Malicious
Malicious
Print
Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
f304c001ba733ced1a3b213dcf2d1ba0
Sha1
c65bdda766b3702eed9b4874e636e188169a924a
Sha256
32855d78f2bb5b72b9ea1a9284a04e52bdd3778fcf4e23eb6229356b9f158c10
Sha384
7b052b5aef04533c2d7549232b7e4d66e227fe3f93170ed781b1470a07f083a302d4be6927fa93554d636897cc5d294a
Sha512
85f34fd249f1a8ddbd1fcd8ea7037bd07baf3b9ccd45a61b800a13966900c94f576f914892bc478bf48b6413ccd71d3c93e1b2a4ee8a85a696fe1eaee9f060c9
SSDeep
12288:0zj3uX1wUG0PU1K31XjdkhGMe+7xlYCVWGP+743+dEZN3ZTNQ3isOUvNeCK:azuX2GPn316hOg/z+O+dEZrNkisn8CK
TLSH
03F423366CB89E7D0A7803E5A413DB054CE852D30C1C5CD776D8BD093BAB9819A1F5BB
File Structure
f304c001ba733ced1a3b213dcf2d1ba0
Malicious
[Base64-Block]
Malicious
file_0.bin
Malicious
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
InvokedClient.InvokedClientApplication.resources
costura.costura.dll.compressed
costura.costura.dll
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.costura.pdb.compressed
costura.costura.pdb
costura.gma.system.mousekeyhook.dll.compressed
costura.gma.system.mousekeyhook.dll
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.newtonsoft.json.dll.compressed
costura.newtonsoft.json.dll
[Authenticode]_220cad77.p7b
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.protobuf-net.dll.compressed
costura.protobuf-net.dll
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.system.diagnostics.diagnosticsource.dll.compressed
costura.system.diagnostics.diagnosticsource.dll
[Authenticode]_50c89911.p7b
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.invokedcommon.dll.compressed
costura.invokedcommon.dll
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
costura.metadata
ILRepack.List
Malware Configuration - QuasarRAT config.
Config. Field
 Value
Conf. AES-Salt

BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key

Version

D3bT5n8GVUpYAB3P2Z1Nn/w73pKBorcCyEgSOU+P4Ornw4oKyU4sv1B6b0QK98Gak2XbXAHoD4gnlN7INy3cHg==
Port

NZlG5eHN3/dQuJ/+i1vsXXhSHxX+/JPVpqM+pCIGlluuWrwrJBsSnoAhV9gqsR38R9sZmv9+3RQxpECGUdAWToI1ZWj/RP1U/0BXmlkA8GU=
Host

NZlG5eHN3/dQuJ/+i1vsXXhSHxX+/JPVpqM+pCIGlluuWrwrJBsSnoAhV9gqsR38R9sZmv9+3RQxpECGUdAWToI1ZWj/RP1U/0BXmlkA8GU=
ReconnectDelay

3000
Key

g8/TLHu3NS5tyVcHbJWDwiz1Ow4MaIKKs1P39s+L/ARbdofdBoVkOcruGwoEHqFWO0SOH2vSXocobps0m0LYlA==
SubDirectory

g/E4ZDtx118l3Lrv8P45MIsq8suOT+2giPYnpdYorInmyw/iiiN44YcbXzmfGMP4y/8Sp9nbbWb0jA7ic6uczw==
InstallName

1
Install

1
Startup

ciDXSwVmz24j5wlgADTaFsoQI9xmMybY7URwhVHzd6VSqh3fmGWGqGWvcf55Yd5C6np6+vZcv0trp2ejcFxWjTOei3PcRg73xGOekVKDdKgpO69H5QLCP/yzqQkcZWf+
Mutex

aQ4h7q+fex69g3OOOZtIKocinun85BIecy5gm6f/cPT84soyPQRadSH4YRMOxcNqM8tKw8FoOq4BiqmXaMJbdQ==
StartupKey

0
HideFile

1
EnableLogger

6B58BFD60FC3150331254A46D2E75F0856F5D0AE
EncryptionKey

pSmwbmB4UIuKx1kscrxyFrTsdY3HtHOUrlrE9CIaVcqFuE3EaSW88AQupo0NCVf6ks8TjlT6cEb3bdENAsVw+w==
Artefacts
Name
 Value
CnC

NZlG5eHN3/dQuJ/+i1vsXXhSHxX+/JPVpqM+pCIGlluuWrwrJBsSnoAhV9gqsR38R9sZmv9+3RQxpECGUdAWToI1ZWj/RP1U/0BXmlkA8GU=
Port

NZlG5eHN3/dQuJ/+i1vsXXhSHxX+/JPVpqM+pCIGlluuWrwrJBsSnoAhV9gqsR38R9sZmv9+3RQxpECGUdAWToI1ZWj/RP1U/0BXmlkA8GU=
f304c001ba733ced1a3b213dcf2d1ba0 (779.38 KB)
An error has occurred. This application may no longer respond until reloaded. Reload 🗙