Malicious
Infection Chain
Characteristics
Symbol Obfuscation Score: Very low

Hash
MD5: 8f8743131055e1e181f7d7c4ff527065
Sha1: 92ac3b84d67138f1c98d3b6a9764263550f63dad
Sha256: 20da7c750b4c1162896320d3381121eb4bf71a19eee85234e9425d78c92c865c
Sha384: 89b07980e01a41420067998617970d98f1b368f3fbbc08942f96a83e47655908b0249be804e058c6ecde8c5a056eeb59
Sha512: 929ebb25605f0921dfb4944fd00807540c3ec5a93ef2d29d34daf2cb7897377ee82b7cbfef8db89f9efc980738854fd67588350d5427e38619679f26731862a0
SSDeep: 3072:gKqV65eA/58HvPiWgA5TZ0rbU6MzuXDE478n0IuLG3qT:jq65j/58P6WgA5dkbLMzmf80IuL9
TLSH: 5CF38A01E0E4AD0ACFCF623610F8DB059590B94EA1779188B9DB60E719FEBD4DCD32A5

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
Structure
  DosHeader
  PE Header
  Optional Header (x86)
  Section Headers
    .text
    .rsrc
    .reloc
  Resources
    RT_VERSION
      ID:0001
        ID:0
    RT_MANIFEST
      ID:0001
        ID:0
  .Net Resources (Malicious)
    njmmcpyh.Resources (Malicious)
      AsyncClient.exe (Malicious)
        Structure
          DosHeader
          PE Header
          Optional Header (x86)
          Section Headers
            .text
            .rsrc
            .reloc
          Resources
            RT_ICON
              ID:0001
                ID:0
              ID:0002
                ID:0
              ID:0003
                ID:0
              ID:0004
                ID:0
              ID:0005
                ID:0
              ID:0006
                ID:0
            RT_GROUP_CURSOR4
              ID:0001
                ID:0
            RT_VERSION
              ID:0001
                ID:0
            RT_MANIFEST
              ID:0001
                ID:0
      XClient.exe (Malicious)
        Structure
          DosHeader
          PE Header
          Optional Header (x86)
          Section Headers
            .text
            .rsrc
            .reloc
          Resources
            RT_VERSION
              ID:0001
                ID:0
Malware Configuration - XBinder config.
ref_elem_0x0000000E: XClient.exe-=>True-=>False
ref_elem_0x00000016: AsyncClient.exe-=>True-=>False
Workpath: %AppData%
SPL: -=>
Mutex: VSkZckmm4HMQXi2tu

Malware Configuration - AsyncRAT config.
Key (AES_256): ZmNXcVRBU3RvSEQwaWI3SEpOZmplc21xVjdkbGhWOGI=
Pastebin: -
Certificate: (value elided)
ServerSignature: PzP2nnjqR+gbMBNI9JcGK9gms1BKcMXe7HN1SZZj30LB0jdNVXVjdl8E7bA2Y51Gf1VleQSohfFC7vGD9spSy43WPz6x5tOakZ39AF8Ila3gFsJOWLtqs9XR7fkOmwIQ+Ae1LO5q5gfKMhTCwXQPjMxU+L6wyGLrDVSuzFOXUgzuw0hlYrOiouPa67UQjELW6NOCmDhwZcTs4w/rYUeSPLV9Lt2v9Ecjt9OMXLn9/6jiksjSjyPdpYn1i0Z42ox/lTaffGkDu8dwd+dWfWwzpkiYehRPHdiLyO7ZDUhrYN5bcq7IDf/7Q/ejt/mu/yw4u1EAp/dAOZLUgU9EUoArJdlFrAPBdr+HPo8+6fzII2RiwisQOrnYKtu9pee6vCjouYYEjq5VQVLC6P0lALUJ2cLyT7m2pxxsL/nQSkQeUHNMG0FymV3WZgsXjZT1t8fcMX5ypx9bZ+C3Swe6FpeAjrEvvz1HdesmjKbH+mGQd8mOT341v6l0pdzQ6ArYgHg7fRSyHPUtCtGo75w0xrIrG/RaM9G5T5Qeyhqx1JPWiqHoCWDn5DTJe5lGPZPYufRUtxXY5KjJeSQAQAmFyqBSGH4A7QgTy/kbe57eWXAIhMm8WC7AwB5KgIFS8wpDfaLs2atug1pHyJa5C49S1J6NbyRtAb1hNgttava6NoRQzLo=
Install: false
BDOS: false
Anti-VM: false
Install File: venom.exe
Install-Folder: %AppData%
Version: 0.5.7B
Hosts: admingdtg.vn,handyrenuopen.in.net,roofing.gb.net,wplog.jp.net,deepsteam.sa.com,zsyp.cn.com,popcima.it.com
Ports: 22,80,443,6606,7707,8808
Mutex: AsyncMutex_6SI8OkPnk
Delay: 3
Group: C2

