827089f7d928c6dcb73bb33d0ff0affb
PE Executable | MD5: 827089f7d928c6dcb73bb33d0ff0affb | Size: 2.71 MB | application/x-dosexec
Symbol Obfuscation Score

| Hash | Hash Value |
|---|---|
| MD5 | 827089f7d928c6dcb73bb33d0ff0affb |
| Sha1 | 3f2cb7db69441f95097d9e422ddf217f9e975666 |
| Sha256 | 1c021645e4b0340f968f6909823b642e01b577fdb878b76368d55e7895c3e96e |
| Sha384 | 05e2cb550b4166b8218a957a8c9396cd3d6c2653d765275977518b823949be807242baabadf342f7bcc443b9facb1c1d |
| Sha512 | 3da1adb7394cfd69e074ec62ad24671daedd17ce0268c4cae874e9eaa607eb63900c72dfd78fe5fe1d8a6eb59d9627fccec5c1ef4236e7716c02d4776e06f87e |
| SSDeep | 49152:6oDVWiNgLmnc/N+ZZXZQOLHM7wRPirm2NnPTKKm77LrwCB6uan:xDVlNgScVIxpL7oZNn2Km77LrwkFW |
| TLSH | 12C5011177F9810AE3BF2BB9ABB2145D0BB7B503DA3AD38E1848509D0EA3750DE51763 |

PeID

| Config. Field0 | Value |
|---|---|
| Conf. AES-Salt | BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41 |
| Conf. AES-Key | |
| Version | ObjectLength |
| Port | ChainingModeGCM |
| Host | ChainingModeGCM |
| ReconnectDelay | AuthTagLength |
| Key | ChainingMode |
| SubDirectory | KeyDataBlob |
| InstallName | AES |
| Install | Microsoft Primitive Provider |
| Startup | 1 |
| Mutex | 1 |
| StartupKey | -1073700862 |
| HideFile | ObjectLength |
| EnableLogger | ChainingModeGCM |
| EncryptionKey | AuthTagLength |

| Name0 | Value |
|---|---|
| Info | PE Detect: PeReader OK (file layout) |
| Info | PDB Path: ? |
| Module Name | Client.exe |
| Full Name | Client.exe |
| EntryPoint | System.Void naxgoyzodlffumiezgcyjr.FZ2AyouI7PiZhO0vJTR::Main() |
| Scope Name | Client.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | Client |
| Assembly Version | 1.6.6.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | .NETFramework,Version=v4.7.2 |
| Total Strings | 1981 |
| Main Method | System.Void naxgoyzodlffumiezgcyjr.FZ2AyouI7PiZhO0vJTR::Main() |
| Main IL Instruction Count | 11 |
| Main IL | ldc.i4 3072 call System.Void System.Net.ServicePointManager::set_SecurityProtocol(System.Net.SecurityProtocolType) ldc.i4.2 <null> call System.Void System.Windows.Forms.Application::SetUnhandledExceptionMode(System.Windows.Forms.UnhandledExceptionMode) call System.Void System.Windows.Forms.Application::EnableVisualStyles() ldc.i4.0 <null> call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean) call System.Void naxgoyzodlffumiezgcyjr.FZ2AyouI7PiZhO0vJTR::VaUnUlwHPBPNc1uKLIBLzszDiZZJ5() newobj System.Void naxgoyzodlffumiezgcyjr.Y0rrE81vHmyTgef2DlNZcyHk::.ctor() call System.Void System.Windows.Forms.Application::Run(System.Windows.Forms.Form) ret <null> |

| Name0 | Value |
|---|---|
| CnC | ChainingModeGCM |
| Port | ChainingModeGCM |

| Name0 | Value | Location |
|---|---|---|
| CnC | ChainingModeGCM Malicious | 827089f7d928c6dcb73bb33d0ff0affb |
| Port | ChainingModeGCM Malicious | 827089f7d928c6dcb73bb33d0ff0affb |