Malicious

aae07edd0ecc7ce6108afb241d59fa13

PE Executable | MD5: aae07edd0ecc7ce6108afb241d59fa13 | Size: 385.04 KB | application/x-dosexec


Characteristics

Hashes
MD5: aae07edd0ecc7ce6108afb241d59fa13
SHA-1: fdad18d67d46771bd6496f2d3e2b8d414b4d94fa
SHA-256: adc6f220d24d49f4ba663643fa8139f2c24058c1d0441ef336c31e9b2480c689
SHA-384: b85a4faac6abd8987f92362c98d61581e0dfe674d22012af643ee86b7ca47342fd9f92c8710adf09574f99c8ea942f3d
SHA-512: 97de400f44728dd00f5db0f0fba85fc724016ab68328ea490bce23cee1f24c36a408786316cd26e91923a1f7e385f0713ebd8c41de9b744d0ab5cc3e65fb92f9
SSDeep: 6144:pFJbqQ4i1FFiEK2Nh79oKrStG2KbzgwuWl7uHTBbAsu:Fpliw9oKGrIIqqzB8su
TLSH: 5A847B1373A4E63BD1FD5736A43205190BB19406BA17FB8F9A589AFD2D923868D403B3

PeID
.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
Malware Configuration - QuasarRAT config
Conf. AES-Salt: BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key: cGFUWV6KtyCkZOw8j6VZ
Version: 1.3.0.0
Port: 44
Host: ef590o1ari-44145.portmap.host
ReconnectDelay: 3000
Key: MbFRZrs+lRl/H2206cGtcg==
AuthKey: 6+llbabrfj5xTJdQaN9Witdm/63gVV92zLABKbaWQ8ZIHnkDtZd0KNqb0yLapM+w4oDkdCgBVobivBe/9dNO/A==
SubDirectory: SubDir
InstallName: OfficeUpdate.exe
Install: 1
Startup: 1
Mutex: QSR_MUTEX_kwpMwV
StartupKey: OfficeUpdate
HideFile: 1
EnableLogger: 1
Tag: ik=h
LogDirectory: Logs
HideLogDirectory: 1
HideLogSubdirectory: 1

Information
Info: PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info: Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_4740c5d4.exe
Module Name: Client.exe
Full Name: Client.exe
EntryPoint: System.Void 泟栌諊ග峒澈*䔩⯛흟壘㼏耡禽쀳๹⸺光�::Main(System.String[])
Scope Name: Client.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: Client
Assembly Version: 1.3.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0,Profile=Client
Total Strings: 896
Main Method: System.Void 泟栌諊ග峒澈*䔩⯛흟壘㼏耡禽쀳๹⸺光�::Main(System.String[])
Main IL Instruction Count: 19
Main IL (one instruction per line):
    call System.Void System.Windows.Forms.Application::EnableVisualStyles()
    ldc.i4.0 <null>
    call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
    call System.AppDomain System.AppDomain::get_CurrentDomain()
    ldnull <null>
    ldftn System.Void 泟栌諊ග峒澈*䔩⯛흟壘㼏耡禽쀳๹⸺光�::겼瓌띜庿�⫸숛肇髄舜榄㩳퀨Ԇ(System.Object,System.UnhandledExceptionEventArgs)
    newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
    callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
    call System.Boolean ᜶Ź꺺ࡽ៲忖堶瓳饙炦덭ထᣖ戮튢⧘�晬::颕쏸ꂼ剶ﻂ쫄⡨艕搕成ꪡ᚞딴⸘��肋麕邶Ђ()
    brfalse.s IL_0040: call System.Void 泟栌諊ග峒澈*䔩⯛흟壘㼏耡禽쀳๹⸺光�::餙氻컞譌䌥誚ᲨBℝ캞麀싥⦚䊁ᏸ㸠쫆䟾曰()
    call System.Boolean 泟栌諊ග峒澈*䔩⯛흟壘㼏耡禽쀳๹⸺光�::榺톏팲﫠鉏膰좳ᰐ鴅ዓ픠尅왳샊ꗡ丗燤堡瘋()
    brfalse.s IL_0040: call System.Void 泟栌諊ග峒澈*䔩⯛흟壘㼏耡禽쀳๹⸺光�::餙氻컞譌䌥誚ᲨBℝ캞麀싥⦚䊁ᏸ㸠쫆䟾曰()
    call System.Boolean 氦᥯졇ষ䠇㓡ↇ㮇뒌І᪹�퓶ꀧ䉹שּׁ患떭塞::get_Exiting()
    brtrue.s IL_0040: call System.Void 泟栌諊ග峒澈*䔩⯛흟壘㼏耡禽쀳๹⸺光�::餙氻컞譌䌥誚ᲨBℝ캞麀싥⦚䊁ᏸ㸠쫆䟾曰()
    ldsfld 氦᥯졇ষ䠇㓡ↇ㮇뒌І᪹�퓶ꀧ䉹שּׁ患떭塞 泟栌諊ග峒澈*䔩⯛흟壘㼏耡禽쀳๹⸺光�::빢씁ᗐᏑ탒诗仭�燳⫽묱䳎ㇶ萘烝煾潩䀡ꟗ
    callvirt System.Void 氦᥯졇ষ䠇㓡ↇ㮇뒌І᪹�퓶ꀧ䉹שּׁ患떭塞::쇚낄濓䪛쳎沙큧煾纫穏ഇ尜䌤ꉜÀ읲漖ൄႂ痸()
    call System.Void 泟栌諊ග峒澈*䔩⯛흟壘㼏耡禽쀳๹⸺光�::餙氻컞譌䌥誚ᲨBℝ캞麀싥⦚䊁ᏸ㸠쫆䟾曰()
    call System.Void 泟栌諊ග峒澈*䔩⯛흟壘㼏耡禽쀳๹⸺光�::�꺊滫씵裪鐈順갇떤䊑㔢ﮊ害ᚅ窯徖♜ণン()
    ret <null>


Artefacts
CnC: ef590o1ari-44145.portmap.host
Port: 44
PE Layout: MemoryMapped (process dump suspected)
