Suspicious
Suspect

5dd8e125c6d0881c39b022153a4fdb88

PE Executable | MD5: 5dd8e125c6d0881c39b022153a4fdb88 | Size: 47.62 KB | application/x-dosexec

Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score: Very low

Hash
MD5: 5dd8e125c6d0881c39b022153a4fdb88
Sha1: 1af72284c1bf1b50a30019d67c4dece7816a6547
Sha256: 70134da287cbda239af35c4e6c8e49593904e2e5f99d8ca3c395b7244ff09384
Sha384: 036438b2906eb4facc93c5270cd5e6b0af3de04aba6dd01b9052f5839cc68387c8e67364143240eb0bdec49c1b5a2e0d
Sha512: 498a4fcd28351b9f692807ebf447a5f6ee23ccdce0d6efcdfd4b929c6e5daca17fbbd726236fb16f630b0af43b77ff8cbc27065dfcd57fbb0ec370c88bd8f48e
SSDeep: 768:9VxooPVZT+nKR3FDtoze1SZhETh7tD5EFlk/:L2GVZhRVKe1Sm7tz/
TLSH: FE23824637EC5616F6BF6F7CA97606110B77B9226C34DA1D0CDC20DE1BA3B018861BA7

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
Information
Module Name: WSuspicious.exe
Full Name: WSuspicious.exe
EntryPoint: System.Int32 WSuspicious.Program::Main(System.String[])
Scope Name: WSuspicious.exe
Scope Type: ModuleDef
Kind: Console
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: WSuspicious
Assembly Version: 1.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.5
Total Strings: 123
Main Method: System.Int32 WSuspicious.Program::Main(System.String[])
Main IL Instruction Count: 217
Main IL:

