Malicious

54a516f546a11bf364029b4e5a53c2b7

PE Executable | MD5: 54a516f546a11bf364029b4e5a53c2b7 | Size: 376.84 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score: Medium (type, method and field names have been replaced with strings of non-printable and CJK-range Unicode characters; only the framework members and one property getter, get_Exiting, remain readable in the entry point and Main IL below)

Hashes

MD5: 54a516f546a11bf364029b4e5a53c2b7
SHA-1: 629afde0bdc8ca9b7ca38e94abe2f1f661f87271
SHA-256: e9d39dfd85ae0838f6ea9ce72af7f6587558ee92f8a3ff42934eb6d09a2fa726
SHA-384: 87818374443fdb071db5a54dcbcefecd7d3fb1e7e85e0d76b30084ec61f73c66c32c175509ffe50fa4f0976304a10c57
SHA-512: 3cb253f2f7ce2f3bdce000c55ea6d6ef19e4c586512544f613f99396e44784804d5c0e552314c7bc183bca1a9628974de0089a27b8fa7ab19924a7fabbfe7d7f
SSDeep: 6144:iLNHXf500MVn2ghtrJ1Db6oiKTfQzwFJPSCa:Ud50DThxJ1iTKTozOJPja
TLSH: A6848D13B7A4E93BD1FD1B3AE43207155BB0D587B616E38B6A5845BC2E133868E503B3

PEiD: Microsoft Visual C# / Basic .NET
File Structure
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Malware Configuration (QuasarRAT)

Conf. AES-Salt: BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key: 1wnC7cGlDsH2mOSE6HBd
Version: 1.3.0.0
Port: 62
Host: 172.86.110.11
ReconnectDelay: 3000
Key: 1WvgEMPjdwfqIMeM9MclyQ== (base64, decodes to 16 bytes)
AuthKey: NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg== (base64, decodes to 64 bytes)
SubDirectory: SubDir
InstallName: Client.exe
Install: 0
Startup: 1
Mutex: QSR_MUTEX_tMGgDU
StartupKey: Quasar Client St
HideFile: 0
EnableLogger: 1
Tag: qcp
LogDirectory: Logs
HideLogDirectory: 0
HideLogSubdirectory: 0

Information

Info: PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info: Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_62405b7a.exe
(The submitted file is a memory-mapped image, i.e. a process dump whose sections sit at their virtual addresses rather than at their on-disk offsets, so the file-layout parser failed; the analyzer rebuilt an on-disk layout in memory and the fields below describe that rebuilt module.)
Module Name: Client.exe
Full Name: Client.exe
EntryPoint: System.Void ㍐襼쾱�⑎龳则빭굛쓴⨈늮ࢪ휃㉁胩�::Main(System.String[])
Scope Name: Client.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: Client
Assembly Version: 1.3.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0,Profile=Client
Total Strings: 896
Main Method: System.Void ㍐襼쾱�⑎龳则빭굛쓴⨈늮ࢪ휃㉁胩�::Main(System.String[])
Main IL Instruction Count: 19
Main IL (one instruction per line; the tool's "<null>" no-operand markers are dropped, and the branch target IL_0040, which the tool printed inline after each branch, is shown as a label on instruction 17):
call System.Void System.Windows.Forms.Application::EnableVisualStyles()
ldc.i4.0
call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
call System.AppDomain System.AppDomain::get_CurrentDomain()
ldnull
ldftn System.Void ㍐襼쾱�⑎龳则빭굛쓴⨈늮ࢪ휃㉁胩�::�⚥氳࿤侅렧ส麁祣皴ㅔ耊䀦攍ᕪ韴簗�(System.Object,System.UnhandledExceptionEventArgs)
newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
call System.Boolean 䃵৽雗㩝�㙸栗결⿀탙匽η郏퐨鯴䠳‏僫::譥⡑⢷䕱�賊傞裚炿⸀쪳⾓얶ᶣ⎈��()
brfalse.s IL_0040
call System.Boolean ㍐襼쾱�⑎龳则빭굛쓴⨈늮ࢪ휃㉁胩�::ಳ볷㴕嵏ค㶤贗訹灷갖༥鳟�骏䦠㦅鮟徲쵪()
brfalse.s IL_0040
call System.Boolean ᘆ鋵厙曮㬺䃒뙣⑗ᢖẛ쯤䊆ꅈ곴≒䃰㍼门::get_Exiting()
brtrue.s IL_0040
ldsfld ᘆ鋵厙曮㬺䃒뙣⑗ᢖẛ쯤䊆ꅈ곴≒䃰㍼门 ㍐襼쾱�⑎龳则빭굛쓴⨈늮ࢪ휃㉁胩�::獏䷵⻛ĩຏ誊䂊㊡勤๬눵鐆액£늽ᔍ�푆
callvirt System.Void ᘆ鋵厙曮㬺䃒뙣⑗ᢖẛ쯤䊆ꅈ곴≒䃰㍼门::쨔奨ي쮍鈜睃꣞鱊㬉쑢쭠眆됄崫걱Ш꼡ﻐ꘦()
IL_0040: call System.Void ㍐襼쾱�⑎龳则빭굛쓴⨈늮ࢪ휃㉁胩�::ʒ俨䳱픴䳵࿦赕픇ᚺ⵻괫Ꝅ�懽㇜ⱗ刨֩()
call System.Void ㍐襼쾱�⑎龳则빭굛쓴⨈늮ࢪ휃㉁胩�::癥섹柪☎쫻푦鋓㐄˱韺㋚♇炕㨰螾Ⴀណꐅ()
ret
Read in order: the entry point registers an unhandled-exception handler on the current AppDomain, calls two boolean initialisers and jumps to IL_0040 if either returns false, skips the connection call if get_Exiting() is already true, otherwise invokes a method on the static client object, then runs the two trailing calls (the first of them being the branch target) and returns.
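
The two Info rows above say that a file-layout parser (PeReader) failed, a mapped-image parser (AsmResolver) succeeded, and the analyzer then remapped the image to file layout in memory before reading the module. The reason is that a process dump keeps each section's bytes at its virtual address while the section table still carries the on-disk PointerToRawData values. The Go below, an added example rather than the analyzer's code, builds a tiny constructed two-section dump with exactly that property, classifies its layout with a heuristic (first, which layout even fits inside the buffer; then, per section, which of the two slots holds non-zero bytes), and rebuilds an on-disk layout by copying each section from its RVA to a fresh 0x200-aligned raw offset and rewriting FileAlignment, PointerToRawData and SizeOfRawData. The 0x200 file alignment, the sample's section names and sizes, and the voting rule are assumptions of the example, not values taken from the report.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

var le = binary.LittleEndian

// sec holds the IMAGE_SECTION_HEADER fields the remap needs plus the file offset of the header entry itself.
type sec struct {
	Name                          string
	VSize, VAddr, RawSize, RawPtr uint32
	hdrOff                        int
}

// parsePE walks DOS header -> e_lfanew -> COFF header -> section table; sizeOfHeaders is 0 without an optional header.
func parsePE(img []byte) (peOff int, sizeOfHeaders uint32, secs []sec, err error) {
	if len(img) < 0x40 || string(img[:2]) != "MZ" { return 0, 0, nil, errors.New("not a PE image") }
	peOff = int(le.Uint32(img[0x3C:]))
	if peOff < 0 || peOff+24 > len(img) || string(img[peOff:peOff+4]) != "PE\x00\x00" { return 0, 0, nil, errors.New("bad PE signature") }
	n, optSize := int(le.Uint16(img[peOff+6:])), int(le.Uint16(img[peOff+20:]))
	table := peOff + 24 + optSize
	if table+n*40 > len(img) { return 0, 0, nil, errors.New("section table truncated") }
	if optSize >= 64 { sizeOfHeaders = le.Uint32(img[peOff+24+60:]) } // offset 60 in both PE32 and PE32+
	for i := 0; i < n; i++ {
		h := img[table+i*40:]
		secs = append(secs, sec{string(bytes.TrimRight(h[:8], "\x00")), le.Uint32(h[8:]), le.Uint32(h[12:]), le.Uint32(h[16:]), le.Uint32(h[20:]), table + i*40})
	}
	return peOff, sizeOfHeaders, secs, nil
}

// hasData reports whether img[off:off+n] lies inside the buffer and holds at least one non-zero byte.
func hasData(img []byte, off, n uint32) bool {
	end := uint64(off) + uint64(n)
	return n != 0 && end <= uint64(len(img)) && bytes.Count(img[off:end], []byte{0}) < int(n)
}

// LayoutOf classifies an image as "mapped" (process dump: section bytes at their RVAs) or "file" (on-disk
// layout). Heuristic: which layout even fits inside the buffer, then which slot per section holds real bytes.
func LayoutOf(img []byte) (string, error) {
	_, _, secs, err := parsePE(img)
	if err != nil { return "", err }
	size, rawEnd, vaEnd, mapped, file := uint64(len(img)), uint64(0), uint64(0), 0, 0
	for _, s := range secs {
		if e := uint64(s.RawPtr) + uint64(s.RawSize); e > rawEnd { rawEnd = e }
		if e := uint64(s.VAddr) + uint64(s.VSize); e > vaEnd { vaEnd = e }
		if s.RawPtr == s.VAddr { continue } // both layouts agree here, so no evidence either way
		raw, va := hasData(img, s.RawPtr, s.RawSize), hasData(img, s.VAddr, s.VSize)
		if va && !raw { mapped++ } else if raw && !va { file++ }
	}
	switch {
	case rawEnd > size && vaEnd <= size: return "mapped", nil // file layout would run past EOF
	case vaEnd > size && rawEnd <= size: return "file", nil // mapped layout would run past EOF
	case mapped > file: return "mapped", nil
	case file > mapped: return "file", nil
	}
	return "unknown", nil
}

// RemapToFile rebuilds on-disk layout from a mapped image: the header block is kept, each section's bytes are
// copied from their RVA to a fresh raw offset, and FileAlignment, PointerToRawData and SizeOfRawData are
// rewritten. Rebuilding with a 0x200 file alignment is an assumption of this example, not read from the sample.
func RemapToFile(img []byte) ([]byte, error) {
	const fileAlign = 0x200
	peOff, hdrSize, secs, err := parsePE(img)
	if err != nil { return nil, err }
	need := peOff + 24 + 64 // the headers must cover the optional header fields we rewrite ...
	if n := len(secs); n > 0 { need = secs[n-1].hdrOff + 40 } // ... and the whole section table
	if hdrSize == 0 || uint64(hdrSize) > uint64(len(img)) || need > int(hdrSize) {
		return nil, errors.New("SizeOfHeaders missing, oversized, or not covering the section table")
	}
	out := append([]byte(nil), img[:hdrSize]...)
	le.PutUint32(out[peOff+24+36:], fileAlign) // FileAlignment
	pad := func() { for len(out)%fileAlign != 0 { out = append(out, 0) } }
	for _, s := range secs {
		pad()
		start, end := len(out), uint64(s.VAddr)+uint64(s.VSize)
		if end > uint64(len(img)) { return nil, fmt.Errorf("section %q: RVA range runs past the dump", s.Name) }
		out = append(out, img[s.VAddr:end]...)
		pad()
		le.PutUint32(out[s.hdrOff+16:], uint32(len(out)-start)) // SizeOfRawData
		le.PutUint32(out[s.hdrOff+20:], uint32(start))          // PointerToRawData
	}
	return out, nil
}

// buildMappedImage constructs a tiny two-section PE32 image laid out as a process dump: headers at 0, section
// bytes at their RVAs, and the original on-disk PointerToRawData values (0x200, 0x400) left stale in the table.
func buildMappedImage() []byte {
	img := make([]byte, 0x2020)
	copy(img, "MZ")
	le.PutUint32(img[0x3C:], 0x80) // e_lfanew
	copy(img[0x80:], "PE\x00\x00")
	le.PutUint16(img[0x86:], 2)     // NumberOfSections
	le.PutUint16(img[0x94:], 0xE0)  // SizeOfOptionalHeader (PE32)
	le.PutUint16(img[0x98:], 0x10B) // PE32 magic; next: SectionAlignment, FileAlignment, SizeOfImage, SizeOfHeaders
	for off, v := range map[int]uint32{0x98 + 32: 0x1000, 0x98 + 36: 0x200, 0x98 + 56: 0x3000, 0x98 + 60: 0x200} {
		le.PutUint32(img[off:], v)
	}
	for i, s := range []sec{{".text", 0x40, 0x1000, 0x200, 0x200, 0}, {".data", 0x20, 0x2000, 0x200, 0x400, 0}} {
		h := img[0x178+i*40:] // section table follows the 0xE0-byte optional header that starts at 0x98
		copy(h, s.Name)
		for j, v := range []uint32{s.VSize, s.VAddr, s.RawSize, s.RawPtr} { le.PutUint32(h[8+4*j:], v) }
	}
	copy(img[0x1000:], "code bytes living at RVA 0x1000")
	copy(img[0x2000:], "data bytes living at RVA 0x2000")
	return img
}

func main() {
	dump := buildMappedImage()
	fmt.Println(LayoutOf(dump))
	rebuilt, err := RemapToFile(dump)
	if err != nil { panic(err) }
	fmt.Println(len(rebuilt), string(rebuilt[0x200:0x21F])) // .text now starts at file offset 0x200
	fmt.Println(LayoutOf(rebuilt))
}
```

On a real dump the rebuilt bytes can then be handed to a file-layout parser; anything that resolves RVAs through the section table (the .NET metadata directory included) lines up again, which is what "PeReader FAIL, AsmResolver Mapped OK" followed by a remap amounts to.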

Artefacts

CnC: 172.86.110.11
Port: 62
PE Layout: MemoryMapped (process dump suspected)

The same three entries were recorded for both the submitted file 54a516f546a11bf364029b4e5a53c2b7 and its rebuilt image [Rebuild from dump]_62405b7a.exe.
