Malicious

c2e7aed71e5e6d5772cc39d702e694f2

PE Executable | MD5: c2e7aed71e5e6d5772cc39d702e694f2 | Size: 66.56 KB | application/x-dosexec


Characteristics

Symbol Obfuscation Score: Low

Hashes
MD5: c2e7aed71e5e6d5772cc39d702e694f2
SHA1: 529deca554ef916aa40f5c3de40410f81c6b74a9
SHA256: bb3653b0d1b215e32abeaf6198b991ef9040997fa083b2cacd0ade7b0933119f
SHA384: d8159f80a72db22a72087973ca23be6a03690620746ff9681f0cb74c70f98eff8e0835bbb22d82601f0bd4c8e982c12c
SHA512: ebecc9d74e2949cc8c5a6f11228bf2c9e2c6a0c6b96f4f84ba7f74b11e251109fd11e181e2d85f3948aa59ce762ee9a3fb2e6fe94abf35d7892b8691c2426e0a
SSDeep: 1536:XWsT2/MaBitymKEV4+GbbYwqKloGNkrVclN:XL2/MaBitRvVnGbbYPK3khY
TLSH: 41535B003798CA65E1BE4BB4ACF2554006B5D9772106DA5E7CC404CBAB9FBC64A237FE

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
Malware Configuration - DcRat config
Key (AES_256): amRlNTZvY1dGRWpKTWk4c0hCaEcyUnRHREZ0YmJVOEo=
Pastebin: -
Certificate:


ServerSignature: R8lVHGVs16a36kr1NRRD/PHOJSPfEK5YuslxWPqA7zuxeAq2bkcYPPVDcNpv4Jp59L5pTmasoZa/n2hEqUblDIPevNlg9OEb+EwhHD8VH4r8rxF33RN8ehSDZtPhjZckTmbOq7vAkIsSTjR42eaUNSlHwvvq88D2Ze188DMVuwg=
Install: true
BDOS: false
Anti-VM: true
Install File: codepulse.exe
Install-Folder: %AppData%
Hosts: true-religionjeans.in.net,api.true-religionjeans.in.net,ae888.ru.com,app.ae888.ru.com,duxfun.in.net,app.duxfun.in.net,tzeifr.ru.com,app.tzeifr.ru.com,app.balajisolution.in.net,vcfdsy.ru.com,app.vcfdsy.ru.com,qq8893.com,app.qq8893.com
Ports: 22,25,44,64,80,88,139,443,445,465,587,1433,1604,3306,3389,4040,4782,5432,6379,8080,8443,9999,27017
Mutex: B4E29310-A4D2-4E31-9F2D-342B24D92F38
Version: 1.0.7
Delay: 1
Group: App Money

Information
Info: PE Detect: PeReader OK (file layout)
Module Name: codepulse.exe
Full Name: codepulse.exe
EntryPoint: System.Void Client.Program::Main()
Scope Name: codepulse.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: codepulse
Assembly Version: 1.0.7.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0
Total Strings: 157
Main Method: System.Void Client.Program::Main()
Main IL Instruction Count: 77
Main IL:
ldc.i4.0 <null> stloc.0 <null> br IL_0015: ldloc.0 ldc.i4 1000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldloc.0 <null> ldc.i4.1 <null> add <null> stloc.0 <null> ldloc.0 <null> ldsfld System.String Client.Settings::De_lay call System.Int32 System.Convert::ToInt32(System.String) blt.s IL_0007: ldc.i4 1000 call System.Boolean Client.Settings::InitializeSettings() brtrue IL_0032: nop ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldsfld System.String Client.Settings::An_ti call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_0047: leave IL_0052 call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis() leave IL_0052: call System.Void Client.Helper.A::B() pop <null> leave IL_0052: call System.Void Client.Helper.A::B() call System.Void Client.Helper.A::B() call System.Boolean Client.Helper.MutexControl::CreateMutex() brtrue IL_0067: leave IL_0072 ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) leave IL_0072: nop pop <null> leave IL_0072: nop nop <null> ldsfld System.String Client.Settings::Anti_Process call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_0087: leave IL_0092 call System.Void Client.Helper.AntiProcess::StartBlock() leave IL_0092: nop pop <null> leave IL_0092: nop nop <null> ldsfld System.String Client.Settings::BS_OD call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00B1: leave IL_00BC call System.Boolean Client.Helper.Methods::IsAdmin() brfalse IL_00B1: leave IL_00BC call System.Void Client.Helper.ProcessCritical::Set() leave IL_00BC: nop pop <null> leave IL_00BC: nop nop <null> ldsfld System.String Client.Settings::In_stall call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00D1: leave IL_00DC call System.Void Client.Install.NormalStartup::Install() leave IL_00DC: call System.Void Client.Helper.Methods::PreventSleep() pop <null> leave IL_00DC: call System.Void Client.Helper.Methods::PreventSleep() call System.Void Client.Helper.Methods::PreventSleep() call System.Boolean Client.Helper.Methods::IsAdmin() brfalse IL_00F0: leave IL_00FB call System.Void Client.Helper.Methods::ClearSetting() leave IL_00FB: nop pop <null> leave IL_00FB: nop nop <null> call System.Boolean Client.Connection.ClientSocket::get_IsConnected() brtrue IL_0110: leave IL_011B call System.Void Client.Connection.ClientSocket::Reconnect() call System.Void Client.Connection.ClientSocket::InitializeClient() leave IL_011B: ldc.i4 5000 pop <null> leave IL_011B: ldc.i4 5000 ldc.i4 5000 call System.Void System.Threading.Thread::Sleep(System.Int32) br.s IL_00FB: nop


Artefacts
Key (AES_256): amRlNTZvY1dGRWpKTWk4c0hCaEcyUnRHREZ0YmJVOEo=
CnC: true-religionjeans.in.net, api.true-religionjeans.in.net, ae888.ru.com, app.ae888.ru.com, duxfun.in.net, app.duxfun.in.net, tzeifr.ru.com, app.tzeifr.ru.com, app.balajisolution.in.net, vcfdsy.ru.com, app.vcfdsy.ru.com, qq8893.com, app.qq8893.com
Ports: 22, 25, 44, 64, 80, 88, 139, 443, 445, 465, 587, 1433, 1604, 3306, 3389, 4040, 4782, 5432, 6379, 8080, 8443, 9999, 27017
Mutex: B4E29310-A4D2-4E31-9F2D-342B24D92F38
