Malicious
PE Executable
MD5: 867703b3792be3dc03dbd1e2db81bdbc
Size: 70.95 KB
application/x-dosexec
Ctrl + scroll to zoom · drag to pan
Get an AI-generated breakdown of this malware's behaviour, IOCs and recommendations.
AI analysis is available with Essential.
Unlock with Essential
Symbol Obfuscation Score
Low
| MD5 | 867703b3792be3dc03dbd1e2db81bdbc |
| Sha1 | c1cfd55b43721b26d1a2f2274628f0f014c5a6d9 |
| Sha256 | 1dbda668c852a6992af32a9f16f53c2b5af3930f1c71d7d1608d32360dcc65d5 |
| Sha384 | 3afe8bd47b1a01a6d9f8b1026ff5bf21626a1f74c75c00eda7ce7ca3cbd01aa5989653b5d975a4b998f7b21d81e266ec |
| Sha512 | 39b450c34cc905a5596092ef43e480542b60cc615d811501b2a7ff756f1d73886c9a536feb3e871f6f3c82e65a8aaebf187f9db92eb7879e1594d68d8476c275 |
| SSDeep | 768:Gm0vnfEXf78awC8A+XUPvKJ1o8c3SSPD1+T4tSBGHmDbDMph0oXADzFAa6SuAdph:OEXiFa80/DCYUbCh92zOGuAdpqKmY7 |
| TLSH | 7C636B003B98C965E6AD4AB4BCF3550106B5C1772102DA1E3CC850DBABAFFC64A527FE |
PeID
.NET executableMicrosoft Visual C# / Basic .NETMicrosoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL Microsoft Visual C# v7.0 / Basic .NETMicrosoft Visual Studio .NET
| Config. Field | Value |
|---|---|
| Key (AES_256) | S3BpdHhuhuhuhuhuhuhuhuhuhuhu |
| Pastebin | -huhuhuhu |
| Certificate | MIICKThuhuhuhuhuhuhuhuhuhuhu |
| ServerSignature | YlXk2bhuhuhuhuhuhuhuhuhuhuhu |
| Install | fhuhuhuhu |
| BDOS | fhuhuhuhu |
| Anti-VM | fhuhuhuhu |
| Install-Folder | %Aphuhuhuhu |
| Hosts | 127.0.huhuhuhuhuhuhu |
| Ports | 8huhuhuhu |
| Delay | 1huhuhuhu |
| Group | Dehuhuhuhu |
We extracted this malware's full configuration (C2, credentials, campaign IDs…).
Unlock with Essential
| Name | Value |
|---|---|
| Info | PE Detect: PeReader OK (file layout) |
| Info | Overlay extracted: Overlay_60851e5c.bin (6440 bytes) |
| Module Name | ap.exe |
| Full Name | ap.exe |
| EntryPoint | System.Void Client.Program::Main() |
| Scope Name | ap.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | ap |
| Assembly Version | 3.6.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | .NETFramework,Version=v4.0 |
| Total Strings | 163 |
| Main Method | System.Void Client.Program::Main() |
| Main IL Instruction Count | 77 |
| Main IL | |
| Module Name | ap.exe |
| Full Name | ap.exe |
| EntryPoint | System.Void Client.Program::Main() |
| Scope Name | ap.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | ap |
| Assembly Version | 3.6.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | .NETFramework,Version=v4.0 |
| Total Strings | 163 |
| Main Method | System.Void Client.Program::Main() |
| Main IL Instruction Count | 77 |
| Main IL | |
Key (AES_256)
MUTEXmalicious
S3BpdHhuhuhuhuhuhuhuhuhuhuhu
CnC
CNCmalicious
127huhuhuhu
CnC
CNCmalicious
162.huhuhuhuhuhuhu
Ports
PORTmalicious
8huhuhuhu
Full artefact values (URLs, paths, registry keys, scripts…) are available with Essential.
Unlock with Essential
| Config. Field | Value |
|---|---|
| Key (AES_256) | S3BpdHhuhuhuhuhuhuhuhuhuhuhu |
| Pastebin | -huhuhuhu |
| Certificate | MIICKThuhuhuhuhuhuhuhuhuhuhu |
| ServerSignature | YlXk2bhuhuhuhuhuhuhuhuhuhuhu |
| Install | fhuhuhuhu |
| BDOS | fhuhuhuhu |
| Anti-VM | fhuhuhuhu |
| Install-Folder | %Aphuhuhuhu |
| Hosts | 127.0.huhuhuhuhuhuhu |
| Ports | 8huhuhuhu |
| Delay | 1huhuhuhu |
| Group | Dehuhuhuhu |
We extracted this malware's full configuration (C2, credentials, campaign IDs…).
Unlock with Essential
Key (AES_256)
MUTEXmalicious
S3BpdHhuhuhuhuhuhuhuhuhuhuhu
867703b3792be3dc03dbd1e2db81bdbc
CnC
CNCmalicious
127huhuhuhu
867703b3792be3dc03dbd1e2db81bdbc
CnC
CNCmalicious
162.huhuhuhuhuhuhu
867703b3792be3dc03dbd1e2db81bdbc
Ports
PORTmalicious
8huhuhuhu
867703b3792be3dc03dbd1e2db81bdbc
Full artefact values (URLs, paths, registry keys, scripts…) are available with Essential.
Unlock with Essential
You must be signed in to view YARA rules.