Malicious

1772eac5be0b215cb982b38b749b9e79

PE Executable
|
MD5: 1772eac5be0b215cb982b38b749b9e79
|
Size: 646.48 KB
|
application/x-dosexec

Characteristics
Hash
Hash Value
MD5
1772eac5be0b215cb982b38b749b9e79
Sha1
edf753eda3fa9f936f036c94fb85fff732923b45
Sha256
d733c598df62dae156c7ea43eba97a49cb69503a56153eda9b7e899749a2903c
Sha384
d1e46c7630655812ea1964bb0b0d318ba933a9c132ad76e7060e87da2949ffc5a921317e929ed07ca76cac9e500f13e1
Sha512
c53108a73235fce0016b8452e242786a836be1f92575b57f5088c8dbf3af296c82db80713640e277290d5853188e3a588e2ff4ebda67958e5e7706183d7f63d7
SSDeep
12288:Q6j1dEoLO166Bwd/a6DjskTeac0VKet632Q/KRJ9lcWTUYhjAbiSBRrYkga35N:QEOoLOBBwdC6DjshaCGS2QSZlc2UQx4H
TLSH
94D4F12276E2C877C66221318EDD6BB6B1F6E7090F25488713C48B5E9B349E0D73927D

PeID

Microsoft Visual C++
Microsoft Visual C++ 5.0
Microsoft Visual C++ 6.0 DLL (Debug)
Microsoft Visual C++ 7.0 - 8.0
Microsoft Visual C++ v6.0
Microsoft Visual C++ v6.0 DLL
File Structure
7z-stream @ 0x00034600.7z
Malicious
NSI-SCRIPTS
Malicious
0.OPEN-EXPLORER.bat
1.INSTALL-VSCODE-UV.bat
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
2.INSTALL-MSYS2.bat
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
3.MAJ-MSYS2.bat
Malicious
[PowerShell Command]
Malicious
[Deobfuscated PS]
Malicious
4.DESTROY.bat
restore.sql
install-c.bat
install-elm.bat
install-graphviz.bat
install-ocaml.bat
install-postgres.bat
install-qemu.bat
install-rust.bat
postgres-start.bat
postgres-stop.bat
pyproject.toml
RunMSYS2Cmd.bat
settings.json
NSI-sauver.bat
NSI-importer.bat
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.sxdata
.rsrc
Resources
RT_ICON
ID:0001
ID:1033
ID:0002
ID:1033
RT_DIALOG
ID:0061
ID:1033
ID:0D48
ID:1033
ID:0DAC
ID:1033
ID:0ED8
ID:1033
RT_STRING
ID:001A
ID:1033
ID:001C
ID:1033
ID:001D
ID:1033
ID:0040
ID:1033
ID:00BC
ID:1033
ID:00BD
ID:1033
ID:00CF
ID:1033
ID:00D0
ID:1033
ID:00D5
ID:1033
ID:00D6
ID:1033
ID:00D7
ID:1033
ID:00DC
ID:1033
ID:00E8
ID:1033
ID:00E9
ID:1033
ID:00EA
ID:1033
ID:00EC
ID:1033
RT_GROUP_CURSOR4
ID:0001
ID:1033
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0001
ID:1033
Information
Name | Value
Info | PE Detect: PeReader OK (file layout)
Info | Overlay extracted: Overlay_c001c07c.bin (431948 bytes)


Characteristics
No malware configuration was found at this point.
Artefacts
Name | Value | Location
Deobfuscated PowerShell

^ "$t='%TARGET%';" ^ "$p=[Environment]::GetEnvironmentVariable('Path','User');" ^ "if([string]::IsNullOrEmpty($p)){ $new=$t } elseif(($p.Split(';') -notcontains $t)){ $new=$p.TrimEnd(';')+';'+$t } else { $new=$p };" ^ "[Environment]::SetEnvironmentVariable('Path',$new,'User')" Write-Output "Fini." "Le" "PATH" "a" "été" "modifié." "Toute" "application" "déjà" "ouverte" "ne" "prendra" "pas" "en" "compte" "les" "modifications." Pause endlocal

Malicious

1772eac5be0b215cb982b38b749b9e79 > 7z-stream @ 0x00034600.7z > NSI-SCRIPTS > 2.INSTALL-MSYS2.bat > [PowerShell Command]

Deobfuscated PowerShell

^ "$t='%TARGET%';" ^ "$p=[Environment]::GetEnvironmentVariable('Path','User');" ^ "if([string]::IsNullOrEmpty($p)){ $new=$t } elseif(($p.Split(';') -notcontains $t)){ $new=$p.TrimEnd(';')+';'+$t } else { $new=$p };" ^ "[Environment]::SetEnvironmentVariable('Path',$new,'User')" Write-Output "C'EST FINI" Write-Output "Relancez le script tant qu'il n'est pas indiqué 'there is nothing to do' ou 'Il n'y a rien à faire' 2 lignes au dessus ce celle-ci" Pause endlocal

Malicious

1772eac5be0b215cb982b38b749b9e79 > 7z-stream @ 0x00034600.7z > NSI-SCRIPTS > 3.MAJ-MSYS2.bat > [PowerShell Command]
