Malicious
Malicious

895d2a0108dc376f8a4e20b71dd299b2

PE Executable
|
MD5: 895d2a0108dc376f8a4e20b71dd299b2
|
Size: 48.13 KB
|
application/x-dosexec

Print
Infection Chain
Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score

Low

Hash
 Hash Value
MD5
895d2a0108dc376f8a4e20b71dd299b2
Sha1
f385208080615de28b8bc46820e75d9605ea2f52
Sha256
daefd6596440c56fa4d385b441d0a5ac224edb8f08edc531807c83a0e160e969
Sha384
9797a2b64aa7c897fdb79511fbf0dcb5677ef8d911d7f449de302ee27df456372546e1de6353ed2dfb6085033c999a10
Sha512
d3dbef0fe4d3595d7f089d1860ddfc471669bf25f63b15e633b06c29dea9b6a77b4bbda7b1e2f51b326f8f7185ec1bf0d7eb00d5584bda11056f934056e30817
SSDeep
768:5uydZT7g3kXKWU8lvm+O7mo2qw9nE+yb6tPIbzjbMgX3iGg8XREBCihpeMTYSBDT:5uydZT7ekg29ExWKb3bDXSuXREBCyTYs
TLSH
8F231A003BE9812BF2BE5F7899F26105867EF6A32603D54D1CC4419B1723FC69A526FE

PeID

Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
File Structure
895d2a0108dc376f8a4e20b71dd299b2
Malicious
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
Malware Configuration - AsyncRAT config.
Config. Field
 Value
Key (AES_256)

-
Pastebin

-
Certificate

MIIE8jCCAtqgAwIBAgIQAIZMhXFGE5Y3RoSyBbvf0TANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjYwNDI4MTExNjI4WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKrwVkcnBgXUyhAooY6q+UJsCi27nP0i2MlJG3HDEhuhS0ISzD0XBuuSXhTlGdvJqomv4I/pFxdEkstobKM7z852Vd01sx19HDSLilbGAke9yRbZp/TqKe60+RK8QQcnPUeJ4kiQijuDXKTrbkCdeytGVkMskvJQCWU2C8u+5LrXSDY2baID7kz4umKqU8PQl4imOQF+ewuxKmL5JC/ns9E11WfYE2KgD04145WLXwBkYRttXyaqTV704yTI6bZ2UpZ+naTLmyGgRVkYNYQqBLdTJ75sFgvkWcE5jECqVHowDv252RT4/qTTod7uYvWo0FG2AO7JjU3mLLxI+paxUA7GuYP+NrdAOVHGajgnWUL2JFv+XtEtQjWtuMRlQs1TDz0IUUwHQktrjYQC0yyUEUf4zMz/Qgb2NvVLziwST+6r38D7i8ckP0oxwO41HH+OQYqJ1Ecsaek5Ukxt/ZyyWSJSOy89jmAepBoogd5lzh+8g5CHB0tQrxl6rk0CdvKMtuspw+em9UT/mv3kWL/cqc5d3JLEYsFNGHPZbdMsoftCS+xWJVGQWObzs8iLabOTuNLmMHnffZUXcTfzSIriphoGejFy6Q9B9HI7WyWpzZLDD/fjb/4RVccUpo+ti8mnLP6owl4/IEkv2db5Lg8yxZgd0bCh+t61PbheRgv3a5vrAgMBAAGjMjAwMB0GA1UdDgQWBBQz9hwirkKpHBfj+59FVOjJgNy05DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBJXhJGeFKO0O7/1NF2Qzke7rx8Qif9n58/QLGfaVuGqKqVS0PQzVHOJPgiggWcGHaUBKmpKSzffOMGKlRcHAJUegd8j6amZeorYAliD0BpwXu2HsxEWKq/nzEF37pFEL/VTFjPSeYNtgEDgIjRZOHq9sNjr5bnjjZ9Ze4x2GrpSKi69bw+px9/V9XcSMZySRN65Ky7N2m+/SQdt5LLVm+2dsBLuPt/oCawYo3Ja82cKk9frrUPJUASl5Betxmh3WkVf5gvCvNKwY+KWCRDNGIA2rNr1B1RlthRcxIrBrUs8zF7BoliT7A/goaIyVHoiDlthCYKBRFwq7OEvWkh80rrszDFVKcubutcTDdngwYAXYBPQH2JY5RmK9f4efHyuXy3oP5/OfNVmb4j56QXa6fKr3xT+IFApKPrmwLbeKS5dunuW1ULqv7Ph7LGgVJxpZhT16GEtBrONczZDWfSMesvrVUQL42QVNrNLObQNJZtBT0dhXBXI+ErqV7ECcozjL6uaQfDkri8z8cs2l22xK9XEQIbYPEQESaXkyQl5i9IocwuykP9emdj8qERLYTffImvgVCY7XXztrgS+vLTkV12IEYS9qDMs/AtbYwsD3wbiIaIcguymj/Tleus05CcMKhOSCI01QmWaBk5qs4lyOMdc1uFVu9LHmrtfwvBAPTpug==
ServerSignature

