Malicious

b80d901395f15bd0091966dd73ba873e

PE Executable | MD5: b80d901395f15bd0091966dd73ba873e | Size: 376.84 KB | application/x-dosexec


Characteristics
Hashes

MD5: b80d901395f15bd0091966dd73ba873e
SHA1: ee4b45552549bc74e53af4c00811ee3deb396515
SHA256: cdb054aa5c1700ab3312d11d41d724b27d94cd4f0618f7b8cd8c364774b7f7b3
SHA384: 5e8cd39bc3b55704fd7010e20dfec1507efdf17aec4016723e3cf0625d62f96e24dc001bcdcbcd6f77ed44930086b5e0
SHA512: 597e0ed23fcbca94485d6f424b4cb492b077e4afb9b43d28a9dab5c73a0b8c6a0dda31b6d7de6e7e408efc51f4bc4b3e458c164fc2cb42414e3173a48f95e0e4
SSDeep: 6144:Lrwb/c2L0teuLCKIbOI8qLY7PcZBDx8lBQIBRBx:3H2LSLNYXEeDx8luSBx
TLSH: EC849D4373A4E53FE1BE1B3AE43606158BB0D447BB1AE3CB5A5855BA3C123868D413B7

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
Malware Configuration - QuasarRAT config (extracted fields; duplicate entries from the extractor collapsed, both C2 hosts kept)

Conf. AES-Salt: BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key: f6x51gnsb1mOsWO2SKrP
Version: 1.3.0.0
Host: goldbolbein.chickenkiller.com
Host: goldgoblein.sytes.net
Port: 64594
ReconnectDelay: 3000
Key: Ria/sJv8dhGq8LmfFLY+yA==
AuthKey: gIZSCRI06yY5VA+76KlIvhV/irx+Uv5Nt4sIXvhW8vNKgC8/0K5u+AHsmfb04M9mrBxyqILG3zYJ4xwenJsKsg==
SubDirectory: trcn
InstallName: trcn.exe
Install: 1
Startup: 1
Mutex: QSR_MUTEX_fAbhOQ
StartupKey: odm
HideFile: 1
EnableLogger: 0
Tag: ABop
LogDirectory: Logs
HideLogDirectory: 0
HideLogSubdirectory: 1

Information

Info: PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info: Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_16b46813.exe
Module Name: Client.exe
Full Name: Client.exe
EntryPoint: System.Void 漢�莫퍵섛됌᝱ⲧ艐¿픧앆峠�Ȟ鄶监䀦::Main(System.String[])
Scope Name: Client.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: Client
Assembly Version: 1.3.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0,Profile=Client
Total Strings: 896
Main Method: System.Void 漢�莫퍵섛됌᝱ⲧ艐¿픧앆峠�Ȟ鄶监䀦::Main(System.String[])
Main IL Instruction Count: 19

Main IL (19 instructions, one per line; the dumper renders a branch operand as the target instruction and a missing operand as <null>):
call System.Void System.Windows.Forms.Application::EnableVisualStyles()
ldc.i4.0 <null>
call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
call System.AppDomain System.AppDomain::get_CurrentDomain()
ldnull <null>
ldftn System.Void 漢�莫퍵섛됌᝱ⲧ艐¿픧앆峠�Ȟ鄶监䀦::輋໳梴衻텅笩疤碰톖魢䋇厨ᨲ踣嚺℃幻豪(System.Object,System.UnhandledExceptionEventArgs)
newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
call System.Boolean ⅾ퐳૷땨♬갺�䡑鉭抰䠄�籯娾휕脑䫂蜏::뇎㔗䊊紱⻗ᑝ㻏㒙伏ֶ䆵�汖凪䦺೩⇠퇲鞜()
brfalse.s IL_0040: call System.Void 漢�莫퍵섛됌᝱ⲧ艐¿픧앆峠�Ȟ鄶监䀦::䙣କ냺믹毝씗댢껒꯼금げだ᚜灪鞂뺥鷝鯭()
call System.Boolean 漢�莫퍵섛됌᝱ⲧ艐¿픧앆峠�Ȟ鄶监䀦::❕렑옅桩ᘇ혰ꅯ䐹J簬塝釢둱嬒䦊灮걦ᾡྂ찋()
brfalse.s IL_0040: call System.Void 漢�莫퍵섛됌᝱ⲧ艐¿픧앆峠�Ȟ鄶监䀦::䙣କ냺믹毝씗댢껒꯼금げだ᚜灪鞂뺥鷝鯭()
call System.Boolean ୉ͩ鯶뷉�㻂Ḷ똯ᯃ睵뽿覴Ṫ笽䄟쫶룂::get_Exiting()
brtrue.s IL_0040: call System.Void 漢�莫퍵섛됌᝱ⲧ艐¿픧앆峠�Ȟ鄶监䀦::䙣କ냺믹毝씗댢껒꯼금げだ᚜灪鞂뺥鷝鯭()
ldsfld ୉ͩ鯶뷉�㻂Ḷ똯ᯃ睵뽿覴Ṫ笽䄟쫶룂 漢�莫퍵섛됌᝱ⲧ艐¿픧앆峠�Ȟ鄶监䀦::ᷬ楚臌곿{蘆櫱䇓颷≨蕊甀鏳꛵붰Ɔ摩
callvirt System.Void ୉ͩ鯶뷉�㻂Ḷ똯ᯃ睵뽿覴Ṫ笽䄟쫶룂::ꅻ⹁ᆩꐮ졝枈ᣝ끦ᒰᢛ蓫뱵DŽ⤜澕()
call System.Void 漢�莫퍵섛됌᝱ⲧ艐¿픧앆峠�Ȟ鄶监䀦::䙣କ냺믹毝씗댢껒꯼금げだ᚜灪鞂뺥鷝鯭()
call System.Void 漢�莫퍵섛됌᝱ⲧ艐¿픧앆峠�Ȟ鄶监䀦::ㆿ梞Ⴛ꘍㘵࢟廍亁穗춬퉋Ờ뀬ּ蔡榃飅()
ret <null>

Artefacts

CnC: goldgoblein.sytes.net
Port: 64594
CnC: goldbolbein.chickenkiller.com
PE Layout: MemoryMapped (process dump suspected)
