Malicious

47bb14b0f01f6b8cc063ef578bbd3615

PE Executable | MD5: 47bb14b0f01f6b8cc063ef578bbd3615 | Size: 57.34 KB | application/x-dosexec

Infection Chain
Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score: Low

Hash
MD5: 47bb14b0f01f6b8cc063ef578bbd3615
SHA1: a9083e1c83d0bae46a71a220b5639640d9e091e8
SHA256: 99528e9923716d980c54fef240fde7fb6463a2cc13b1e7bf3de09d0635e04c66
SHA384: 368be10860b9a05a58f4040484b569e1162262b0c97ffe92944080c63f8952005bd212bcefeeb56358ce96bd4ba13b3d
SHA512: cbc59ff655040f21cf9e1fa23edfca6f246c22ae28d05c87ca90b58739bc246cdf6c683c92e823357230b2edaf79f0658da9acbaa0b0de69e2d86da37e442b8c
SSDeep: 1536:KunHpTJZ+2slVJjMbgXSQ3Xv7sdty0S1lv2XzB:KunJTJZ+2gTjMbgxDsv7Sfv2jB
TLSH: 83435D003BE9813BF1BE4F78A8F21141467AF6677603E54E1C8452DB5613FC69A42BFA

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_ICON
ID:0001
ID:0
RT_GROUP_CURSOR4
ID:0001
ID:0
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
Malware Configuration - AsyncRAT config
Key (AES_256): VTZIb2swN1RGN2tkRWlMN2YzdEJ3VnQ0RXdSMVFmcWE= (base64; decodes to the 32-character master key U6Hok07TF7kdEiL7f3tBwVt4EwR1Qfqa)
Pastebin: -
Certificate: MIIE5DCCAsygAwIBAgIQAOc250/jBXH7PusRfV4KKzANBgkqhkiG9w0BAQ0FADATMREwDwYDVQQDDAhBc3luY1JBVDAgFw0yNTEyMTQxNTM0MjFaGA85OTk5MTIzMTIzNTk1OVowEzERMA8GA1UEAwwIQXN5bmNSQVQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC3hbrOJGE/Ncxr2hD4zwR5WwrlT40PQHZSYRdpnqR2/7/cw8e4m6IS/kPj2TSnF3yYhOkR08loqxZDE8g9vaF8pLg+pyFwXjs8+Tjb6rGW2uRjpX92Pyhjh8LBpkQ8ZVWmHgnrg6rG0F60rBKz4ew8WXbKcUo3Q+oz/td4gqFQDlhw1kKoLeUmr+9QKyInnm/2UOlpU4DY3Vpgw9RKXcNYyUemiFybYORXhX5itphsOy7VNGbmDGcokwXemsR8Dxtx/fxqxdTSIJt2+bnMbPPCL05l7xkOyVQMnLIGcsDBoQXotDfeKlpluqyut2YjHGluh/uIUb/c37ZW17RCI+CtrNRGQjB8ErSBSWGtlxKh6a7DtgUD3Ixy87tueEKyeiHIjKNGM2DeeYpPp94vQ1L9omOqV6XBPRIlE8dZG2wIEh9U7nAbyILI5CsDNK3ZKIo9rFYVDCqRpjSpDW6EE3X+megquYTgBmYwz0wc3Nm7DyXpYWw9M6ubgwJOY4IuNEV3JNHsxHdX457CHJ1B3pvyDSRoD4GGQWzFrod/rSdbc6h0Znk520NtZ7qkP+AA3KumXQoREuIENMqFyEeb4jAL/o+NLZJ2s25y37AhIULalSXUWRpFFN4afCogVBX2Lq5fTnARunBy+iM0cTCITKg1PzdagOzpIYZ1301QYewT1wIDAQABozIwMDAdBgNVHQ4EFgQUwIO7jdsbGYhuyUURLCnL8u8aCiswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAPXoIXK5CvTxz3g1MuFheFwcA6CSzDoKFPW4zVdDtZTjVtAd9wnPaH7HpQXLwpPUb3WM8iEX/zgdze8q36+IWIv7LOpMKCDr3+dyeR5dyuSF0HNggANxw64nb8ggfquNYXofQDR8B2fp/c1iXT3NQcZ4CsM37nMLyvKC7n2hWWArrhshFMKZ/AnT+3r996JaT0BopXowQsSIzBNFez3KrBQ2fKj8HuJPZ3VJKnAH+sUBvTup/5qk5+aijalDJU/APvTFLKBom0ifAqZoYgwI/B9H0mEO7qYXokEVtEPX9LS41ALFQl/naWldHpnhmMgpN3Y30HgI+CJIyUxR9k7f0AIYXdGHdXeqc+MhZa25H+ESwSwI7N7FMyxkdzkikWAXIYoKK3o1mdb9+0s1/CstbjWs8QAzUYmZTb1vUAg9tUMhL2LqaWlpnzOOXdQUhRqk1JuYoBAvlesZ5qsgrZxzaQtDZ7hq6oWsqdDScXGUt7SrPvtXFjFXHjdCrfVHISH0RcEsmaSSV6+cjvcSZe3gb/t5lfjmaDMgWvlIHtKONjneUbCKzoYY2OHU/gy4DkWdt4q8SX1a0jLYXkYr7KPKFaDR/oc85PRUsCKg/vhCtRIbTAJ1CCf0RCk61CuONfs18uIvo08JwHJgWVwN/1lq94mdsEzo1SPA5mE4FFr/APuY= (base64 DER; self-signed, subject and issuer CN=AsyncRAT, RSA 4096, notBefore 2025-12-14 15:34:21Z, notAfter 9999-12-31 23:59:59Z)
ServerSignature: J0J7eYvmXVDfaiDIAJSn7ACi0ZJYD36qyqGsCzEpQtneYlVfByc8BVJ5aG1WRu3RKLHCAT+3ZUvrVJ0b93U5k9Z0U4/edIzufVgKN6MBXwJN3ZPevf7ijcFNcZGvCtNLNPyd27OYMBaujNInA5OQr8FByyIHPjeK7Pz3qaebsz2Gr5E6H4xNeUBis/cRMThxMOACrhbXWyFP0WMFDgU1n0ENld29RGuM/XsRwfWX0B8kCalw/T7HqPo4sDj5hHwhP06ssiRAp7EHszLyYnoxumWR5+1kGGA5LsnqYhdEhHPEZaGoajccHMmFGN4s0Q2FHlG6KsLcVk6hr62P2fcC+xeEBdUo6/ftaQE3Pzpx3hf00v9bxk1401JtoJWapoeKUQBhHZgWfXV2DGwhA87hew/XgCJP1CoE3s8eaJ0fDcJK6Nj7zcZrNbbV4dYinryNWEF7XhBJZJI2Kpk36miF5fZaSShJm7zA3I7fFS/oJ+E/95j9iFt90Xo/AIsjqL8YqyQ9QGPbpMdMoHzk57DfbFB/PuV6Njd0n4Lg61koD+DwOAyWzi6ZcLuEbQbJkwzAawdV3nMhHJQyWpf326WzBgM5sULvuZW2EAYOFUTaO7Rd3SnGhQeY7TKHpJ2Ocftpa87pUSjbEHFkNIoi6BioyABMUZIdb3vLjQNwXhohyGo= (base64 RSA signature)
Install: true
BDOS: false
Anti-VM: false
Install File: AWS.exe
Install-Folder: %AppData%
Hosts: tourne.eu.com,www.tourne.eu.com,davidwilliam.uk.com,www.davidwilliam.uk.com,allclean.jp.net,www.allclean.jp.net,gemwin.me,www.gemwin.me
Ports: 80,443,1604,4444,5555,6606,7707,8080,8808
Mutex: CZIkhwQj4NKa
Version: 0.5.8
Delay: 3
Group: Meta
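The Key, Certificate and ServerSignature fields above are not independent: in the open-source AsyncRAT client, Settings.Key is the base64 of a 32-character master key, and Client.Settings::InitializeSettings() (the call visible in the Main IL in the Meta section) only returns true when the certificate's RSA public key verifies ServerSignature as a PKCS#1 v1.5 signature with SHA-256 over the UTF-8 bytes of that master key; otherwise Main exits. The script below is an added example, written for this report and not code from the page's analysis platform or from the AsyncRAT project, that repeats that check offline with only the Python standard library, using the three values copied from the table. The DER walker is deliberately minimal and assumes a v3 certificate carrying an RSA key, which is what this sample ships; the function names and the description of the binding come from the AsyncRAT client source as I know it, not from this page.

```python
"""Re-check the AsyncRAT master-key / certificate binding from an extracted config.

AsyncRAT's builder signs SHA-256(master key) with the private key of the
self-signed operator certificate and embeds the signature as ServerSignature.
Client.Settings::InitializeSettings() decodes Settings.Key, parses the
certificate and verifies that signature before the client starts talking.
"""
import base64
import hashlib
import hmac

# Values copied from the configuration table of this report.
KEY_B64 = "VTZIb2swN1RGN2tkRWlMN2YzdEJ3VnQ0RXdSMVFmcWE="
CERT_B64 = "MIIE5DCCAsygAwIBAgIQAOc250/jBXH7PusRfV4KKzANBgkqhkiG9w0BAQ0FADATMREwDwYDVQQDDAhBc3luY1JBVDAgFw0yNTEyMTQxNTM0MjFaGA85OTk5MTIzMTIzNTk1OVowEzERMA8GA1UEAwwIQXN5bmNSQVQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC3hbrOJGE/Ncxr2hD4zwR5WwrlT40PQHZSYRdpnqR2/7/cw8e4m6IS/kPj2TSnF3yYhOkR08loqxZDE8g9vaF8pLg+pyFwXjs8+Tjb6rGW2uRjpX92Pyhjh8LBpkQ8ZVWmHgnrg6rG0F60rBKz4ew8WXbKcUo3Q+oz/td4gqFQDlhw1kKoLeUmr+9QKyInnm/2UOlpU4DY3Vpgw9RKXcNYyUemiFybYORXhX5itphsOy7VNGbmDGcokwXemsR8Dxtx/fxqxdTSIJt2+bnMbPPCL05l7xkOyVQMnLIGcsDBoQXotDfeKlpluqyut2YjHGluh/uIUb/c37ZW17RCI+CtrNRGQjB8ErSBSWGtlxKh6a7DtgUD3Ixy87tueEKyeiHIjKNGM2DeeYpPp94vQ1L9omOqV6XBPRIlE8dZG2wIEh9U7nAbyILI5CsDNK3ZKIo9rFYVDCqRpjSpDW6EE3X+megquYTgBmYwz0wc3Nm7DyXpYWw9M6ubgwJOY4IuNEV3JNHsxHdX457CHJ1B3pvyDSRoD4GGQWzFrod/rSdbc6h0Znk520NtZ7qkP+AA3KumXQoREuIENMqFyEeb4jAL/o+NLZJ2s25y37AhIULalSXUWRpFFN4afCogVBX2Lq5fTnARunBy+iM0cTCITKg1PzdagOzpIYZ1301QYewT1wIDAQABozIwMDAdBgNVHQ4EFgQUwIO7jdsbGYhuyUURLCnL8u8aCiswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAPXoIXK5CvTxz3g1MuFheFwcA6CSzDoKFPW4zVdDtZTjVtAd9wnPaH7HpQXLwpPUb3WM8iEX/zgdze8q36+IWIv7LOpMKCDr3+dyeR5dyuSF0HNggANxw64nb8ggfquNYXofQDR8B2fp/c1iXT3NQcZ4CsM37nMLyvKC7n2hWWArrhshFMKZ/AnT+3r996JaT0BopXowQsSIzBNFez3KrBQ2fKj8HuJPZ3VJKnAH+sUBvTup/5qk5+aijalDJU/APvTFLKBom0ifAqZoYgwI/B9H0mEO7qYXokEVtEPX9LS41ALFQl/naWldHpnhmMgpN3Y30HgI+CJIyUxR9k7f0AIYXdGHdXeqc+MhZa25H+ESwSwI7N7FMyxkdzkikWAXIYoKK3o1mdb9+0s1/CstbjWs8QAzUYmZTb1vUAg9tUMhL2LqaWlpnzOOXdQUhRqk1JuYoBAvlesZ5qsgrZxzaQtDZ7hq6oWsqdDScXGUt7SrPvtXFjFXHjdCrfVHISH0RcEsmaSSV6+cjvcSZe3gb/t5lfjmaDMgWvlIHtKONjneUbCKzoYY2OHU/gy4DkWdt4q8SX1a0jLYXkYr7KPKFaDR/oc85PRUsCKg/vhCtRIbTAJ1CCf0RCk61CuONfs18uIvo08JwHJgWVwN/1lq94mdsEzo1SPA5mE4FFr/APuY="
SIG_B64 = "J0J7eYvmXVDfaiDIAJSn7ACi0ZJYD36qyqGsCzEpQtneYlVfByc8BVJ5aG1WRu3RKLHCAT+3ZUvrVJ0b93U5k9Z0U4/edIzufVgKN6MBXwJN3ZPevf7ijcFNcZGvCtNLNPyd27OYMBaujNInA5OQr8FByyIHPjeK7Pz3qaebsz2Gr5E6H4xNeUBis/cRMThxMOACrhbXWyFP0WMFDgU1n0ENld29RGuM/XsRwfWX0B8kCalw/T7HqPo4sDj5hHwhP06ssiRAp7EHszLyYnoxumWR5+1kGGA5LsnqYhdEhHPEZaGoajccHMmFGN4s0Q2FHlG6KsLcVk6hr62P2fcC+xeEBdUo6/ftaQE3Pzpx3hf00v9bxk1401JtoJWapoeKUQBhHZgWfXV2DGwhA87hew/XgCJP1CoE3s8eaJ0fDcJK6Nj7zcZrNbbV4dYinryNWEF7XhBJZJI2Kpk36miF5fZaSShJm7zA3I7fFS/oJ+E/95j9iFt90Xo/AIsjqL8YqyQ9QGPbpMdMoHzk57DfbFB/PuV6Njd0n4Lg61koD+DwOAyWzi6ZcLuEbQbJkwzAawdV3nMhHJQyWpf326WzBgM5sULvuZW2EAYOFUTaO7Rd3SnGhQeY7TKHpJ2Ocftpa87pUSjbEHFkNIoi6BioyABMUZIdb3vLjQNwXhohyGo="

# DER encoding of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def der_read(buf: bytes, pos: int):
    """Read one DER TLV starting at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents: bytes):
    """Split the contents of a constructed DER value into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, body, pos = der_read(contents, pos)
        out.append((tag, body))
    return out


def parse_rsa_cert(der: bytes):
    """Return (modulus, public exponent, subject CN) of a certificate with an RSA key.

    Minimal walker (assumption: v3 certificate, RSA SubjectPublicKeyInfo);
    it does not validate the certificate's own signature or extensions.
    """
    _, cert, _ = der_read(der, 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert, 0)   # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:        # optional [0] EXPLICIT version
        fields = fields[1:]
    # Remaining order: serial, signature alg, issuer, validity, subject, SPKI
    subject, spki = fields[4][1], fields[5][1]

    cn = None
    for _, rdn in der_children(subject):        # RelativeDistinguishedName ::= SET
        for _, atv in der_children(rdn):        # AttributeTypeAndValue ::= SEQUENCE
            oid, value = der_children(atv)
            if oid[1] == b"\x55\x04\x03":       # id-at-commonName (2.5.4.3)
                cn = value[1].decode("utf-8")

    _, bitstring = der_children(spki)           # (algorithm SEQUENCE, BIT STRING)
    _, rsa_pub, _ = der_read(bitstring[1][1:], 0)   # skip the unused-bits octet
    n_tlv, e_tlv = der_children(rsa_pub)        # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(n_tlv[1], "big"), int.from_bytes(e_tlv[1], "big"), cn


def pkcs1v15_sha256_verify(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 verification with SHA-256, done by hand (RFC 8017, 8.2.2)."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)   # full-EM comparison, no partial parsing


def decode_master_key(key_b64: str) -> str:
    """Settings.Key -> the 32-character master key the client actually derives from."""
    return base64.b64decode(key_b64).decode("utf-8")


def cert_summary(cert_b64: str) -> dict:
    """Operator certificate facts worth pivoting on (CN, key size, exponent)."""
    n, e, cn = parse_rsa_cert(base64.b64decode(cert_b64))
    return {"cn": cn, "modulus_bits": n.bit_length(), "exponent": e}


def verify_server_signature(key_b64: str, cert_b64: str, sig_b64: str) -> bool:
    """The check Client.Settings::InitializeSettings() performs before returning true."""
    key = decode_master_key(key_b64)
    n, e, _ = parse_rsa_cert(base64.b64decode(cert_b64))
    return pkcs1v15_sha256_verify(n, e, key.encode("utf-8"), base64.b64decode(sig_b64))


if __name__ == "__main__":
    print("master key:", decode_master_key(KEY_B64))
    print("certificate:", cert_summary(CERT_B64))
    print("signature over master key verifies:", verify_server_signature(KEY_B64, CERT_B64, SIG_B64))
```

A successful verification tells you the three extracted fields belong to the same build; a failure on a fresh sample usually means the extractor pulled a stale or partially decrypted value rather than a modified client, because the real client would simply exit. The certificate's public key (or its SubjectKeyIdentifier) is also a better clustering pivot than the mutex, since one operator panel re-uses the same certificate across every client it builds.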

Information
Info: PE Detect: PeReader OK (file layout)
Module Name: AWS.exe
Full Name: AWS.exe
EntryPoint: System.Void Client.Program::Main()
Scope Name: AWS.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: AWS
Assembly Version: 1.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0,Profile=Client
Total Strings: 120
Main Method: System.Void Client.Program::Main()
Main IL Instruction Count: 51
Main IL:

Read as control flow, Main first sleeps Settings.Delay seconds (a loop of Thread.Sleep(1000) calls), then calls Client.Settings::InitializeSettings() and exits with code 0 if it returns false; it exits the same way if MutexControl.CreateMutex() fails, which is how a second copy of the client notices one is already running under the same mutex. It then runs Anti_Analysis.RunAntiAnalysis() only when Settings.Anti is true, NormalStartup.Install() only when Settings.Install is true, and ProcessCritical.Set() only when Settings.BDOS is true and Methods.IsAdmin() returns true (a critical process takes the machine down with a bugcheck if it is killed, hence "BDOS"). After Methods.PreventSleep() it loops forever, calling ClientSocket.Reconnect() and InitializeClient() whenever ClientSocket.IsConnected is false and sleeping 5000 ms per iteration. With this sample's configuration (Anti-VM false, Install true, BDOS false, Delay 3) the anti-analysis and critical-process branches are skipped and the install branch runs.

The listing below is one instruction per line; a branch operand is shown as the target label followed by the instruction found at that label.

ldc.i4.0 <null>
stloc.0 <null>
br IL_0015: ldloc.0
ldc.i4 1000
call System.Void System.Threading.Thread::Sleep(System.Int32)
ldloc.0 <null>
ldc.i4.1 <null>
add <null>
stloc.0 <null>
ldloc.0 <null>
ldsfld System.String Client.Settings::Delay
call System.Int32 System.Convert::ToInt32(System.String)
blt.s IL_0007: ldc.i4 1000
call System.Boolean Client.Settings::InitializeSettings()
brtrue IL_0032: nop
ldc.i4.0 <null>
call System.Void System.Environment::Exit(System.Int32)
nop <null>
call System.Boolean Client.Helper.MutexControl::CreateMutex()
brtrue IL_0043: ldsfld System.String Client.Settings::Anti
ldc.i4.0 <null>
call System.Void System.Environment::Exit(System.Int32)
ldsfld System.String Client.Settings::Anti
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_0057: ldsfld System.String Client.Settings::Install
call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis()
ldsfld System.String Client.Settings::Install
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_006B: ldsfld System.String Client.Settings::BDOS
call System.Void Client.Install.NormalStartup::Install()
ldsfld System.String Client.Settings::BDOS
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_0089: call System.Void Client.Helper.Methods::PreventSleep()
call System.Boolean Client.Helper.Methods::IsAdmin()
brfalse IL_0089: call System.Void Client.Helper.Methods::PreventSleep()
call System.Void Client.Helper.ProcessCritical::Set()
call System.Void Client.Helper.Methods::PreventSleep()
leave IL_0099: nop
pop <null>
leave IL_0099: nop
nop <null>
call System.Boolean Client.Connection.ClientSocket::get_IsConnected()
brtrue IL_00AE: leave IL_00B9
call System.Void Client.Connection.ClientSocket::Reconnect()
call System.Void Client.Connection.ClientSocket::InitializeClient()
leave IL_00B9: ldc.i4 5000
pop <null>
leave IL_00B9: ldc.i4 5000
ldc.i4 5000
call System.Void System.Threading.Thread::Sleep(System.Int32)
br.s IL_0099: nop

Artefacts
Key (AES_256): VTZIb2swN1RGN2tkRWlMN2YzdEJ3VnQ0RXdSMVFmcWE=
CnC: tourne.eu.com
CnC: www.tourne.eu.com
CnC: davidwilliam.uk.com
CnC: www.davidwilliam.uk.com
CnC: allclean.jp.net
CnC: www.allclean.jp.net
CnC: gemwin.me
CnC: www.gemwin.me
Ports: 80
Ports: 443
Ports: 1604
Ports: 4444
Ports: 5555
Ports: 6606
Ports: 7707
Ports: 8080
Ports: 8808
Mutex: CZIkhwQj4NKa

