Malicious

6aa02a2830885e4d7cb02363d5e198d8

PE Executable | MD5: 6aa02a2830885e4d7cb02363d5e198d8 | Size: 376.84 KB | application/x-dosexec

Characteristics
Hash   | Hash Value
MD5    | 6aa02a2830885e4d7cb02363d5e198d8
Sha1   | ce4bd8d13b7ddabd5198fe00a2d7e0ceee5a1c40
Sha256 | a4c1955036ada5d3e72ddb49cf00da7277debbb806fa6769302eb98d5a98a908
Sha384 | 84579bec3ba37e83c51e9b8b5246343460dbea6b2e20f28971a7796f4a50a8704a7c32fee606d6bfae1021ca26a0bb0a
Sha512 | 5a3469a8788f7cf7f54bc96805fc8a6fb0d14b77d529c4e911269db6243aa1872838de9e2a0abce30158fb41d2bc83bd5bc43041c1c0e3c8747ca920a13d27ef
SSDeep | 6144:X8NHXf500MT1/4eYfbNVuJbm3ehy0kH84qXZC5a:Md50/SKE3qy/H84aZEa
TLSH   | C0849E1377A4D53BD1FE573AE43206144BB0D887BA16F38F995897B86C123868D913B3

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
Malware Configuration - QuasarRAT config.

Config. Field       | Value
Conf. AES-Salt      | BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key       | n7ts9VPNVq8ey6wDxg53
Port                | 154.12.2
Host                | 154.12.2
Version             | 1.3.0.0
Port                | 2026
Host                | mac-m4.duckdns.org
ReconnectDelay      | 3000
Key                 | 1WvgEMPjdwfqIMeM9MclyQ==
AuthKey             | NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
SubDirectory        | svchostaasea
InstallName         | sserviceaea.exe
Install             | 1
Startup             | 1
Mutex               | QSR_MUTEX_2xYMk6
StartupKey          | sserviceea
HideFile            | 1
EnableLogger        | 1
Tag                 | VIPPPPPPPPPPP
LogDirectory        | Logs
HideLogDirectory    | 1
HideLogSubdirectory | 1
Informations

Name                      | Value
Info                      | PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info                      | Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_62c1a0e3.exe
Module Name               | Client.exe
Full Name                 | Client.exe
EntryPoint                | System.Void 㨤잵෸⩮�얖ᔔ酭䨵⥽翐ㅉ顥콘욺ꑛ�殯::Main(System.String[])
Scope Name                | Client.exe
Scope Type                | ModuleDef
Kind                      | Windows
Runtime Version           | v4.0.30319
Tables Header Version     | 512
WinMD Version             | <null>
Assembly Name             | Client
Assembly Version          | 1.3.0.0
Assembly Culture          | <null>
Has PublicKey             | False
PublicKey Token           | <null>
Target Framework          | .NETFramework,Version=v4.0,Profile=Client
Total Strings             | 896
Main Method               | System.Void 㨤잵෸⩮�얖ᔔ酭䨵⥽翐ㅉ顥콘욺ꑛ�殯::Main(System.String[])
Main IL Instruction Count | 19

Main IL (one instruction per line):

