Malicious

6790ad5ddb8c2dae3eabba05191eaa97

PE Executable | MD5: 6790ad5ddb8c2dae3eabba05191eaa97 | Size: 133.63 KB | application/x-dosexec


Characteristics

Symbol Obfuscation Score: Low

Hashes

MD5: 6790ad5ddb8c2dae3eabba05191eaa97
SHA1: 2aeceb4253b60fd81e688f9d0157a20fc35b4714
SHA256: 535f8582aed8ce412fdb82cbbf7d33090d605b4d38e5aa395e6201c9511204fa
SHA384: 8fa22f62892cc02a36cb541cda1f0d305598cb83c6229abc10b387f531c0baa4a2c01ea2e2db4d76ea6ccdc82de131d6
SHA512: 52407aad92517632887dd9ec023278399f11d2b06f505043c5e67dc1526697e6822530320822cb0a5a90869d6638a876491e82e78ac1608c8a4d6e00f17d677d
SSDeep: 768:qR1Cu3zliPf5kiD9J60HFhrIefF01+yYCv7mqb2nxpwH1oEukl0az08GEqLXwehS:qNzWBP1F0+Gbb2wzGEugehG/YVclN
TLSH: 10D3F505339CC811EDED0BB4BFA2990D06759D36D50AFACA7CC431DB56FBBC185122AA

PeID

- Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
- Microsoft Visual Studio .NET
File Structure

  DosHeader
  PE Header
  Optional Header (x86)
  Section Headers
    .text
    .rsrc
    .reloc
  Resources
    RT_ICON
      ID:0001
        ID:0
    RT_GROUP_CURSOR4
      ID:0001
        ID:0
    RT_VERSION
      ID:0001
        ID:0
    RT_MANIFEST
      ID:0001
        ID:0
Malware Configuration - DcRat config

Key (AES_256): dFpOUWJYN0FOUzFyUlhucXJsNHowNzB0Uk00RzQyMHE=
Pastebin: -
Certificate: [value not recovered]
ServerSignature: qsoN0Cuo2xqemrRxBMuXWJk1N9Z8GBwcEeqQHZcJhpkHq3+0C2ofpkE8Wsz32mjREaYJ023AQmWGwNEzfljaVZqcNb6UkNyznX3FfL9vBe7b8h0TbDzD1hsnJF5YoSWqozATM1ui1ZHnpNJo11pDjsaT+OBa1eCZxSZUfwqe594=
Install: true
BDOS: false
Anti-VM: false
Install File: Window11.exe
Install-Folder: %AppData%
Hosts: sun.win, sunwinn.earth, sunwin.sx, sunwin.moi, www.sun.win, www.sunwinn.earth, www.sunwin.sx, www.sunwin.moi, www.drain.it.com, moon.sun.win, moon.sunwinn.earth, moon.sunwin.sx, moon.sunwin.moi, moon.drain.it.com
Ports: 80, 443, 2053, 2083, 2087, 2096, 4782, 8080, 8848, 8888
Mutex: TSCC_ImperiumStrategic_TitanLock_1j2k3l4m
Version: 1.0.7
Delay: 1
Group: Horizon

Information

PE Detect: PeReader OK (file layout)
Module Name: Window11.exe
Full Name: Window11.exe
EntryPoint: System.Void Client.Program::Main()
Scope Name: Window11.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: Window11
Assembly Version: 1.0.7.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0
Total Strings: 157
Main Method: System.Void Client.Program::Main()
Main IL Instruction Count: 77
Main IL (one instruction per line, branch targets given as IL offsets):

    ldc.i4.0
    stloc.0
    br IL_0015
IL_0007:
    ldc.i4 1000
    call System.Void System.Threading.Thread::Sleep(System.Int32)
    ldloc.0
    ldc.i4.1
    add
    stloc.0
IL_0015:
    ldloc.0
    ldsfld System.String Client.Settings::De_lay
    call System.Int32 System.Convert::ToInt32(System.String)
    blt.s IL_0007
    call System.Boolean Client.Settings::InitializeSettings()
    brtrue IL_0032
    ldc.i4.0
    call System.Void System.Environment::Exit(System.Int32)
IL_0032:
    nop
    ldsfld System.String Client.Settings::An_ti
    call System.Boolean System.Convert::ToBoolean(System.String)
    brfalse IL_0047
    call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis()
IL_0047:
    leave IL_0052
    pop
    leave IL_0052
IL_0052:
    call System.Void Client.Helper.A::B()
    call System.Boolean Client.Helper.MutexControl::CreateMutex()
    brtrue IL_0067
    ldc.i4.0
    call System.Void System.Environment::Exit(System.Int32)
IL_0067:
    leave IL_0072
    pop
    leave IL_0072
IL_0072:
    nop
    ldsfld System.String Client.Settings::Anti_Process
    call System.Boolean System.Convert::ToBoolean(System.String)
    brfalse IL_0087
    call System.Void Client.Helper.AntiProcess::StartBlock()
IL_0087:
    leave IL_0092
    pop
    leave IL_0092
IL_0092:
    nop
    ldsfld System.String Client.Settings::BS_OD
    call System.Boolean System.Convert::ToBoolean(System.String)
    brfalse IL_00B1
    call System.Boolean Client.Helper.Methods::IsAdmin()
    brfalse IL_00B1
    call System.Void Client.Helper.ProcessCritical::Set()
IL_00B1:
    leave IL_00BC
    pop
    leave IL_00BC
IL_00BC:
    nop
    ldsfld System.String Client.Settings::In_stall
    call System.Boolean System.Convert::ToBoolean(System.String)
    brfalse IL_00D1
    call System.Void Client.Install.NormalStartup::Install()
IL_00D1:
    leave IL_00DC
    pop
    leave IL_00DC
IL_00DC:
    call System.Void Client.Helper.Methods::PreventSleep()
    call System.Boolean Client.Helper.Methods::IsAdmin()
    brfalse IL_00F0
    call System.Void Client.Helper.Methods::ClearSetting()
IL_00F0:
    leave IL_00FB
    pop
    leave IL_00FB
IL_00FB:
    nop
    call System.Boolean Client.Connection.ClientSocket::get_IsConnected()
    brtrue IL_0110
    call System.Void Client.Connection.ClientSocket::Reconnect()
    call System.Void Client.Connection.ClientSocket::InitializeClient()
IL_0110:
    leave IL_011B
    pop
    leave IL_011B
IL_011B:
    ldc.i4 5000
    call System.Void System.Threading.Thread::Sleep(System.Int32)
    br.s IL_00FB

Artefacts

Key (AES_256): dFpOUWJYN0FOUzFyUlhucXJsNHowNzB0Uk00RzQyMHE=

CnC:
  sun.win
  sunwinn.earth
  sunwin.sx
  sunwin.moi
  www.sun.win
  www.sunwinn.earth
  www.sunwin.sx
  www.sunwin.moi
  www.drain.it.com
  moon.sun.win
  moon.sunwinn.earth
  moon.sunwin.sx
  moon.sunwin.moi
  moon.drain.it.com

Ports: 80, 443, 2053, 2083, 2087, 2096, 4782, 8080, 8848, 8888

Mutex: TSCC_ImperiumStrategic_TitanLock_1j2k3l4m
