol Ofbuscation Score

Low

Hash
 Hash Value
MD5
478a1956d73a21b08567fe4ee38b6da2
Sha1
cf16b32b7282fc4ec565945f8043d70776058730
Sha256
5d896a1e7acf19940db5d3dc02f125d84dddcdf8dfd344a87498d5fe157610a6
Sha384
b52aa5745ed74e56ce8164fa44037e0fe7981903e13497ea949c41716f52c202887fcbe4a04b01e08427acea1dbdb8fe
Sha512
ad249aecdb6e560bb47913b591378fe30b9db82b4fd54187dc9de4505004113f51450118d511bfedc8ac40576c99e98c2e5e8e7524008ed90700282e91578db0
SSDeep
768:XhWBkc+d5iPpVei89J+X6BZrPym873tiHyYd1+DSCv7mqb2nSpwHsoFBhLO8G2iI:XUud+e5P8ZiHyYBGbbrwfG2iVclN
TLSH
4C535B003798C965E2AD4AB4BCF2950106B5D5772102DB5E7CC405DBAB9EFC64A133FE

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
478a1956d73a21b08567fe4ee38b6da2
Malicious
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
Malware Configuration - DcRat config.
Config. Field
 Value
Key (AES_256)

S0s4bkxkaGFwZks3cVlOZHEwdnN6T0JBeklTUXlTelY=
Pastebin

-
Certificate

MIICMDCCAZmgAwIBAgIVAKLFT7KAMfd661OUJo25Zv9Os1U1MA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTI1MDMyNzE0MTAyMFoXDTM2MDEwNDE0MTAyMFowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIgpnX2soUg4sV1SWCHlfsgfzvf90ztXr9RZe+LhN+2SgmAwE+AjfDfg8BFeBD/h3OFXKufG8PH75iUfL/Ld+gtZKrJdbfJWIViIUi5DFUHGoXYWAOlyoWpAvtkROhm0kgwJH13C6EjpykTxJO9WDHF15WZz2yb8XW+4Pw6qKmVVAgMBAAGjMjAwMB0GA1UdDgQWBBSKWpEwblg9BFzY1ec9fIUZrdPDTTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAFjRDXncETVy5S5IO69VGDwc9bp5ZfVt2k9h2PXJ6IXCoKCGr2gqd3bNTJp+Nge10/VwHbBQll2f53wWxHASveiYP/hxIKgMFdYO09gCkW3gkU5+K6lwbj2JIK3EX1gvhv/okaosWXyXz2P29tlm7wlbYlem1ozUo+vUSIIlbYmY
ServerSignature

WfQsae5I4R500x9vce+hj9/Zaf5nuabpEv2R+cIRRRKKCSn9+LHkvYsTUla/r/+s4mh2Kf5u4g+be5m4VuGFjdaGt/fjz6pDW+yEEGHBRb+vGrxqPKki/QlXOMbzprm+D0jl8c2ikrIgAMP5okJOwwGw0esScqt0HOptPBubfoM=
Install

true
BDOS

false
Anti-VM

false
Install File

Shieldbrowser.exe
Install-Folder

%AppData%
Hosts

hy7tpet.uk.com,www.hy7tpet.uk.com,qen.uk.com,www.qen.uk.com,www.rcn.uk.com,rcn.uk.com,www.smileexpress.eu.com,smileexpress.eu.com,www.hrhsw.uk.com,hrhsw.uk.com,gti.uk.com,www.gti.uk.com,www.dug.uk.com,dug.uk.com,www.company-it-technology.ru.com,company-it-technology.ru.com
Ports

