Malicious
Malicious

d52cc6f8f2df2ec03155e1ffa7a7ff96

PE Executable
|
MD5: d52cc6f8f2df2ec03155e1ffa7a7ff96
|
Size: 10.78 MB
|
application/x-dosexec

Infection Chain
Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score

Low

Hash
 Hash Value
MD5
d52cc6f8f2df2ec03155e1ffa7a7ff96
Sha1
a51a3795d6066a880743f2f27b92aecf758afb67
Sha256
2b8d25c562b20467aea9ba78fc9ca6b64fee9540948df239b0588c2c6e70906b
Sha384
f858aff08910764b33734c9ceab3ce36d703ee44ff8ffc8609a04cc2f0ab772815d43cd4e697a2b5471096ad0bd9d2cb
Sha512
7b5f1bab4308870028b754fd3eecc78974400812c32cef0d0920aed6b42f55680f3507ac4fb9b3d6de3f615dd118e5b64b54a7b13993dcd0c3fd4005e7948c8c
SSDeep
196608:r4do/4Hpjtll8Qc9zfH2MXBF2QWwrpti9Bhfh3c0RtyGtN6:8do/4Hp1vc9j20BF5Nc9TC0htU
TLSH
A0B6335917E49E7BF47F0AB8F47140011E71FC42A917FBCE389869B84E297988D06B93

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
UPolyX 0.3 -> delikon
File Structure
d52cc6f8f2df2ec03155e1ffa7a7ff96
Malicious
Overlay_21720d2c.bin
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Malware Configuration - QuasarRAT config.
Config. Field
 Value
Conf. AES-Salt

BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key

Y7gtFh8uaxJktlaw6Gav
Version

1.4.0.0
Port

222
Host

51.15.17.193
ReconnectDelay

3000
SubDirectory

1WvgEMPjdwfqIMeM9MclyQ==
InstallName

NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
Install

7zip
Startup

7z.exe
Mutex

0
StartupKey

0
HideFile

mcCwajiPKbYEpGxs
EnableLogger

7z
Tag

0
LogDirectory

1
ServerSignature

TEST1
ServerCertificate

Logs
InstallPath

0
LogsPath

0
UnattendedMod

0
Informations
Name
 Value
Info

PE Detect: PeReader OK (file layout)
Info

Overlay extracted: Overlay_21720d2c.bin (10485764 bytes)
Module Name

Client.exe
Full Name

Client.exe
EntryPoint

System.Void xClient.Program::Main(System.String[])
Scope Name

Client.exe
Scope Type

ModuleDef
Kind

Windows
Runtime Version

v4.0.30319
Tables Header Version

512
WinMD Version

<null>
Assembly Name

Client
Assembly Version

1.3.0.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

.NETFramework,Version=v4.0,Profile=Client
Total Strings

1062
Main Method

System.Void xClient.Program::Main(System.String[])
Main IL Instruction Count

19
Main IL

call System.Void System.Windows.Forms.Application::EnableVisualStyles() ldc.i4.0 <null> call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean) call System.AppDomain System.AppDomain::get_CurrentDomain() ldnull <null> ldftn System.Void xClient.Program::HandleUnhandledException(System.Object,System.UnhandledExceptionEventArgs) newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr) callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler) call System.Boolean xClient.Config.Settings::Initialize() brfalse.s IL_0040: call System.Void xClient.Program::Cleanup() call System.Boolean xClient.Program::Initialize() brfalse.s IL_0040: call System.Void xClient.Program::Cleanup() call System.Boolean xClient.Core.Networking.QuasarClient::get_Exiting() brtrue.s IL_0040: call System.Void xClient.Program::Cleanup() ldsfld xClient.Core.Networking.QuasarClient xClient.Program::ConnectClient callvirt System.Void xClient.Core.Networking.QuasarClient::Connect() call System.Void xClient.Program::Cleanup() call System.Void xClient.Program::Exit() ret <null>
Module Name

Client.exe
Full Name

Client.exe
EntryPoint

System.Void xClient.Program::Main(System.String[])
Scope Name

Client.exe
Scope Type

ModuleDef
Kind

Windows
Runtime Version

v4.0.30319
Tables Header Version

512
WinMD Version

<null>
Assembly Name

Client
Assembly Version

1.3.0.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

.NETFramework,Version=v4.0,Profile=Client
Total Strings

1062
Main Method

System.Void xClient.Program::Main(System.String[])
Main IL Instruction Count

19
Main IL

call System.Void System.Windows.Forms.Application::EnableVisualStyles() ldc.i4.0 <null> call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean) call System.AppDomain System.AppDomain::get_CurrentDomain() ldnull <null> ldftn System.Void xClient.Program::HandleUnhandledException(System.Object,System.UnhandledExceptionEventArgs) newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr) callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler) call System.Boolean xClient.Config.Settings::Initialize() brfalse.s IL_0040: call System.Void xClient.Program::Cleanup() call System.Boolean xClient.Program::Initialize() brfalse.s IL_0040: call System.Void xClient.Program::Cleanup() call System.Boolean xClient.Core.Networking.QuasarClient::get_Exiting() brtrue.s IL_0040: call System.Void xClient.Program::Cleanup() ldsfld xClient.Core.Networking.QuasarClient xClient.Program::ConnectClient callvirt System.Void xClient.Core.Networking.QuasarClient::Connect() call System.Void xClient.Program::Cleanup() call System.Void xClient.Program::Exit() ret <null>
Artefacts
Name
 Value
CnC

51.15.17.193
Port

222
URLs in VB Code - #1

http://schemas.microsoft.com/SMI/2005/WindowsSettings
d52cc6f8f2df2ec03155e1ffa7a7ff96 (10.78 MB)
File Structure
d52cc6f8f2df2ec03155e1ffa7a7ff96
Malicious
Overlay_21720d2c.bin
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Characteristics
Malware Configuration - QuasarRAT config.
Config. Field
 Value
Conf. AES-Salt

BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key

Y7gtFh8uaxJktlaw6Gav
Version

1.4.0.0
Port

222
Host

51.15.17.193
ReconnectDelay

3000
SubDirectory

1WvgEMPjdwfqIMeM9MclyQ==
InstallName

NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
Install

7zip
Startup

7z.exe
Mutex

0
StartupKey

0
HideFile

mcCwajiPKbYEpGxs
EnableLogger

7z
Tag

0
LogDirectory

1
ServerSignature

TEST1
ServerCertificate

Logs
InstallPath

0
LogsPath

0
UnattendedMod

0
Artefacts
Name
 Value Location
CnC

51.15.17.193

Malicious

d52cc6f8f2df2ec03155e1ffa7a7ff96
Port

222

Malicious

d52cc6f8f2df2ec03155e1ffa7a7ff96
URLs in VB Code - #1

http://schemas.microsoft.com/SMI/2005/WindowsSettings

d52cc6f8f2df2ec03155e1ffa7a7ff96
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