call System.Void System.Windows.Forms.Application::EnableVisualStyles()
ldc.i4.0 <null>
call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
call System.AppDomain System.AppDomain::get_CurrentDomain()
ldnull <null>
ldftn System.Void 㨤잵෸⩮�얖ᔔ酭䨵⥽翐ㅉ顥콘욺ꑛ�殯::떏᯳ᬡ纖䚊並੭ኸ浸䤬凕鋕�剎ӏꬑ뙋쑡꺿(System.Object,System.UnhandledExceptionEventArgs)
newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
call System.Boolean Ꝭ૦⚡탯퓴쵏Ḍ캙푥둱㭷㊇�쉥嵩⅌�濨䆣苌::శ폥㻊形磱紺鎉扇팇彃Ꮊ⥘�欻�骒鱝券()
brfalse.s IL_0040: call System.Void 㨤잵෸⩮�얖ᔔ酭䨵⥽翐ㅉ顥콘욺ꑛ�殯::ﵵ≿ϑ⹟텽퉛⥸艪៰ᒓ契螝뛭᎛쯱옜莈()
call System.Boolean 㨤잵෸⩮�얖ᔔ酭䨵⥽翐ㅉ顥콘욺ꑛ�殯::ᑩ繫�ඈ瑧Ꭷ敛慖⍯ꁆ硆洠쇸Ѥ䬤ꊠ蒜틿䐌혯()
brfalse.s IL_0040: call System.Void 㨤잵෸⩮�얖ᔔ酭䨵⥽翐ㅉ顥콘욺ꑛ�殯::ﵵ≿ϑ⹟텽퉛⥸艪៰ᒓ契螝뛭᎛쯱옜莈()
call System.Boolean 簨蚙徱맲焚넢吏£饬铢䔥歸绂炉虞赕씀秎::get_Exiting()
brtrue.s IL_0040: call System.Void 㨤잵෸⩮�얖ᔔ酭䨵⥽翐ㅉ顥콘욺ꑛ�殯::ﵵ≿ϑ⹟텽퉛⥸艪៰ᒓ契螝뛭᎛쯱옜莈()
ldsfld 簨蚙徱맲焚넢吏£饬铢䔥歸绂炉虞赕씀秎 㨤잵෸⩮�얖ᔔ酭䨵⥽翐ㅉ顥콘욺ꑛ�殯::╯㠽㉔篠﹝黑떠쨾邖ꛘ客呎ꏎ덯ࣣ䙚졬㆟礪
callvirt System.Void 簨蚙徱맲焚넢吏£饬铢䔥歸绂炉虞赕씀秎::[㜈䛝␵嬨뮠越꿮툕힎值얐鈴͸掝䖝罡㽠()
call System.Void 㨤잵෸⩮�얖ᔔ酭䨵⥽翐ㅉ顥콘욺ꑛ�殯::ﵵ≿ϑ⹟텽퉛⥸艪៰ᒓ契螝뛭᎛쯱옜莈()
call System.Void 㨤잵෸⩮�얖ᔔ酭䨵⥽翐ㅉ顥콘욺ꑛ�殯::㸺藸튭茣媒뜼ে㤤೏琨ᆵޒ呠ꝴ䩤琋猴쑮()
ret <null>

Artefacts

Name      | Value
CnC       | mac-m4.duckdns.org
Port      | 2026
CnC       | 154.12.2
Port      | 154.12.2
PE Layout | MemoryMapped (process dump suspected)

6aa02a2830885e4d7cb02363d5e198d8 (376.84 KB)
Artefacts

Name      | Value                                 | Verdict   | Location
CnC       | mac-m4.duckdns.org                    | Malicious | 6aa02a2830885e4d7cb02363d5e198d8
Port      | 2026                                  | Malicious | 6aa02a2830885e4d7cb02363d5e198d8
CnC       | 154.12.2                              | Malicious | 6aa02a2830885e4d7cb02363d5e198d8
Port      | 154.12.2                              | Malicious | 6aa02a2830885e4d7cb02363d5e198d8
PE Layout | MemoryMapped (process dump suspected) |           | 6aa02a2830885e4d7cb02363d5e198d8
CnC       | mac-m4.duckdns.org                    | Malicious | 6aa02a2830885e4d7cb02363d5e198d8 > [Rebuild from dump]_62c1a0e3.exe
Port      | 2026                                  | Malicious | 6aa02a2830885e4d7cb02363d5e198d8 > [Rebuild from dump]_62c1a0e3.exe
CnC       | 154.12.2                              | Malicious | 6aa02a2830885e4d7cb02363d5e198d8 > [Rebuild from dump]_62c1a0e3.exe
Port      | 154.12.2                              | Malicious | 6aa02a2830885e4d7cb02363d5e198d8 > [Rebuild from dump]_62c1a0e3.exe
PE Layout | MemoryMapped (process dump suspected) |           | 6aa02a2830885e4d7cb02363d5e198d8 > [Rebuild from dump]_62c1a0e3.exe
