service.exe
SHA256 - ea568b732e66798cdc9f97f736cc77142d08e1996b7f5d6a996d9b941083e03c
MD5 - d3bb7d0cce1e7a1a1884f25d2a5370d2
Language - C# (.NET)
link to malware - https://bazaar.abuse.ch/download/ea568b732e66798cdc9f97f736cc77142d08e1996b7f5d6a996d9b941083e03c/
link to any.run report -
Strings
null
Packet
Ping
Message
/c schtasks /create /f /sc onlogon /rl highest /tn "
" /tr '"
"' & exit
\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS
.bat
@echo off
timeout 3 > NUL
START "" "
DEL "
" /f /q
Select * from Win32_ComputerSystem
Manufacturer
microsoft corporation
Model
VIRTUAL
vmware
VirtualBox
SbieDll.dll
Err HWID
ClientInfo
HWID
User
Microsoft
True
64bit
False
32bit
Path
Version
Admin
true
false
Performance
Pastebin
Antivirus
Installed
Pong
Group
\\root\\SecurityCenter2
Select * from AntivirusProduct
...
Multiple Base64-encoded strings were found as well.
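Opening the file in dnSpy (a .NET decompiler) recovers its source code, where the suspicious files and behaviors become evident. The strings listed above are consistent with what the decompiled code would be expected to show: logon-triggered scheduled-task persistence (`schtasks /create ... /sc onlogon /rl highest`), a registry path stored reversed (`\\nuR\\noisreVtnerruC\\...` reads as `Software\\Microsoft\\Windows\\CurrentVersion\\Run\\`), a self-deleting `.bat` helper, VM/sandbox checks (`Win32_ComputerSystem`, `vmware`, `VirtualBox`, `SbieDll.dll`), and a WMI query for installed antivirus products (`\\root\\SecurityCenter2`).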