ead152233cb6712f2fb1920d08fe13b9
PE Executable | MD5: ead152233cb6712f2fb1920d08fe13b9 | Size: 53.25 KB | application/x-dosexec
Symbol Obfuscation Score
| Hash | Hash Value |
|---|---|
| MD5 | ead152233cb6712f2fb1920d08fe13b9 |
| Sha1 | 31e179c2e6aaa4f0185f280069c094c1e2f6ef72 |
| Sha256 | bc1f349fc4db55e0ce087a043d3f7708994b65982f00599ddc52cfeaff55edba |
| Sha384 | acb7c2affe8fd19d623ad8e5612c6e2f801c037bef74e1a2568cfb0bc2b26e072d1d5f15991e07d289af78c630e28437 |
| Sha512 | 8aa6e923ebd702162205f9158aaff24e2a0574356c9dd383054484f5c1191b2f190fea3dd961751da1888b3774d35d1a77751f5627d1b066dcfcbf778f7a6fa3 |
| SSDeep | 768:PfwStm8MpXwNGQYby2AfoacJahMOCiob2gbOvz+K1uprUn/SgzX2/RcXJYWz+:PHR6u2A7MOCvbpbwq2kYn6mG/RcX1z+ |
| TLSH | AC334C00F7E9C52AF1BD8B3898F322494679E557BA03DA5D0CC4159B0B13BC69A426FE |
PeID
| Config. Field0 | Value |
|---|---|
| Key (AES_256) | a0U5R3BCMGYzSnp2VVhtV1JZd2F2MGFlRk9xWWJJNkM= |
| Pastebin | - |
| Certificate | MIIE8DCCAtigAwIBAgIQAKHoVQTTKstu3ShgR1hlHTANBgkqhkiG9w0BAQ0FADAZMRcwFQYDVQQDDA5qYXdhcjNkIFNlcnZlcjAgFw0yNjAxMjIxMzQxMzdaGA85OTk5MTIzMTIzNTk1OVowGTEXMBUGA1UEAwwOamF3YXIzZCBTZXJ2ZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCWL5ZUw7LR9BybGrwYNmRxxG8vLaau7D2Akl7kNFIkOBWHso/GYTzAJg/PrZxWO6xvhs8mASWRqIZ0mpgVTCN9kNymKybh+aezZyBELmKF52mzN94Pf2YjmmhmlB8KU1zazMnu2U2iBSN8zw3V29qa6tknbWy64mPFwRs/pTFLYbJrf+E5pBC5l9MFh8zqR+FSDZZuCVgq/YWn3Lifm0vM9TM+zU3E8VaZ3su0jHhjo3pXOSky0z1ImOQClPVbda+NCTjgn4GUcCqzd8s3JKMv2i0ydg+DjnkndKksCZTZGcBugUDBFNL38aacDtmcTTI/ZFEpYRVAM9jsaPQYGP/Qjzm+OvvEmMEnmAYohz+pzFfmLFhWgTlBQK/m/8EYY6zZ9jr/SNOR8zy4LlpUTrErx8Cb4qYGZW77J1dkOMbrWN65jEGk12C0V2345zM1CuCQajG4lQfapCfvAIYY3W9Swe0d8fkmqsbsxefLEz/Bqq5h1QB/bsAjX4aeCo2rBuZCZWb/ayxh4hO0Q2w4omupaIpBuNQeHw0WYFG9tLWjN3iuMdDYJe3nexh6m7Vyhgvojk6EyIa2QfSn4nmoi76ujj1MJd0DCxQBgrUSvMrscg3dUof7QPnUTXUA2I+L/N2qLXFHuEMSCzOKlsdrfnAjaWx20NjHEvbTU9yclwji9wIDAQABozIwMDAdBgNVHQ4EFgQUa/w+I6xQvuuaC0I7GPHfD8FNsD0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAY6nPkA5LfwvH+OQnjIz3trTKYsffBb4PmXrAnKF5TGb2KpDLQlu2pVhvdjWmalvIE/UzlFETq6WNbYH6iofLX+z/bTdeN+WY6ME/zl8RUF2Z3DbabT6eRJFqbiZnyAaVgBH2o73oE3ryb7JnVv9Ou1A366moUgG4IrUsN1h1Va1dZiKD0sHES/Smvwxa0/k08tkhsWG/uWNsgKzduXrgkQwwOJ/zHvPlAOEDGua0d4ypsOQou4o9cGMcZmiCKGBtwe7EbHiLFJidGye+dx+G/K22uDtc8QV8CZNCL3vQpyVN6usWz72GYcxulD02MAZvODLr4Hj/Ygh5T3DknY8IOjop8iw1ORVKGMz5biLXM/0o/p1ApPOEp6Snny6VWDErixBeKX9daJ4FklSEzdfxo//uPQiBgusN8kfX3Y55kqKrunskdctSd15kcOCKEtWYzOZTYUi8yuwCy/k8HML6kMGK/9m6ryRJ/wr2jdfEMYMN3adlaGOvDnOjSotZAuzFOYp+gJlQZgsQDUiyxAStZ47WaN9hQJ3Eliyq8omYU3NVQSYK6++dEoUxiLBrtzgEubjamVX2XmZ6yV5A7shCeaMgcw3kz4ioUkuSmoauuZNfWIn1Md/umbiBx2Nxt5mNsLQx6e+Hd1jFWEKxucCKnWP1g6JMlTlOrqDCZ8FjYgg= |
| ServerSignature | 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 |
| Install | true |
| BDOS | false |
| Anti-VM | false |
| Install File | WindowsUpdateService.exe |
| Install-Folder | %AppData% |
| Hosts | jawared1-63785.portmap.host |
| Ports | 3006,63785 |
| Mutex | QNtN6eFA02rO |
| Version | 0.5.8 |
| Delay | 3 |
| Group | Default |
| Name0 | Value |
|---|---|
| Info | PE Detect: PeReader OK (file layout) |
| Module Name | iwn.exe |
| Full Name | iwn.exe |
| EntryPoint | System.Void Client.Program::Main() |
| Scope Name | iwn.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | iwn |
| Assembly Version | 1.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | .NETFramework,Version=v4.8 |
| Total Strings | 126 |
| Main Method | System.Void Client.Program::Main() |
| Main IL Instruction Count | 70 |
