Suspicious
Suspect

PE Executable
MD5: 75b879119ba9e7a7e70c0652635372e0
Size: 3.4 MB
application/x-dosexec

Get an AI-generated breakdown of this malware's behaviour, IOCs and recommendations.

AI analysis is available with Essential.
Unlock with Essential
Symbol Obfuscation Score Very high
MD5 75b879119ba9e7a7e70c0652635372e0
Sha1 80e50a578256a114e7422de9abf495f5d2cdebb2
Sha256 53bd45a2da8a0db00c6202fd66651bde1b5ede0cdee998654c64d037ccfa9b68
Sha384 3bced1b27916967073f04e6663c35db6dd3941fd88402b950de0325e595a9fdb436816ec688823020fa4811559cf50df
Sha512 da38d1b7b0bfe56cbac51564e8fb697a6673ce9006d2dc105bf1ec731b49a0a973ba8ede88e6c16f4bf9c10c7c95855fb3ff9d8f5d5ce8a93777d888a62dcf43
SSDeep 98304:cm9yZooTkL/oxmlkXDIe9eXrODgFRHW+Q:cm9yhTTIeebOIR
TLSH A8F533DF320175AEC067D4368AA66C70A6616D7F6706D207881B3E1F3A3D6C79F214E2
PeID
.NET executableMicrosoft Visual C# / Basic .NETMicrosoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL Microsoft Visual C# v7.0 / Basic .NETMicrosoft Visual C++ v6.0 DLLMicrosoft Visual Studio .NET
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_ICON
ID:0001
ID:0
ID:0002
ID:0
ID:0003
ID:0
ID:0004
ID:0
ID:0005
ID:0
RT_GROUP_CURSOR4
ID:7F00
ID:0
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
Name Value
Info
PE Detect: PeReader OK (file layout)
Module Name
server1.exe
Full Name
server1.exe
EntryPoint
System.Void server.Module2::main()
Scope Name
server1.exe
Scope Type
ModuleDef
Kind
Windows
Runtime Version
v4.0.30319
Tables Header Version
512
WinMD Version
<null>
Assembly Name
server1
Assembly Version
2.3.8.8
Assembly Culture
<null>
Has PublicKey
False
PublicKey Token
<null>
Target Framework
.NETFramework,Version=v4.8
Total Strings
43
Main Method
System.Void server.Module2::main()
Main IL Instruction Count
48
Main IL
nop <null>
call System.String server.My.Resources.Resources::get_encrypted()
ldstr JspDHUTMKvQys[WV~w€cSYTNnp[x>
call System.String server.Module2::AES_Decrypt(System.String,System.String)
stsfld System.String server.Module2::Hex
ldsfld System.String server.Module2::Hex
call System.Byte[] server.Module2::wmnRszMchj(System.String)
stsfld System.Byte[] server.Module2::Bytes
ldc.i4 386607703
ldc.i4 929206166
xor <null>
dup <null>
stloc.2 <null>
ldc.i4.4 <null>
rem.un <null>
switch dnlib.DotNet.Emit.Instruction[]
br.s IL_008F: ldloc.1
newobj System.Void server.gBYfYCFlNn::.ctor()
stloc.0 <null>
ldloc.0 <null>
ldsfld System.Byte[] server.Module2::Bytes
call System.Diagnostics.Process server.Module2::‫‮‎‬‌‮‬‫‪‫‮‭‫‮‮​‏‏‮‫‎‮()
call System.Diagnostics.ProcessModule server.Module2::‪‭‌‫‭‪‎‏‏‍‍‮‏​‬‫‫‍‌‌‍‭‮(System.Diagnostics.Process)
call System.String server.Module2::‏‭‍‏‫‏‍‌‌‫​‭‬‮‪‎​‍‫‍‏‬‎‍‏‫‮(System.Diagnostics.ProcessModule)
callvirt System.Boolean server.gBYfYCFlNn::yndsLJCPZjl(System.Byte[],System.String)
pop <null>
ldloc.2 <null>
ldc.i4 -1320171207
mul <null>
ldc.i4 -1262534807
xor <null>
br.s IL_0029: ldc.i4 929206166
newobj System.Void server.homMKuRBcGK::.ctor()
stloc.1 <null>
ldloc.2 <null>
ldc.i4 579483009
mul <null>
ldc.i4 -1218648512
xor <null>
