Malicious
Malicious

4e0ffe2e522134b84adf341b9d569908

PE Executable
|
MD5: 4e0ffe2e522134b84adf341b9d569908
|
Size: 368.04 KB
|
application/x-dosexec

Print
Infection Chain
Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score

Medium

Hash
 Hash Value
MD5
4e0ffe2e522134b84adf341b9d569908
Sha1
1d2666747f8b5708d80749bd0fe6bc278cd7c956
Sha256
b31328873503433ff493ae5e5895d6e0a63d2fddff613ccaced427d86292255e
Sha384
d5cc6f36c2a2a974e38f31de132a8726182fdac13efb866babc6e82898c11e1aa3af0000f03ebc8ac1ac91402102ec63
Sha512
be48e0ffa0a61a2fb2caff18c8dde19c588f637678959d67dd0dd7da072cdb64e2ecab2035d423dbaf924337444a85460de59b9a04be717fd1531b4f8f9421bd
SSDeep
6144:EbqQ4i1FFiEKRBtpqoAlcboWFfHCLXmRY69JGGIea:2plidoo8GH62R/Jsea
TLSH
53747B1373A4D63BD1FE177AE43206184BB1D457F616E38B5A5A55F82E2338A8D803B3

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
4e0ffe2e522134b84adf341b9d569908
Malicious
Overlay_e35661c8.bin
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Malware Configuration - QuasarRAT config.
Config. Field
 Value
Conf. AES-Salt

BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key

ZtohN2lfKvYgyPzNSDu2
Conf. AES-Salt

BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Port

12
Host

12
Conf. AES-Key

ZtohN2lfKvYgyPzNSDu2
Conf. AES-Salt

BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Port

4782
Host

127.0.0.2
Conf. AES-Key

ZtohN2lfKvYgyPzNSDu2
Version

1.3.0.0
Port

4782
Host

127.0.0.1
ReconnectDelay

3000
Key

1WvgEMPjdwfqIMeM9MclyQ==
AuthKey

NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
SubDirectory

NVIDIA
InstallName

Client.exe
Install

1
Startup

1
Mutex

QSR_MUTEX_JNmto3
StartupKey

NVIDIA Client St
HideFile

1
EnableLogger

1
Tag

Test0123
LogDirectory

Logs
HideLogDirectory

1
HideLogSubdirectory

1
Informations
Name
 Value
Info

PE Detect: PeReader OK (file layout)
Info

Overlay extracted: Overlay_e35661c8.bin (11688 bytes)
Module Name

Client.exe
Full Name

Client.exe
EntryPoint

System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::Main(System.String[])
Scope Name

Client.exe
Scope Type

ModuleDef
Kind

Windows
Runtime Version

v4.0.30319
Tables Header Version

512
WinMD Version

<null>
Assembly Name

Client
Assembly Version

1.3.0.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

.NETFramework,Version=v4.0,Profile=Client
Total Strings

896
Main Method

System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::Main(System.String[])
Main IL Instruction Count

19
Main IL

call System.Void System.Windows.Forms.Application::EnableVisualStyles() ldc.i4.0 <null> call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean) call System.AppDomain System.AppDomain::get_CurrentDomain() ldnull <null> ldftn System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::ᒲ锦潸맷�駃殊袭詪摧呧汢�眄谼䇕镬⾳氙(System.Object,System.UnhandledExceptionEventArgs) newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr) callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler) call System.Boolean ⱌ雇㺭克喾盎줁罁襊䓤㍶猏푅仚趘⺚⻠薎눩::捙ᾒŋ䯟ꋳ쫋퍽ዧ�ख़ꗠ諣֫ዽ⿠阫葐() brfalse.s IL_0040: call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::⫞莿甸Ḵ臐�␴ඳᤠⳞ⃆⿊術≫흆譒誗䨩쑰擄() call System.Boolean ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::頥௜叝객㇦㮠㛽돉꿓铐셍毝捯琐딘తđ㑈�() brfalse.s IL_0040: call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::⫞莿甸Ḵ臐�␴ඳᤠⳞ⃆⿊術≫흆譒誗䨩쑰擄() call System.Boolean 鱊ւ偉酈⯹ʤꧤᤛ缾骻፱ꔣᐷ⯽쾬::get_Exiting() brtrue.s IL_0040: call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::⫞莿甸Ḵ臐�␴ඳᤠⳞ⃆⿊術≫흆譒誗䨩쑰擄() ldsfld 鱊ւ偉酈⯹ʤꧤᤛ缾骻፱ꔣᐷ⯽쾬 ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::鑜ȧꐙ鵵Ɛ၈勩嬱䅻揅鐰䅟勏帎࿘猱㏓랉嫡׼ callvirt System.Void 鱊ւ偉酈⯹ʤꧤᤛ缾骻፱ꔣᐷ⯽쾬::銳�搆⢒侍㉤옋䂼ꨅ챭䭿䜉利除쭁ꀉ躷擞() call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::⫞莿甸Ḵ臐�␴ඳᤠⳞ⃆⿊術≫흆譒誗䨩쑰擄() call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::㪩缝찪濈莈缅룛裌⬔髓ꎐ碇ṅ㙍흰핀ᄎ䦟() ret <null>
Module Name