m7o4iKmRaFH9trok/WuVL9BCWzthGdjvQaTxFTSnM6qWd9enHb86u2xUL5X8cwXpL0LmSYnUYeIK300RhioLxIi4JtkDHpB2Jh0qR6Cj5yYoicBTkUHTqAauotuh8qeyzvcxzsjO6xzywStsfM/YzwoSwBC1RZMVV+Zs5HhoFNSxCyKdIAnbZuZA6j2LJ9g1Z57bKWbDofHLPm+i+VYtwdRaXi/ICsK5v1/w6Uoa5eVPkIVHOcbdDv5yhsQ9Lkkk/nebYnnRkdy32G5El1S/iDMxSqawDbN7bYAEMgS3vd7Zko0OrRjv7Z4g95ePcEAzWfLNxgPCoq/ZemMmEnUF5r0umayc0llbJNKFCJOGFXctbX2f/qyaR2SGwSLrZSYb/yrlUsQxHbS5PVtcT7ZYI8XOHNT0ykXVqQRXvQJG2MXlz3iOM/h2pe0djxo3sjD4qy9P/4f0/sQqcU+V21GLR2LaioC1ODbMDQSOSjFy97979kaX4wzULIhJRDky+Wf9DBylfo6S8VQrjjuBrXovpF4PyKO83SfkmSW1PJ4P/b355T+c6pfbnombbc38lX4F9dontFCuTzwg2C/73u63Pw8+OltFdfqq/MLcfnmAu0uTt0VO5niyTFWfxaI0fHlqQlrvnZrvpalkm2a3RK0PAfL3lGaf/ss6+/buiBjT56k=
Install

false
Install-Folder

%AppData%
Hosts

www.xoilacks.tv,xoilacks.tv,malware-drop.xoilacks.tv,ddos-controller.xoilacks.tv,botnet-panel.xoilacks.tv,ransom-note.xoilacks.tv,stealer-gate.xoilacks.tv,payload-host.xoilacks.tv,exploit-chain.xoilacks.tv,trojan-loader.xoilacks.tv,phish-collector.xoilacks.tv,phishing.xoilacks.tv,secure-login.xoilacks.tv,account-verify.xoilacks.tv,update-billing.xoilacks.tv,password-reset.xoilacks.tv,wallet-check.xoilacks.tv,invoice-review.xoilacks.tv,mail-security.xoilacks.tv,session-alert.xoilacks.tv,document-share.xoilacks.tv,urgent-auth.xoilacks.tv,spam-blaster.xoilacks.tv,credential-harvest.xoilacks.tv,command-node.xoilacks.tv,flood-engine.xoilacks.tv,attack-orchestrator.xoilacks.tv,worm-update.xoilacks.tv,rootkit-hub.xoilacks.tv,crypto-miner.xoilacks.tv
Ports

443,6606,7707,8000,8080,8808,49152,50001,54321,57001,59999,60123,61000,62000,65000,65001,65002,65533,65534,65535
Mutex

t3G5mw659Dxg
Version

0.5.8
Informations
Name
 Value
Info

PE Detect: PeReader OK (file layout)
Module Name

Jackpot_Settlement.exe
Full Name

Jackpot_Settlement.exe
EntryPoint

System.Void Client.Program::Main()
Scope Name

Jackpot_Settlement.exe
Scope Type

ModuleDef
Kind

Windows
Runtime Version

v4.0.30319
Tables Header Version

512
WinMD Version

<null>
Assembly Name

Jackpot_Settlement
Assembly Version

1.0.0.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

.NETFramework,Version=v4.0,Profile=Client
Total Strings

120
Main Method

System.Void Client.Program::Main()
Main IL Instruction Count

51
Main IL

ldc.i4.0 <null> stloc.0 <null> br IL_0015: ldloc.0 ldc.i4 1000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldloc.0 <null> ldc.i4.1 <null> add <null> stloc.0 <null> ldloc.0 <null> ldsfld System.String Client.Settings::Delay call System.Int32 System.Convert::ToInt32(System.String) blt.s IL_0007: ldc.i4 1000 call System.Boolean Client.Settings::InitializeSettings() brtrue IL_0032: nop ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> call System.Boolean Client.Helper.MutexControl::CreateMutex() brtrue IL_0043: ldsfld System.String Client.Settings::Anti ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) ldsfld System.String Client.Settings::Anti call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_0057: ldsfld System.String Client.Settings::Install call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis() ldsfld System.String Client.Settings::Install call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_006B: ldsfld System.String Client.Settings::BDOS call System.Void Client.Install.NormalStartup::Install() ldsfld System.String Client.Settings::BDOS call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_0089: call System.Void Client.Helper.Methods::PreventSleep() call System.Boolean Client.Helper.Methods::IsAdmin() brfalse IL_0089: call System.Void Client.Helper.Methods::PreventSleep() call System.Void Client.Helper.ProcessCritical::Set() call System.Void Client.Helper.Methods::PreventSleep() leave IL_0099: nop pop <null> leave IL_0099: nop nop <null> call System.Boolean Client.Connection.ClientSocket::get_IsConnected() brtrue IL_00AE: leave IL_00B9 call System.Void Client.Connection.ClientSocket::Reconnect() call System.Void Client.Connection.ClientSocket::InitializeClient() leave IL_00B9: ldc.i4 5000 pop <null> leave IL_00B9: ldc.i4 5000 ldc.i4 5000 call System.Void System.Threading.Thread::Sleep(System.Int32) br.s IL_0099: nop
Module Name

