5c44f354eb2dbc466dbaa99252660d05

PE Executable
|
MD5: 5c44f354eb2dbc466dbaa99252660d05
|
Size: 1.24 MB
|
application/x-dosexec

Infection Chain

Summary by MalvaGPT

Characteristics

Hash	Hash Value
MD5	5c44f354eb2dbc466dbaa99252660d05
Sha1	58a8820fc7b7ec097ae058a81f270d48f30186fe
Sha256	148a66e153761e6bc969fbc4f98a40ed0a27d52469901eefe8cd6965ab4d09c5
Sha384	441dfd6fbadf00408bfe6c7abb2acf2193dd2efe42b5575455030ce941fb942aaac8b72660403835c836a37c3e86eb8a
Sha512	dd1639c97a7eddb6fc15f961ec4d7b44000c2c0e53ab5f62b991c53509b0027d905b0e4480767d239aa512b70c1056c8de009f4daac995afa8231ec69bedd115
SSDeep	24576:7nsJ39LyjbJkQFMhmC+6GD9d+kk0kqx2ciXD:7nsHyjtk2MYC5GDL+/cYD
TLSH	C745BF32F2D16437D1361FFD8C5BB3A85839BA511E24754E3BE41E8E4E3A2822D652D3

PeID

BobSoft Mini Delphi -> BoB / BobSoft

Borland Delphi 4.0

Borland Delphi v3.0

Borland Delphi v6.0 - v7.0

D1S1G v1.1 beta --> D1N

Microsoft Visual C++ v6.0 DLL

Pe123 v2006.4.4-4.12

File Structure

Malware Configuration - URLs in VBA/VBS Code

Config. Field0	Value
URL #1	https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
URL #2	https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

5c44f354eb2dbc466dbaa99252660d05 (1.24 MB)

	Module Name0
	ThisWorkbook	Blacklist VBA VBA Macro
PCode Decompiled VBA Stored VBA Partial Diff. Full Diff. Missing P-Code: The Office document under analysis has been identified as having undergone VBA Purging techniques, as the P-Code block within the document is currently inaccessible. As a result, the decompilation of the code was not possible, leaving only the stored code available in textual format for analysis. VBA Purging essentially involves the elimination of the PerformanceCache section from the module streams. To fully erase any traces of the P-Code section, the MODULEOFFSET between the two sections is adjusted to 0 by altering the _VBA_PROJECT stream, and all SRP streams that also house PerformanceCache data are removed. Following the removal of the compiled code, antivirus engines and Yara rules, which depend on precise string matches, are rendered ineffective. This allows macros to bypass them effortlessly, owing to the compressed format of the remaining source code.