80,443,1604,4444,5555,6606,6666,8080,8443
Mutex

Download
Version

1.0.7
Delay

1
Group

Shield
Informations
Name
 Value
Info

PE Detect: PeReader OK (file layout)
Module Name

Shieldbrowser.exe
Full Name

Shieldbrowser.exe
EntryPoint

System.Void Client.Program::Main()
Scope Name

Shieldbrowser.exe
Scope Type

ModuleDef
Kind

Windows
Runtime Version

v4.0.30319
Tables Header Version

512
WinMD Version

<null>
Assembly Name

Shieldbrowser
Assembly Version

1.0.7.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

.NETFramework,Version=v4.0
Total Strings

157
Main Method

System.Void Client.Program::Main()
Main IL Instruction Count

77
Main IL

ldc.i4.0 <null> stloc.0 <null> br IL_0015: ldloc.0 ldc.i4 1000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldloc.0 <null> ldc.i4.1 <null> add <null> stloc.0 <null> ldloc.0 <null> ldsfld System.String Client.Settings::De_lay call System.Int32 System.Convert::ToInt32(System.String) blt.s IL_0007: ldc.i4 1000 call System.Boolean Client.Settings::InitializeSettings() brtrue IL_0032: nop ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldsfld System.String Client.Settings::An_ti call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_0047: leave IL_0052 call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis() leave IL_0052: call System.Void Client.Helper.A::B() pop <null> leave IL_0052: call System.Void Client.Helper.A::B() call System.Void Client.Helper.A::B() call System.Boolean Client.Helper.MutexControl::CreateMutex() brtrue IL_0067: leave IL_0072 ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) leave IL_0072: nop pop <null> leave IL_0072: nop nop <null> ldsfld System.String Client.Settings::Anti_Process call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_0087: leave IL_0092 call System.Void Client.Helper.AntiProcess::StartBlock() leave IL_0092: nop pop <null> leave IL_0092: nop nop <null> ldsfld System.String Client.Settings::BS_OD call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00B1: leave IL_00BC call System.Boolean Client.Helper.Methods::IsAdmin() brfalse IL_00B1: leave IL_00BC call System.Void Client.Helper.ProcessCritical::Set() leave IL_00BC: nop pop <null> leave IL_00BC: nop nop <null> ldsfld System.String Client.Settings::In_stall call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00D1: leave IL_00DC call System.Void Client.Install.NormalStartup::Install() leave IL_00DC: call System.Void Client.Helper.Methods::PreventSleep() pop <null> leave IL_00DC: call System.Void Client.Helper.Methods::PreventSleep() call System.Void Client.Helper.Methods::PreventSleep() call System.Boolean Client.Helper.Methods::IsAdmin() brfalse IL_00F0: leave IL_00FB call System.Void Client.Helper.Methods::ClearSetting() leave IL_00FB: nop pop <null> leave IL_00FB: nop nop <null> call System.Boolean Client.Connection.ClientSocket::get_IsConnected() brtrue IL_0110: leave IL_011B call System.Void Client.Connection.ClientSocket::Reconnect() call System.Void Client.Connection.ClientSocket::InitializeClient() leave IL_011B: ldc.i4 5000 pop <null> leave IL_011B: ldc.i4 5000 ldc.i4 5000 call System.Void System.Threading.Thread::Sleep(System.Int32) br.s IL_00FB: nop
Module Name

Shieldbrowser.exe
Full Name

Shieldbrowser.exe
EntryPoint

System.Void Client.Program::Main()
Scope Name

Shieldbrowser.exe
Scope Type

ModuleDef
Kind

Windows
Runtime Version

v4.0.30319
Tables Header Version

512
WinMD Version

<null>
Assembly Name

Shieldbrowser
Assembly Version

1.0.7.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

.NETFramework,Version=v4.0
Total Strings

157
Main Method

System.Void Client.Program::Main()
Main IL Instruction Count

77
Main IL

ldc.i4.0 <null> stloc.0 <null> br IL_0015: ldloc.0 ldc.i4 1000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldloc.0 <null> ldc.i4.1 <null> add <null> stloc.0 <null> ldloc.0 <null> ldsfld System.String Client.Settings::De_lay call System.Int32 System.Convert::ToInt32(System.String) blt.s IL_0007: ldc.i4 1000 call System.Boolean Client.Settings::InitializeSettings() brtrue IL_0032: nop ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldsfld System.String Client.Settings::An_ti call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_0047: leave IL_0052 call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis() leave IL_0052: call System.Void Client.Helper.A::B() pop <null> leave IL_0052: call System.Void Client.Helper.A::B() call System.Void Client.Helper.A::B() call System.Boolean Client.Helper.MutexControl::CreateMutex() brtrue IL_0067: leave IL_0072 ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) leave IL_0072: nop pop <null> leave IL_0072: nop nop <null> ldsfld System.String Client.Settings::Anti_Process call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_0087: leave IL_0092 call System.Void Client.Helper.AntiProcess::StartBlock() leave IL_0092: nop pop <null> leave IL_0092: nop nop <null> ldsfld System.String Client.Settings::BS_OD call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00B1: leave IL_00BC call System.Boolean Client.Helper.Methods::IsAdmin() brfalse IL_00B1: leave IL_00BC call System.Void Client.Helper.ProcessCritical::Set() leave IL_00BC: nop pop <null> leave IL_00BC: nop nop <null> ldsfld System.String Client.Settings::In_stall call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00D1: leave IL_00DC call System.Void Client.Install.NormalStartup::Install() leave IL_00DC: call System.Void Client.Helper.Methods::PreventSleep() pop <null> leave IL_00DC: call System.Void Client.Helper.Methods::PreventSleep() call System.Void Client.Helper.Methods::PreventSleep() call System.Boolean Client.Helper.Methods::IsAdmin() brfalse IL_00F0: leave IL_00FB call System.Void Client.Helper.Methods::ClearSetting() leave IL_00FB: nop pop <null> leave IL_00FB: nop nop <null> call System.Boolean Client.Connection.ClientSocket::get_IsConnected() brtrue IL_0110: leave IL_011B call System.Void Client.Connection.ClientSocket::Reconnect() call System.Void Client.Connection.ClientSocket::InitializeClient() leave IL_011B: ldc.i4 5000 pop <null> leave IL_011B: ldc.i4 5000 ldc.i4 5000 call System.Void System.Threading.Thread::Sleep(System.Int32) br.s IL_00FB: nop
Artefacts
Name
 Value
Key (AES_256)