br.s IL_0029: ldc.i4 929206166
ldloc.1 <null>
ldsfld System.Byte[] server.Module2::Bytes
call System.Diagnostics.Process server.Module2::‫‮‎‬‌‮‬‫‪‫‮‭‫‮‮​‏‏‮‫‎‮()
call System.Diagnostics.ProcessModule server.Module2::‪‭‌‫‭‪‎‏‏‍‍‮‏​‬‫‫‍‌‌‍‭‮(System.Diagnostics.Process)
call System.String server.Module2::‏‭‍‏‫‏‍‌‌‫​‭‬‮‪‎​‍‫‍‏‬‎‍‏‫‮(System.Diagnostics.ProcessModule)
callvirt System.Boolean server.homMKuRBcGK::ZrZxBOQQcJ(System.Byte[],System.String)
pop <null>
ret <null>
Module Name
server1.exe
Full Name
server1.exe
EntryPoint
System.Void server.Module2::main()
Scope Name
server1.exe
Scope Type
ModuleDef
Kind
Windows
Runtime Version
v4.0.30319
Tables Header Version
512
WinMD Version
<null>
Assembly Name
server1
Assembly Version
2.3.8.8
Assembly Culture
<null>
Has PublicKey
False
PublicKey Token
<null>
Target Framework
.NETFramework,Version=v4.8
Total Strings
43
Main Method
System.Void server.Module2::main()
Main IL Instruction Count
48
Main IL
nop <null>
call System.String server.My.Resources.Resources::get_encrypted()
ldstr JspDHUTMKvQys[WV~w€cSYTNnp[x>
call System.String server.Module2::AES_Decrypt(System.String,System.String)
stsfld System.String server.Module2::Hex
ldsfld System.String server.Module2::Hex
call System.Byte[] server.Module2::wmnRszMchj(System.String)
stsfld System.Byte[] server.Module2::Bytes
ldc.i4 386607703
ldc.i4 929206166
xor <null>
dup <null>
stloc.2 <null>
ldc.i4.4 <null>
rem.un <null>
switch dnlib.DotNet.Emit.Instruction[]
br.s IL_008F: ldloc.1
newobj System.Void server.gBYfYCFlNn::.ctor()
stloc.0 <null>
ldloc.0 <null>
ldsfld System.Byte[] server.Module2::Bytes
call System.Diagnostics.Process server.Module2::‫‮‎‬‌‮‬‫‪‫‮‭‫‮‮​‏‏‮‫‎‮()
call System.Diagnostics.ProcessModule server.Module2::‪‭‌‫‭‪‎‏‏‍‍‮‏​‬‫‫‍‌‌‍‭‮(System.Diagnostics.Process)
call System.String server.Module2::‏‭‍‏‫‏‍‌‌‫​‭‬‮‪‎​‍‫‍‏‬‎‍‏‫‮(System.Diagnostics.ProcessModule)
callvirt System.Boolean server.gBYfYCFlNn::yndsLJCPZjl(System.Byte[],System.String)
pop <null>
ldloc.2 <null>
ldc.i4 -1320171207
mul <null>
ldc.i4 -1262534807
xor <null>
br.s IL_0029: ldc.i4 929206166
newobj System.Void server.homMKuRBcGK::.ctor()
stloc.1 <null>
ldloc.2 <null>
ldc.i4 579483009
mul <null>
ldc.i4 -1218648512
xor <null>
br.s IL_0029: ldc.i4 929206166
ldloc.1 <null>
ldsfld System.Byte[] server.Module2::Bytes
call System.Diagnostics.Process server.Module2::‫‮‎‬‌‮‬‫‪‫‮‭‫‮‮​‏‏‮‫‎‮()
call System.Diagnostics.ProcessModule server.Module2::‪‭‌‫‭‪‎‏‏‍‍‮‏​‬‫‫‍‌‌‍‭‮(System.Diagnostics.Process)
call System.String server.Module2::‏‭‍‏‫‏‍‌‌‫​‭‬‮‪‎​‍‫‍‏‬‎‍‏‫‮(System.Diagnostics.ProcessModule)
callvirt System.Boolean server.homMKuRBcGK::ZrZxBOQQcJ(System.Byte[],System.String)
pop <null>
ret <null>
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_ICON
ID:0001
ID:0
ID:0002
ID:0
ID:0003
ID:0
ID:0004
ID:0
ID:0005
ID:0
RT_GROUP_CURSOR4
ID:7F00
ID:0
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
No malware configuration was found at this point.
You must be signed in to view YARA rules.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