Malicious

b71eaa3dc527f36ee2267bb1174a1090

PE Executable | MD5: b71eaa3dc527f36ee2267bb1174a1090 | Size: 436.22 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score: Low

Hashes

MD5: b71eaa3dc527f36ee2267bb1174a1090
Sha1: 0b0a4674974cdabf50cedc84f1d228ff5df3f8e4
Sha256: 4b767fac98191dd727620e5c8d6cceaa8a1e8b5d5a55055afb4b9624b4f48be6
Sha384: bd86a2469051865acc2bebfc517d3f85837bd3b7267f9e113c0fd7a447b96170ec566ee7a59e0f4962869670a3e31537
Sha512: ccf75f2b68377d94622c4daceabff3bd5297594d4e0d81aacacefce1fe40866a6c4f5b4a4801f2272c773c228ddd8c0512a9976aa2714064089bf460eb8eb2d8
SSDeep: 1536:gaht6TcEC8Q0GbbLw9vZeJGauxwo4uxg/uSUEVclN:gY6TcQlGbbLYhdC9uDJ2Y
TLSH: 9094F7103384F41AD59D56B19F96F0B41270AD662D428A5B7CCC73DF3ABEEC148393AA

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure

Structure
  DosHeader
  PE Header
  Optional Header (x86)
  Section Headers
    .text
    .rsrc
    .reloc
  Resources
    RT_ICON
      ID:0001
        ID:0
      ID:0002
        ID:0
      ID:0003
        ID:0
      ID:0004
        ID:0
      ID:0005
        ID:0
      ID:0006
        ID:0
    RT_GROUP_CURSOR4
      ID:0001
        ID:0
    RT_VERSION
      ID:0001
        ID:0
    RT_MANIFEST
      ID:0001
        ID:0
Malware Configuration - DcRat config.

Key (AES_256): REduVUpNaXV2MzE2NFVVQThIN3ZwaFNrb0N2N3NDU1k=
Pastebin: -
Certificate: (base64 certificate blob omitted)
ServerSignature: (base64 signature blob omitted)
Install: true
BDOS: false
Anti-VM: false
Install File: Dclient.exe
Install-Folder: %AppData%
Hosts: beber.mex.com, www.beber.mex.com, obrien.us.com, www.obrien.us.com, thissubdomainshouldonlyresolveifwildcard.beber.mex.com, 199.59.242.153, 104.21.53.138, 172.67.213.99, 216.120.146.200, 199.59.243.200, 104.21.21.238, 172.67.201.107, 54.153.56.183
Ports: 22, 25, 44, 64, 80, 88, 139, 443, 445, 465, 587, 1433, 1604, 3306, 3389, 4040, 4782, 5432, 6379, 8080, 8443, 9999, 27017
Mutex: uyderzefjevytbh
Version: 1.0.7
Delay: 1
Group: Dclient

Information

Info: PE Detect: PeReader OK (file layout)
Module Name: DClient.exe
Full Name: DClient.exe
EntryPoint: System.Void Client.Program::Main()
Scope Name: DClient.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: DClient
Assembly Version: 1.0.7.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0
Total Strings: 157
Main Method: System.Void Client.Program::Main()
Main IL Instruction Count: 77
Main IL:

ldc.i4.0
stloc.0
br IL_0015
IL_0007: ldc.i4 1000
call System.Void System.Threading.Thread::Sleep(System.Int32)
ldloc.0
ldc.i4.1
add
stloc.0
IL_0015: ldloc.0
ldsfld System.String Client.Settings::De_lay
call System.Int32 System.Convert::ToInt32(System.String)
blt.s IL_0007
call System.Boolean Client.Settings::InitializeSettings()
brtrue IL_0032
ldc.i4.0
call System.Void System.Environment::Exit(System.Int32)
IL_0032: nop
ldsfld System.String Client.Settings::An_ti
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_0047
call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis()
IL_0047: leave IL_0052
pop
leave IL_0052
IL_0052: call System.Void Client.Helper.A::B()
call System.Boolean Client.Helper.MutexControl::CreateMutex()
brtrue IL_0067
ldc.i4.0
call System.Void System.Environment::Exit(System.Int32)
IL_0067: leave IL_0072
pop
leave IL_0072
IL_0072: nop
ldsfld System.String Client.Settings::Anti_Process
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_0087
call System.Void Client.Helper.AntiProcess::StartBlock()
IL_0087: leave IL_0092
pop
leave IL_0092
IL_0092: nop
ldsfld System.String Client.Settings::BS_OD
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_00B1
call System.Boolean Client.Helper.Methods::IsAdmin()
brfalse IL_00B1
call System.Void Client.Helper.ProcessCritical::Set()
IL_00B1: leave IL_00BC
pop
leave IL_00BC
IL_00BC: nop
ldsfld System.String Client.Settings::In_stall
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_00D1
call System.Void Client.Install.NormalStartup::Install()
IL_00D1: leave IL_00DC
pop
leave IL_00DC
IL_00DC: call System.Void Client.Helper.Methods::PreventSleep()
call System.Boolean Client.Helper.Methods::IsAdmin()
brfalse IL_00F0
call System.Void Client.Helper.Methods::ClearSetting()
IL_00F0: leave IL_00FB
pop
leave IL_00FB
IL_00FB: nop
call System.Boolean Client.Connection.ClientSocket::get_IsConnected()
brtrue IL_0110
call System.Void Client.Connection.ClientSocket::Reconnect()
call System.Void Client.Connection.ClientSocket::InitializeClient()
IL_0110: leave IL_011B
pop
leave IL_011B
IL_011B: ldc.i4 5000
call System.Void System.Threading.Thread::Sleep(System.Int32)
br.s IL_00FB

Artefacts

Key (AES_256): REduVUpNaXV2MzE2NFVVQThIN3ZwaFNrb0N2N3NDU1k=
CnC: beber.mex.com, www.beber.mex.com, obrien.us.com, www.obrien.us.com, thissubdomainshouldonlyresolveifwildcard.beber.mex.com, 199.59.242.153, 104.21.53.138, 172.67.213.99, 216.120.146.200, 199.59.243.200, 104.21.21.238, 172.67.201.107, 54.153.56.183
Ports: 22, 25, 44, 64, 80, 88, 139, 443, 445, 465, 587, 1433, 1604, 3306, 3389, 4040, 4782, 5432, 6379, 8080, 8443, 9999, 27017
Mutex: uyderzefjevytbh
