PESCAN.IO - Analysis Report |
Information: |
• Size: 3,40 MB
• SHA-256 Hash: A2FE636D908A624C2336538E4E84AE0C0818713087DC256F78E83B73BFF4DE91
• SHA-1 Hash: A3E4A8464683B043FCA1B1946FD052CBAA23D926
• MD5 Hash: FF70A90ED0F52E38931401BEB53098FD
• Imphash: F34D5F2D4577ED6D9CEEC516C1F5A744
• MajorOSVersion: 4
• CheckSum: 00366BBC
• EntryPoint (rva): 353AFA
• SizeOfHeaders: 200
• SizeOfImage: 35C000
• ImageBase: 400000
• Architecture: x86
• ImportTable: 353AA8
• Characteristics: 22
• TimeDateStamp: 93B215E8
• Date: 09/07/2048 15:36:08
• File Type: EXE
• Number Of Sections: 3
• ASLR: Disabled
• Section Names: .text, .rsrc, .reloc
• Number Of Executable Sections: 1
• Subsystem: Windows GUI
• UAC Execution Level Manifest: asInvoker |
Sections Info: |
Section Name | Flags | ROffset | RSize | VOffset | VSize |
---|---|---|---|---|---|
.text | 60000020 (Executable) | 200 | 351C00 | 2000 | 351B00 |
.rsrc | 40000040 | 351E00 | 4E00 | 354000 | 4CA4 |
.reloc | 42000040 | 356C00 | 200 | 35A000 | C |
Description: |
InternalName: wfc6setup.exe OriginalFilename: wfc6setup.exe CompanyName: Malwarebytes LegalCopyright: 2025 Malwarebytes. All rights reserved. ProductName: Malwarebytes Windows Firewall Control - Setup FileVersion: 6.17.0.0 |
Binder/Joiner/Crypter: |
Dropper code detected (EOF) - 36,76 KB |
Entry Point: |
The section number (1) - (.text) have the Entry Point Information -> EntryPoint (calculated) - 351CFA Code -> FF25002040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 • JMP DWORD PTR [0X402000] • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL • ADD BYTE PTR [EAX], AL |
Signatures: |
Certificate - Digital Signature: • The file is signed and the signature is correct |
Packer/Compiler: |
Compiler: Microsoft Visual .NET - (You can use a decompiler for this...) • AnyCPU: True • Version: v4.0 Detect It Easy (die) • PE: library: .NET(v4.0.30319)[-] • PE: linker: Microsoft Linker(48.0)[EXE32,signed] • PE: Sign tool: Windows Authenticode(2.0)[PKCS 7] • Entropy: 7.98741 |
Windows REG (UNICODE): |
SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' to determine existing .NET Framework version.m{0} was caught:!{1}Press OK to exit the installer. Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Firewall Control SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall Software\Microsoft\Windows\CurrentVersion\Run Software\Microsoft\Windows\CurrentVersion\App Paths\wfcUI.exe Software\Classes\CLSID\{WD2827D4-F8E0-B379-I229-D89D12E4642A}AuditMode Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
File Access: |
Setup.Resources.wfcs.exe Setup.Resources.wfcUI.exe wfc6setup.exe mscoree.dll Setup.Resources.System.Memory.dll Setup.Resources.mbcut.dll Setup.Resources.System.Numerics.Vectors.dll Setup.Resources.System.Buffers.dll Setup.Resources.GrpcDotNetNamedPipes.dll Setup.Resources.Newtonsoft.Json.dll Setup.Resources.Grpc.Core.Api.dll Setup.Resources.Google.Protobuf.dll Setup.Resources.System.Runtime.CompilerServices.Unsafe.dll Setup.Resources.mbcut32.dll Setup.Resources.Sys |
File Access (UNICODE): |
mbcut.dll mbcut32.dll wfc6setup.exe auditpol.exe netsh.exe taskkill.exe sc.exe wfcs.exe wfcUI.exe |
Interest's Words: |
exec attrib start pause ping |
Interest's Words (UNICODE): |
taskkill exec netsh taskkill start ping sc.exe |
URLs: |
URLs (UNICODE): |
https://binisoft.org https://binisoft.org/eula |
AV Services (UNICODE): |
Antivirus name extract - (SecurityCenter2) |
Strings/Hex Code Found With The File Rules: |
• Rule Text (Ascii): WinAPI Sockets (connect) • Rule Text (Unicode): WinAPI Sockets (connect) • Rule Text (Ascii): WinAPI Sockets (send) • Rule Text (Ascii): Anti-Analysis VM (GetVersion) • Rule Text (Ascii): Execution (ShellExecute) • Rule Text (Ascii): Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV) • Rule Text (Ascii): Software that records user activity (Logger) • EP Rules: Microsoft Visual C / Basic .NET • EP Rules: Microsoft Visual C++ 8 • EP Rules: Microsoft Visual C++ 8.0 • EP Rules: Microsoft Visual C v7.0 / Basic .NET • EP Rules: Microsoft Visual Studio .NET • EP Rules: .NET executable |
Resources: |
Path | DataRVA | Size | FileOffset | Code | Text |
---|---|---|---|---|---|
\ICON\1\0 | 354160 | 25A8 | 351F60 | 2800000030000000600000000100200000000000802500000000000000000000000000000000000000000000000000000000 | (...0........ ......%............................ |
\ICON\2\0 | 356718 | 10A8 | 354518 | 2800000020000000400000000100200000000000801000000000000000000000000000000000000000000000000000000000 | (... ...@..... ................................... |
\ICON\3\0 | 3577D0 | 988 | 3555D0 | 2800000018000000300000000100200000000000600900000000000000000000000000000000000000000000000000000000 | (.......0..... .................................. |
\ICON\4\0 | 358168 | 468 | 355F68 | 28000000100000002000000001002000000000004004000000000000000000000000000000000000FFFFFF02FFFFFF080000 | (....... ..... .....@............................. |
\GROUP_ICON\32512\0 | 3585E0 | 3E | 3563E0 | 0000010004003030000001002000A825000001002020000001002000A8100000020018180000010020008809000003001010000001002000680400000400 | ......00.... ..%.... .... ............. ............. .h..... |
\VERSION\1\0 | 358630 | 472 | 356430 | 720434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001100 | r.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
\24\1\0 | 358AB4 | 1EA | 3568B4 | EFBBBF3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E65 | ...<?xml version="1.0" encoding="UTF-8" standalone |
Intelligent String: |
• 6.17.0.0 • wfc6setup.exe • RNSystem.Xaml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089:x,http://schemas.microsoft.com/winfx/2006/xaml • NWindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35ZWindowsFormsIntegration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35H9http://schemas.microsoft.com/winfx/2006/xaml/presentation • runas • +Global\wfc.installer. • wfcUI.exe • mbcut.dll • mbcut32.dll • wfcs.exe • restore.wfw • sc.exe • taskkill.exe • .dll • .exe.rsx • .lng.rsx • )support@binisoft.org • https://binisoft.org • BiniSoft.org • {Software\Microsoft\Windows\CurrentVersion\App Paths\wfcUI.exe • netsh.exe • auditpol.exe • /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030} /failure:enable /success:enable • SMalwarebytes Windows Firewall Control.lnk • https://binisoft.org/eula • icons/00.ico • .CDR • .AWW • _CorExeMainmscoree.dll • :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U |
Extra 4n4lysis: |
Metric | Value | Percentage |
---|---|---|
Ascii Code | 2415591 | 67,8499% |
Null Byte Code | 37163 | 1,0438% |