Jackpot_Settlement.exe
Full Name

Jackpot_Settlement.exe
EntryPoint

System.Void Client.Program::Main()
Scope Name

Jackpot_Settlement.exe
Scope Type

ModuleDef
Kind

Windows
Runtime Version

v4.0.30319
Tables Header Version

512
WinMD Version

<null>
Assembly Name

Jackpot_Settlement
Assembly Version

1.0.0.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

.NETFramework,Version=v4.0,Profile=Client
Total Strings

120
Main Method

System.Void Client.Program::Main()
Main IL Instruction Count

51
Main IL

ldc.i4.0 <null> stloc.0 <null> br IL_0015: ldloc.0 ldc.i4 1000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldloc.0 <null> ldc.i4.1 <null> add <null> stloc.0 <null> ldloc.0 <null> ldsfld System.String Client.Settings::Delay call System.Int32 System.Convert::ToInt32(System.String) blt.s IL_0007: ldc.i4 1000 call System.Boolean Client.Settings::InitializeSettings() brtrue IL_0032: nop ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> call System.Boolean Client.Helper.MutexControl::CreateMutex() brtrue IL_0043: ldsfld System.String Client.Settings::Anti ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) ldsfld System.String Client.Settings::Anti call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_0057: ldsfld System.String Client.Settings::Install call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis() ldsfld System.String Client.Settings::Install call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_006B: ldsfld System.String Client.Settings::BDOS call System.Void Client.Install.NormalStartup::Install() ldsfld System.String Client.Settings::BDOS call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_0089: call System.Void Client.Helper.Methods::PreventSleep() call System.Boolean Client.Helper.Methods::IsAdmin() brfalse IL_0089: call System.Void Client.Helper.Methods::PreventSleep() call System.Void Client.Helper.ProcessCritical::Set() call System.Void Client.Helper.Methods::PreventSleep() leave IL_0099: nop pop <null> leave IL_0099: nop nop <null> call System.Boolean Client.Connection.ClientSocket::get_IsConnected() brtrue IL_00AE: leave IL_00B9 call System.Void Client.Connection.ClientSocket::Reconnect() call System.Void Client.Connection.ClientSocket::InitializeClient() leave IL_00B9: ldc.i4 5000 pop <null> leave IL_00B9: ldc.i4 5000 ldc.i4 5000 call System.Void System.Threading.Thread::Sleep(System.Int32) br.s IL_0099: nop
Artefacts
Name
 Value
Key (AES_256)

-
CnC

www.xoilacks.tv
CnC

xoilacks.tv
CnC

malware-drop.xoilacks.tv
CnC

ddos-controller.xoilacks.tv
CnC

botnet-panel.xoilacks.tv
CnC

ransom-note.xoilacks.tv
CnC

stealer-gate.xoilacks.tv
CnC

payload-host.xoilacks.tv
CnC

exploit-chain.xoilacks.tv
CnC

trojan-loader.xoilacks.tv
CnC

phish-collector.xoilacks.tv
CnC

phishing.xoilacks.tv
CnC

secure-login.xoilacks.tv
CnC

account-verify.xoilacks.tv
CnC

update-billing.xoilacks.tv
CnC

password-reset.xoilacks.tv
CnC

wallet-check.xoilacks.tv
CnC

invoice-review.xoilacks.tv
CnC

mail-security.xoilacks.tv
CnC

session-alert.xoilacks.tv
CnC

document-share.xoilacks.tv
CnC

urgent-auth.xoilacks.tv
CnC

spam-blaster.xoilacks.tv
CnC

credential-harvest.xoilacks.tv
CnC

command-node.xoilacks.tv
CnC

flood-engine.xoilacks.tv
CnC

attack-orchestrator.xoilacks.tv
CnC

worm-update.xoilacks.tv
CnC

rootkit-hub.xoilacks.tv
CnC

crypto-miner.xoilacks.tv
Ports

443
Ports

6606
Ports

7707
Ports

8000
Ports

8080
Ports

8808
Ports

49152
Ports

50001
Ports

54321
Ports

57001
Ports

59999
Ports

60123
Ports

61000
Ports

62000
Ports

65000
Ports

65001
Ports

65002
Ports

65533
Ports

65534
Ports

65535
Mutex

t3G5mw659Dxg
895d2a0108dc376f8a4e20b71dd299b2 (48.13 KB)
An error has occurred. This application may no longer respond until reloaded. Reload 🗙