| Main IL | ldc.i4.0 <null> stloc.0 <null> br IL_0015: ldloc.0 ldc.i4 1000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldloc.0 <null> ldc.i4.1 <null> add <null> stloc.0 <null> ldloc.0 <null> ldsfld System.String Client.Settings::Delay call System.Int32 System.Convert::ToInt32(System.String) blt.s IL_0007: ldc.i4 1000 call System.Boolean Client.Settings::InitializeSettings() brtrue IL_0032: ldsfld System.String Client.Settings::RunPEProcess ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) ldsfld System.String Client.Settings::RunPEProcess call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue IL_0081: nop call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() callvirt System.String System.Reflection.Assembly::get_Location() call System.Byte[] System.IO.File::ReadAllBytes(System.String) ldsfld System.String Client.Settings::RunPEProcess ldstr explorer.exe call System.Boolean System.String::op_Equality(System.String,System.String) brtrue IL_006E: ldstr "C:\\Windows\\explorer.exe" ldstr C:\Windows\System32\svchost.exe br IL_0073: stloc.1 ldstr C:\Windows\explorer.exe stloc.1 <null> ldloc.1 <null> call System.Boolean Client.Helper.RunPE::Execute(System.Byte[],System.String) pop <null> ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> call System.Boolean Client.Helper.MutexControl::CreateMutex() brtrue IL_0092: ldsfld System.String Client.Settings::Anti ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) ldsfld System.String Client.Settings::Anti call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00A6: ldsfld System.String Client.Settings::Install call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis() ldsfld System.String Client.Settings::Install call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00BA: ldsfld System.String Client.Settings::BDOS call System.Void 
Client.Install.NormalStartup::Install() ldsfld System.String Client.Settings::BDOS call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00D8: call System.Void Client.Helper.Methods::PreventSleep() call System.Boolean Client.Helper.Methods::IsAdmin() brfalse IL_00D8: call System.Void Client.Helper.Methods::PreventSleep() call System.Void Client.Helper.ProcessCritical::Set() call System.Void Client.Helper.Methods::PreventSleep() leave IL_00E8: nop pop <null> leave IL_00E8: nop nop <null> call System.Boolean Client.Connection.ClientSocket::get_IsConnected() brtrue IL_00FD: leave IL_0108 call System.Void Client.Connection.ClientSocket::Reconnect() call System.Void Client.Connection.ClientSocket::InitializeClient() leave IL_0108: ldc.i4 5000 pop <null> leave IL_0108: ldc.i4 5000 ldc.i4 5000 call System.Void System.Threading.Thread::Sleep(System.Int32) br.s IL_00E8: nop |
| Module Name | iwn.exe |
| Full Name | iwn.exe |
| EntryPoint | System.Void Client.Program::Main() |
| Scope Name | iwn.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | iwn |
| Assembly Version | 1.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | .NETFramework,Version=v4.8 |
| Total Strings | 126 |
| Main Method | System.Void Client.Program::Main() |
| Main IL Instruction Count | 70 |
