Malicious

ff1a12e4d8893d45f879246a730820d3

PE Executable | MD5: ff1a12e4d8893d45f879246a730820d3 | Size: 393.23 KB | application/x-dosexec

Characteristics

Symbol Obfuscation Score: Medium

Hash

MD5: ff1a12e4d8893d45f879246a730820d3
SHA1: 60fc04840ae64ec19508b2076aad39bf1192583a
SHA256: ac101741124b522aa5735fa21bbcf947542e01edfcbe0eb7fb99e768bab558bf
SHA384: edb974ec267dd977f743bc4712a59166059683bf56f17182f50f30e6327c25e9db0daac025b951a0c216dfe8b989c04c
SHA512: cc568f04d1cb52c3fe6be8e278a0fecef5029b798f6445c4f7f07b596dc7c70a34ad4182ab14896d9680214acf51b387d96f36d9edc8f14e41ebf988235c3ce4
SSDeep: 6144:JTNHXf500MtAbsJ3j8d7bjpiACNmfOBpPvCYXi:Vd50GMwYvNmWvPvbi
TLSH: 6684491363A8A53BF1BFC736E73606045BB194467712E38B5A6854BD6C12386BD80BF3

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
.Net Resources
xClient.Properties.Resources.resources
information
[NBF]root.Data
[NBF]root.Data-preview.png
Malware Configuration - QuasarRAT config.

Conf. AES-Salt: BF-EB-1E-56-FB-CD-97-3B-B2-19-02-24-30-A5-78-43-00-3D-56-44-D2-1E-62-B9-D4-F1-80-E7-E6-C3-39-41
Conf. AES-Key: HwssTMExilQzNxqkBd0F
Version: 1.3.0.0
Port: 47
Host: 192.168.0.100
ReconnectDelay: 3000
Key: 1WvgEMPjdwfqIMeM9MclyQ==
AuthKey: NcFtjbDOcsw7Evd3coMC0y4koy/SRZGydhNmno81ZOWOvdfg7sv0Cj5ad2ROUfX4QMscAIjYJdjrrs41+qcQwg==
SubDirectory: SubDir
InstallName: Client.exe
Install: 1
Startup: 1
Mutex: QSR_MUTEX_AYGdK0
StartupKey: Quasar Client St
HideFile: 1
EnableLogger: 1
Tag: Office04
LogDirectory: Logs
HideLogDirectory: 1
HideLogSubdirectory: 1

Reading the configuration: the two rows prefixed "Conf." are not Quasar settings themselves but the passphrase and the fixed salt with which the client decrypts its stored settings at start-up; the extractor reports them so the decryption can be reproduced. Every other row is a decrypted setting. Host 192.168.0.100 is an RFC 1918 private address, so this build phones home to a host on the victim's own LAN (typical of a test build, or of an operator staging from an internal foothold); it is not a useful network indicator outside that network. The portable indicators are the mutex QSR_MUTEX_AYGdK0, the startup value name (StartupKey, as reported), the install name Client.exe under the SubDir subdirectory, and the Logs directory; with HideFile and HideLogDirectory set, the dropped copy and its log directory are marked hidden. Install=1 and Startup=1 mean the client copies itself and registers for autostart on first run.

Information

Info: PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info: Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_ed5573ad.exe

A plain file-layout PE reader failed on the submitted bytes and the assembly could only be parsed as a memory-mapped image, so the sandbox rebuilt a file-layout copy in memory before reading the .NET metadata. This is why the artefacts list tags the PE layout as a suspected process dump.

Module Name: Client.exe
Full Name: Client.exe
EntryPoint: System.Void ᫠ವ௓麔ܨ竩�跺꘯鞲ꤪꚽ诵랚镾::Main(System.String[])
Scope Name: Client.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512 (0x0200, metadata tables schema 2.0)
WinMD Version: <null>
Assembly Name: Client
Assembly Version: 1.3.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.0,Profile=Client
Total Strings: 896
Main Method: System.Void ᫠ವ௓麔ܨ竩�跺꘯鞲ꤪꚽ诵랚镾::Main(System.String[])
Main IL Instruction Count: 19

Main IL (one instruction per line; branch operands shown as their target label):

  call       System.Void System.Windows.Forms.Application::EnableVisualStyles()
  ldc.i4.0
  call       System.Void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(System.Boolean)
  call       System.AppDomain System.AppDomain::get_CurrentDomain()
  ldnull
  ldftn      System.Void ᫠ವ௓麔ܨ竩�跺꘯鞲ꤪꚽ诵랚镾::蟅ڃ꭛犸톏牗⍋䦁鉃ꗞ렓壦賧師ඳट걮(System.Object,System.UnhandledExceptionEventArgs)
  newobj     System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr)
  callvirt   System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler)
  call       System.Boolean 唡ꆥ瀶쎣㴩ᲊ뛕䳑径꒚裴퍘䂰쒰锋큉�곑::ꫯ㬳쫊Ἃ㲘붬弖譐잜悒年莽�Լ鎧妟䔾()
  brfalse.s  IL_0040
  call       System.Boolean ᫠ವ௓麔ܨ竩�跺꘯鞲ꤪꚽ诵랚镾::鵰땸痼픦䞚车㞽ᄟ㞸ពℌ￷薁魼묔炆利ᣚ㈻帱()
  brfalse.s  IL_0040
  call       System.Boolean 榽⚠ፇ�ᱥඊ偵ી⺌၌애鰻手컋ʈ鑝ꥮꏋ㶊ꉧ::get_Exiting()
  brtrue.s   IL_0040
  ldsfld     榽⚠ፇ�ᱥඊ偵ી⺌၌애鰻手컋ʈ鑝ꥮꏋ㶊ꉧ ᫠ವ௓麔ܨ竩�跺꘯鞲ꤪꚽ诵랚镾::蓉찙赡छٓㄌ࠸ᛡ圝魚똜앩슝ɀ㨶簘藺蝠楣뛡
  callvirt   System.Void 榽⚠ፇ�ᱥඊ偵ી⺌၌애鰻手컋ʈ鑝ꥮꏋ㶊ꉧ::辍槌橮⇌춡黸ʭ窀싖崤臻鼼"㵢ꏲ탌﷢쐾돣ﰄ()
IL_0040:
  call       System.Void ᫠ವ௓麔ܨ竩�跺꘯鞲ꤪꚽ诵랚镾::殤ự幍瀇梲㩼浳屫鞙展朰䚉朴偣➂ኊ酷()
  call       System.Void ᫠ವ௓麔ܨ竩�跺꘯鞲ꤪꚽ诵랚镾::䫼瑷돬㒏⥂╶쇻㧸㾽푕䕒豆ꟶ쌿㶾풭笻䡨䲀駓()
  ret

Reading the entry point: after the WinForms boilerplate and registration of an UnhandledException handler, two obfuscated static methods returning System.Boolean gate the path, a third check reads get_Exiting (a property accessor the renamer left alone), and only then is a static field loaded and an instance method on it invoked. All three branches and the fall-through converge on IL_0040, two further calls and ret. That shape is consistent with the QuasarRAT client's Main, which initialises settings and performs install/startup before connecting; the obfuscator renamed the sample's own types and methods to unprintable Unicode identifiers (hence the Medium symbol-obfuscation score) but could not rename the framework calls, which remain the readable anchors.

Artefacts

CnC: 192.168.0.100
Port: 47
PE Layout: MemoryMapped (process dump suspected)

Each artefact was recovered both from the submitted file (ff1a12e4d8893d45f879246a730820d3) and from the sandbox's file-layout rebuild of it, [Rebuild from dump]_ed5573ad.exe. Because the submitted bytes are in memory-mapped layout, the hashes at the top of this page identify a process-memory dump rather than the binary as it was dropped on disk; hash-based hunting for this client should not expect an on-disk copy to match them.
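The Info rows under Information describe the sandbox's remap step. The following Go program is an added example, not the sandbox's code: it shows what turning a memory-mapped image back into file layout involves, namely rewriting each section header so that PointerToRawData equals VirtualAddress and SizeOfRawData equals VirtualSize, without moving a single byte of section data. The tiny PE image it builds (two sections whose bytes sit at their RVAs while the headers still claim file-layout offsets, as in a process dump) is constructed test data; parseSections, remapToFileLayout and rawBytes are names chosen for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

var le = binary.LittleEndian

const sectionHdrSize = 40 // sizeof(IMAGE_SECTION_HEADER)

// section holds the IMAGE_SECTION_HEADER fields the remap touches.
type section struct {
	Name                            string
	VirtualSize, VirtualAddress     uint32
	SizeOfRawData, PointerToRawData uint32
}

// parseSections validates the MZ/PE headers and returns the section table and
// its offset. SizeOfOptionalHeader comes from the COFF header, so PE32 and
// PE32+ are handled alike.
func parseSections(img []byte) ([]section, int, error) {
	if len(img) < 64 || string(img[:2]) != "MZ" {
		return nil, 0, errors.New("not an MZ image")
	}
	pe := int(le.Uint32(img[60:]))
	if pe+24 > len(img) || string(img[pe:pe+4]) != "PE\x00\x00" {
		return nil, 0, errors.New("bad PE signature")
	}
	n, optSize := int(le.Uint16(img[pe+6:])), int(le.Uint16(img[pe+20:]))
	tbl := pe + 24 + optSize
	if tbl+n*sectionHdrSize > len(img) {
		return nil, 0, errors.New("section table truncated")
	}
	secs := make([]section, n)
	for i := range secs {
		h := img[tbl+i*sectionHdrSize:]
		secs[i] = section{string(bytes.TrimRight(h[:8], "\x00")),
			le.Uint32(h[8:]), le.Uint32(h[12:]), le.Uint32(h[16:]), le.Uint32(h[20:])}
	}
	return secs, tbl, nil
}

// remapToFileLayout returns a copy whose headers say "this section's bytes are
// at its RVA": PointerToRawData := VirtualAddress, SizeOfRawData := VirtualSize.
// Section data is untouched; a file-layout reader now resolves RVAs (CLI
// header, metadata root, resources) to the right bytes.
func remapToFileLayout(img []byte) ([]byte, error) {
	out := append([]byte(nil), img...)
	secs, tbl, err := parseSections(out)
	if err != nil {
		return nil, err
	}
	for i, s := range secs {
		h := out[tbl+i*sectionHdrSize:]
		le.PutUint32(h[16:], s.VirtualSize)
		le.PutUint32(h[20:], s.VirtualAddress)
	}
	return out, nil
}

// rawBytes reads a section the way a file-layout reader does.
func rawBytes(img []byte, s section) []byte {
	end := uint64(s.PointerToRawData) + uint64(s.SizeOfRawData)
	if end > uint64(len(img)) {
		return nil
	}
	return img[s.PointerToRawData:end]
}

// buildDumpImage constructs (test data, not a real sample) a 32-bit PE image in
// process-dump layout: headers claim .text at file offset 0x400 and .rsrc at
// 0x600, but the bytes sit at their RVAs 0x1000 and 0x2000.
func buildDumpImage() []byte {
	img := make([]byte, 0x3000) // SizeOfImage
	copy(img, "MZ")
	le.PutUint32(img[60:], 0x80) // e_lfanew
	copy(img[0x80:], "PE\x00\x00")
	le.PutUint16(img[0x84:], 0x14c) // Machine: i386
	le.PutUint16(img[0x86:], 2)     // NumberOfSections
	le.PutUint16(img[0x94:], 0xE0)  // SizeOfOptionalHeader (PE32)
	opt := img[0x98:]
	le.PutUint16(opt, 0x10b)        // PE32 magic
	le.PutUint32(opt[32:], 0x1000)  // SectionAlignment
	le.PutUint32(opt[36:], 0x200)   // FileAlignment
	le.PutUint32(opt[56:], 0x3000)  // SizeOfImage
	le.PutUint32(opt[60:], 0x400)   // SizeOfHeaders
	tbl := 0x98 + 0xE0
	put := func(i int, name string, vsize, va, rsize, rptr uint32) {
		h := img[tbl+i*sectionHdrSize:]
		copy(h, name)
		le.PutUint32(h[8:], vsize)
		le.PutUint32(h[12:], va)
		le.PutUint32(h[16:], rsize)
		le.PutUint32(h[20:], rptr)
	}
	put(0, ".text", 0x100, 0x1000, 0x200, 0x400)
	put(1, ".rsrc", 0x80, 0x2000, 0x200, 0x600)
	copy(img[0x1000:], "TEXT-AT-RVA")
	copy(img[0x2000:], "RSRC-AT-RVA")
	return img
}

func main() {
	dump := buildDumpImage()
	secs, _, _ := parseSections(dump)
	fmt.Printf("dump: .text via raw pointer 0x%x = %q\n", secs[0].PointerToRawData, rawBytes(dump, secs[0])[:11])
	fixed, _ := remapToFileLayout(dump)
	secs, _, _ = parseSections(fixed)
	fmt.Printf("remapped: .text via raw pointer 0x%x = %q\n", secs[0].PointerToRawData, rawBytes(fixed, secs[0])[:11])
}
```

The remap is only meaningful when the buffer is a full image (at least SizeOfImage long); on a genuinely file-layout PE it would point every reader at the wrong bytes, so check which layout you have before applying it. It also does not undo what the loader did in memory (resolved imports, applied relocations), which is why a rebuilt dump is fine for metadata and string extraction but should not be treated as a byte-for-byte copy of the dropped file.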

