Malicious

c509119d0f7e80c77bd41f8aefd9d3b7

PE Executable | MD5: c509119d0f7e80c77bd41f8aefd9d3b7 | Size: 376.84 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score: Medium

Hash | Hash Value
MD5 | c509119d0f7e80c77bd41f8aefd9d3b7
Sha1 | 8a5f13587a375f7c8961010b078cb4aa0e82c525
Sha256 | f481413e72698abedeaec9f0aba4b3ec9af39839a7cca46959ad41efcfd91325
Sha384 | 37abd2e71f7468baa05462196e916403e743e91391d8fe71bd00836604430cf404eba3bd3be2b0b82c014eb9264683f9
Sha512 | e1d678c8cbd119967071417fd44e488bf833241a315d1681c8d5c6522779388a7a2dd653b6d09d92b33b450b5879f9fe74f522fd7b297f5de09790793aa565c8
SSDeep | 6144:XLNHXf500MeHEpYtibPMEzOGU4USU2KPOSVr:7d50GT0MyDESGPOSr
TLSH | BB847B2377E4E63BD6FE177AF43206054BB1D546B616E38B6A5855F82C133868E803B3

PeID: Microsoft Visual C# / Basic .NET
File Structure
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Malware Configuration - QuasarRAT config.
Config. Field | Value
Conf. AES-Salt | BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key | eE35DyiiWbPDofjAUBHe
Version | 1.3.0.0
Port | 62
Host | 172.86.110.11
ReconnectDelay | 3000
Key | 1WvgEMPjdwfqIMeM9MclyQ==
AuthKey | NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
SubDirectory | SubDir
InstallName | Client.exe
Install | 0
Startup | 1
Mutex | QSR_MUTEX_q8KF8E
StartupKey | Quasar Client St
HideFile | 0
EnableLogger | 1
Tag | 3fra
LogDirectory | Logs
HideLogDirectory | 0
HideLogSubdirectory | 0
Informations
Name | Value
Info | PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info | Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_fb74c5df.exe
Module Name | Client.exe
Full Name | Client.exe
EntryPoint | System.Void ᤶ鵁굱㳑뉊▍锅鉢昐꼠癑표넋됸宖ʭ⹩荓::Main(System.String[])
Scope Name | Client.exe
Scope Type | ModuleDef
Kind | Windows
Runtime Version | v4.0.30319
Tables Header Version | 512
WinMD Version | <null>
Assembly Name | Client
Assembly Version | 1.3.0.0
Assembly Culture | <null>
Has PublicKey | False
PublicKey Token | <null>
Target Framework | .NETFramework,Version=v4.0,Profile=Client
Total Strings | 896
Main Method | System.Void ᤶ鵁굱㳑뉊▍锅鉢昐꼠癑표넋됸宖ʭ⹩荓::Main(System.String[])
Main IL Instruction Count | 19
Main IL (one instruction per line; IL_0040 is the shared branch target):
call System.Void System.Windows.Forms.Application::EnableVisualStyles()
ldc.i4.0
call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
call System.AppDomain System.AppDomain::get_CurrentDomain()
ldnull
ldftn System.Void ᤶ鵁굱㳑뉊▍锅鉢昐꼠癑표넋됸宖ʭ⹩荓::﹤沆婫葲岷ᰂ뾊ᇶ硫ឞ腡볗騵촢嚎莂쐱Ể(System.Object,System.UnhandledExceptionEventArgs)
newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
call System.Boolean 赐ꄧᥒ엌ᷥໝ䗱׬⒪橛橩垫ꯣ뱔㄄䓋⎨▰ഊ脖::﫵薥륀╢뛨㘳Ẩ捜쳝鿀摂淩鮶ᑾ됤⻈鮻쓃Ꭹ()
brfalse.s IL_0040
call System.Boolean ᤶ鵁굱㳑뉊▍锅鉢昐꼠癑표넋됸宖ʭ⹩荓::홋硯�㮦獟졚ߘ䎇�렅㞋ਐꈦ縓㑾㹂폺()
brfalse.s IL_0040
call System.Boolean �쌤駈᫠�梊鶊烢␽ᢔ﬑ో蠖ᡞ⤛ῙŅᅋ::get_Exiting()
brtrue.s IL_0040
ldsfld �쌤駈᫠�梊鶊烢␽ᢔ﬑ో蠖ᡞ⤛ῙŅᅋ ᤶ鵁굱㳑뉊▍锅鉢昐꼠癑표넋됸宖ʭ⹩荓::度ᨱ㒆᭮꽮㨼䁯驻ꛆ犹鐣舶磡瓫莀䞆䄨ፐ嬀
callvirt System.Void �쌤駈᫠�梊鶊烢␽ᢔ﬑ో蠖ᡞ⤛ῙŅᅋ::腜ˮ峘퓻猚硫⢽펦ꐇ⨒斖阒㏩뺄罡夌긍헁()
IL_0040: call System.Void ᤶ鵁굱㳑뉊▍锅鉢昐꼠癑표넋됸宖ʭ⹩荓::敠突煦녞뜠깨燋⒋ᒫꏙ뜮⠞⽗돆겭킮䟬錛()
call System.Void ᤶ鵁굱㳑뉊▍锅鉢昐꼠癑표넋됸宖ʭ⹩荓::ᴍ㯯嘜쥕氊ᰪ뱮㴺끠Ⱶᙃ쪉먯卙뽤樅呷࿥㑚()
ret

Artefacts
Name | Value
CnC | 172.86.110.11
Port | 62
PE Layout | MemoryMapped (process dump suspected)

Artefacts
Name | Value | Location
CnC | 172.86.110.11 (Malicious) | c509119d0f7e80c77bd41f8aefd9d3b7
Port | 62 (Malicious) | c509119d0f7e80c77bd41f8aefd9d3b7
PE Layout | MemoryMapped (process dump suspected) | c509119d0f7e80c77bd41f8aefd9d3b7
CnC | 172.86.110.11 (Malicious) | c509119d0f7e80c77bd41f8aefd9d3b7 > [Rebuild from dump]_fb74c5df.exe
Port | 62 (Malicious) | c509119d0f7e80c77bd41f8aefd9d3b7 > [Rebuild from dump]_fb74c5df.exe
PE Layout | MemoryMapped (process dump suspected) | c509119d0f7e80c77bd41f8aefd9d3b7 > [Rebuild from dump]_fb74c5df.exe