nop <null> ldarg.0 <null> call System.Collections.Generic.Dictionary`2<System.String,System.String> WSuspicious.Utility.ArgumentsParser::parse(System.String[]) stloc.0 <null> ldloc.0 <null> ldstr /help callvirt System.Boolean System.Collections.Generic.Dictionary`2<System.String,System.String>::ContainsKey(System.String) stloc.3 <null> ldloc.3 <null> brfalse.s IL_0026: ldstr "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\" nop <null> call System.Void WSuspicious.Program::PrintHelp() nop <null> ldc.i4.0 <null> stloc.s V_4 br IL_0259: ldloc.s V_4 ldstr HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ ldstr WUServer ldnull <null> call System.Object Microsoft.Win32.Registry::GetValue(System.String,System.String,System.Object) castclass System.String stloc.1 <null> ldnull <null> stloc.2 <null> ldloc.1 <null> ldnull <null> cgt.un <null> stloc.s V_5 ldloc.s V_5 brfalse IL_023C: nop nop <null> ldloc.1 <null> newobj System.Void System.Uri::.ctor(System.String) stloc.s V_6 ldloc.s V_6 callvirt System.String System.Uri::get_Host() stloc.2 <null> ldnull <null> stloc.s V_7 ldloc.s V_6 callvirt System.String System.Uri::get_Scheme() ldstr https call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_007F: ldc.i4.0 ldloc.0 <null> ldstr /enabletls callvirt System.Boolean System.Collections.Generic.Dictionary`2<System.String,System.String>::ContainsKey(System.String) br.s IL_0080: stloc.s V_10 ldc.i4.0 <null> stloc.s V_10 ldloc.s V_10 brfalse.s IL_00B0: ldloc.s V_6 nop <null> ldstr The WSUS Server is using HTTPS. Adding a self-signed certificate to store call System.Void System.Console::WriteLine(System.String) nop <null> ldloc.2 <null> call System.Security.Cryptography.X509Certificates.X509Certificate2 WSuspicious.Servers.Proxy.tls.CertificateMaker::MakeCertificate(System.String) stloc.s V_7 ldstr Prompting user to add the certificate. Please wait. 
call System.Void System.Console::WriteLine(System.String) nop <null> ldloc.s V_7 call System.Void WSuspicious.Servers.Proxy.tls.CertificateMaker::AddToTrustStore(System.Security.Cryptography.X509Certificates.X509Certificate2) nop <null> nop <null> br.s IL_00E6: ldstr "Detected WSUS Server - {0}" ldloc.s V_6 callvirt System.String System.Uri::get_Scheme() ldstr https call System.Boolean System.String::op_Equality(System.String,System.String) stloc.s V_11 ldloc.s V_11 brfalse.s IL_00E6: ldstr "Detected WSUS Server - {0}" nop <null> ldstr The WSUS Server is using HTTPS and we are not configured to accept TLS connections. call System.Void System.Console::WriteLine(System.String) nop <null> ldstr Exiting now. call System.Void System.Console::WriteLine(System.String) nop <null> ldc.i4.0 <null> stloc.s V_4 br IL_0259: ldloc.s V_4 ldstr Detected WSUS Server - {0} ldloc.2 <null> call System.String System.String::Format(System.String,System.Object) call System.Void System.Console::WriteLine(System.String) nop <null> ldloc.0 <null> ldstr /exe callvirt System.String System.Collections.Generic.Dictionary`2<System.String,System.String>::get_Item(System.String) call System.Byte[] System.IO.File::ReadAllBytes(System.String) stloc.s V_8 ldnull <null> stloc.s V_9 ldloc.0 <null> ldstr /downloadport callvirt System.Boolean System.Collections.Generic.Dictionary`2<System.String,System.String>::ContainsKey(System.String) stloc.s V_12 ldloc.s V_12 brfalse.s IL_0140: ldloc.2 nop <null> ldloc.0 <null> ldstr /downloadport callvirt System.String System.Collections.Generic.Dictionary`2<System.String,System.String>::get_Item(System.String) call System.Int32 System.Int32::Parse(System.String) ldloc.s V_8 newobj System.Void WSuspicious.Servers.HttpServer::.ctor(System.Int32,System.Byte[]) stloc.s V_9 ldloc.s V_9 callvirt System.Void WSuspicious.Servers.HttpServer::Start() nop <null> nop <null> ldloc.2 <null> ldloc.s V_8 ldloc.0 <null> ldstr /exe callvirt System.String 
System.Collections.Generic.Dictionary`2<System.String,System.String>::get_Item(System.String) call System.String System.IO.Path::GetFileName(System.String) ldloc.0 <null> ldstr /command callvirt System.String System.Collections.Generic.Dictionary`2<System.String,System.String>::get_Item(System.String) ldloc.0 <null> ldstr /debug callvirt System.Boolean System.Collections.Generic.Dictionary`2<System.String,System.String>::ContainsKey(System.String) ldloc.0 <null> ldstr /downloadport callvirt System.Boolean System.Collections.Generic.Dictionary`2<System.String,System.String>::ContainsKey(System.String) brtrue.s IL_0179: ldstr "localhost:{0}" ldnull <null> br.s IL_018E: ldloc.s V_7 ldstr localhost:{0} ldloc.0 <null> ldstr /downloadport callvirt System.String System.Collections.Generic.Dictionary`2<System.String,System.String>::get_Item(System.String) call System.String System.String::Format(System.String,System.Object) ldloc.s V_7 newobj System.Void WSuspicious.Servers.Proxy.WsusProxy::.ctor(System.String,System.Byte[],System.String,System.String,System.Boolean,System.String,System.Security.Cryptography.X509Certificates.X509Certificate2) stloc.s V_13 nop <null> ldloc.s V_13 ldloc.0 <null> ldstr /proxyport callvirt System.String System.Collections.Generic.Dictionary`2<System.String,System.String>::get_Item(System.String) call System.Int32 System.Int32::Parse(System.String) callvirt System.Void WSuspicious.Servers.Proxy.WsusProxy::Start(System.Int32) nop <null> ldstr Hit any key to exit.. 
call System.Void System.Console::WriteLine(System.String) nop <null> ldloc.0 <null> ldstr /autoinstall callvirt System.Boolean System.Collections.Generic.Dictionary`2<System.String,System.String>::ContainsKey(System.String) stloc.s V_14 ldloc.s V_14 brfalse.s IL_01D4: call System.Void System.Console::WriteLine() nop <null> call System.Void WSuspicious.Utility.WindowsUpdateLauncher::StartUpdates() nop <null> nop <null> call System.Void System.Console::WriteLine() nop <null> call System.Int32 System.Console::Read() pop <null> nop <null> leave.s IL_01F0: ldloc.s V_6 ldloc.s V_13 brfalse.s IL_01EF: endfinally ldloc.s V_13 callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> ldloc.s V_6 callvirt System.String System.Uri::get_Scheme() ldstr https call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_0210: ldc.i4.0 ldloc.0 <null> ldstr /enabletls callvirt System.Boolean System.Collections.Generic.Dictionary`2<System.String,System.String>::ContainsKey(System.String) br.s IL_0211: stloc.s V_15 ldc.i4.0 <null> stloc.s V_15 ldloc.s V_15 brfalse.s IL_0224: ldloc.s V_9 nop <null> ldstr Consider removing the self-signed certificate from the store (Warning: it will prompt the user again). call System.Void System.Console::WriteLine(System.String) nop <null> nop <null> ldloc.s V_9 ldnull <null> cgt.un <null> stloc.s V_16 ldloc.s V_16 brfalse.s IL_0239: nop nop <null> ldloc.s V_9 callvirt System.Void WSuspicious.Servers.HttpServer::Stop() nop <null> nop <null> nop <null> br.s IL_0254: ldc.i4.0 nop <null> ldstr No WSUS Server detected. call System.Void System.Console::WriteLine(System.String) nop <null> ldstr Stopping now. call System.Void System.Console::WriteLine(System.String) nop <null> nop <null> ldc.i4.0 <null> stloc.s V_4 br.s IL_0259: ldloc.s V_4 ldloc.s V_4 ret <null>


Artefacts
PDB Path: C:\Users\s.ksenofontov\Documents\shared_folder\exception\WSuspicious\WSuspicious\obj\Debug\net45\WSuspicious.pdb

Characteristics
No malware configuration was found at this point.