Malicious

d2ebd4669742c3eca630f806cbf56930

PE Executable | MD5: d2ebd4669742c3eca630f806cbf56930 | Size: 355.41 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score: Medium

Hashes

MD5: d2ebd4669742c3eca630f806cbf56930
SHA1: 5748d854a608cf53cb752ff3cfc93f6c728663be
SHA256: edf4c8e33b3f5f2009b8693b604f7b678084133c3db4e414972413c794d13abb
SHA384: 4889638d9e99856c6882d9e58d99d4e1d057bc99fa965af567b7a4b9281e5f1726f7160554ed577f2f07d738c0411a98
SHA512: 16a6f7d45e03263584b2edb69f6dec104184c09c414e5e1dc33d3593d2da8b9648ab3d161423e28e6e61380a54b839397afcb89b3f1d3b7b538e8e76b6cf2d71
SSDeep: 6144:ImSiPqU23zk5QCV44q+Mpzbe3uQhuqD2sr3X3MW:3oU2244qtTQQqlr3X3MW
TLSH: C3748D23B7A8E63BD6BE173BF43206055BB0D647B616E38B5A5C54B86C133868D503B3

PeID

.NET executable
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual Studio .NET
File Structure

.Net Resources:
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png

xClient is the namespace of the client project in Quasar 1.x sources; the resource name therefore agrees with the QuasarRAT configuration recovered below and with the assembly version 1.3.0.0 reported further down.
Malware Configuration - QuasarRAT config.

The extractor repeated the config-decryption constants (Conf. AES-Salt, Conf. AES-Key) once per C2 entry; they are listed once below. Quasar 1.3.0.0 keeps its C2 list in a single string of host:port pairs, which the extractor split into the three Host/Port pairs shown. For the first entry it emitted the hostname in the Port slot as well, so that host's port is not recoverable from this report; all values are reproduced exactly as extracted. The Conf. AES-Salt is the fixed salt hard-coded in Quasar 1.3.0.0, not something unique to this build; the Conf. AES-Key is the per-build passphrase from which the config-string key is derived.

Conf. AES-Salt: BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key: WhxbgtfoCH2rle1wnnE8

Host: anydesks.duckdn
Port: anydesks.duckdn (as extracted; see note above)

Host: 154.53.50.145
Port: 2

Host: 5.189.132.160
Port: 2

Version: 1.3.0.0
ReconnectDelay: 3000
Key: 1WvgEMPjdwfqIMeM9MclyQ==
AuthKey: NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
SubDirectory: desktop
InstallName: desktop.exe
Install: 1
Startup: 1
Mutex: QSR_MUTEX_UlQgRB
StartupKey: desktop
HideFile: 1
EnableLogger: 1
Tag: microsoft
LogDirectory: Logs
HideLogDirectory: 1
HideLogSubdirectory: 1

Key and AuthKey are base64 and decode to 16 and 64 bytes: the AES-128 key and HMAC-SHA256 key Quasar 1.3.0.0 uses for its client-server channel, distinct from the Conf. AES-Key passphrase that protects the embedded configuration strings. For hunting: Install, Startup and HideFile are all 1, so the client copies itself to a hidden desktop.exe inside a desktop subdirectory, adds an autostart entry named desktop and guards against a second instance with the mutex QSR_MUTEX_UlQgRB; EnableLogger with a hidden Logs directory means keylogger output is written to disk, and Tag microsoft is the operator's campaign label.
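Added example, not code from the sample, from the Quasar project or from the report's extractor: a standalone decoder for one Quasar 1.3.0.0 config value, so the extractor's output can be reproduced or checked by hand. It follows the scheme Quasar 1.3.0.0's client uses as I know it from that version's source, not from this page: the AES key and HMAC key are derived with PBKDF2-HMAC-SHA1 from the passphrase and the fixed salt above (50000 iterations, 16 key bytes then 64 HMAC-key bytes from one stream), and each decoded value is an HMAC-SHA256 tag over IV plus ciphertext, followed by the IV and the AES-128-CBC ciphertext with PKCS#7 padding. AES is implemented in pure Python so the script needs only the standard library. The salt and passphrase are the report's; the host string, the fixed IV and the resulting blob are constructed here and are not from the binary.

```python
# Added example (not Quasar's code, not the report's extractor): decrypt one Quasar 1.3.0.0 config
# value offline. Decoded layout per that version's AES class: HMAC-SHA256 tag (32 B) || IV (16 B) ||
# AES-128-CBC ciphertext (PKCS#7). Keys: PBKDF2-HMAC-SHA1(passphrase, SALT, 50000): 16 B AES, 64 B HMAC.
import base64
import hashlib
import hmac
from functools import reduce
from operator import xor

SALT = bytes.fromhex("BFEB1E56FBCD973BB219022430A57843003D5644D21E62B9D4F180E7E6C33941")  # "Conf. AES-Salt"

def xtime(a):  # multiply by x in GF(2^8) modulo the AES polynomial
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a, b):  # general GF(2^8) multiplication
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), xtime(a), b >> 1
    return r

def make_sbox():  # generate the Rijndael S-box instead of typing 256 constants
    rot = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 (3 generates GF(2^8)*)
        q ^= (q << 1) & 0xFF; q ^= (q << 2) & 0xFF; q ^= (q << 4) & 0xFF
        q ^= 0x09 if q & 0x80 else 0                             # q /= 3, so q == 1/p
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63  # affine transform
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = make_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]

def expand_key(key):  # AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:  # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def shift_rows(s, inverse):  # state index = 4*column + row; row r rotates by r
    d = -1 if inverse else 1
    return [s[4 * ((c + d * r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s, inverse):  # multiply every column by the (inverse) MixColumns matrix
    m = (14, 11, 13, 9) if inverse else (2, 3, 1, 1)
    return [reduce(xor, (gmul(s[4 * c + j], m[(j - r) % 4]) for j in range(4)))
            for c in range(4) for r in range(4)]

def aes_encrypt_block(rk, block):
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = shift_rows([SBOX[b] for b in s], False)
        s = [b ^ k for b, k in zip(mix_columns(s, False) if rnd < 10 else s, rk[rnd])]
    return bytes(s)

def aes_decrypt_block(rk, block):
    s = [b ^ k for b, k in zip(block, rk[10])]
    for rnd in range(9, -1, -1):
        s = [INV_SBOX[b] ^ k for b, k in zip(shift_rows(s, True), rk[rnd])]
        s = mix_columns(s, True) if rnd else s
    return bytes(s)

def derive_keys(passphrase):  # mirrors Rfc2898DeriveBytes(passphrase, SALT, 50000): GetBytes(16), GetBytes(64)
    stream = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), SALT, 50000, 80)
    return stream[:16], stream[16:]

def decrypt_config_string(passphrase, b64_value):
    aes_key, auth_key = derive_keys(passphrase)
    blob = base64.b64decode(b64_value)
    tag, iv, ct = blob[:32], blob[32:48], blob[48:]
    if not ct or len(ct) % 16 or not hmac.compare_digest(tag, hmac.new(auth_key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("bad length or HMAC mismatch (wrong passphrase or tampered value)")
    rk, pt = expand_key(aes_key), bytearray()
    for i in range(0, len(ct), 16):  # CBC: P_i = D(C_i) xor C_(i-1), with C_(-1) = IV
        pt += bytes(a ^ b for a, b in zip(aes_decrypt_block(rk, ct[i:i + 16]), (iv + ct)[i:i + 16]))
    pad = pt[-1]
    if not 1 <= pad <= 16 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding")
    return pt[:-pad].decode("utf-8")

def encrypt_config_string(passphrase, text, iv):  # inverse direction; used here only to build a test value
    aes_key, auth_key = derive_keys(passphrase)
    rk, data = expand_key(aes_key), text.encode("utf-8")
    data += bytes([16 - len(data) % 16]) * (16 - len(data) % 16)  # PKCS#7 padding
    ct = b""
    for i in range(0, len(data), 16):  # CBC: C_i = E(P_i xor C_(i-1))
        ct += aes_encrypt_block(rk, bytes(a ^ b for a, b in zip(data[i:i + 16], (iv + ct)[i:i + 16])))
    return base64.b64encode(hmac.new(auth_key, iv + ct, hashlib.sha256).digest() + iv + ct).decode()

# Constructed sample: passphrase is the report's "Conf. AES-Key"; host list and fixed IV are made up
# here (real builds draw a random IV per value), so this blob does not come from the binary.
PASSPHRASE = "WhxbgtfoCH2rle1wnnE8"
SAMPLE_BLOB = encrypt_config_string(PASSPHRASE, "154.53.50.145:2;5.189.132.160:2;", bytes(range(16)))
```

To apply it to a real sample, pull the base64 string literals assigned in the obfuscated settings type's static constructor and pass each one to decrypt_config_string with the Conf. AES-Key. The HMAC is checked before any decryption, so a mismatch means a wrong passphrase or a different Quasar version's scheme rather than a corrupt dump, and the check is deliberately constant-time even though an offline decoder does not strictly need it.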

Informations

Info: PE Detect: PeReader FAIL, AsmResolver Mapped OK
Module Name: Client.exe
Full Name: Client.exe
EntryPoint: System.Void ꅊ﮶䡺宺㯳暀娓븰馚䪋찞딃ꄩ�璲ᓾ鍌䟈::Main(System.String[])
Scope Name: Client.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: Client
Assembly Version: 1.3.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0,Profile=Client
Total Strings: 896
Main Method: System.Void ꅊ﮶䡺宺㯳暀娓븰馚䪋찞딃ꄩ�璲ᓾ鍌䟈::Main(System.String[])
Main IL Instruction Count: 19

The PE Detect line says a plain file-layout PE reader fails on this sample while AsmResolver succeeds only in mapped mode. That agrees with the PE Layout artefact below (MemoryMapped, process dump suspected): section data sits at virtual addresses rather than at raw file offsets, which is what a dump from process memory looks like.

Main IL (one instruction per line; the extractor ran them together):

call System.Void System.Windows.Forms.Application::EnableVisualStyles()
ldc.i4.0 <null>
call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
call System.AppDomain System.AppDomain::get_CurrentDomain()
ldnull <null>
ldftn System.Void ꅊ﮶䡺宺㯳暀娓븰馚䪋찞딃ꄩ�璲ᓾ鍌䟈::뎖Ꞥ햏ঁﯫ៶Ị∂穯걉兝ⲩ뗕燴㢷渆慚꭫ₗ(System.Object,System.UnhandledExceptionEventArgs)
newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
call System.Boolean ⌤捤喢䧍巡婘颦伜ፙ訫ⓩ古혇齭�㘻ᇪ▸莟::麫촘ꔔ颀坒춐픭꡴෭䛅㽩≤ौ氕减ﮞ렗媴회()
brfalse.s IL_0040: call System.Void ꅊ﮶䡺宺㯳暀娓븰馚䪋찞딃ꄩ�璲ᓾ鍌䟈::媎왝躰䘘⾗䰴ዷ�ƣ蔈瀌�苹͟숱۹㙼()
call System.Boolean ꅊ﮶䡺宺㯳暀娓븰馚䪋찞딃ꄩ�璲ᓾ鍌䟈::曀碲퍿ϊၐ䶑⠮邧⠃駀᱆�こ▄뵰㖳()
brfalse.s IL_0040: call System.Void ꅊ﮶䡺宺㯳暀娓븰馚䪋찞딃ꄩ�璲ᓾ鍌䟈::媎왝躰䘘⾗䰴ዷ�ƣ蔈瀌�苹͟숱۹㙼()
call System.Boolean 諄㨠巚䇊㯄羸齶零鈊㢥㚰쇋ᶊ뱓遶쟜軷::get_Exiting()
brtrue.s IL_0040: call System.Void ꅊ﮶䡺宺㯳暀娓븰馚䪋찞딃ꄩ�璲ᓾ鍌䟈::媎왝躰䘘⾗䰴ዷ�ƣ蔈瀌�苹͟숱۹㙼()
ldsfld 諄㨠巚䇊㯄羸齶零鈊㢥㚰쇋ᶊ뱓遶쟜軷 ꅊ﮶䡺宺㯳暀娓븰馚䪋찞딃ꄩ�璲ᓾ鍌䟈::᤭鱝지ᡗ꜖�뛦淞孠틄㢄㎰女ꈈ쥓ꍑ囿
callvirt System.Void 諄㨠巚䇊㯄羸齶零鈊㢥㚰쇋ᶊ뱓遶쟜軷::퍢鴂徲᫪㫃ᴺ欞紜ᘔ㮪皿婌᜻ʼ趾蕮赐៧Ꞷ卹()
call System.Void ꅊ﮶䡺宺㯳暀娓븰馚䪋찞딃ꄩ�璲ᓾ鍌䟈::媎왝躰䘘⾗䰴ዷ�ƣ蔈瀌�苹͟숱۹㙼()
call System.Void ꅊ﮶䡺宺㯳暀娓븰馚䪋찞딃ꄩ�璲ᓾ鍌䟈::㆟躂ᨪ㷤嬛랖䜾耉婁᧷่흯韘잛ꍑ召䊊햲ԇ()
ret <null>

Reading the entry point: after WinForms initialisation and hooking AppDomain.UnhandledException, Main runs three guards, two obfuscated Boolean calls (brfalse.s) and the get_Exiting property (brtrue.s), any of which branches to the shared tail at IL_0040. If all pass it loads a static object of the third obfuscated type and calls a method on it (presumably the client's run loop), then falls into the same tail, which calls two cleanup/exit routines before ret. Only get_Exiting survived renaming, so the guards cannot be named from the IL alone; the identifiers are Unicode noise, which is what the Medium symbol-obfuscation score reflects.


Artefacts

CnC: 5.189.132.160, port 2
CnC: 154.53.50.145 (the configuration pairs it with port 2)
CnC: anydesks.duckdn (port not recovered: the extractor emitted the hostname in the Port field; value reproduced as extracted)
PE Layout: MemoryMapped (process dump suspected)
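Added example, mine rather than the report tool's own heuristic, of the check behind "PE Layout: MemoryMapped": in a PE on disk each section body lives at PointerToRawData (a FileAlignment multiple, commonly 0x200), while an image dumped from process memory keeps every section at its VirtualAddress (a SectionAlignment multiple, commonly 0x1000), so the two fields coincide. The two header blobs are constructed inline (DOS stub, COFF header and section table only, no optional header and no section bodies) and are not derived from the sample.

```python
# Added example (not the report's tool): the layout heuristic behind "PE Layout: MemoryMapped".
# On disk, section bodies sit at PointerToRawData; in a memory dump they sit at VirtualAddress.
import struct

def parse_sections(data):
    """Return (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr))
    return out

def pe_layout(data):
    """'MemoryMapped' when every section that has data lives at its RVA, otherwise 'File'."""
    secs = [s for s in parse_sections(data) if s[4]]  # skip sections with no raw data (.bss-style)
    if secs and all(va == rawptr for _, _, va, _, rawptr in secs):
        return "MemoryMapped"
    return "File"

def build_headers(sections):
    """Constructed test input: DOS stub + COFF header + section table, SizeOfOptionalHeader = 0,
    no section bodies. Enough for the parser above; not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0x1000, va, 0x1000, ptr, 0, 0, 0, 0, 0x60000020)
        for n, va, ptr in sections)
    return dos + coff + table

# The same two sections laid out as a file (raw offsets at 0x200 multiples) and as a dumped image.
ON_DISK = build_headers([(b".text", 0x2000, 0x400), (b".rsrc", 0x4000, 0x2400)])
DUMPED = build_headers([(b".text", 0x2000, 0x2000), (b".rsrc", 0x4000, 0x4000)])
```

Images linked with FileAlignment equal to SectionAlignment also pass this test, which is why the report says suspected rather than confirmed; corroborate it with a loader that fails in file mode and succeeds in mapped mode, as the PE Detect line above shows, before treating the file as a dump.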
