Malicious

4e0ffe2e522134b84adf341b9d569908

PE Executable | MD5: 4e0ffe2e522134b84adf341b9d569908 | Size: 368.04 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score: Medium

Hashes

MD5: 4e0ffe2e522134b84adf341b9d569908
Sha1: 1d2666747f8b5708d80749bd0fe6bc278cd7c956
Sha256: b31328873503433ff493ae5e5895d6e0a63d2fddff613ccaced427d86292255e
Sha384: d5cc6f36c2a2a974e38f31de132a8726182fdac13efb866babc6e82898c11e1aa3af0000f03ebc8ac1ac91402102ec63
Sha512: be48e0ffa0a61a2fb2caff18c8dde19c588f637678959d67dd0dd7da072cdb64e2ecab2035d423dbaf924337444a85460de59b9a04be717fd1531b4f8f9421bd
SSDeep: 6144:EbqQ4i1FFiEKRBtpqoAlcboWFfHCLXmRY69JGGIea:2plidoo8GH62R/Jsea
TLSH: 53747B1373A4D63BD1FE177AE43206184BB1D457F616E38B5A5A55F82E2338A8D803B3

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
Overlay_e35661c8.bin
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Malware Configuration - QuasarRAT config.

Conf. AES-Salt: BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key: ZtohN2lfKvYgyPzNSDu2
Conf. AES-Salt: BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Port: 12
Host: 12
Conf. AES-Key: ZtohN2lfKvYgyPzNSDu2
Conf. AES-Salt: BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Port: 4782
Host: 127.0.0.2
Conf. AES-Key: ZtohN2lfKvYgyPzNSDu2
Version: 1.3.0.0
Port: 4782
Host: 127.0.0.1
ReconnectDelay: 3000
Key: 1WvgEMPjdwfqIMeM9MclyQ==
AuthKey: NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
SubDirectory: NVIDIA
InstallName: Client.exe
Install: 1
Startup: 1
Mutex: QSR_MUTEX_JNmto3
StartupKey: NVIDIA Client St
HideFile: 1
EnableLogger: 1
Tag: Test0123
LogDirectory: Logs
HideLogDirectory: 1
HideLogSubdirectory: 1

Information

Info: PE Detect: PeReader OK (file layout)
Info: Overlay extracted: Overlay_e35661c8.bin (11688 bytes)
Module Name: Client.exe
Full Name: Client.exe
EntryPoint: System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::Main(System.String[])
Scope Name: Client.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: Client
Assembly Version: 1.3.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0,Profile=Client
Total Strings: 896
Main Method: System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::Main(System.String[])
Main IL Instruction Count: 19
Main IL (one instruction per line; <null> is the tool's rendering of an empty operand):
  call System.Void System.Windows.Forms.Application::EnableVisualStyles()
  ldc.i4.0 <null>
  call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
  call System.AppDomain System.AppDomain::get_CurrentDomain()
  ldnull <null>
  ldftn System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::ᒲ锦潸맷�駃殊袭詪摧呧汢�眄谼䇕镬⾳氙(System.Object,System.UnhandledExceptionEventArgs)
  newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
  callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
  call System.Boolean ⱌ雇㺭克喾盎줁罁襊䓤㍶猏푅仚趘⺚⻠薎눩::捙ᾒŋ䯟ꋳ쫋퍽ዧ�ख़ꗠ諣֫ዽ⿠阫葐()
  brfalse.s IL_0040: call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::⫞莿甸Ḵ臐�␴ඳᤠⳞ⃆⿊術≫흆譒誗䨩쑰擄()
  call System.Boolean ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::頥௜叝객㇦㮠㛽돉꿓铐셍毝捯琐딘తđ㑈�()
  brfalse.s IL_0040: call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::⫞莿甸Ḵ臐�␴ඳᤠⳞ⃆⿊術≫흆譒誗䨩쑰擄()
  call System.Boolean 鱊ւ偉酈⯹ʤꧤᤛ缾骻፱ꔣᐷ⯽쾬::get_Exiting()
  brtrue.s IL_0040: call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::⫞莿甸Ḵ臐�␴ඳᤠⳞ⃆⿊術≫흆譒誗䨩쑰擄()
  ldsfld 鱊ւ偉酈⯹ʤꧤᤛ缾骻፱ꔣᐷ⯽쾬 ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::鑜ȧꐙ鵵Ɛ၈勩嬱䅻揅鐰䅟勏帎࿘猱㏓랉嫡׼
  callvirt System.Void 鱊ւ偉酈⯹ʤꧤᤛ缾骻፱ꔣᐷ⯽쾬::銳�搆⢒侍㉤옋䂼ꨅ챭䭿䜉利除쭁ꀉ躷擞()
  call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::⫞莿甸Ḵ臐�␴ඳᤠⳞ⃆⿊術≫흆譒誗䨩쑰擄()
  call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::㪩缝찪濈莈缅룛裌⬔髓ꎐ碇ṅ㙍흰핀ᄎ䦟()
  ret <null>

Artefacts

Name | Value | Location
CnC | 127.0.0.1 | Malicious 4e0ffe2e522134b84adf341b9d569908
Port | 4782 | Malicious 4e0ffe2e522134b84adf341b9d569908
CnC | 127.0.0.2 | Malicious 4e0ffe2e522134b84adf341b9d569908
CnC | 12 | Malicious 4e0ffe2e522134b84adf341b9d569908
Port | 12 | Malicious 4e0ffe2e522134b84adf341b9d569908
