Malicious

b1de80c43d7da5347a2eea66debcb5ee

PE Executable | MD5: b1de80c43d7da5347a2eea66debcb5ee | Size: 385.02 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score: Medium

Hash | Hash Value
MD5 | b1de80c43d7da5347a2eea66debcb5ee
SHA1 | e70e6153430cf7f656a6daf4e5bbcdf37c84b01f
SHA256 | 4fbd1f7271a1dbf638601dbb1911c093f84f91ea81d54e6f038386730b60d7b0
SHA384 | 25dfd6bb8348b8630823984ce30a001f3c27eac395ed06ad795fc64e07e7fd9e05a5418b79c0048acc26a4f0b0783e59
SHA512 | 800aa1b8c4fbace913336297619d8d16e96081a8f14a0e825556f5e66061b12bb11931ca01422d992c41afd33e53cf56914ff11ed0cb3ada10eda77169a74966
SSDeep | 6144:QLNHXf500M8B+1gbuTbG5E/Gn4C9HXDBnRCunk4X:ad50J1gqL/C9T1R/X
TLSH | 31847B1377A8E63BD1BE177BE03205142BF0D446B716E38B6A6855BCAC123868D917F3

PeID: Microsoft Visual C# / Basic .NET
File Structure
.Net Resources:
  xClient.Properties.Resources.resources
  information
  [NBF]root.Data
  [NBF]root.Data-preview.png
Malware Configuration - QuasarRAT config.
Config. Field | Value
Conf. AES-Salt | BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key | bshp2B76on6QymiDmd4K
Version | 1.3.0.0
Port | kamal199.ddns.ne
Host | kamal199.ddns.ne
ReconnectDelay | 3000
Key | 1WvgEMPjdwfqIMeM9MclyQ==
AuthKey | NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
SubDirectory | setup
InstallName | Client.exe
Install | 0
Startup | 1
Mutex | QSR_MUTEX_ZIhw2o
StartupKey | Quasar Client St
HideFile | 0
EnableLogger | 1
Tag | setup
LogDirectory | Logs
HideLogDirectory | 0
HideLogSubdirectory | 0

Informations
Name | Value
Info | PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info | Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_c968264e.exe
Module Name | Client.exe
Full Name | Client.exe
EntryPoint | System.Void �䛠䡼�♍铥鐆뢀ൺᜆ讣㩼〈፸ፎ呤뙣뎦::Main(System.String[])
Scope Name | Client.exe
Scope Type | ModuleDef
Kind | Windows
Runtime Version | v4.0.30319
Tables Header Version | 512
WinMD Version | <null>
Assembly Name | Client
Assembly Version | 1.3.0.0
Assembly Culture | <null>
Has PublicKey | False
PublicKey Token | <null>
Target Framework | .NETFramework,Version=v4.0,Profile=Client
Total Strings | 896
Main Method | System.Void �䛠䡼�♍铥鐆뢀ൺᜆ讣㩼〈፸ፎ呤뙣뎦::Main(System.String[])
Main IL Instruction Count | 19
Main IL | listed below, one instruction per line (IL_0040 is the shared branch target)

call System.Void System.Windows.Forms.Application::EnableVisualStyles()
ldc.i4.0
call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
call System.AppDomain System.AppDomain::get_CurrentDomain()
ldnull
ldftn System.Void �䛠䡼�♍铥鐆뢀ൺᜆ讣㩼〈፸ፎ呤뙣뎦::፠麧兾Ƨ旾ꖧ鰘ꛇ챠䮓и쒣ࡨ�歎ꎫ忌鑚ﴕ(System.Object,System.UnhandledExceptionEventArgs)
newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
call System.Boolean ꅖ鱽�뮹ፊ莝윫켡鸏᪰ຂ葈Ѩ좇蔮싐㨴䷊㑝蜡::槮嵾瓃ﮏ疵익憗뷩쳻敌꒽꜒Ⲟ鴭䠤琭ퟄዲ馶()
brfalse.s IL_0040
call System.Boolean �䛠䡼�♍铥鐆뢀ൺᜆ讣㩼〈፸ፎ呤뙣뎦::醯␔᤯튂ꈄ酖䍎槞岜鼃켲ᴏ덍鮚ꜣ貤萤()
brfalse.s IL_0040
call System.Boolean 危ဍ濉滟鈅湴ろ䚙졧蠐质貱ރ魤ա踱ꢈ蠤㪒呻::get_Exiting()
brtrue.s IL_0040
ldsfld 危ဍ濉滟鈅湴ろ䚙졧蠐质貱ރ魤ա踱ꢈ蠤㪒呻 �䛠䡼�♍铥鐆뢀ൺᜆ讣㩼〈፸ፎ呤뙣뎦::㴯㪾냧㣘忚ﴷ⟚咒쓱卑㠞阞쎂힇�쉋ꨱ�먚
callvirt System.Void 危ဍ濉滟鈅湴ろ䚙졧蠐质貱ރ魤ա踱ꢈ蠤㪒呻::马몣اꋺ펖홞㓔ⳃ呎ႈ䇗愙藑뫟塞涡ꯧᘏ()
IL_0040: call System.Void �䛠䡼�♍铥鐆뢀ൺᜆ讣㩼〈፸ፎ呤뙣뎦::䵺ՙ㺂ᶋ慸ꠓ伔㕂௿׮뿜؟댊鈸腀簇()
call System.Void �䛠䡼�♍铥鐆뢀ൺᜆ讣㩼〈፸ፎ呤뙣뎦::ᓲ䂄匔紻ꟾ㽗셠㶃澘䑴䢪윅쐓♾䙧ꗏ䣩띥()
ret




Artefacts
Name | Value | Verdict | Location
CnC | kamal199.ddns.ne | Malicious | b1de80c43d7da5347a2eea66debcb5ee
Port | kamal199.ddns.ne | Malicious | b1de80c43d7da5347a2eea66debcb5ee
PE Layout | MemoryMapped (process dump suspected) | - | b1de80c43d7da5347a2eea66debcb5ee
CnC | kamal199.ddns.ne | Malicious | b1de80c43d7da5347a2eea66debcb5ee > [Rebuild from dump]_c968264e.exe
Port | kamal199.ddns.ne | Malicious | b1de80c43d7da5347a2eea66debcb5ee > [Rebuild from dump]_c968264e.exe
PE Layout | MemoryMapped (process dump suspected) | - | b1de80c43d7da5347a2eea66debcb5ee > [Rebuild from dump]_c968264e.exe
