Malicious
Malicious
Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score

High

Hash
Hash Value
MD5
ceff49810f7f435b242b61c630d7d56b
Sha1
2a43f221cb19a008b0a58478216e6599369c62a3
Sha256
99baf47b126d485495849a9e52e81bd2eb5cb4b9a1ee8ea4180a65107c31542c
Sha384
d3c80b22eed05796528da71c94f0fb903dc696bc3964c7bc853499cba2cd551e1a957132be3650be61d33e52870aff7d
Sha512
bf3b8542ed7331b908d5f6c52ad83e54343104485ac781932c71f4d2428f56e10890c2e1114bd2a60a11452caf1f8d21d79af607bd778a3533fa4c08a3537af7
SSDeep
12288:gPRb9sASjkqjVnl36ud0zR/6CtQ9PUHIG8Dl8gSD+37PWY1Y1+f7LfNaX3I/qs:gJ9ojkqjVnlqud+/2P+AlUDcPt1aKFaK
TLSH
67D4022037FD8557E1BF66B998F162006676F663A623EB4C0C8462FD4533341E9D23BA

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
InvokedClient.InvokedClientApplication.resources
costura.costura.dll.compressed
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.costura.pdb.compressed
costura.gma.system.mousekeyhook.dll.compressed
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.newtonsoft.json.dll.compressed
[Authenticode]_220cad77.p7b
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.protobuf-net.dll.compressed
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.system.diagnostics.diagnosticsource.dll.compressed
[Authenticode]_50c89911.p7b
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.invokedcommon.dll.compressed
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.metadata
ILRepack.List
Malware Configuration - QuasarRAT config.
Config. Field
Value
Conf. AES-Salt
BF-EB-huhuhuhuhuhuhuhuhuhuhu
Conf. AES-Key
Version
Yq/IrIhuhuhuhuhuhuhuhuhuhuhu
Port
wdN0T/huhuhuhuhuhuhuhuhuhuhu
Host
wdN0T/huhuhuhuhuhuhuhuhuhuhu
ReconnectDelay
3huhuhuhu
Key
pxElAkhuhuhuhuhuhuhuhuhuhuhu
SubDirectory
3/LKZUhuhuhuhuhuhuhuhuhuhuhu
InstallName
0huhuhuhu
Install
0huhuhuhu
Startup
Hhh8mXhuhuhuhuhuhuhuhuhuhuhu
Mutex
9/U2rThuhuhuhuhuhuhuhuhuhuhu
StartupKey
0huhuhuhu
HideFile
1huhuhuhu
EnableLogger
9CC761huhuhuhuhuhuhuhuhuhuhu
EncryptionKey
3UpT2+huhuhuhuhuhuhuhuhuhuhu
We extracted this malware's full configuration (C2, credentials, campaign IDs…).
Unlock with Essential
Informations
Name
Value
Info

PE Detect: PeReader OK (file layout)

Module Name

Client

Full Name

Client

EntryPoint

System.Void ꕻ旐䀝긤狆왹귝辋넅紌햚肳ꚍ鷥㪮뢖ໟ㥔::Main()

Scope Name

Client

Scope Type

ModuleDef

Kind

Windows

Runtime Version

v4.0.30319

Tables Header Version

512

WinMD Version

<null>

Assembly Name

Client

Assembly Version

0.0.0.0

Assembly Culture

<null>

Has PublicKey

False

PublicKey Token

<null>

Target Framework

.NETFramework,Version=v4.8

Total Strings

613

Main Method

System.Void ꕻ旐䀝긤狆왹귝辋넅紌햚肳ꚍ鷥㪮뢖ໟ㥔::Main()

Main IL Instruction Count

21

Main IL

call System.Boolean ꕻ旐䀝긤狆왹귝辋넅紌햚肳ꚍ鷥㪮뢖ໟ㥔::ɸ슇몷ށ搄䷔臇婢䓉䟭삧桠ᶵ榹럃껹ꞻ() pop <null> ldc.i4 3072 call System.Void System.Net.ServicePointManager::set_SecurityProtocol(System.Net.SecurityProtocolType) ldc.i4.2 <null> call System.Void System.Windows.Forms.Application::SetUnhandledExceptionMode(System.Windows.Forms.UnhandledExceptionMode) ldnull <null> ldftn System.Void ꕻ旐䀝긤狆왹귝辋넅紌햚肳ꚍ鷥㪮뢖ໟ㥔::ꕉ홖୘왁깭䤊뢣臖鴰㊾涐㑗頇璩쿺(System.Object,System.Threading.ThreadExceptionEventArgs) newobj System.Void System.Threading.ThreadExceptionEventHandler::.ctor(System.Object,System.IntPtr) call System.Void System.Windows.Forms.Application::add_ThreadException(System.Threading.ThreadExceptionEventHandler) call System.AppDomain System.AppDomain::get_CurrentDomain() ldnull <null> ldftn System.Void ꕻ旐䀝긤狆왹귝辋넅紌햚肳ꚍ鷥㪮뢖ໟ㥔::૆礱ሙ⣽㤑峣ﰔ㔥좴胷쾼쯼䦯䍹༦仛(System.Object,System.UnhandledExceptionEventArgs) newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr) callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler) call System.Void System.Windows.Forms.Application::EnableVisualStyles() ldc.i4.0 <null> call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean) newobj System.Void 牋⁇큏넾뺻ᢷ掄杁쀀綏Ʇ꒵䖻嘼쩯첞烔匐買::.ctor() call System.Void System.Windows.Forms.Application::Run(System.Windows.Forms.Form) ret <null>

