Malicious
Malicious

0264751f6495eff1100a4c14e5e6a8dc

Share on LinkedIn
Print
PE Executable
MD5: 0264751f6495eff1100a4c14e5e6a8dc
Size: 27.14 KB
application/x-dosexec
Ctrl + scroll to zoom · drag to pan

Get an AI-generated breakdown of this malware's behaviour, IOCs and recommendations.

AI analysis is available with Essential.
Unlock with Essential
Symbol Obfuscation Score Low
MD5 0264751f6495eff1100a4c14e5e6a8dc
Sha1 e0052a8ad8311e1ca2074362c9828afd6880811a
Sha256 ed0f08343c0f3288db6fa05dfbe5722e6a6d39a7d985d198e54c63876fc1c22a
Sha384 0d5e1d15af1ec311fcf0fa383368d6ee3e3df2e19409c15805eeb9d2d61b568bfb0420ad4ab905bc3e110103f2abe6e7
Sha512 5a465ce71fd713e87bb5ecc694a58d23abe395610a30f449a9712290ecc4a8a5abf777d1c66c8985462c4945334461d39684e12f27e6666a506f6f2534389671
SSDeep 384:lgSVEEMiNPWiilvaR90gVqH9qbuUsAbQxnCJfJBndnjJoKX3:lgSVXFWaIIbqBiBn5X3
TLSH 8FC22C0833E8C576D1FD4A7D883386109735A95B9D23DB5A5FC490AE2933BC98B14FD4
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
STICH beta Structural Threat Infection Chain Hash

A content-independent fingerprint of the infection method: successive formats, internal objects and MITRE techniques from the initial file to each final payload.

Structural branches: 1 STICH kept: 1
STICH Path = the fingerprint (canonical chain with techniques) STICH Shape = structure only Only determinant branches produce STICH Paths.
1 / 1
Path pe:exe>pe:rsrc>bin
Shape pe:exe>pe:rsrc>bin
malicious 3 nodes
Config. Field Value
Key (AES_256) Byhuhuhuhu
Pastebin -huhuhuhu
Install fhuhuhuhu
Install File Tehuhuhuhu
Install-Folder %huhuhuhu
Version 0.huhuhuhu
Hosts f16huhuhuhu
Ports 4huhuhuhu
Mutex Aphuhuhuhu
Delay 0huhuhuhu
Group NYhuhuhuhu
We extracted this malware's full configuration (C2, credentials, campaign IDs…).
Unlock with Essential
Name Value
Info
PE Detect: PeReader OK (file layout)
Info
PDB Path: C:\new\Client\obj\Debug\S8APP.pdb
Module Name
S8APP.exe
Full Name
S8APP.exe
EntryPoint
System.Void Client.Program::Main()
Scope Name
S8APP.exe
Scope Type
ModuleDef
Kind
Windows
Runtime Version
v4.0.30319
Tables Header Version
512
WinMD Version
<null>
Assembly Name
S8APP
Assembly Version
1.0.0.0
Assembly Culture
<null>
Has PublicKey
False
PublicKey Token
<null>
Target Framework
.NETFramework,Version=v4.8
Total Strings
122
Main Method
System.Void Client.Program::Main()
Main IL Instruction Count
101
Main IL
nop <null>
ldc.i4.0 <null>
stloc.0 <null>
br.s IL_0016: ldloc.0
nop <null>
ldc.i4 1000
call System.Void System.Threading.Thread::Sleep(System.Int32)
nop <null>
nop <null>
ldloc.0 <null>
ldc.i4.1 <null>
add <null>
stloc.0 <null>
ldloc.0 <null>
ldsfld System.String Client.Settings::Delay
call System.Int32 System.Convert::ToInt32(System.String)
clt <null>
stloc.1 <null>
ldloc.1 <null>
brtrue.s IL_0005: nop
call System.Boolean Client.Settings::InitializeSettings()
ldc.i4.0 <null>
ceq <null>
stloc.2 <null>
ldloc.2 <null>
brfalse.s IL_003A: nop
ldc.i4.0 <null>
call System.Void System.Environment::Exit(System.Int32)
nop <null>
nop <null>
nop <null>
call System.Boolean Client.Helper.MutexControl::CreateMutex()
ldc.i4.0 <null>
ceq <null>
stloc.3 <null>
ldloc.3 <null>
brfalse.s IL_004F: ldsfld System.String Client.Settings::Anti
ldc.i4.0 <null>
call System.Void System.Environment::Exit(System.Int32)
nop <null>
ldsfld System.String Client.Settings::Anti
call System.Boolean System.Convert::ToBoolean(System.String)
stloc.s V_4
ldloc.s V_4
brfalse.s IL_0065: ldsfld System.String Client.Settings::Install
call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis()
nop <null>
ldsfld System.String Client.Settings::Install
call System.Boolean System.Convert::ToBoolean(System.String)
stloc.s V_5
ldloc.s V_5
brfalse.s IL_007B: ldsfld System.String Client.Settings::BDOS
call System.Void Client.Install.NormalStartup::Install()
nop <null>
ldsfld System.String Client.Settings::BDOS
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse.s IL_008E: ldc.i4.0
call System.Boolean Client.Helper.Methods::IsAdmin()
br.s IL_008F: stloc.s V_6
ldc.i4.0 <null>
stloc.s V_6
ldloc.s V_6
brfalse.s IL_009B: call System.Void Client.Helper.Methods::PreventSleep()
call System.Void Client.Helper.ProcessCritical::Set()
nop <null>
call System.Void Client.Helper.Methods::PreventSleep()
nop <null>
nop <null>
leave.s IL_00A9: br.s IL_00DD
pop <null>
nop <null>
nop <null>
leave.s IL_00A9: br.s IL_00DD
br.s IL_00DD: ldc.i4.1
nop <null>
nop <null>
call System.Boolean Client.Connection.ClientSocket::get_IsConnected()
ldc.i4.0 <null>
ceq <null>
stloc.s V_7
ldloc.s V_7
brfalse.s IL_00C9: nop
nop <null>
call System.Void Client.Connection.ClientSocket::Reconnect()
nop <null>
call System.Void Client.Connection.ClientSocket::InitializeClient()
nop <null>
nop <null>
nop <null>
leave.s IL_00D1: ldc.i4 5000
pop <null>
nop <null>
nop <null>
leave.s IL_00D1: ldc.i4 5000
ldc.i4 5000
call System.Void System.Threading.Thread::Sleep(System.Int32)
nop <null>
nop <null>
ldc.i4.1 <null>
stloc.s V_8
br.s IL_00AB: nop
Key (AES_256) MUTEXmalicious
Byhuhuhuhu
CnC CNCmalicious
f16huhuhuhu
Ports PORTmalicious
4huhuhuhu
Mutex MUTEXmalicious
Aphuhuhuhu
Full artefact values (URLs, paths, registry keys, scripts…) are available with Essential.
Unlock with Essential
An error has occurred. This application may no longer respond until reloaded. Reload 🗙