Malicious
Malicious

72b66bac20017e024ccdef1c786c04ba

Share on LinkedIn
Print
PE Executable
MD5: 72b66bac20017e024ccdef1c786c04ba
Size: 28.16 KB
application/x-dosexec
Ctrl + scroll to zoom · drag to pan

Get an AI-generated breakdown of this malware's behaviour, IOCs and recommendations.

AI analysis is available with Essential.
Unlock with Essential
Symbol Obfuscation Score Low
MD5 72b66bac20017e024ccdef1c786c04ba
Sha1 a3498ddeca65ce8bd339c08b19cfe0f0200e68f7
Sha256 2d5b38af2b9b6b5b2a6fb2416322d4143cfabe6c958eac7ca34ba41be0f4831e
Sha384 593a5b4e9647b277e5a5b63d10ff289efa6fe9e6ee33f863650ba9101843de39284517807271c284cc53c19249093685
Sha512 b51395491aa860fa01bf577a24b958fdaa540e892a85c18fe322003bba2d2bbf68ff713e748b049c015d91d1e1b68384f20e1760211ca342723074e126120cc4
SSDeep 384:jgSVEEMiNPWmeOsVa/KFHbh0yH9qbuUscCbQxnCJfJBndnjJvKsbT+:jgSVXFg1VDHF0wIb1BBiBnesbT+
TLSH FFC23D0873E8C572D2FE0ABE883395009775D55B9913D75A6FC890AE2E23BCD8A14BD4
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
STICH beta Structural Threat Infection Chain Hash

A content-independent fingerprint of the infection method: successive formats, internal objects and MITRE techniques from the initial file to each final payload.

Structural branches: 1 STICH kept: 1
STICH Path = the fingerprint (canonical chain with techniques) STICH Shape = structure only Only determinant branches produce STICH Paths.
1 / 1
Path pe:exe>pe:rsrc>bin
Shape pe:exe>pe:rsrc>bin
malicious 3 nodes
Config. Field Value
Key (AES_256) Byhuhuhuhu
Pastebin -huhuhuhu
Install fhuhuhuhu
Install File Tehuhuhuhu
Install-Folder %huhuhuhu
Version 0.huhuhuhu
Hosts 78whuhuhuhu
Ports 4huhuhuhu
Mutex Aphuhuhuhu
Delay 0huhuhuhu
Group NYhuhuhuhu
We extracted this malware's full configuration (C2, credentials, campaign IDs…).
Unlock with Essential
Name Value
Info
PE Detect: PeReader OK (file layout)
Info
PDB Path: C:\new\Client\obj\Debug\AU88APP.pdb
Module Name
AU88APP.exe
Full Name
AU88APP.exe
EntryPoint
System.Void Client.Program::Main()
Scope Name
AU88APP.exe
Scope Type
ModuleDef
Kind
Windows
Runtime Version
v4.0.30319
Tables Header Version
512
WinMD Version
<null>
Assembly Name
AU88APP
Assembly Version
1.0.0.0
Assembly Culture
<null>
Has PublicKey
False
PublicKey Token
<null>
Target Framework
.NETFramework,Version=v4.8
Total Strings
122
Main Method
System.Void Client.Program::Main()
Main IL Instruction Count
101
Main IL
nop <null>
ldc.i4.0 <null>
stloc.0 <null>
br.s IL_0016: ldloc.0
nop <null>
ldc.i4 1000
call System.Void System.Threading.Thread::Sleep(System.Int32)
nop <null>
nop <null>
ldloc.0 <null>
ldc.i4.1 <null>
add <null>
stloc.0 <null>
ldloc.0 <null>
ldsfld System.String Client.Settings::Delay
call System.Int32 System.Convert::ToInt32(System.String)
clt <null>
stloc.1 <null>
ldloc.1 <null>
brtrue.s IL_0005: nop
call System.Boolean Client.Settings::InitializeSettings()
ldc.i4.0 <null>
ceq <null>
stloc.2 <null>
ldloc.2 <null>
brfalse.s IL_003A: nop
ldc.i4.0 <null>
call System.Void System.Environment::Exit(System.Int32)
nop <null>
nop <null>
nop <null>
call System.Boolean Client.Helper.MutexControl::CreateMutex()
ldc.i4.0 <null>
ceq <null>
stloc.3 <null>
ldloc.3 <null>
brfalse.s IL_004F: ldsfld System.String Client.Settings::Anti
ldc.i4.0 <null>
call System.Void System.Environment::Exit(System.Int32)
nop <null>
ldsfld System.String Client.Settings::Anti
call System.Boolean System.Convert::ToBoolean(System.String)
stloc.s V_4
ldloc.s V_4
brfalse.s IL_0065: ldsfld System.String Client.Settings::Install
call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis()
nop <null>
ldsfld System.String Client.Settings::Install
call System.Boolean System.Convert::ToBoolean(System.String)
stloc.s V_5
ldloc.s V_5
brfalse.s IL_007B: ldsfld System.String Client.Settings::BDOS
call System.Void Client.Install.NormalStartup::Install()
nop <null>
ldsfld System.String Client.Settings::BDOS
call System.Boolean System.Convert::ToBoolean(System.String)
brfalse.s IL_008E: ldc.i4.0
call System.Boolean Client.Helper.Methods::IsAdmin()
br.s IL_008F: stloc.s V_6
ldc.i4.0 <null>
stloc.s V_6
ldloc.s V_6
brfalse.s IL_009B: call System.Void Client.Helper.Methods::PreventSleep()
call System.Void Client.Helper.ProcessCritical::Set()
nop <null>
call System.Void Client.Helper.Methods::PreventSleep()
nop <null>
nop <null>
leave.s IL_00A9: br.s IL_00DD
pop <null>
nop <null>
nop <null>
leave.s IL_00A9: br.s IL_00DD
br.s IL_00DD: ldc.i4.1
nop <null>
nop <null>
call System.Boolean Client.Connection.ClientSocket::get_IsConnected()
ldc.i4.0 <null>
ceq <null>
stloc.s V_7
ldloc.s V_7
brfalse.s IL_00C9: nop
nop <null>
call System.Void Client.Connection.ClientSocket::Reconnect()
nop <null>
call System.Void Client.Connection.ClientSocket::InitializeClient()
nop <null>
nop <null>
nop <null>
leave.s IL_00D1: ldc.i4 5000
pop <null>
nop <null>
nop <null>
leave.s IL_00D1: ldc.i4 5000
ldc.i4 5000
call System.Void System.Threading.Thread::Sleep(System.Int32)
nop <null>
nop <null>
ldc.i4.1 <null>
stloc.s V_8
br.s IL_00AB: nop
Key (AES_256) MUTEXmalicious
Byhuhuhuhu
CnC CNCmalicious
78whuhuhuhu
Ports PORTmalicious
4huhuhuhu
Mutex MUTEXmalicious
Aphuhuhuhu
Full artefact values (URLs, paths, registry keys, scripts…) are available with Essential.
Unlock with Essential
An error has occurred. This application may no longer respond until reloaded. Reload 🗙