Suspicious
Suspect

6ef90729281da2327a73fbe2cd2cfdfa

PE Executable
|
MD5: 6ef90729281da2327a73fbe2cd2cfdfa
|
Size: 96.77 KB
|
application/x-dosexec

Summary by MalvaGPT
Characteristics

Symbol Ofbuscation Score

Very low

Hash
 Hash Value
MD5
6ef90729281da2327a73fbe2cd2cfdfa
Sha1
2a56d904c4407a01ce4aa65e2fe8b1fd641fc027
Sha256
e36eee6a572b2c5e45cfaffae49ee361f55915375a4b7c938983fe8f8b5aa539
Sha384
c80fe6201139e3ac8141929f9c0b52d04d5212987047da7e41de585f8c29433ad68d5cc5b7e1027cfd8db28d803f9bab
Sha512
b951f12296b7499fc814ccb0be167d82f2725807f9716fa85b83ec43cb220a502618a9b6849b1159c71c91f50c035cb50e235ec4a6815cb5cc1deb55764301d7
SSDeep
1536:shhQNWouE4Z5OHuJuDSecqRIuY7c7h57NzDHZFrSz+xT0eYQBvslcREVSTUMW1jo:shhQNWoX4Z5OHuOSelIq5PHZFrbxozap
TLSH
5B9302944BE06FB6C2584B3429F5574031346CD0E92FCBCEA25C505B6EDB78087A2F6B

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
6ef90729281da2327a73fbe2cd2cfdfa
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
WindowsFormsApp1.Properties.Resources.resources
Informations
Name
 Value
Info

PE Detect: PeReader OK (file layout)
Info

PDB Path: C:\Users\jacknours\Desktop\maldev\source\cs\shellcode\1-NoClean\WindowsFormsApp1\obj\Release\WindowsFormsApp1.pdb
Module Name

WindowsFormsApp1.exe
Full Name

WindowsFormsApp1.exe
EntryPoint

System.Void ChromeUpdater.Program::Main(System.String[])
Scope Name

WindowsFormsApp1.exe
Scope Type

ModuleDef
Kind

Windows
Runtime Version

v4.0.30319
Tables Header Version

512
WinMD Version

<null>
Assembly Name

WindowsFormsApp1
Assembly Version

1.0.0.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

.NETFramework,Version=v4.0
Total Strings

8
Main Method

System.Void ChromeUpdater.Program::Main(System.String[])
Main IL Instruction Count

59
Main IL

call System.Void ChromeUpdater.Program::WindowsUpdate() ldstr explorer stloc.0 <null> call System.Byte[] ChromeUpdater.Program::updating() stloc.1 <null> ldloc.1 <null> brfalse.s IL_0018: ldc.i4.1 ldloc.1 <null> ldlen <null> brtrue.s IL_001E: ldloc.0 ldc.i4.1 <null> call System.Void System.Environment::Exit(System.Int32) ldloc.0 <null> call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) call System.Diagnostics.Process System.Linq.Enumerable::FirstOrDefault<System.Diagnostics.Process>(System.Collections.Generic.IEnumerable`1<System.Diagnostics.Process>) stloc.2 <null> ldloc.2 <null> brtrue.s IL_0048: ldc.i4 2035711 ldloc.0 <null> ldstr .exe call System.String System.String::Concat(System.String,System.String) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.String) stloc.2 <null> ldc.i4 1500 call System.Void System.Threading.Thread::Sleep(System.Int32) ldc.i4 2035711 ldc.i4.0 <null> ldloc.2 <null> callvirt System.Int32 System.Diagnostics.Process::get_Id() call System.IntPtr ChromeUpdater.Program::OpenProcess(System.UInt32,System.Boolean,System.Int32) dup <null> ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr) brfalse.s IL_006C: dup ldc.i4.1 <null> call System.Void System.Environment::Exit(System.Int32) dup <null> ldloc.1 <null> call System.IntPtr ChromeUpdater.Program::InjectShellcode(System.IntPtr,System.Byte[]) stloc.3 <null> ldloc.3 <null> ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr) brfalse.s IL_0087: ldloc.1 ldc.i4.1 <null> call System.Void System.Environment::Exit(System.Int32) ldloc.1 <null> ldloc.3 <null> call System.Void ChromeUpdater.Program::StartWatchdog(System.IntPtr,System.Byte[],System.IntPtr) call System.Boolean System.Diagnostics.Debugger::get_IsAttached() brtrue.s IL_009B: leave.s IL_00A6 ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) leave.s IL_00A6: ret pop <null> ldc.i4.1 <null> call System.Void System.Environment::Exit(System.Int32) leave.s IL_00A6: ret ret <null>
Module Name