Module Name

Client

Full Name

Client

EntryPoint

System.Void ꕻ旐䀝긤狆왹귝辋넅紌햚肳ꚍ鷥㪮뢖ໟ㥔::Main()

Scope Name

Client

Scope Type

ModuleDef

Kind

Windows

Runtime Version

v4.0.30319

Tables Header Version

512

WinMD Version

<null>

Assembly Name

Client

Assembly Version

0.0.0.0

Assembly Culture

<null>

Has PublicKey

False

PublicKey Token

<null>

Target Framework

.NETFramework,Version=v4.8

Total Strings

613

Main Method

System.Void ꕻ旐䀝긤狆왹귝辋넅紌햚肳ꚍ鷥㪮뢖ໟ㥔::Main()

Main IL Instruction Count

21

Main IL

call System.Boolean ꕻ旐䀝긤狆왹귝辋넅紌햚肳ꚍ鷥㪮뢖ໟ㥔::ɸ슇몷ށ搄䷔臇婢䓉䟭삧桠ᶵ榹럃껹ꞻ() pop <null> ldc.i4 3072 call System.Void System.Net.ServicePointManager::set_SecurityProtocol(System.Net.SecurityProtocolType) ldc.i4.2 <null> call System.Void System.Windows.Forms.Application::SetUnhandledExceptionMode(System.Windows.Forms.UnhandledExceptionMode) ldnull <null> ldftn System.Void ꕻ旐䀝긤狆왹귝辋넅紌햚肳ꚍ鷥㪮뢖ໟ㥔::ꕉ홖୘왁깭䤊뢣臖鴰㊾涐㑗頇璩쿺(System.Object,System.Threading.ThreadExceptionEventArgs) newobj System.Void System.Threading.ThreadExceptionEventHandler::.ctor(System.Object,System.IntPtr) call System.Void System.Windows.Forms.Application::add_ThreadException(System.Threading.ThreadExceptionEventHandler) call System.AppDomain System.AppDomain::get_CurrentDomain() ldnull <null> ldftn System.Void ꕻ旐䀝긤狆왹귝辋넅紌햚肳ꚍ鷥㪮뢖ໟ㥔::૆礱ሙ⣽㤑峣ﰔ㔥좴胷쾼쯼䦯䍹༦仛(System.Object,System.UnhandledExceptionEventArgs) newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr) callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler) call System.Void System.Windows.Forms.Application::EnableVisualStyles() ldc.i4.0 <null> call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean) newobj System.Void 牋⁇큏넾뺻ᢷ掄杁쀀綏Ʇ꒵䖻嘼쩯첞烔匐買::.ctor() call System.Void System.Windows.Forms.Application::Run(System.Windows.Forms.Form) ret <null>

Artefacts
Name
Value
CnC
wdN0T/huhuhuhuhuhuhuhuhuhuhu
Port
wdN0T/huhuhuhuhuhuhuhuhuhuhu
Full artefact values (URLs, paths, registry keys…) are available with Essential.
Unlock with Essential
ceff49810f7f435b242b61c630d7d56b (646.66 KB)
File Structure
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
InvokedClient.InvokedClientApplication.resources
costura.costura.dll.compressed
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.costura.pdb.compressed
costura.gma.system.mousekeyhook.dll.compressed
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.newtonsoft.json.dll.compressed
[Authenticode]_220cad77.p7b
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.protobuf-net.dll.compressed
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.system.diagnostics.diagnosticsource.dll.compressed
[Authenticode]_50c89911.p7b
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.invokedcommon.dll.compressed
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.metadata
ILRepack.List
Characteristics
Malware Configuration - QuasarRAT config.
Config. Field
Value
Conf. AES-Salt
BF-EB-huhuhuhuhuhuhuhuhuhuhu
Conf. AES-Key
Version
Yq/IrIhuhuhuhuhuhuhuhuhuhuhu
Port
wdN0T/huhuhuhuhuhuhuhuhuhuhu
Host
wdN0T/huhuhuhuhuhuhuhuhuhuhu
ReconnectDelay
3huhuhuhu
Key
pxElAkhuhuhuhuhuhuhuhuhuhuhu
SubDirectory
3/LKZUhuhuhuhuhuhuhuhuhuhuhu
InstallName
0huhuhuhu
Install
0huhuhuhu
Startup
Hhh8mXhuhuhuhuhuhuhuhuhuhuhu
Mutex
9/U2rThuhuhuhuhuhuhuhuhuhuhu
StartupKey
0huhuhuhu
HideFile
1huhuhuhu
EnableLogger
9CC761huhuhuhuhuhuhuhuhuhuhu
EncryptionKey
3UpT2+huhuhuhuhuhuhuhuhuhuhu
We extracted this malware's full configuration (C2, credentials, campaign IDs…).
Unlock with Essential
Artefacts
Name
Value Location
CnC
wdN0T/huhuhuhuhuhuhuhuhuhuhu
Malicious

ceff49810f7f435b242b61c630d7d56b

Port
wdN0T/huhuhuhuhuhuhuhuhuhuhu
Malicious

ceff49810f7f435b242b61c630d7d56b

Full artefact values (URLs, paths, registry keys…) are available with Essential.
Unlock with Essential
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