Verdict: Malicious

Sample: 48de33adfc768d0771cbce2e8ffc4352
Type: PE Executable (application/x-dosexec)
MD5: 48de33adfc768d0771cbce2e8ffc4352
Size: 311.31 KB


Characteristics

Symbol Obfuscation Score: Low

Hashes

MD5: 48de33adfc768d0771cbce2e8ffc4352
SHA-1: 713e2a01452945a044c84542fa202a960b96beb1
SHA-256: 3c36199f3ef466a270b479f0599781fc76d196a6f2eb7a153e1e2d86bc61607d
SHA-384: c340ff9c56229a6f2f5ed5a243d1531e5079e09d53cf722d659fc20210d2133767c77040683247449c0f89c2d98e8d42
SHA-512: 55fdad65c4c97a77a39bd5d9109395c2ae9fc917f0f3ddaf379dac354ce4dc7f7c8b382507d0d156a746687b147d9c3da07723acc6363486a47f3841562b2e87
SSDeep: 6144:FKJuiyEnCGnhJlMP5Kq+SMv0VGb7bDcllbkfC:czCGL69zVGkllbka
TLSH: 25645A2527F8A93BD9BE17B4F43141094BB6FC07B557F38E6A5818B82C1A38985437E3

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Malware Configuration: QuasarRAT config (field / value as extracted by the tool)

Conf. AES-Salt: BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key: wB9FFjvH9SpePZHS82zr
Version: 1.4.0.0
Port: (not reported)
Host: wifilan.ydns.eu
ReconnectDelay: 3000
SubDirectory: 1WvgEMPjdwfqIMeM9MclyQ==
InstallName: NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
Install: Onedrives
Startup: Drivers.exe
Mutex: 0
StartupKey: 0
HideFile: CC8HGJjBq8p8aMfY
EnableLogger: Quasar Client St
Tag: 1
LogDirectory: 1
ServerSignature: wifiwifi
ServerCertificate: Logs
InstallPath: 1
LogsPath: 1
UnattendedMode: 0

Caveat: treat the field-to-value pairing above as raw tool output. Several values do not fit the field they sit under (an executable name, Drivers.exe, under Startup; the truncated "Quasar Client St" under EnableLogger; the short string wifiwifi under ServerSignature; Logs under ServerCertificate), two values (SubDirectory, InstallName) are still Base64 blobs rather than decrypted strings, and the config Version (1.4.0.0) disagrees with the assembly version (1.3.0.0) reported in the assembly information below. Confirm each value against the decrypted fields of xClient.Config.Settings before using it as an indicator.
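
The table reports the AES salt and master key recovered from the client but not how the client turns them into keys or what an encrypted setting looks like on the wire. The Go program below is an added example by the editor; it is not part of this report or of the Quasar project. It reproduces the string-protection scheme of the open-source Quasar 1.3.0 client's Aes256 helper as the editor recalls it, and every part of that scheme is an assumption to verify against the decompiled Client.exe: PBKDF2-HMAC-SHA1 with 50,000 iterations over the master key and the 32-byte salt, the first 32 derived bytes used as the AES-256-CBC key and the next 64 as an HMAC-SHA256 key, and each stored string being Base64 of mac(32) || iv(16) || ciphertext with PKCS#7 padding. The salt and key are the values from the table; the round-trip plaintext and the fixed demo IV are constructed; the encrypt helper exists only so the decoder can be exercised offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// Salt and master key exactly as listed in the report's configuration table.
const reportSalt = "BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41"
const reportKey = "wB9FFjvH9SpePZHS82zr"

// Scheme assumed from the open-source Quasar 1.3.0 Aes256 helper (editor's recollection, verify against
// the decompiled client): PBKDF2-HMAC-SHA1 x 50000 over (master key, salt); the first 32 derived bytes are
// the AES-256-CBC key, the next 64 the HMAC-SHA256 key; a stored blob is mac(32) || iv(16) || ciphertext.
const pbkdf2Iterations, macLen, ivLen = 50000, 32, 16

// parseSalt converts the report's dash-separated hex notation into raw bytes.
func parseSalt(s string) ([]byte, error) { return hex.DecodeString(strings.ReplaceAll(s, "-", "")) }

// pbkdf2SHA1 is RFC 2898 PBKDF2 with HMAC-SHA1, the PRF behind .NET's Rfc2898DeriveBytes.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf, idx, out := hmac.New(sha1.New, password), make([]byte, 4), []byte{}
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Reset()
		prf.Write(append(append([]byte{}, salt...), idx...))
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t { t[j] ^= u[j] }
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

type quasarAES struct{ key, authKey []byte }

// newQuasarAES takes both keys from one PBKDF2 stream, as consecutive GetBytes calls do in .NET.
func newQuasarAES(masterKey string, salt []byte, iterations int) *quasarAES {
	dk := pbkdf2SHA1([]byte(masterKey), salt, iterations, 32+64)
	return &quasarAES{key: dk[:32], authKey: dk[32:]}
}

// encrypt builds mac||iv||ct (PKCS#7) so the decoder can be exercised offline; the caller supplies the IV.
func (q *quasarAES) encrypt(plaintext, iv []byte) []byte {
	block, _ := aes.NewCipher(q.key) // key is always 32 bytes here
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	body := make([]byte, ivLen+len(padded))
	copy(body, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body[ivLen:], padded)
	mac := hmac.New(sha256.New, q.authKey)
	mac.Write(body)
	return append(mac.Sum(nil), body...)
}

// decrypt verifies the MAC in constant time before decrypting, then strips PKCS#7 padding.
func (q *quasarAES) decrypt(blob []byte) ([]byte, error) {
	if len(blob) < macLen+ivLen+aes.BlockSize || (len(blob)-macLen-ivLen)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("blob of %d bytes does not fit mac||iv||ct", len(blob))
	}
	mac := hmac.New(sha256.New, q.authKey)
	mac.Write(blob[macLen:])
	if !hmac.Equal(mac.Sum(nil), blob[:macLen]) {
		return nil, fmt.Errorf("HMAC mismatch: wrong key, different scheme, or tampered data")
	}
	block, _ := aes.NewCipher(q.key)
	pt := make([]byte, len(blob)-macLen-ivLen)
	cipher.NewCBCDecrypter(block, blob[macLen:macLen+ivLen]).CryptBlocks(pt, blob[macLen+ivLen:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad PKCS#7 padding")
	}
	return pt[:len(pt)-n], nil
}

func main() {
	salt, err := parseSalt(reportSalt)
	if err != nil { panic(err) }
	q := newQuasarAES(reportKey, salt, pbkdf2Iterations)
	// Round trip on a constructed plaintext with a fixed demo IV (a real client draws a random one).
	pt, err := q.decrypt(q.encrypt([]byte("constructed sample plaintext"), bytes.Repeat([]byte{0x42}, ivLen)))
	fmt.Printf("round trip: %q (err=%v)\n", pt, err)
	// The report's 88-character value decodes to 64 bytes, which fits mac||iv||one block; the 24-character one cannot.
	raw, _ := base64.StdEncoding.DecodeString("NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==")
	out, err := q.decrypt(raw)
	fmt.Printf("report value: %q (err=%v)\n", out, err)
}
```

If the last line prints an HMAC mismatch, either the recalled layout or iteration count is wrong for this build or the reported key is not the one used for that field; the MAC check fails before any decryption is attempted, so a wrong guess never produces misleading garbage plaintext. The 24-character SubDirectory value decodes to 16 bytes and is rejected by the length check, which shows it cannot be a blob of this layout.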

Information

Info: PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info: Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_0d636ffb.exe
Module Name: Client.exe
Full Name: Client.exe
EntryPoint: System.Void xClient.Program::Main(System.String[])
Scope Name: Client.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: Client
Assembly Version: 1.3.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0,Profile=Client
Total Strings: 1062
Main Method: System.Void xClient.Program::Main(System.String[])
Main IL Instruction Count: 19

Main IL:
call System.Void System.Windows.Forms.Application::EnableVisualStyles()
ldc.i4.0
call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
call System.AppDomain System.AppDomain::get_CurrentDomain()
ldnull
ldftn System.Void xClient.Program::HandleUnhandledException(System.Object,System.UnhandledExceptionEventArgs)
newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
call System.Boolean xClient.Config.Settings::Initialize()
brfalse.s IL_0040: call System.Void xClient.Program::Cleanup()
call System.Boolean xClient.Program::Initialize()
brfalse.s IL_0040: call System.Void xClient.Program::Cleanup()
call System.Boolean xClient.Core.Networking.QuasarClient::get_Exiting()
brtrue.s IL_0040: call System.Void xClient.Program::Cleanup()
ldsfld xClient.Core.Networking.QuasarClient xClient.Program::ConnectClient
callvirt System.Void xClient.Core.Networking.QuasarClient::Connect()
call System.Void xClient.Program::Cleanup()
call System.Void xClient.Program::Exit()
ret

Read top to bottom, Main registers an unhandled-exception handler, decrypts and loads the embedded settings (xClient.Config.Settings::Initialize), runs the client's own Program::Initialize, and, unless the client is already flagged as exiting, calls QuasarClient::Connect on the static ConnectClient instance; a false result from either Initialize call branches straight to Cleanup. The unmodified xClient namespace and method names are consistent with the low symbol obfuscation score above.


Artefacts

CnC: wifilan.ydns.eu
Port: (not reported)
PE Layout: MemoryMapped (process dump suspected)

Note: wifilan.ydns.eu is a dynamic-DNS hostname (ydns.eu), so the address it resolves to can change at any time; pivot and block on the hostname rather than on a single resolved IP. The memory-mapped layout means this file is a dump of the running client rather than the file as it existed on disk, which is also why the PeReader parse failed and the tool had to remap the image to file layout before analysis.