Client.exe
Full Name

Client.exe
EntryPoint

System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::Main(System.String[])
Scope Name

Client.exe
Scope Type

ModuleDef
Kind

Windows
Runtime Version

v4.0.30319
Tables Header Version

512
WinMD Version

<null>
Assembly Name

Client
Assembly Version

1.3.0.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

.NETFramework,Version=v4.0,Profile=Client
Total Strings

896
Main Method

System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::Main(System.String[])
Main IL Instruction Count

19
Main IL

call System.Void System.Windows.Forms.Application::EnableVisualStyles() ldc.i4.0 <null> call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean) call System.AppDomain System.AppDomain::get_CurrentDomain() ldnull <null> ldftn System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::ᒲ锦潸맷�駃殊袭詪摧呧汢�眄谼䇕镬⾳氙(System.Object,System.UnhandledExceptionEventArgs) newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr) callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler) call System.Boolean ⱌ雇㺭克喾盎줁罁襊䓤㍶猏푅仚趘⺚⻠薎눩::捙ᾒŋ䯟ꋳ쫋퍽ዧ�ख़ꗠ諣֫ዽ⿠阫葐() brfalse.s IL_0040: call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::⫞莿甸Ḵ臐�␴ඳᤠⳞ⃆⿊術≫흆譒誗䨩쑰擄() call System.Boolean ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::頥௜叝객㇦㮠㛽돉꿓铐셍毝捯琐딘తđ㑈�() brfalse.s IL_0040: call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::⫞莿甸Ḵ臐�␴ඳᤠⳞ⃆⿊術≫흆譒誗䨩쑰擄() call System.Boolean 鱊ւ偉酈⯹ʤꧤᤛ缾骻፱ꔣᐷ⯽쾬::get_Exiting() brtrue.s IL_0040: call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::⫞莿甸Ḵ臐�␴ඳᤠⳞ⃆⿊術≫흆譒誗䨩쑰擄() ldsfld 鱊ւ偉酈⯹ʤꧤᤛ缾骻፱ꔣᐷ⯽쾬 ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::鑜ȧꐙ鵵Ɛ၈勩嬱䅻揅鐰䅟勏帎࿘猱㏓랉嫡׼ callvirt System.Void 鱊ւ偉酈⯹ʤꧤᤛ缾骻፱ꔣᐷ⯽쾬::銳�搆⢒侍㉤옋䂼ꨅ챭䭿䜉利除쭁ꀉ躷擞() call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::⫞莿甸Ḵ臐�␴ඳᤠⳞ⃆⿊術≫흆譒誗䨩쑰擄() call System.Void ᭊ覣吕䀘䝠轏ꫧ輖쭍땘⽩␂춵񓪵挴ڄ::㪩缝찪濈莈缅룛裌⬔髓ꎐ碇ṅ㙍흰핀ᄎ䦟() ret <null>
Artefacts
Name
 Value
CnC

127.0.0.1
Port

4782
CnC

127.0.0.2
CnC

12
Port

12
4e0ffe2e522134b84adf341b9d569908 (368.04 KB)
An error has occurred. This application may no longer respond until reloaded. Reload 🗙