Malware Configuration - XWorm config.
Mutex: y5IogJoUK72chel2
Hosts: admingdtg.vn,aliexpress.us.com
Port: 6000
KEY: <666666>
USBNM: <Xwormmm>
LoggerPath: %AppData%
family: xworm

Information
Info: PE Detect: PeReader OK (file layout)
Module Name: kop.exe
Full Name: kop.exe
EntryPoint: System.Void Program::Main()
Scope Name: kop.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: kop
Assembly Version: 1.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: <null>
Total Strings: 11
Main Method: System.Void Program::Main()
Main IL Instruction Count: 159
Main IL (one instruction per line; labels mark branch targets)

  ldc.i4.1
  stloc.s V_5
  call System.Boolean Program::CreateMutex()
  brtrue.s IL_0013
  ldc.i4.2
  stloc.s V_5
  ldc.i4.0
  call System.Void System.Environment::Exit(System.Int32)
IL_0013:
  call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError()
  ldc.i4.1
  stloc.3
  ldc.i4.5
  stloc.s V_5
  ldsfld System.Collections.Generic.List`1<System.String> Program::List
  callvirt System.Collections.Generic.List`1/Enumerator<System.String> System.Collections.Generic.List`1<System.String>::GetEnumerator()
  stloc.2
  br IL_0130
IL_002D:
  ldloca.s V_2
  call System.String System.Collections.Generic.List`1/Enumerator<System.String>::get_Current()
  stloc.0
  ldc.i4.6
  stloc.s V_5
  ldsfld System.String Program::Workpath
  call System.Object Program::GETP(System.String)
  ldstr "\"
  call System.Object Microsoft.VisualBasic.CompilerServices.Operators::ConcatenateObject(System.Object,System.Object)
  ldloc.0
  call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object)
  ldsfld System.String Program::SPL
  ldc.i4.m1
  ldc.i4.0
  call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod)
  ldc.i4.0
  ldelem.ref
  call System.Object Microsoft.VisualBasic.CompilerServices.Operators::ConcatenateObject(System.Object,System.Object)
  call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object)
  stloc.1
  ldc.i4.7
  stloc.s V_5
  ldloc.0
  call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object)
  ldsfld System.String Program::SPL
  ldc.i4.m1
  ldc.i4.0
  call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod)
  ldc.i4.2
  ldelem.ref
  ldstr "True"
  ldc.i4.0
  call System.Int32 Microsoft.VisualBasic.CompilerServices.Operators::CompareString(System.String,System.String,System.Boolean)
  ldc.i4.0
  bne.un.s IL_00CB
  ldc.i4.8
  stloc.s V_5
  ldloc.1
  call System.Boolean System.IO.File::Exists(System.String)
  brtrue.s IL_00C9
  ldc.i4.s 9
  stloc.s V_5
  ldloc.1
  ldloc.0
  call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object)
  ldsfld System.String Program::SPL
  ldc.i4.m1
  ldc.i4.0
  call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod)
  ldc.i4.0
  ldelem.ref
  call System.Byte[] Program::GetTheResource(System.String)
  call System.Void System.IO.File::WriteAllBytes(System.String,System.Byte[])
  ldc.i4.s 10
  stloc.s V_5
  ldloc.1
  call System.Diagnostics.Process System.Diagnostics.Process::Start(System.String)
