Malicious

d5872083e5270ce860627c321c4a17ef

PE Executable | MD5: d5872083e5270ce860627c321c4a17ef | Size: 926.54 KB | application/x-dosexec


Characteristics

Symbol Obfuscation Score: Medium

Hash
MD5: d5872083e5270ce860627c321c4a17ef
Sha1: a8c347c428a591ca38ebdaa905256a177288450f
Sha256: 3f8981f1a4160417e2859c31255e030de9e488eb032994cdc13681b091da1504
Sha384: 00d9e608ff6642e1edaab2a2a5809cf3f42976b8256a48a70883f772585205a14b1f1b24b3181670400e9838f9a641fd
Sha512: 0a7d81e9d74e57e13f6f90d6df8e4d0b84ec06ff4ee6952c4f9c94c7713732c444a318d3086c729ce410713aae1dbec5a6236e855009c56a5d29cb35e312342e
SSDeep: 12288:KV59KLyRs8MSnAvH8MSnAvH8MSnAvH8MSnAvH8MSnAvH8MSnAvH8MSnAvH8MSnAl:KVXKW6U6U6U6U6U6U6U6U6U6t
TLSH: F315D0B1F64EC721D7880E32A4CACCA954E192FBC691EE6660907ED44B043C77FBC659

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
  [Authenticode]_42f51a30.p7b
  Structure
    DosHeader
    PE Header
    Optional Header (x86)
    Section Headers
      .text
      .rsrc
      .reloc
  Resources
    RT_VERSION
      ID:0001
        ID:0
    RT_MANIFEST
      ID:0001
        ID:0
  .Net Resources
    resource
Malware Configuration - XBinder config.
Config. Field
Value


0

0

Information
Info: PE Detect: PeReader OK (file layout)
Info: Authenticode present at 0xD16C8 size 68744 bytes
Module Name: 5959.exe
Full Name: 5959.exe
EntryPoint: System.Void Ⴀ.Ⴜ::Ⴅ()
Scope Name: 5959.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: 5959
Assembly Version: 1.3.36.372
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: <null>
Total Strings: 2
Main Method: System.Void Ⴀ.Ⴜ::Ⴅ()
Main IL Instruction Count: 306

Main IL


