Malicious

ead152233cb6712f2fb1920d08fe13b9

PE Executable | MD5: ead152233cb6712f2fb1920d08fe13b9 | Size: 53.25 KB | application/x-dosexec


Characteristics

Symbol Obfuscation Score: Low

Hashes
MD5: ead152233cb6712f2fb1920d08fe13b9
SHA1: 31e179c2e6aaa4f0185f280069c094c1e2f6ef72
SHA256: bc1f349fc4db55e0ce087a043d3f7708994b65982f00599ddc52cfeaff55edba
SHA384: acb7c2affe8fd19d623ad8e5612c6e2f801c037bef74e1a2568cfb0bc2b26e072d1d5f15991e07d289af78c630e28437
SHA512: 8aa6e923ebd702162205f9158aaff24e2a0574356c9dd383054484f5c1191b2f190fea3dd961751da1888b3774d35d1a77751f5627d1b066dcfcbf778f7a6fa3
SSDeep: 768:PfwStm8MpXwNGQYby2AfoacJahMOCiob2gbOvz+K1uprUn/SgzX2/RcXJYWz+:PHR6u2A7MOCvbpbwq2kYn6mG/RcX1z+
TLSH: AC334C00F7E9C52AF1BD8B3898F322494679E557BA03DA5D0CC4159B0B13BC69A426FE

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_ICON
ID:0001
ID:0
RT_GROUP_CURSOR4
ID:0001
ID:0
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
Malware Configuration - AsyncRAT config
Key (AES_256): a0U5R3BCMGYzSnp2VVhtV1JZd2F2MGFlRk9xWWJJNkM=
Pastebin: -
Certificate: (base64 X.509 certificate blob)
ServerSignature:
Install: true
BDOS: false
Anti-VM: false
Install File: WindowsUpdateService.exe
Install-Folder: %AppData%
Hosts: jawared1-63785.portmap.host
Ports: 3006,63785
Mutex: QNtN6eFA02rO
Version: 0.5.8
Delay: 3
Group: Default

Information
Info: PE Detect: PeReader OK (file layout)
Module Name: iwn.exe
Full Name: iwn.exe
EntryPoint: System.Void Client.Program::Main()
Scope Name: iwn.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: iwn
Assembly Version: 1.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.8
Total Strings: 126
Main Method: System.Void Client.Program::Main()
Main IL Instruction Count: 70
Main IL: ldc.i4.0 <null> stloc.0 <null> br IL_0015: ldloc.0 ldc.i4 1000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldloc.0 <null> ldc.i4.1 <null> add <null> stloc.0 <null> ldloc.0 <null> ldsfld System.String Client.Settings::Delay call System.Int32 System.Convert::ToInt32(System.String) blt.s IL_0007: ldc.i4 1000 call System.Boolean Client.Settings::InitializeSettings() brtrue IL_0032: ldsfld System.String Client.Settings::RunPEProcess ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) ldsfld System.String Client.Settings::RunPEProcess call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue IL_0081: nop call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() callvirt System.String System.Reflection.Assembly::get_Location() call System.Byte[] System.IO.File::ReadAllBytes(System.String) ldsfld System.String Client.Settings::RunPEProcess ldstr explorer.exe call System.Boolean System.String::op_Equality(System.String,System.String) brtrue IL_006E: ldstr "C:\\Windows\\explorer.exe" ldstr C:\Windows\System32\svchost.exe br IL_0073: stloc.1 ldstr C:\Windows\explorer.exe stloc.1 <null> ldloc.1 <null> call System.Boolean Client.Helper.RunPE::Execute(System.Byte[],System.String) pop <null> ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> call System.Boolean Client.Helper.MutexControl::CreateMutex() brtrue IL_0092: ldsfld System.String Client.Settings::Anti ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) ldsfld System.String Client.Settings::Anti call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00A6: ldsfld System.String Client.Settings::Install call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis() ldsfld System.String Client.Settings::Install call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00BA: ldsfld System.String Client.Settings::BDOS call System.Void Client.Install.NormalStartup::Install() ldsfld System.String Client.Settings::BDOS call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00D8: call System.Void Client.Helper.Methods::PreventSleep() call System.Boolean Client.Helper.Methods::IsAdmin() brfalse IL_00D8: call System.Void Client.Helper.Methods::PreventSleep() call System.Void Client.Helper.ProcessCritical::Set() call System.Void Client.Helper.Methods::PreventSleep() leave IL_00E8: nop pop <null> leave IL_00E8: nop nop <null> call System.Boolean Client.Connection.ClientSocket::get_IsConnected() brtrue IL_00FD: leave IL_0108 call System.Void Client.Connection.ClientSocket::Reconnect() call System.Void Client.Connection.ClientSocket::InitializeClient() leave IL_0108: ldc.i4 5000 pop <null> leave IL_0108: ldc.i4 5000 ldc.i4 5000 call System.Void System.Threading.Thread::Sleep(System.Int32) br.s IL_00E8: nop

Artefacts
Key (AES_256): a0U5R3BCMGYzSnp2VVhtV1JZd2F2MGFlRk9xWWJJNkM=
CnC: jawared1-63785.portmap.host
Ports: 3006, 63785
Mutex: QNtN6eFA02rO
