Malicious

aa2076936452dba8456557920d9b44d8

PE Executable | MD5: aa2076936452dba8456557920d9b44d8 | Size: 376.84 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score: Medium

Hash | Hash Value
MD5 | aa2076936452dba8456557920d9b44d8
Sha1 | 82df7fe53fc729316a53f68fb240606fa1a5a3e7
Sha256 | da2cea35fd1e9f0bb690cbea5d625c6d1a0bb4080caa65ae1c1e3f2081d88196
Sha384 | 701292c23f1a786bf216dc0766e24439d9426737bea1a200d33985ba90a7e815c2857b2642f7af77ec5a1ef6bad697a1
Sha512 | ca0e5b52b58bd422f22e6313c699b67effd99503e82f525d3bd583dfe3b023338c59d6fac20de316c42091360876721c7ee0d7d4b8f2749f42a220bfba5b88bf
SSDeep | 6144:Cw6bPXhLApfpvIoNRzv0ybl+EHNCgmE9ynbH8y:fmhApHNhMqxQgm2ynbH8y
TLSH | A8846B1367A8D53BE1BE1737E43206045BB4D847B706E38B5A6855BD6C233868E90BF3

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Malware Configuration - QuasarRAT config.
Config. Field | Value
Conf. AES-Salt | BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key | FKtxNVbGt2pxY6yyI19X
Version | 1.3.0.0
Port | 19ap22.duckdns.o
Host | 19ap22.duckdns.o
ReconnectDelay | 3000
Key | 1WvgEMPjdwfqIMeM9MclyQ==
AuthKey | NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
SubDirectory | SubDir
InstallName | Client.exe
Install | 0
Startup | 0
Mutex | QSR_MUTEX_7BYyMa
StartupKey | notes
HideFile | 1
EnableLogger | 0
Tag | 3rd JULY
LogDirectory | Logs
HideLogDirectory | 0
HideLogSubdirectory | 1

Informations
Name | Value
Info | PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info | Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_d78d20a5.exe
Module Name | Client.exe
Full Name | Client.exe
EntryPoint | System.Void 叭✧텤眠픁蔲渏䗠౵￰�⟝勏ቃ�蔁곐㧁ầ::Main(System.String[])
Scope Name | Client.exe
Scope Type | ModuleDef
Kind | Windows
Runtime Version | v4.0.30319
Tables Header Version | 512
WinMD Version | <null>
Assembly Name | Client
Assembly Version | 1.3.0.0
Assembly Culture | <null>
Has PublicKey | False
PublicKey Token | <null>
Target Framework | .NETFramework,Version=v4.0,Profile=Client
Total Strings | 896
Main Method | System.Void 叭✧텤眠픁蔲渏䗠౵￰�⟝勏ቃ�蔁곐㧁ầ::Main(System.String[])
Main IL Instruction Count | 19
Main IL (one instruction per line):
    call System.Void System.Windows.Forms.Application::EnableVisualStyles()
    ldc.i4.0 <null>
    call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
    call System.AppDomain System.AppDomain::get_CurrentDomain()
    ldnull <null>
    ldftn System.Void 叭✧텤眠픁蔲渏䗠౵￰�⟝勏ቃ�蔁곐㧁ầ::ꐪ﷊ᣙ얡蛫릉噥쯶⮩ꓚ뒽ꦤ긵㫦牼枩号䥜㤜䨕(System.Object,System.UnhandledExceptionEventArgs)
    newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
    callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
    call System.Boolean 諭ᰤ˂ꑌ蝫겣⼿瞄䔢芯䓄쉲緕趕診抇^蹪::쥥�֟㶅촅졘禳䪋헌郚ꈕ錏䃈ģ㣣ᇗ␂()
    brfalse.s IL_0040: call System.Void 叭✧텤眠픁蔲渏䗠౵￰�⟝勏ቃ�蔁곐㧁ầ::씞鿈讚肃貞弡ꀜ釶憓ヶ吠�哬ൠ㢯沂远邈()
    call System.Boolean 叭✧텤眠픁蔲渏䗠౵￰�⟝勏ቃ�蔁곐㧁ầ::䮧᝱烏⿻腊�븮�ﴨꂸ띷⫧熿㊭㷒()
    brfalse.s IL_0040: call System.Void 叭✧텤眠픁蔲渏䗠౵￰�⟝勏ቃ�蔁곐㧁ầ::씞鿈讚肃貞弡ꀜ釶憓ヶ吠�哬ൠ㢯沂远邈()
    call System.Boolean ㎺嘗亜ߌ䶒鈀們瑈㖨勰鮸狤傡໦忮臉뻯琊::get_Exiting()
    brtrue.s IL_0040: call System.Void 叭✧텤眠픁蔲渏䗠౵￰�⟝勏ቃ�蔁곐㧁ầ::씞鿈讚肃貞弡ꀜ釶憓ヶ吠�哬ൠ㢯沂远邈()
    ldsfld ㎺嘗亜ߌ䶒鈀們瑈㖨勰鮸狤傡໦忮臉뻯琊 叭✧텤眠픁蔲渏䗠౵￰�⟝勏ቃ�蔁곐㧁ầ::簎阺虽贕覸됬䘺䨿鈨啯붴쟡䧍譖윚
    callvirt System.Void ㎺嘗亜ߌ䶒鈀們瑈㖨勰鮸狤傡໦忮臉뻯琊::ᇞ퐥慰퓓⸄ᜆ䏲읰㹑則둈搮䩼煅꽩๝㯁곱刍()
    call System.Void 叭✧텤眠픁蔲渏䗠౵￰�⟝勏ቃ�蔁곐㧁ầ::씞鿈讚肃貞弡ꀜ釶憓ヶ吠�哬ൠ㢯沂远邈()
    call System.Void 叭✧텤眠픁蔲渏䗠౵￰�⟝勏ቃ�蔁곐㧁ầ::読羲⎏ꆛ�窱⻠㽖ꃶ쯓൐噆꿃獓骶᡺ᦢ憓趲()
    ret <null>

Artefacts
Name | Value
CnC | 19ap22.duckdns.o
Port | 19ap22.duckdns.o
PE Layout | MemoryMapped (process dump suspected)

Artefacts (with location)
Name | Value | Verdict | Location
CnC | 19ap22.duckdns.o | Malicious | aa2076936452dba8456557920d9b44d8
Port | 19ap22.duckdns.o | Malicious | aa2076936452dba8456557920d9b44d8
PE Layout | MemoryMapped (process dump suspected) | | aa2076936452dba8456557920d9b44d8
CnC | 19ap22.duckdns.o | Malicious | aa2076936452dba8456557920d9b44d8 > [Rebuild from dump]_d78d20a5.exe
Port | 19ap22.duckdns.o | Malicious | aa2076936452dba8456557920d9b44d8 > [Rebuild from dump]_d78d20a5.exe
PE Layout | MemoryMapped (process dump suspected) | | aa2076936452dba8456557920d9b44d8 > [Rebuild from dump]_d78d20a5.exe
