Malicious

ba291819f8130927770c508958d7581f

PE Executable | MD5: ba291819f8130927770c508958d7581f | Size: 138.75 KB | application/x-dosexec

Infection Chain
Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score

Very low

Hash
MD5: ba291819f8130927770c508958d7581f
SHA1: 417a9c42b6b22aff95c58fa4aa4218b264448e14
SHA256: 15ee53d7416cb099f8c0805e4d8296b4f55fe10f2ad6a08a84d73091a8ab9a1c
SHA384: bbe15db3749652b083312a7b07cfbeaa8d22763a5bfd4db41f7ce2386462efca5a29605f31a2b2b671b5a73aa4c37455
SHA512: 452830f6d657cc8e77fd2a4f9634af4be627d6c35fda04ad06e6d2ceb8b11a63b7f9e2caa68edd53eced8240c0c28a34429b1f277c562bcd2d0fc2f531994393
SSDeep: 1536:eDKrwrVGIYzjB+y8S5Si97RtAiynO6ZGNsq6GjwwM5OKsO+I1QQt5obM/NeA6wvX:eDQwrVv3Ssi99t36ZNGjI5Ob
TLSH: 59D3071872FC0A5AF8F7D7317AE6A2279431BEA045314E1D29C61B4A3E31724EF5137A

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_BITMAP
ID:006E
ID:1033
RT_ICON
ID:0001
ID:1033
ID:0002
ID:1033
ID:0003
ID:1033
ID:0004
ID:1033
ID:1033-preview.png
ID:0005
ID:1033
ID:0006
ID:1033
ID:0007
ID:1033
RT_DIALOG
ID:0066
ID:1033
ID:0067
ID:1033
ID:0068
ID:1033
ID:0069
ID:1033
ID:006A
ID:1033
ID:006B
ID:1033
ID:006F
ID:1033
ID:00CA
ID:1033
ID:00CB
ID:1033
ID:00CC
ID:1033
ID:00CD
ID:1033
ID:00CE
ID:1033
ID:00CF
ID:1033
ID:00D3
ID:1033
RT_GROUP_CURSOR4
ID:0067
ID:1033
RT_VERSION
ID:0001
ID:1025
ID:1026
ID:1028
ID:1029
ID:1030
ID:1031
ID:1032
ID:1033
ID:1034
ID:1035
ID:1036
ID:1037
ID:1038
ID:1040
ID:1041
ID:1043
ID:1044
ID:1045
ID:1046
ID:1048
ID:1049
ID:1050
ID:1051
ID:1053
ID:1054
ID:1055
ID:1057
ID:1058
ID:1059
ID:1060
ID:1062
ID:1063
ID:1065
ID:1066
ID:1067
ID:1079
ID:1086
ID:1091
ID:1109
ID:2052
ID:2070
ID:2074
ID:2092
ID:3098
ID:4103
ID:5146
ID:9999
RT_MANIFEST
ID:0001
ID:0
.Net Resources (Malicious)
script.vbs.deobfuscated.vbs (Malicious)
script.vbs (Malicious)
.executed (Malicious)
Information
Info: PE Detect: PeReader OK (file layout)
Module Name: Result.exe
Full Name: Result.exe
EntryPoint: System.Void Dropper.Program::Main(System.String[])
Scope Name: Result.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: Result
Assembly Version: 0.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: <null>
Total Strings: 4
Main Method: System.Void Dropper.Program::Main(System.String[])
Main IL Instruction Count: 96
Main IL:

nop <null> nop <null> ldstr script.vbs stloc.0 <null> call System.String System.IO.Path::GetTempPath() stloc.1 <null> ldloc.1 <null> ldloc.0 <null> call System.String System.IO.Path::Combine(System.String,System.String) stloc.2 <null> call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() ldloc.0 <null> callvirt System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String) stloc.3 <null> nop <null> ldloc.3 <null> ldnull <null> ceq <null> ldc.i4.0 <null> ceq <null> stloc.s V_6 ldloc.s V_6 brtrue.s IL_0035: ldloc.2 leave IL_00D9: nop ldloc.2 <null> ldc.i4.2 <null> newobj System.Void System.IO.FileStream::.ctor(System.String,System.IO.FileMode) stloc.s V_4 nop <null> ldloc.3 <null> ldloc.s V_4 callvirt System.Void System.IO.Stream::CopyTo(System.IO.Stream) nop <null> nop <null> leave.s IL_005F: nop ldloc.s V_4 ldnull <null> ceq <null> stloc.s V_6 ldloc.s V_6 brtrue.s IL_005E: endfinally ldloc.s V_4 callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> nop <null> nop <null> leave.s IL_0075: nop ldloc.3 <null> ldnull <null> ceq <null> stloc.s V_6 ldloc.s V_6 brtrue.s IL_0074: endfinally ldloc.3 <null> callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> nop <null> newobj System.Void System.Diagnostics.Process::.ctor() stloc.s V_5 ldloc.s V_5 callvirt System.Diagnostics.ProcessStartInfo System.Diagnostics.Process::get_StartInfo() ldstr wscript.exe callvirt System.Void System.Diagnostics.ProcessStartInfo::set_FileName(System.String) nop <null> ldloc.s V_5 callvirt System.Diagnostics.ProcessStartInfo System.Diagnostics.Process::get_StartInfo() ldstr " ldloc.2 <null> ldstr " call System.String System.String::Concat(System.String,System.String,System.String) callvirt System.Void System.Diagnostics.ProcessStartInfo::set_Arguments(System.String) nop <null> ldloc.s V_5 callvirt System.Diagnostics.ProcessStartInfo System.Diagnostics.Process::get_StartInfo() ldc.i4.1 <null> 
callvirt System.Void System.Diagnostics.ProcessStartInfo::set_WindowStyle(System.Diagnostics.ProcessWindowStyle) nop <null> ldloc.s V_5 callvirt System.Diagnostics.ProcessStartInfo System.Diagnostics.Process::get_StartInfo() ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) nop <null> ldloc.s V_5 callvirt System.Boolean System.Diagnostics.Process::Start() pop <null> nop <null> leave.s IL_00D8: nop pop <null> nop <null> nop <null> leave.s IL_00D8: nop nop <null> nop <null> ret <null>
Characteristics
No malware configuration was found at this point.