  pop
IL_00C9:
  br.s IL_0123
IL_00CB:
  ldc.i4.s 13
  stloc.s V_5
  ldc.i4.s 14
  stloc.s V_5
  ldloc.1
  ldloc.0
  call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object)
  ldsfld System.String Program::SPL
  ldc.i4.m1
  ldc.i4.0
  call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod)
  ldc.i4.0
  ldelem.ref
  call System.Byte[] Program::GetTheResource(System.String)
  call System.Void System.IO.File::WriteAllBytes(System.String,System.Byte[])
  ldc.i4.s 15
  stloc.s V_5
  ldloc.0
  call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object)
  ldsfld System.String Program::SPL
  ldc.i4.m1
  ldc.i4.0
  call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod)
  ldc.i4.1
  ldelem.ref
  ldstr "True"
  ldc.i4.0
  call System.Int32 Microsoft.VisualBasic.CompilerServices.Operators::CompareString(System.String,System.String,System.Boolean)
  ldc.i4.0
  bne.un.s IL_0123
  ldc.i4.s 16
  stloc.s V_5
  ldloc.1
  call System.Diagnostics.Process System.Diagnostics.Process::Start(System.String)
  pop
IL_0123:
  ldc.i4.s 19
  stloc.s V_5
  call System.Void System.GC::Collect()
  ldc.i4.s 20
  stloc.s V_5
IL_0130:
  ldloca.s V_2
  call System.Boolean System.Collections.Generic.List`1/Enumerator<System.String>::MoveNext()
  brtrue IL_002D
  ldloca.s V_2
  constrained. System.Collections.Generic.List`1/Enumerator<System.String>
  callvirt System.Void System.IDisposable::Dispose()
  leave IL_01F8
  ldloc.s V_4
  br.s IL_0156
  ldloc.s V_4
  ldc.i4.1
  add
IL_0156:
  ldc.i4.0
  stloc.s V_4
  switch dnlib.DotNet.Emit.Instruction[]
  leave.s IL_01ED
IL_01B8:
  ldloc.s V_5
  stloc.s V_4
  ldloc.3
  switch dnlib.DotNet.Emit.Instruction[]
  leave.s IL_01ED
  isinst System.Exception
  ldnull
  cgt.un
  ldloc.3
  ldc.i4.0
  cgt.un
  and
  ldloc.s V_4
  ldc.i4.0
  ceq
  and
  endfilter
  castclass System.Exception
  call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception)
  leave.s IL_01B8
IL_01ED:
  ldc.i4 -2146828237
  call System.Exception Microsoft.VisualBasic.CompilerServices.ProjectData::CreateProjectError(System.Int32)
  throw
IL_01F8:
  ldloc.s V_4
  brfalse.s IL_0201
  call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError()
IL_0201:
  ret


8f8743131055e1e181f7d7c4ff527065 (160.77 KB)
Artefacts (every entry is flagged Malicious)

Location: 8f8743131055e1e181f7d7c4ff527065 > .Net Resources > njmmcpyh.Resources > AsyncClient.exe > AsyncClient.exe [AES Decoded]
  Key (AES_256): ZmNXcVRBU3RvSEQwaWI3SEpOZmplc21xVjdkbGhWOGI=
  CnC: admingdtg.vn
  CnC: handyrenuopen.in.net
  CnC: roofing.gb.net
  CnC: wplog.jp.net
  CnC: deepsteam.sa.com
  CnC: zsyp.cn.com
  CnC: popcima.it.com
  Ports: 22
  Ports: 80
  Ports: 443
  Ports: 6606
  Ports: 7707
  Ports: 8808
  Mutex: AsyncMutex_6SI8OkPnk

Location: 8f8743131055e1e181f7d7c4ff527065 > .Net Resources > njmmcpyh.Resources > XClient.exe > XClient.exe [AES Decoded]
  Mutex: y5IogJoUK72chel2
  CnC: admingdtg.vn
  CnC: aliexpress.us.com
  Port: 6000