WindowsFormsApp1.exe
Full Name

WindowsFormsApp1.exe
EntryPoint

System.Void ChromeUpdater.Program::Main(System.String[])
Scope Name

WindowsFormsApp1.exe
Scope Type

ModuleDef
Kind

Windows
Runtime Version

v4.0.30319
Tables Header Version

512
WinMD Version

<null>
Assembly Name

WindowsFormsApp1
Assembly Version

1.0.0.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

.NETFramework,Version=v4.0
Total Strings

8
Main Method

System.Void ChromeUpdater.Program::Main(System.String[])
Main IL Instruction Count

59
Main IL

call System.Void ChromeUpdater.Program::WindowsUpdate() ldstr explorer stloc.0 <null> call System.Byte[] ChromeUpdater.Program::updating() stloc.1 <null> ldloc.1 <null> brfalse.s IL_0018: ldc.i4.1 ldloc.1 <null> ldlen <null> brtrue.s IL_001E: ldloc.0 ldc.i4.1 <null> call System.Void System.Environment::Exit(System.Int32) ldloc.0 <null> call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) call System.Diagnostics.Process System.Linq.Enumerable::FirstOrDefault<System.Diagnostics.Process>(System.Collections.Generic.IEnumerable`1<System.Diagnostics.Process>) stloc.2 <null> ldloc.2 <null> brtrue.s IL_0048: ldc.i4 2035711 ldloc.0 <null> ldstr .exe call System.String System.String::Concat(System.String,System.String) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.String) stloc.2 <null> ldc.i4 1500 call System.Void System.Threading.Thread::Sleep(System.Int32) ldc.i4 2035711 ldc.i4.0 <null> ldloc.2 <null> callvirt System.Int32 System.Diagnostics.Process::get_Id() call System.IntPtr ChromeUpdater.Program::OpenProcess(System.UInt32,System.Boolean,System.Int32) dup <null> ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr) brfalse.s IL_006C: dup ldc.i4.1 <null> call System.Void System.Environment::Exit(System.Int32) dup <null> ldloc.1 <null> call System.IntPtr ChromeUpdater.Program::InjectShellcode(System.IntPtr,System.Byte[]) stloc.3 <null> ldloc.3 <null> ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr) brfalse.s IL_0087: ldloc.1 ldc.i4.1 <null> call System.Void System.Environment::Exit(System.Int32) ldloc.1 <null> ldloc.3 <null> call System.Void ChromeUpdater.Program::StartWatchdog(System.IntPtr,System.Byte[],System.IntPtr) call System.Boolean System.Diagnostics.Debugger::get_IsAttached() brtrue.s IL_009B: leave.s IL_00A6 ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) leave.s IL_00A6: ret pop <null> ldc.i4.1 <null> call System.Void System.Environment::Exit(System.Int32) leave.s IL_00A6: ret ret <null>
6ef90729281da2327a73fbe2cd2cfdfa (96.77 KB)
File Structure
6ef90729281da2327a73fbe2cd2cfdfa
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
WindowsFormsApp1.Properties.Resources.resources
Characteristics
No malware configuration were found at this point.
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