| Main IL | ldc.i4.0 <null> stloc.0 <null> br IL_0015: ldloc.0 ldc.i4 1000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldloc.0 <null> ldc.i4.1 <null> add <null> stloc.0 <null> ldloc.0 <null> ldsfld System.String Client.Settings::Delay call System.Int32 System.Convert::ToInt32(System.String) blt.s IL_0007: ldc.i4 1000 call System.Boolean Client.Settings::InitializeSettings() brtrue IL_0032: ldsfld System.String Client.Settings::RunPEProcess ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) ldsfld System.String Client.Settings::RunPEProcess call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue IL_0081: nop call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() callvirt System.String System.Reflection.Assembly::get_Location() call System.Byte[] System.IO.File::ReadAllBytes(System.String) ldsfld System.String Client.Settings::RunPEProcess ldstr explorer.exe call System.Boolean System.String::op_Equality(System.String,System.String) brtrue IL_006E: ldstr "C:\\Windows\\explorer.exe" ldstr C:\Windows\System32\svchost.exe br IL_0073: stloc.1 ldstr C:\Windows\explorer.exe stloc.1 <null> ldloc.1 <null> call System.Boolean Client.Helper.RunPE::Execute(System.Byte[],System.String) pop <null> ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> call System.Boolean Client.Helper.MutexControl::CreateMutex() brtrue IL_0092: ldsfld System.String Client.Settings::Anti ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) ldsfld System.String Client.Settings::Anti call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00A6: ldsfld System.String Client.Settings::Install call System.Void Client.Helper.Anti_Analysis::RunAntiAnalysis() ldsfld System.String Client.Settings::Install call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00BA: ldsfld System.String Client.Settings::BDOS call System.Void 
Client.Install.NormalStartup::Install() ldsfld System.String Client.Settings::BDOS call System.Boolean System.Convert::ToBoolean(System.String) brfalse IL_00D8: call System.Void Client.Helper.Methods::PreventSleep() call System.Boolean Client.Helper.Methods::IsAdmin() brfalse IL_00D8: call System.Void Client.Helper.Methods::PreventSleep() call System.Void Client.Helper.ProcessCritical::Set() call System.Void Client.Helper.Methods::PreventSleep() leave IL_00E8: nop pop <null> leave IL_00E8: nop nop <null> call System.Boolean Client.Connection.ClientSocket::get_IsConnected() brtrue IL_00FD: leave IL_0108 call System.Void Client.Connection.ClientSocket::Reconnect() call System.Void Client.Connection.ClientSocket::InitializeClient() leave IL_0108: ldc.i4 5000 pop <null> leave IL_0108: ldc.i4 5000 ldc.i4 5000 call System.Void System.Threading.Thread::Sleep(System.Int32) br.s IL_00E8: nop |
| Name0 | Value |
|---|---|
| Key (AES_256) | a0U5R3BCMGYzSnp2VVhtV1JZd2F2MGFlRk9xWWJJNkM= |
| CnC | jawared1-63785.portmap.host |
| Ports | 3006 |
| Ports | 63785 |
| Mutex | QNtN6eFA02rO |
| Config. Field0 | Value |
|---|---|
| Key (AES_256) | a0U5R3BCMGYzSnp2VVhtV1JZd2F2MGFlRk9xWWJJNkM= |
| Pastebin | - |
| Certificate | 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 |
| ServerSignature | 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 |
| Install | true |
| BDOS | false |
| Anti-VM | false |
| Install File | WindowsUpdateService.exe |
| Install-Folder | %AppData% |
| Hosts | jawared1-63785.portmap.host |
| Ports | 3006,63785 |
| Mutex | QNtN6eFA02rO |
| Version | 0.5.8 |
| Delay | 3 |
| Group | Default |
| Name0 | Value | Location |
|---|---|---|
| Key (AES_256) | a0U5R3BCMGYzSnp2VVhtV1JZd2F2MGFlRk9xWWJJNkM= | Malicious ead152233cb6712f2fb1920d08fe13b9 |
| CnC | jawared1-63785.portmap.host | Malicious ead152233cb6712f2fb1920d08fe13b9 |
| Ports | 3006 | Malicious ead152233cb6712f2fb1920d08fe13b9 |
| Ports | 63785 | Malicious ead152233cb6712f2fb1920d08fe13b9 |
| Mutex | QNtN6eFA02rO | Malicious ead152233cb6712f2fb1920d08fe13b9 |