Malicious

e9ee98884693a0f7b1e123bd39d3eb81

PE Executable | MD5: e9ee98884693a0f7b1e123bd39d3eb81 | Size: 376.84 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score: Medium

Hashes
MD5: e9ee98884693a0f7b1e123bd39d3eb81
SHA1: ad4760f53df33aa8e7964b63f9bc85d8a6c79b6c
SHA256: 82e73b81ac55851de4f80a23e08c3b0d60b73a4a91d3ec7e176906fd2554f55b
SHA384: f3cedf8ed14a95c8cf76c47f14aa44310651306152bb0b76ff7e671d966d39ab97f5a1120e997304e57e23c74189cb6a
SHA512: d53b0bbc6f9be7c3d3b841cb9deb4f9759bf9f7ea3f65289427e99e1ffe82c4d30019b8d50de655473723b779971996047ae76d1bfbcf75a02af1369fdcad7a7
SSDeep: 6144:/7NHXf500MxKlLUWLD3bwMgdlQF2A7hUYPyVbJe:jd50alLVMnlK2A7qYPGbJe
TLSH: 9E848C1333A8D63BD1BE577AF53606044BB1D447BA16F38F9A5896B82C133868D913B3

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Malware Configuration - QuasarRAT config (field: value)
Conf. AES-Salt: BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key: JTis9uZa3y2AQVXE5OLV
Version: 1.3.0.0
Port: 1604
Host: 85.121.4.92
ReconnectDelay: 3000
Key: 1WvgEMPjdwfqIMeM9MclyQ==
AuthKey: NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
SubDirectory: SubDir
InstallName: Client.exe
Install: 1
Startup: 0
Mutex: QSR_MUTEX_A0MQsC
StartupKey: Quasar Client St
HideFile: 0
EnableLogger: 1
Tag: Office04
LogDirectory: Logs
HideLogDirectory: 0
HideLogSubdirectory: 0

Information (name: value)
Info: PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info: Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_ec386a74.exe
Module Name: Client.exe
Full Name: Client.exe
EntryPoint: System.Void 鉥뷒䔑�ݝꯙ늴ﮬ骇毩奄笳᫢::Main(System.String[])
Scope Name: Client.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: Client
Assembly Version: 1.3.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0,Profile=Client
Total Strings: 896
Main Method: System.Void 鉥뷒䔑�ݝꯙ늴ﮬ骇毩奄笳᫢::Main(System.String[])
Main IL Instruction Count: 19
Main IL (one instruction per line):
  call System.Void System.Windows.Forms.Application::EnableVisualStyles()
  ldc.i4.0 <null>
  call System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
  call System.AppDomain System.AppDomain::get_CurrentDomain()
  ldnull <null>
  ldftn System.Void 鉥뷒䔑�ݝꯙ늴ﮬ骇毩奄笳᫢::႕Ⓘ悩ጼ䙳塢懶眎护๯�緔杰쎒揊徥ꗢ�㊫(System.Object,System.UnhandledExceptionEventArgs)
  newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
  callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
  call System.Boolean 呜魠溊甅锧괫⩭㝰㛤⵺Ꮣ콂竸끓�∣㰨�㨚::䂋͊余䲇㰹핧쭖翉焵᯶烪陶酄輗臨ꦴ‡㯆�()
  brfalse.s IL_0040: call System.Void 鉥뷒䔑�ݝꯙ늴ﮬ骇毩奄笳᫢::腡롉鑉�烐숚걬麤㮜縉拄⟬㏻竽ᗘ뇂鍭ࣹ()
  call System.Boolean 鉥뷒䔑�ݝꯙ늴ﮬ骇毩奄笳᫢::贜뻔脟ࣄ묫뚧讘持ꬻ폫渡쒳툙긐㯈梾橁()
  brfalse.s IL_0040: call System.Void 鉥뷒䔑�ݝꯙ늴ﮬ骇毩奄笳᫢::腡롉鑉�烐숚걬麤㮜縉拄⟬㏻竽ᗘ뇂鍭ࣹ()
  call System.Boolean 爂ぉ숅廀ᥛ鯒鵙२ႇ랢ⵕᛆᔩ痾߈㢕ﴣ✢암::get_Exiting()
  brtrue.s IL_0040: call System.Void 鉥뷒䔑�ݝꯙ늴ﮬ骇毩奄笳᫢::腡롉鑉�烐숚걬麤㮜縉拄⟬㏻竽ᗘ뇂鍭ࣹ()
  ldsfld 爂ぉ숅廀ᥛ鯒鵙२ႇ랢ⵕᛆᔩ痾߈㢕ﴣ✢암 鉥뷒䔑�ݝꯙ늴ﮬ骇毩奄笳᫢::糊鮙徰댴龰蹘�薺魈༾ꡎ⤈⦝ີ钰ჵ曵
  callvirt System.Void 爂ぉ숅廀ᥛ鯒鵙२ႇ랢ⵕᛆᔩ痾߈㢕ﴣ✢암::푅珮ᐖᇂ鶷膧㎾菔崟脿⦑�㻇ⵉ榑左ฦ쬙()
  call System.Void 鉥뷒䔑�ݝꯙ늴ﮬ骇毩奄笳᫢::腡롉鑉�烐숚걬麤㮜縉拄⟬㏻竽ᗘ뇂鍭ࣹ()
  call System.Void 鉥뷒䔑�ݝꯙ늴ﮬ骇毩奄笳᫢::î멚왰沟㭡怉ᨡ࿇뜺⫰接ৱ튪쁵梻骸㜾ₚ臣()
  ret <null>

Artefacts (name: value)
CnC: 85.121.4.92
Port: 1604
PE Layout: MemoryMapped (process dump suspected)