| Property | Value |
|---|---|
| File Name: | Mandela.exe |
| File Type: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| SHA1: | eac84b6bc1be332af4bafc1bdac30b40041a1295 |
| MD5: | 68558a4a7df242046a8a7345501adcf7 |
| First Seen Date: | 2023-05-08 19:13:51.614309 |
| Number of Clients Seen: | 7 |
| Last Analysis Date: | 2023-05-10 13:26:12.441919 |
| Human Expert Analysis Date: | 2023-05-09 18:31:37.031624 |
| Human Expert Analysis Result: | Malware |

| Property | Value |
|---|---|
| magic literal enum | 3 |
| file type enum | 6 |
| debug artifacts | Path: Mandela.pdb; GUID: {320a1dd0-1273-4a78-bf61-5e545759ba5e}; timestamp: 1970-01-01 00:00:00 |
| number of sections | 3 |
| trid | 62.0 Generic CIL Executable (.NET, Mono, etc.); 23.4 Win64 Executable (generic); 5.5 Win32 Dynamic Link Library (generic); 3.8 Win32 Executable (generic); 1.7 OS/2 Executable (generic) |
| compilation time stamp | 0x9E7C08C7 [Sat Apr 4 15:20:39 2054 UTC] [SUSPICIOUS] |
| Translation | 0x0000 0x04b0 |
| LegalCopyright | NOTHING IS WORTH THE RISK |
| Assembly Version | 1.0.0.0 |
| InternalName | Mandela.exe |
| FileVersion | 1.0.0.0 |
| CompanyName | NOTHING IS WORTH THE RISK |
| LegalTrademarks | NOTHING IS WORTH THE RISK |
| Comments | NOTHING IS WORTH THE RISK |
| ProductName | NOTHING IS WORTH THE RISK |
| ProductVersion | 1.0.0.0 |
| FileDescription | NOTHING IS WORTH THE RISK |
| OriginalFilename | Mandela.exe |
| entry point | 0x13151de (.text) |
| machine type | Intel 386 or later - 32Bit |
| file size | 15917568 |
| ssdeep | 393216:3S2Jj2w9YgIrP/gHase3j3LINmWuwd6CZ/OK4jXo/jH599s:Cm3YgIrXg6sELLIQWXsCZGKgY/jx |
| sha256 | c6818da28a36a7ed628e5a86ede3a642b609b34b2f61ae4dba9a4814d6822d2f |
| mime type | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 |

| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 |
|---|---|---|---|---|---|
| .text | 0x2000 | 0xf131e4 | 0xf13200 | 7.99862829207 | 5bdd14bfd0ec1263974ef121a3e4c082 |
| .rsrc | 0xf16000 | 0x1abb4 | 0x1ac00 | 3.70244799619 | d1306ad754fba4290afad884b3463766 |
| .reloc | 0xf32000 | 0xc | 0x200 | 0.101910425663 | 0a13644d62e9472fdfdef09bf9f99cfd |

- mscoree.dll
  - _CorExeMain