Malicious
8b5dfde6d441112266a058c50639d678
PE Executable | MD5: 8b5dfde6d441112266a058c50639d678 | Size: 376.84 KB | application/x-dosexec

Characteristics
Hash | Hash Value
MD5 | 8b5dfde6d441112266a058c50639d678
Sha1 | b399a2e1c46cf12e2970ce1875fe0bd2433f9769
Sha256 | f92dfa0dd1f33115f3d57f0dca422485115db759d04413367e4c8ad9ce5638d1
Sha384 | 07cdde6b30663b4c9165ce1490f8d7fa7dcbfdffacec2df8c11dae261ed299a43e3d73153adeafa372c0143a45757de1
Sha512 | a240f0412afb60eaae59fa6baf572e38e2f13af05ad01b17f8d888b59a08e30ec52d8d8ae9d5f5ac296cf548cf3cc79d0deeb89fdb4f43cda916d5ea54f366aa
SSDeep | 3072:G/rt+8Hiefcu00MKpyDcsvwnvW099QkVNyEThTbH9p9/4viWCvAgxLKFQA4X6ICv:GjNHXf500M+ntakPyCbHXWzC4ILKzsy
TLSH | 0A847B2373A8EA3BD6BE173AF43206154BB1D607B716E38B5A5C55B92C133868D413B3

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
Malware Configuration - QuasarRAT config.
Config. Field | Value
Conf. AES-Salt | BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key | uqdAstDdnZ72ISbgTQwi
Version | 1.3.0.0
Port | ethh.duckdns.org
Host | ethh.duckdns.org
ReconnectDelay | 3000
Key | WxfziAORCcn+sFDvGfsM1g==
AuthKey | TUHMbMxk6xn/l0pl/OvhUWDo/iB3aBDHphtgLqxFU5u3quPHFMn2+6LS32+1PlWWSwmmLRWB5vhSGLbt38AzAQ==
SubDirectory | BlustacksHelp
InstallName | BlustacksHelp.ex
Install | 0
Startup | 0
Mutex | QSR_MUTEX_U1MlR7
StartupKey | BlustacksHelp
HideFile | 1
EnableLogger | 1
Tag | ETH
LogDirectory | Logs
HideLogDirectory | 1
HideLogSubdirectory | 1

Information
Name | Value
Info | PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info | Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_99e2eaa8.exe
Module Name | Client.exe
Full Name | Client.exe
EntryPoint | System.Void 擆�퇵킢テ㮮⍃⚕繛圥债푦捪�崘::Main(System.String[])
Scope Name | Client.exe
Scope Type | ModuleDef
Kind | Windows
Runtime Version | v4.0.30319
Tables Header Version | 512
WinMD Version | <null>
Assembly Name | Client
Assembly Version | 1.3.0.0
Assembly Culture | <null>
Has PublicKey | False
PublicKey Token | <null>
Target Framework | .NETFramework,Version=v4.0,Profile=Client
Total Strings | 896
Main Method | System.Void 擆�퇵킢テ㮮⍃⚕繛圥债푦捪�崘::Main(System.String[])
Main IL Instruction Count | 19
Main IL (one instruction per line):
call System.Void System.Windows.Forms.Application::EnableVisualStyles()
ldc.i4.0 <null>
call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
call System.AppDomain System.AppDomain::get_CurrentDomain()
ldnull <null>
ldftn System.Void 擆�퇵킢テ㮮⍃⚕繛圥债푦捪�崘::좒䒃뿏㣱纨ᢕ鰂쥹⢻䇸霥缼岢䣣ᗬ撞꟰ꖋ뤡(System.Object,System.UnhandledExceptionEventArgs)
newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
call System.Boolean 澔䚓ꯙš୕ᅑῄஔ㍋톢ꃇ㽙撜鹾堒ᇡ৊::鑌纶ꞑ˂웥≒뒄嗽㺣ୗ쮔ό㏸캸ゖ駘䄻()
brfalse.s IL_0040: call System.Void 擆�퇵킢テ㮮⍃⚕繛圥债푦捪�崘::ⶔ骡鶙㵿㌶㎫แ᫩饽ﰻꚻ⡱ⓩ쁔黧ᩜ㮮()
call System.Boolean 擆�퇵킢テ㮮⍃⚕繛圥债푦捪�崘::蹉搙᪓敌봃竺≽夀孅啚贗들ꭩ~揮楸()
brfalse.s IL_0040: call System.Void 擆�퇵킢テ㮮⍃⚕繛圥债푦捪�崘::ⶔ骡鶙㵿㌶㎫แ᫩饽ﰻꚻ⡱ⓩ쁔黧ᩜ㮮()
call System.Boolean ꥞햜᧩檌茽ꕸꯉ껄쯕օꧽ쇗鬉�퟼萗囊�䤟::get_Exiting()
brtrue.s IL_0040: call System.Void 擆�퇵킢テ㮮⍃⚕繛圥债푦捪�崘::ⶔ骡鶙㵿㌶㎫แ᫩饽ﰻꚻ⡱ⓩ쁔黧ᩜ㮮()
ldsfld ꥞햜᧩檌茽ꕸꯉ껄쯕օꧽ쇗鬉�퟼萗囊�䤟 擆�퇵킢テ㮮⍃⚕繛圥债푦捪�崘::㞚墟훅ꨖ쐩鼓㷷㡀踗䨄再꥕男血ꡇ竌
callvirt System.Void ꥞햜᧩檌茽ꕸꯉ껄쯕օꧽ쇗鬉�퟼萗囊�䤟::궄눽⽢푚ᡮ䕅淂餿醛쒡肔颭鋑腒焔ß登뇟דּ()
call System.Void 擆�퇵킢テ㮮⍃⚕繛圥债푦捪�崘::ⶔ骡鶙㵿㌶㎫แ᫩饽ﰻꚻ⡱ⓩ쁔黧ᩜ㮮()
call System.Void 擆�퇵킢テ㮮⍃⚕繛圥债푦捪�崘::冇銢㷵疻믅㼗䷠魹☦荏폒顥坊㧔ᶏ泽敨()
ret <null>

Artefacts
Name | Value
CnC | ethh.duckdns.org
Port | ethh.duckdns.org
PE Layout | MemoryMapped (process dump suspected)

8b5dfde6d441112266a058c50639d678 (376.84 KB)
Artefacts
Name | Value | Verdict | Location
CnC | ethh.duckdns.org | Malicious | 8b5dfde6d441112266a058c50639d678
Port | ethh.duckdns.org | Malicious | 8b5dfde6d441112266a058c50639d678
PE Layout | MemoryMapped (process dump suspected) | | 8b5dfde6d441112266a058c50639d678
CnC | ethh.duckdns.org | Malicious | 8b5dfde6d441112266a058c50639d678 > [Rebuild from dump]_99e2eaa8.exe
Port | ethh.duckdns.org | Malicious | 8b5dfde6d441112266a058c50639d678 > [Rebuild from dump]_99e2eaa8.exe
PE Layout | MemoryMapped (process dump suspected) | | 8b5dfde6d441112266a058c50639d678 > [Rebuild from dump]_99e2eaa8.exe
