Malicious

a6487fbf732770f7ebf1aec9324157f8

PE Executable | MD5: a6487fbf732770f7ebf1aec9324157f8 | Size: 651.26 KB | application/x-dosexec


Characteristics

Symbol Obfuscation Score: Medium

Hash
MD5: a6487fbf732770f7ebf1aec9324157f8
Sha1: 6d884e2894d6cfa4427f123a19a49f86dd52d9c1
Sha256: e9e9b6b8d6597bc10168304dfa63f25652533b9a9a8ae3206ef0c6b558dd6fec
Sha384: 1c0108e7f54a58fc639856b4e7b06a72a22a93a760b736433cfefee35887d3ad656d9e24c21844e2a4ec7f4ef921e27b
Sha512: 7206015fcaf090477117cc7f676408b73f7a1e2e05e96992eab939562d23804942b0f02e960936aa015f585eaa53d28fb10fa847e610a6d99237bdb0bfec4509
SSDeep: 6144:5dSf9cg/62WcaLDC02yzsXjCn8o0CC8OhrhajycWaMN+VO3YHlZWHEnlKS:5dSKgGLex08oBLO2WaDnll
TLSH: 35D46C91AE85CA53C9370EB547B6C33883B6DFB8BD534707A4BB7E2DBC366452901242

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
AFX_DIALOG_LAYOUT
ID:0065
ID:2048
RT_CURSOR
ID:0001
ID:0
ID:0002
ID:0
ID:0003
ID:0
ID:0004
ID:0
ID:0005
ID:0
ID:0006
ID:0
RT_BITMAP
ID:009F
ID:2048
ID:00A9
ID:2048
ID:00AA
ID:2048
RT_ICON
ID:0001
ID:0
ID:0002
ID:0
ID:0003
ID:0
ID:0004
ID:0
ID:0005
ID:0
ID:0006
ID:0
ID:0007
ID:0
ID:0008
ID:0
ID:0009
ID:0
RT_MENU
ID:0080
ID:1024
RT_DIALOG
ID:0065
ID:2048
ID:0067
ID:2048
ID:0083
ID:2048
ID:008E
ID:2048
ID:0091
ID:2048
ID:0094
ID:2048
ID:009A
ID:2048
ID:009B
ID:2048
ID:009C
ID:2048
ID:00A0
ID:2048
RT_STRING
ID:0009
ID:1024
ID:0272
ID:1024
ID:0E11
ID:1024
ID:0E12
ID:1024
ID:0E15
ID:1024
RT_GROUP_CURSOR2
ID:0068
ID:0
ID:0095
ID:0
ID:0097
ID:0
ID:0098
ID:0
ID:00B2
ID:0
ID:00B3
ID:0
RT_GROUP_CURSOR4
ID:0080
ID:0
RT_VERSION
ID:0001
ID:0
ID:1033
RT_MANIFEST
ID:0001
ID:0
ID:1033
.Net Resources
Malicious
Information
Info: PE Detect: PeReader OK (file layout)
Module Name: 69816bd1403f5.exe
Full Name: 69816bd1403f5.exe
EntryPoint: System.Void Microsoft.CLR.Hosting.RuntimeBootstrap::Main()
Scope Name: 69816bd1403f5.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: 69816bd1403f5
Assembly Version: 0.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: <null>
Total Strings: 10
Main Method: System.Void Microsoft.CLR.Hosting.RuntimeBootstrap::Main()
Main IL Instruction Count: 7
Main IL:
nop <null>
call System.Int32 Microsoft.CLR.Hosting.RuntimeBootstrap::InitializeComponent()
stloc.0 <null>
ldloc.0 <null>
call System.Void System.Environment::Exit(System.Int32)
nop <null>
ret <null>

Artefacts
URLs in VB Code - #1: http://schemas.microsoft.com/SMI/2005/WindowsSettings
