Invoice%20J-801265.pdf.exe

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 214.00 KB (219136 bytes)
Compile time: 2016-09-08 09:51:45
MD5: fd4dc9b2bff8d75a704e8fe33c63da4b
SHA1: d45d764fad516464ae784ed61a71e234b10dba42
SHA256: 9ed8b4e2db6d4feb162a0b1109ba4ca92065bd7d1256b6d234e9840dd36ef581
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections 3 .text .rsrc .reloc
Directories 4 import resource debug relocation
First submission: 2016-09-08 11:51:03
Last submission: 2016-09-08 11:51:03
Filename detected: - Invoice%20J-801265.pdf.exe (1)
URL file hosting
hXXp://henanairway.tk/Invoice%20J-801265.pdf.exe (VirusTotal)
Antivirus Report
Report Date Detection Ratio Permalink Update
2016-09-08 09:28:28 [9/55] VirusTotal
PE Sections 1 suspicious
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0x1bb54 113664 2de582f00219209b006b3562be67068c e8e0975e9ef3cfe080c096c3d749e2dd2f9da4aa
.rsrc 0x1e000 0x19688 104448 2c27ae44cce47e4650bd82f8e6a27cd4 69c833978c8fae3160b7ec35abefc017153be173
.reloc 0x38000 0xc 512 9028ffdc6101fdb11e2b98fd3d1cf61a f52f989e7edcec8379bd58c4b275111b4f950a6e
PE Resources
Name Offset Size Language Sublanguage Data
RT_ICON 0x261f0 67624 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_GROUP_ICON 0x36a18 76 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_VERSION 0x1e1f0 800 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_MANIFEST 0x36a68 3097 LANG_NEUTRAL SUBLANG_NEUTRAL
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright:
Assembly Version: 1.0.0.0
InternalName: inInvoice.exe
FileVersion: 1.0.0.0
CompanyName: Windows Explorer
Comments: Windows Explorer
ProductName: Windows Explorer
ProductVersion: 1.0.0.0
FileDescription: inInvoice
Translation: 0x0000 0x04b0
OriginalFilename: inInvoice.exe
XOR
No XOR information found in this file.
Signature
This file isn't digitally signed
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Text
\Desktop\Read_Me.txt
File type: Library
USER32.dll
mscoree.dll
IP Found
No IP detected
URL(s)
http://www.henanairway.tk/h.jpg
http://www.henanairway.tk/inject.php?inject=
http://www.w3.org/2001/XMLSchema-instance

#infosec #automation

TheSystem Itself @ 2016-09-08 11:51:03