S0s4bkxkaGFwZks3cVlOZHEwdnN6T0JBeklTUXlTelY=
CnC

hy7tpet.uk.com
CnC

www.hy7tpet.uk.com
CnC

qen.uk.com
CnC

www.qen.uk.com
CnC

www.rcn.uk.com
CnC

rcn.uk.com
CnC

www.smileexpress.eu.com
CnC

smileexpress.eu.com
CnC

www.hrhsw.uk.com
CnC

hrhsw.uk.com
CnC

gti.uk.com
CnC

www.gti.uk.com
CnC

www.dug.uk.com
CnC

dug.uk.com
CnC

www.company-it-technology.ru.com
CnC

company-it-technology.ru.com
Ports

80
Ports

443
Ports

1604
Ports

4444
Ports

5555
Ports

6606
Ports

6666
Ports

8080
Ports

8443
Mutex

Download
478a1956d73a21b08567fe4ee38b6da2 (66.05 KB)
File Structure
478a1956d73a21b08567fe4ee38b6da2
Malicious
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
Characteristics
Malware Configuration - DcRat config.
Config. Field
 Value
Key (AES_256)

S0s4bkxkaGFwZks3cVlOZHEwdnN6T0JBeklTUXlTelY=
Pastebin

-
Certificate

MIICMDCCAZmgAwIBAgIVAKLFT7KAMfd661OUJo25Zv9Os1U1MA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTI1MDMyNzE0MTAyMFoXDTM2MDEwNDE0MTAyMFowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIgpnX2soUg4sV1SWCHlfsgfzvf90ztXr9RZe+LhN+2SgmAwE+AjfDfg8BFeBD/h3OFXKufG8PH75iUfL/Ld+gtZKrJdbfJWIViIUi5DFUHGoXYWAOlyoWpAvtkROhm0kgwJH13C6EjpykTxJO9WDHF15WZz2yb8XW+4Pw6qKmVVAgMBAAGjMjAwMB0GA1UdDgQWBBSKWpEwblg9BFzY1ec9fIUZrdPDTTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAFjRDXncETVy5S5IO69VGDwc9bp5ZfVt2k9h2PXJ6IXCoKCGr2gqd3bNTJp+Nge10/VwHbBQll2f53wWxHASveiYP/hxIKgMFdYO09gCkW3gkU5+K6lwbj2JIK3EX1gvhv/okaosWXyXz2P29tlm7wlbYlem1ozUo+vUSIIlbYmY
ServerSignature

WfQsae5I4R500x9vce+hj9/Zaf5nuabpEv2R+cIRRRKKCSn9+LHkvYsTUla/r/+s4mh2Kf5u4g+be5m4VuGFjdaGt/fjz6pDW+yEEGHBRb+vGrxqPKki/QlXOMbzprm+D0jl8c2ikrIgAMP5okJOwwGw0esScqt0HOptPBubfoM=
Install

true
BDOS

false
Anti-VM

false
Install File

Shieldbrowser.exe
Install-Folder

%AppData%
Hosts

hy7tpet.uk.com,www.hy7tpet.uk.com,qen.uk.com,www.qen.uk.com,www.rcn.uk.com,rcn.uk.com,www.smileexpress.eu.com,smileexpress.eu.com,www.hrhsw.uk.com,hrhsw.uk.com,gti.uk.com,www.gti.uk.com,www.dug.uk.com,dug.uk.com,www.company-it-technology.ru.com,company-it-technology.ru.com
Ports

80,443,1604,4444,5555,6606,6666,8080,8443
Mutex

Download
Version

1.0.7
Delay

1
Group

Shield
Artefacts
Name
 Value Location
Key (AES_256)

S0s4bkxkaGFwZks3cVlOZHEwdnN6T0JBeklTUXlTelY=

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

hy7tpet.uk.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

www.hy7tpet.uk.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

qen.uk.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

www.qen.uk.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

www.rcn.uk.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

rcn.uk.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

www.smileexpress.eu.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

smileexpress.eu.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

www.hrhsw.uk.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

hrhsw.uk.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

gti.uk.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

www.gti.uk.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

www.dug.uk.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

dug.uk.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

www.company-it-technology.ru.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
CnC

company-it-technology.ru.com

Malicious

478a1956d73a21b08567fe4ee38b6da2
Ports

80

Malicious

478a1956d73a21b08567fe4ee38b6da2
Ports

443

Malicious

478a1956d73a21b08567fe4ee38b6da2
Ports

1604

Malicious

478a1956d73a21b08567fe4ee38b6da2
Ports

4444

Malicious

478a1956d73a21b08567fe4ee38b6da2
Ports

5555

Malicious

478a1956d73a21b08567fe4ee38b6da2
Ports

6606

Malicious

478a1956d73a21b08567fe4ee38b6da2
Ports

6666

Malicious

478a1956d73a21b08567fe4ee38b6da2
Ports

8080

Malicious

478a1956d73a21b08567fe4ee38b6da2
Ports

8443

Malicious

478a1956d73a21b08567fe4ee38b6da2
Mutex

Download

Malicious

478a1956d73a21b08567fe4ee38b6da2
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