Sample details: 001044a6b499dd529d056a11b3d20465

Hashes
MD5: 001044a6b499dd529d056a11b3d20465
SHA1: 010210da6f1b98558481a8af97bb9c994b533e74
SHA256: 423608db9e61ac63a7055a0e1fa94b51b877e3b076ee8db79c79483870e201d9
SSDEEP: 384:6vM2sPq2lpadckIyvEfWoidL39KA5FZdgAkTiM79mgLvKr67rcum:6vpsPq2lpaSkIZiJ9D3M7Yutn
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Basic_v50 | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/FASM | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/Misc_Suspicious_Strings | YRP/hijack_network | YRP/win_files_operation | FlorianRoth/DragonFly_APT_Sep17_3 |
Parent Files
7e765ff1b5c152720d6909ac2477d15e
Source
Strings
		!This program cannot be run in DOS mode.
`.data
.idata
(3~U,gU
8}<3lI,\G
:y16k@2_B
n+pd(]U
&w}!bh
(9v56n@4fC0[C
d/w`,jZ*[Q
*~w)pl%`]
$u~"fl
b2e.exe
!This program cannot be run in DOS mode.
`.text
`.data
selfdel
rmdir 
batchfile.bat
memset
memcpy
remove
_mkdir
_chdir
_rmdir
malloc
CRTDLL.dll
GetModuleHandleA
HeapCreate
lstrlenA
GetModuleFileNameA
GetTempPathA
GetTempFileNameA
CreateFileA
GetFileSize
ReadFile
CloseHandle
WriteFile
HeapDestroy
ExitProcess
GetExitCodeProcess
KERNEL32.dll
strncpy
strlen
InitializeCriticalSection
GetCommandLineA
HeapAlloc
HeapFree
HeapReAlloc
ShellExecuteExA
ShellExecuteA
SHELL32.dll
PathQuoteSpacesA
PathAddBackslashA
PathRemoveBlanksA
PathFileExistsA
PathRemoveFileSpecA
SHLWAPI.dll
batchfile.bat                                                                                       
@echo off
rem ---------------------------------------------------------------------------
rem Reviewer annotations (these "rem" lines were added; everything else is the
rem script exactly as it was recovered from the binary's strings).
rem
rem What the visible script does: print the current hosts file, then - unless
rem the machine appears to be on a 210.105.131.x or 172.20.x.x network - strip
rem the hosts file's attributes, back it up and overwrite it with a stock
rem Microsoft template containing only "127.0.0.1 localhost". Any other entry
rem in the hosts file (legitimate or malicious) is discarded in the process;
rem only the .bak copy preserves it.
rem
rem String extraction dropped the non-ASCII (presumably Korean, given the
rem cuckoo.co.kr reference) text inside the rem and echo lines, which is why
rem several lines below look truncated or start with a stray " hosts"/" host".
rem
rem NOTE(review): the surrounding PE strings (b2e.exe, selfdel, batchfile.bat,
rem GetTempFileNameA, WriteFile, ShellExecuteA) look like a bat-to-exe style
rem wrapper that drops this script to %TEMP% and runs it - confirm dynamically.
rem NOTE(review): nothing in the recovered script corroborates the
rem DragonFly_APT_Sep17_3 YARA hit; treat that match as unverified rather than
rem as attribution until the rule's matching strings are checked.
rem ---------------------------------------------------------------------------
rem Show the hosts file before any change is made.
        type               %systemroot%\system32\drivers\etc\hosts
        echo. & echo. & echo. & echo.
        
        rem -----
 hosts
rem Network check: "find" is run over the full ipconfig output, so any listed
rem address (own IP, mask, gateway, DNS) containing the substring triggers the
rem skip, not only the host's own address. errorlevel 0 = substring found.
        ipconfig | find "210.105.131"
        if %errorlevel%==0 goto next_skip
        ipconfig | find "172.20."
        if %errorlevel%==0 goto next_skip
        
rem Clear read-only/system/hidden so the file can be overwritten. Writing under
rem %systemroot%\system32\drivers\etc normally needs an elevated prompt; the
rem script does not check for that, so without it the steps below just fail.
        attrib -r -s -h    %systemroot%\system32\drivers\etc\hosts
        rem  Hosts 
 cuckoo.co.kr, cuckoo.domain
 host 
rem Backup first. NOTE(review): %date% is locale dependent; on locales whose
rem date contains "/" this filename is invalid and the copy fails silently
rem (no errorlevel check), after which the original contents are lost below.
        copy /y %systemroot%\system32\drivers\etc\hosts   "%systemroot%\system32\drivers\etc\hosts_%date%.bak"
rem Single ">" truncates the file; the following ">>" lines append the stock
rem Microsoft header. Only "127.0.0.1 localhost" remains as a live mapping.
        echo # > %systemroot%\system32\drivers\etc\hosts
        echo # Copyright (c) 1993-1999 Microsoft Corp.                                 >> %systemroot%\system32\drivers\etc\hosts
        echo # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.       >> %systemroot%\system32\drivers\etc\hosts
        echo # This file contains the mappings of IP addresses to host names. Each     >> %systemroot%\system32\drivers\etc\hosts
        echo # entry should be kept on an individual line. The IP address should       >> %systemroot%\system32\drivers\etc\hosts
        echo # be placed in the first column followed by the corresponding host name.  >> %systemroot%\system32\drivers\etc\hosts
        echo # The IP address and the host name should be separated by at least one    >> %systemroot%\system32\drivers\etc\hosts
        echo # space.                                                                  >> %systemroot%\system32\drivers\etc\hosts
        echo # Additionally, comments (such as these) may be inserted on individual    >> %systemroot%\system32\drivers\etc\hosts
        echo # lines or following the machine name denoted by a '#' symbol.            >> %systemroot%\system32\drivers\etc\hosts
        echo # For example:                                                            >> %systemroot%\system32\drivers\etc\hosts
        echo #      102.54.94.97    rhino.acme.com          # source server            >> %systemroot%\system32\drivers\etc\hosts
        echo #      38.25.63.10     x.acme.com              # x client host            >> %systemroot%\system32\drivers\etc\hosts
        echo #                                                                         >> %systemroot%\system32\drivers\etc\hosts
        echo 127.0.0.1       localhost                                                 >> %systemroot%\system32\drivers\etc\hosts
        echo.
        echo.
rem Show the rewritten file and wait for a keypress - the script expects an
rem interactive console user.
        type               %systemroot%\system32\drivers\etc\hosts
        pause
rem No ":end" label appears in the recovered strings. If it is genuinely absent
rem (and not just lost in extraction), cmd aborts here with "cannot find the
rem batch label", which still ends the script.
        goto end
:next_skip
rem Reached only when one of the ipconfig substring checks matched: the hosts
rem file is left untouched and a (truncated, originally non-ASCII) message is shown.
        echo. & echo. & echo. & echo.
        echo 
 hosts 
        echo. & echo. & echo. & echo.
        pause
        goto end
KERNEL32.DLL
crtdll.dll
shell32.dll
shlwapi.dll
user32.dll
CloseHandle
CreateFileA
DeleteFileA
ExitProcess
WriteFile
GetCommandLineA
lstrcatA
GetTempFileNameA
GetTempPathA
PathQuoteSpacesA
PathAddBackslashA
wsprintfA
_mkdir
_getcwd
ShellExecuteA