Malicious

e1647b0085457211e4b9e887c807e21c

PE Executable | MD5: e1647b0085457211e4b9e887c807e21c | Size: 376.84 KB | application/x-dosexec

Infection Chain
Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score: Medium

Hash     Value
MD5      e1647b0085457211e4b9e887c807e21c
SHA-1    c485713ecc081ecf6d40e505058063b64d8d1008
SHA-256  8afbde5dc32a73557582ce0c6ea793b4a73938491d27caebe66d3a57282b7612
SHA-384  50d6b106343864983b8ced0b5bc18a9e5af0b8c04692d09d98cba0a13fd6d61607f949eb2f8f1a0a526be489063823b1
SHA-512  fdfe83e5dc687706f519b5bbdcc8cf53b1c4b74168cc25a054ef166a727c1581f9f5f75625a08dd7d42fd9aa34fcaf147ce68e6418ca6206af1b8470a0392caf
SSDeep   6144:4Lwb/c2L0t+EL2kbyrH8Bx0LvYmS6J9EZGO+:CH2LgS38GBS0EZGO+
TLSH     61849D1377E8DA3BD1FD173AE43206194BB0D4677612E38B5A5AA5F82D233868D443B3

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Malware Configuration - QuasarRAT config

Config. Field         Value
Conf. AES-Salt        BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key         mILR4WdDNMh8ulUJyfWN
Host / Port           37.19.193.217 / 4782
Host / Port           toptoptop3.online / 4782
Host / Port           toptop / toptop (as emitted by the extractor; the same token is reported for host and port, so this entry is not a usable endpoint as shown)
Version               1.3.0.0
ReconnectDelay        3000
Key                   1WvgEMPjdwfqIMeM9MclyQ==
AuthKey               NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
SubDirectory          SubDir
InstallName           Client.exe
Install               0
Startup               0
Mutex                 QSR_MUTEX_YtiKGF
StartupKey            Quasar Client St
HideFile              0
EnableLogger          0
Tag                   Aug22
LogDirectory          Logs
HideLogDirectory      0
HideLogSubdirectory   0

The extractor printed the AES salt and AES key once per host entry; they are identical in every copy and are listed once above. Install, Startup and HideFile are all 0, so this build is configured not to copy itself to the SubDir\Client.exe location or register the startup entry. The Key row decodes to 16 bytes and the AuthKey row to 64 bytes. The mutex name QSR_MUTEX_YtiKGF and the Tag Aug22 are the most specific host-side indicators in this configuration; the two resolvable C2 endpoints are 37.19.193.217:4782 and toptoptop3.online:4782.

Informations

Name                        Value
Info                        PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info                        Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_0474f309.exe
Module Name                 Client.exe
Full Name                   Client.exe
EntryPoint                  System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::Main(System.String[])
Scope Name                  Client.exe
Scope Type                  ModuleDef
Kind                        Windows
Runtime Version             v4.0.30319
Tables Header Version       512
WinMD Version               <null>
Assembly Name               Client
Assembly Version            1.3.0.0
Assembly Culture            <null>
Has PublicKey               False
PublicKey Token             <null>
Target Framework            .NETFramework,Version=v4.0,Profile=Client
Total Strings               896
Main Method                 System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::Main(System.String[])
Main IL Instruction Count   19

Main IL (one instruction per line; branch operands are shown with the instruction at their target, IL_0040):

  call System.Void System.Windows.Forms.Application::EnableVisualStyles()
  ldc.i4.0
  call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
  call System.AppDomain System.AppDomain::get_CurrentDomain()
  ldnull
  ldftn System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::೅湟랒Ⱥ킢ꮪȡ㐨ሏ説ᾈ뷺砖᯼쪒蒸걾や(System.Object,System.UnhandledExceptionEventArgs)
  newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
  callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
  call System.Boolean 쁭린�孈꛴ք㢬쮄ꖥ쪰吳鉵蔳锰퐉佱嚂糎::ٞ띻퍖䎸톶᳢᷎�櫋殫蠦䯳儽�ߴ栎虆ܼኯ()
  brfalse.s IL_0040: call System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::盙疛䟇侕⽣趤鎻㟽滤אַ᜷眴ﳷⳌ()
  call System.Boolean �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::薐낒ۄ쁞㱴譚챖ꁥ⽂㡫䕫쭸踊ၙ좝圬ꃸ華()
  brfalse.s IL_0040: call System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::盙疛䟇侕⽣趤鎻㟽滤אַ᜷眴ﳷⳌ()
  call System.Boolean ᑢᆴ敎超缆徤逿΢‴ꛆ⬔睮栆䀕쉱뙼觃::get_Exiting()
  brtrue.s IL_0040: call System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::盙疛䟇侕⽣趤鎻㟽滤אַ᜷眴ﳷⳌ()
  ldsfld ᑢᆴ敎超缆徤逿΢‴ꛆ⬔睮栆䀕쉱뙼觃 �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::⯜ᠫﳌ녃͘∛卾跰횼澋㜝撝ꈖ푈믐㜛⇾
  callvirt System.Void ᑢᆴ敎超缆徤逿΢‴ꛆ⬔睮栆䀕쉱뙼觃::ᷗ쳵䯯閽칙덦�ꮳⵕ⑩擮醱㉾ᎍ�猞ﴱ鈛矺()
  call System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::盙疛䟇侕⽣趤鎻㟽滤אַ᜷眴ﳷⳌ()
  call System.Void �嘊쵆�錟빲윌檴꜆紝밢䭍ᠯ폏觥牭盞櫩赏::㚮ꃪࠎꏧ␅䗊囘�펾뛭퉣夿૟曬締㗥敃၄뎙()
  ret

Read top to bottom, Main performs WinForms initialisation, registers an AppDomain UnhandledException handler, then runs three guards (two Boolean initialisation calls and a get_Exiting check) that all branch to the same cleanup call at IL_0040 on failure. On the success path it loads a static object from a field, invokes an instance method on it (the client's run loop), and falls through to the same cleanup call before a final call and ret. Type and method names are obfuscated to non-printable Unicode (hence the Medium symbol-obfuscation score); the framework calls, the 1.3.0.0 assembly version and the unsigned Client assembly are what remain readable.


Artefacts

Name       Value
CnC        37.19.193.217
Port       4782
CnC        toptoptop3.online
CnC        toptop
Port       toptop
PE Layout  MemoryMapped (process dump suspected)



Artefacts by location

Each artefact was reported twice: once for the submitted file and once for the image rebuilt from the dump.

Location                                                                        Verdict
e1647b0085457211e4b9e887c807e21c                                                Malicious
e1647b0085457211e4b9e887c807e21c > [Rebuild from dump]_0474f309.exe             Malicious

Artefacts reported at both locations:

Name       Value
CnC        37.19.193.217
Port       4782
CnC        toptoptop3.online
CnC        toptop
Port       toptop
PE Layout  MemoryMapped (process dump suspected)
