Malicious
Malicious

PE Executable
MD5: 478a1956d73a21b08567fe4ee38b6da2
Size: 66.05 KB
application/x-dosexec
Ctrl + scroll to zoom · drag to pan

Get an AI-generated breakdown of this malware's behaviour, IOCs and recommendations.

AI analysis is available with Essential.
Unlock with Essential
Symbol Obfuscation Score Low
MD5 478a1956d73a21b08567fe4ee38b6da2
Sha1 cf16b32b7282fc4ec565945f8043d70776058730
Sha256 5d896a1e7acf19940db5d3dc02f125d84dddcdf8dfd344a87498d5fe157610a6
Sha384 b52aa5745ed74e56ce8164fa44037e0fe7981903e13497ea949c41716f52c202887fcbe4a04b01e08427acea1dbdb8fe
Sha512 ad249aecdb6e560bb47913b591378fe30b9db82b4fd54187dc9de4505004113f51450118d511bfedc8ac40576c99e98c2e5e8e7524008ed90700282e91578db0
SSDeep 768:XhWBkc+d5iPpVei89J+X6BZrPym873tiHyYd1+DSCv7mqb2nSpwHsoFBhLO8G2iI:XUud+e5P8ZiHyYBGbbrwfG2iVclN
TLSH 4C535B003798C965E2AD4AB4BCF2950106B5D5772102DB5E7CC405DBAB9EFC64A133FE
PeID
.NET executableMicrosoft Visual C# / Basic .NETMicrosoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL Microsoft Visual C# v7.0 / Basic .NETMicrosoft Visual Studio .NET
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
Config. Field Value
Key (AES_256) S0s4bkhuhuhuhuhuhuhuhuhuhuhu
Pastebin -huhuhuhu
Certificate MIICMDhuhuhuhuhuhuhuhuhuhuhu
ServerSignature WfQsaehuhuhuhuhuhuhuhuhuhuhu
Install thuhuhuhu
BDOS fhuhuhuhu
Anti-VM fhuhuhuhu
Install File Shielhuhuhuhuhuhuhu
Install-Folder %Aphuhuhuhu
Hosts hy7tpehuhuhuhuhuhuhuhuhuhuhu
Ports 80,443huhuhuhuhuhuhuhuhuhuhu
Mutex Dohuhuhuhu
Version 1huhuhuhu
Delay 1huhuhuhu
Group Shhuhuhuhu
We extracted this malware's full configuration (C2, credentials, campaign IDs…).
Unlock with Essential
Name Value
Info
PE Detect: PeReader OK (file layout)
Module Name
Shieldbrowser.exe
Full Name
Shieldbrowser.exe
EntryPoint
System.Void Client.Program::Main()
Scope Name
Shieldbrowser.exe
Scope Type
ModuleDef
Kind
Windows
Runtime Version
v4.0.30319
Tables Header Version
512
WinMD Version
<null>
Assembly Name
Shieldbrowser
Assembly Version
1.0.7.0
Assembly Culture
<null>
Has PublicKey
False
PublicKey Token
<null>
Target Framework
.NETFramework,Version=v4.0
Total Strings
157
Main Method
System.Void Client.Program::Main()
Main IL Instruction Count
77
Main IL
ldc.i4.0 <null>
stloc.0 <null>
br IL_0015: ldloc.0
ldc.i4 1000
call System.Void System.Threading.Thread::Sleep(System.Int32)
ldloc.0 <null>
ldc.i4.1 <null>
add <null>
stloc.0 <null>
ldloc.0 <null>
ldsfld System.String Client.Settings::De_lay
call System.Int32 System.Convert::ToInt32(System.String)
blt.s IL_0007: ldc.i4 1000
call System.Boolean Client.Settings::InitializeSettings()
brtrue IL_0032: nop
ldc.i4.0 <null>
call System.Void System.Environment::Exit(System.Int32)
nop <null>
ldsfld System.String Client.Settings::An_ti
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_0047: leave IL_0052
call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis()
leave IL_0052: call System.Void Client.Helper.A::B()
pop <null>
leave IL_0052: call System.Void Client.Helper.A::B()
call System.Void Client.Helper.A::B()
call System.Boolean Client.Helper.MutexControl::CreateMutex()
brtrue IL_0067: leave IL_0072
ldc.i4.0 <null>
call System.Void System.Environment::Exit(System.Int32)
leave IL_0072: nop
pop <null>
leave IL_0072: nop
nop <null>
ldsfld System.String Client.Settings::Anti_Process
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_0087: leave IL_0092
call System.Void Client.Helper.AntiProcess::StartBlock()
leave IL_0092: nop
pop <null>
leave IL_0092: nop
nop <null>
ldsfld System.String Client.Settings::BS_OD
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_00B1: leave IL_00BC
call System.Boolean Client.Helper.Methods::IsAdmin()
brfalse IL_00B1: leave IL_00BC
call System.Void Client.Helper.ProcessCritical::Set()
leave IL_00BC: nop
pop <null>
leave IL_00BC: nop
nop <null>
