Malicious

63021f612c5aa372eff0f36d080efd84

PE Executable | MD5: 63021f612c5aa372eff0f36d080efd84 | Size: 48.64 KB | application/x-dosexec


Characteristics

Symbol Obfuscation Score: Low

Hashes
MD5: 63021f612c5aa372eff0f36d080efd84
SHA1: b343462e0e871fb569f59a35b40458604070f476
SHA256: 3aac8ca2a6d0da00fa05d5fe10c7c6cad91e9b81ffb92cd35c6e7acdbc9fed64
SHA384: 0061e59ae29a4f8ed5bf133e5292750032e3affa4297933456d2eabf5debf5ff1a63ee68bd48cbaab04b0cdf6a8d88df
SHA512: 1d4b2131c8e2c7e13920b57dd7a48022a72b47ee0093daa516fbd6f6949b7e4af17b4626097032461a95dcd86c44d8e4c6cd61fc75b0e0a0170a894e39feac9d
SSDeep: 768:/seYPfoFMcveOB42fbvz6A5RyIvrRYAeb1ngUptWxrAK8Rcc4rWBNUR:vMcG2f7zNRbFYxbuU3CrvYcP2UR
TLSH: EA232B143BE9521AE2FE9F7D99F11545C6BAF6132602E34E1CC002DE4A23BC6DA527F1
File Structure
  DosHeader
  PE Header
  Optional Header (x86)
  Section Headers
    .text
    .rsrc
    .reloc
  Resources
    RT_VERSION
      ID:0001
        ID:0
    RT_MANIFEST
      ID:0001
        ID:0
Malware Configuration - AsyncRAT config.
Key (AES_256): b2gwVnJVUFNLNlRFY3VIeEd1N1owNFhyY2JBOE13Ymk=
Pastebin: -
Certificate: (value not reproduced on this page)
ServerSignature: (value not reproduced on this page)
Install: true
BDOS: false
Anti-VM: true
Install File: gClient.exe
Install-Folder: %AppData%
Hosts: livecdnem.com,www.livecdnem.com,xoilac.livecdnem.com,www.xoilac.livecdnem.com,xlz.livecdnem.com,www.xlz.livecdnem.com,91p.livecdnem.com,www.91p.livecdnem.com,ck.livecdnem.com,www.ck.livecdnem.com,xl365.livecdnem.com,www.xl365.livecdnem.com,soco.livecdnem.com,www.soco.livecdnem.com,xlvi.livecdnem.com,www.xlvi.livecdnem.com
Ports: 25,80,443,8443
Mutex: lM9F7Ezcu9e3
Version: 0.5.8
Delay: 9

Information
Info: PE Detect: PeReader OK (file layout)
Info: PDB Path: C:\Users\vboxuser\Desktop\SourceDecode\gatex\obj\Release\net481\gClient.pdb
Module Name: gClient.exe
Full Name: gClient.exe
EntryPoint: System.Void Client.Program::Main()
Scope Name: gClient.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: gClient
Assembly Version: 1.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.8.1
Total Strings: 128
Main Method: System.Void Client.Program::Main()
Main IL Instruction Count: 69
Main IL (one instruction per line; a branch operand is shown as the target offset followed by the instruction at that offset):
ldc.i4.0 <null>
stloc.0 <null>
br.s IL_0012: ldloc.0
ldc.i4 1000
call System.Void System.Threading.Thread::Sleep(System.Int32)
ldloc.0 <null>
ldc.i4.1 <null>
add <null>
stloc.0 <null>
ldloc.0 <null>
ldsfld System.String Client.Settings::Delay
call System.Int32 System.Convert::ToInt32(System.String)
blt.s IL_0004: ldc.i4 1000
call System.Boolean Client.Settings::InitializeSettings()
brtrue.s IL_002C: nop
ldc.i4.0 <null>
call System.Void System.Environment::Exit(System.Int32)
nop <null>
call System.Boolean Client.Helper.MutexControl::CreateMutex()
brtrue.s IL_003E: ldsfld System.String Client.Settings::Anti
ldstr Mutex already exists or cannot be created.
call System.Void System.Console::WriteLine(System.String)
ldsfld System.String Client.Settings::Anti
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse.s IL_004F: ldsfld System.String Client.Settings::Install
call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis()
ldsfld System.String Client.Settings::Install
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse.s IL_009D: ldsfld System.String Client.Settings::BDOS
call System.Void Client.Install.NormalStartup::Install()
leave.s IL_009D: ldsfld System.String Client.Settings::BDOS
stloc.1 <null>
ldstr Win32Exception caught: {0} - {1}
ldloc.1 <null>
callvirt System.Int32 System.ComponentModel.Win32Exception::get_NativeErrorCode()
box System.Int32
ldloc.1 <null>
callvirt System.String System.Exception::get_Message()
call System.String System.String::Format(System.String,System.Object,System.Object)
call System.Void System.Console::WriteLine(System.String)
leave.s IL_009D: ldsfld System.String Client.Settings::BDOS
stloc.2 <null>
ldstr Other exception:
ldloc.2 <null>
callvirt System.String System.Exception::get_Message()
call System.String System.String::Concat(System.String,System.String)
call System.Void System.Console::WriteLine(System.String)
leave.s IL_009D: ldsfld System.String Client.Settings::BDOS
ldsfld System.String Client.Settings::BDOS
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse.s IL_00B5: call System.Void Client.Helper.Methods::PreventSleep()
call System.Boolean Client.Helper.Methods::IsAdmin()
brfalse.s IL_00B5: call System.Void Client.Helper.Methods::PreventSleep()
call System.Void Client.Helper.ProcessCritical::Set()
call System.Void Client.Helper.Methods::PreventSleep()
leave.s IL_00BF: nop
pop <null>
leave.s IL_00BF: nop
nop <null>
call System.Boolean Client.Connection.ClientSocket::get_IsConnected()
brtrue.s IL_00D1: leave.s IL_00D6
call System.Void Client.Connection.ClientSocket::Reconnect()
call System.Void Client.Connection.ClientSocket::InitializeClient()
leave.s IL_00D6: ldc.i4 5000
pop <null>
leave.s IL_00D6: ldc.i4 5000
ldc.i4 5000
call System.Void System.Threading.Thread::Sleep(System.Int32)
br.s IL_00BF: nop

Artefacts
Key (AES_256): b2gwVnJVUFNLNlRFY3VIeEd1N1owNFhyY2JBOE13Ymk=
CnC: livecdnem.com
CnC: www.livecdnem.com
CnC: xoilac.livecdnem.com
CnC: www.xoilac.livecdnem.com
CnC: xlz.livecdnem.com
CnC: www.xlz.livecdnem.com
CnC: 91p.livecdnem.com
CnC: www.91p.livecdnem.com
CnC: ck.livecdnem.com
CnC: www.ck.livecdnem.com
CnC: xl365.livecdnem.com
CnC: www.xl365.livecdnem.com
CnC: soco.livecdnem.com
CnC: www.soco.livecdnem.com
CnC: xlvi.livecdnem.com
CnC: www.xlvi.livecdnem.com
Ports: 25
Ports: 80
Ports: 443
Ports: 8443
Mutex: lM9F7Ezcu9e3