ldsfld System.String Client.Settings::In_stall
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_00D1: leave IL_00DC
call System.Void Client.Install.NormalStartup::Install()
leave IL_00DC: call System.Void Client.Helper.Methods::PreventSleep()
pop <null>
leave IL_00DC: call System.Void Client.Helper.Methods::PreventSleep()
call System.Void Client.Helper.Methods::PreventSleep()
call System.Boolean Client.Helper.Methods::IsAdmin()
brfalse IL_00F0: leave IL_00FB
call System.Void Client.Helper.Methods::ClearSetting()
leave IL_00FB: nop
pop <null>
leave IL_00FB: nop
nop <null>
call System.Boolean Client.Connection.ClientSocket::get_IsConnected()
brtrue IL_0110: leave IL_011B
call System.Void Client.Connection.ClientSocket::Reconnect()
call System.Void Client.Connection.ClientSocket::InitializeClient()
leave IL_011B: ldc.i4 5000
pop <null>
leave IL_011B: ldc.i4 5000
ldc.i4 5000
call System.Void System.Threading.Thread::Sleep(System.Int32)
br.s IL_00FB: nop
Module Name
Shieldbrowser.exe
Full Name
Shieldbrowser.exe
EntryPoint
System.Void Client.Program::Main()
Scope Name
Shieldbrowser.exe
Scope Type
ModuleDef
Kind
Windows
Runtime Version
v4.0.30319
Tables Header Version
512
WinMD Version
<null>
Assembly Name
Shieldbrowser
Assembly Version
1.0.7.0
Assembly Culture
<null>
Has PublicKey
False
PublicKey Token
<null>
Target Framework
.NETFramework,Version=v4.0
Total Strings
157
Main Method
System.Void Client.Program::Main()
Main IL Instruction Count
77
Main IL
ldc.i4.0 <null>
stloc.0 <null>
br IL_0015: ldloc.0
ldc.i4 1000
call System.Void System.Threading.Thread::Sleep(System.Int32)
ldloc.0 <null>
ldc.i4.1 <null>
add <null>
stloc.0 <null>
ldloc.0 <null>
ldsfld System.String Client.Settings::De_lay
call System.Int32 System.Convert::ToInt32(System.String)
blt.s IL_0007: ldc.i4 1000
call System.Boolean Client.Settings::InitializeSettings()
brtrue IL_0032: nop
ldc.i4.0 <null>
call System.Void System.Environment::Exit(System.Int32)
nop <null>
ldsfld System.String Client.Settings::An_ti
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_0047: leave IL_0052
call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis()
leave IL_0052: call System.Void Client.Helper.A::B()
pop <null>
leave IL_0052: call System.Void Client.Helper.A::B()
call System.Void Client.Helper.A::B()
call System.Boolean Client.Helper.MutexControl::CreateMutex()
brtrue IL_0067: leave IL_0072
ldc.i4.0 <null>
call System.Void System.Environment::Exit(System.Int32)
leave IL_0072: nop
pop <null>
leave IL_0072: nop
nop <null>
ldsfld System.String Client.Settings::Anti_Process
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_0087: leave IL_0092
call System.Void Client.Helper.AntiProcess::StartBlock()
leave IL_0092: nop
pop <null>
leave IL_0092: nop
nop <null>
ldsfld System.String Client.Settings::BS_OD
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_00B1: leave IL_00BC
call System.Boolean Client.Helper.Methods::IsAdmin()
brfalse IL_00B1: leave IL_00BC
call System.Void Client.Helper.ProcessCritical::Set()
leave IL_00BC: nop
pop <null>
leave IL_00BC: nop
nop <null>
ldsfld System.String Client.Settings::In_stall
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse IL_00D1: leave IL_00DC
call System.Void Client.Install.NormalStartup::Install()
leave IL_00DC: call System.Void Client.Helper.Methods::PreventSleep()
pop <null>
leave IL_00DC: call System.Void Client.Helper.Methods::PreventSleep()
call System.Void Client.Helper.Methods::PreventSleep()
call System.Boolean Client.Helper.Methods::IsAdmin()
brfalse IL_00F0: leave IL_00FB
call System.Void Client.Helper.Methods::ClearSetting()
leave IL_00FB: nop
pop <null>
leave IL_00FB: nop
nop <null>
call System.Boolean Client.Connection.ClientSocket::get_IsConnected()
brtrue IL_0110: leave IL_011B
call System.Void Client.Connection.ClientSocket::Reconnect()
call System.Void Client.Connection.ClientSocket::InitializeClient()
leave IL_011B: ldc.i4 5000
pop <null>
leave IL_011B: ldc.i4 5000
ldc.i4 5000
call System.Void System.Threading.Thread::Sleep(System.Int32)
br.s IL_00FB: nop
Key (AES_256) MUTEXmalicious
S0s4bkhuhuhuhuhuhuhuhuhuhuhu
CnC CNCmalicious
hy7thuhuhuhuhuhuhu
CnC CNCmalicious
www.hyhuhuhuhuhuhuhu
CnC CNCmalicious
qenhuhuhuhu
CnC CNCmalicious
www.huhuhuhuhuhuhu
CnC CNCmalicious
www.huhuhuhuhuhuhu
CnC CNCmalicious
rcnhuhuhuhu
CnC CNCmalicious
www.smhuhuhuhuhuhuhu
CnC CNCmalicious
smileehuhuhuhuhuhuhu
CnC CNCmalicious
www.hhuhuhuhuhuhuhu
CnC CNCmalicious
hrhshuhuhuhu
CnC CNCmalicious
gtihuhuhuhu
CnC CNCmalicious
www.huhuhuhuhuhuhu
CnC CNCmalicious
www.huhuhuhuhuhuhu
CnC CNCmalicious
dughuhuhuhu
CnC CNCmalicious
www.cohuhuhuhuhuhuhuhuhuhuhu
CnC CNCmalicious
companhuhuhuhuhuhuhuhuhuhuhu
Ports PORTmalicious
8huhuhuhu
Ports PORTmalicious
4huhuhuhu
Ports PORTmalicious
1huhuhuhu
Ports PORTmalicious
4huhuhuhu
Ports PORTmalicious
5huhuhuhu
Ports PORTmalicious
6huhuhuhu
Ports PORTmalicious
6huhuhuhu
Ports PORTmalicious
8huhuhuhu
Ports PORTmalicious
8huhuhuhu
Mutex MUTEXmalicious
Dohuhuhuhu
Full artefact values (URLs, paths, registry keys, scripts…) are available with Essential.
Unlock with Essential
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
Config. Field Value
Key (AES_256) S0s4bkhuhuhuhuhuhuhuhuhuhuhu
Pastebin -huhuhuhu
Certificate MIICMDhuhuhuhuhuhuhuhuhuhuhu
ServerSignature WfQsaehuhuhuhuhuhuhuhuhuhuhu
Install thuhuhuhu
BDOS fhuhuhuhu
Anti-VM fhuhuhuhu
Install File Shielhuhuhuhuhuhuhu
Install-Folder %Aphuhuhuhu
Hosts hy7tpehuhuhuhuhuhuhuhuhuhuhu
Ports 80,443huhuhuhuhuhuhuhuhuhuhu
Mutex Dohuhuhuhu
Version 1huhuhuhu
Delay 1huhuhuhu
Group Shhuhuhuhu
We extracted this malware's full configuration (C2, credentials, campaign IDs…).
Unlock with Essential
Key (AES_256) MUTEXmalicious
S0s4bkhuhuhuhuhuhuhuhuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
hy7thuhuhuhuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
www.hyhuhuhuhuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
qenhuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
www.huhuhuhuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
www.huhuhuhuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
rcnhuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
www.smhuhuhuhuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
smileehuhuhuhuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
www.hhuhuhuhuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
hrhshuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
gtihuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
www.huhuhuhuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
www.huhuhuhuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
dughuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
www.cohuhuhuhuhuhuhuhuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
CnC CNCmalicious
companhuhuhuhuhuhuhuhuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
Ports PORTmalicious
8huhuhuhu
478a1956d73a21b08567fe4ee38b6da2
Ports PORTmalicious
4huhuhuhu
478a1956d73a21b08567fe4ee38b6da2
Ports PORTmalicious
1huhuhuhu
478a1956d73a21b08567fe4ee38b6da2
Ports PORTmalicious
4huhuhuhu
478a1956d73a21b08567fe4ee38b6da2
Ports PORTmalicious
5huhuhuhu
478a1956d73a21b08567fe4ee38b6da2
Ports PORTmalicious
6huhuhuhu
478a1956d73a21b08567fe4ee38b6da2
Ports PORTmalicious
6huhuhuhu
478a1956d73a21b08567fe4ee38b6da2
Ports PORTmalicious
8huhuhuhu
478a1956d73a21b08567fe4ee38b6da2
Ports PORTmalicious
8huhuhuhu
478a1956d73a21b08567fe4ee38b6da2
Mutex MUTEXmalicious
Dohuhuhuhu
478a1956d73a21b08567fe4ee38b6da2
Full artefact values (URLs, paths, registry keys, scripts…) are available with Essential.
Unlock with Essential
You must be signed in to view YARA rules.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