Sample details: 013e486c63065f8cdd20481a0e2a5bae

Hashes
MD5: 013e486c63065f8cdd20481a0e2a5bae
SHA1: ab5573d804307935f223d3b84f955ef85ebc8b27
SHA256: 15f4c0a589dff62200fd7c885f1e7aa8863b8efa91e23c020de271061f4918eb
SSDEEP: 384:N5Z+nE4kgyVSskrLvd5sYKFHXGLpSWpuwvVi/YgbsQk4SwwcnNJm72A06NdvuJ2:cmgrsmLXRKFHANU//bRkjcnq72fIdvM
Details
File Type: PE32
Yara Hits
YRP/Armadillo_v1xx_v2xx_additional | YRP/Microsoft_Visual_Cpp_60_DLL_additional | YRP/Microsoft_Visual_Cpp_v70_DLL | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Microsoft_Visual_Cpp_60_DLL_Debug | YRP/Armadillo_v1xx_v2xx | YRP/Microsoft_Visual_Cpp_v60_DLL | YRP/Microsoft_Visual_Cpp_60_DLL | YRP/Microsoft_Visual_Cpp_60 | YRP/Armadillov1xxv2xx | YRP/IsPE32 | YRP/IsDLL | YRP/IsWindowsGUI | YRP/HasRichSignature | YRP/maldoc_find_kernel32_base_method_1 | YRP/maldoc_getEIP_method_1 | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/Dropper_Strings | YRP/Check_OutputDebugStringA_iat | YRP/anti_dbg | YRP/disable_antivirus | YRP/inject_thread | YRP/create_service | YRP/network_tcp_socket | YRP/network_dns | YRP/escalate_priv | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Str_Win32_Winsock2_Library | YRP/IronTiger_NBDDos_Gh0stvariant_dropper | FlorianRoth/DragonFly_APT_Sep17_3
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
PQQQQQQf
 SVWhlc
t[VVVVVVVj
VVVVVVVj
tMSVWP
PVWVVV
PWSWWW
SSSWSS
HtHHt3Ht
SVWj@3
Yt:WWh
QQPh02
t)SSSh
RegDeleteKeyExA
ADVAPI32.dll
??2@YAPAXI@Z
strcpy
memset
strlen
fclose
fwrite
??3@YAXPAX@Z
sprintf
__CxxFrameHandler
_except_handler3
strrchr
memcpy
fflush
wcstombs
strncpy
_stricmp
_CxxThrowException
MSVCRT.dll
??1type_info@@UAE@XZ
_initterm
malloc
_adjust_fdiv
wvsprintfA
wsprintfA
USER32.dll
GetProcAddress
LoadLibraryA
CloseHandle
GetLastError
OutputDebugStringA
GetModuleHandleA
lstrlenA
GetFileAttributesA
GetSystemInfo
CreateThread
lstrcpyA
GetLocalTime
GetCurrentProcess
WinExec
GetTickCount
KERNEL32.dll
_strrev
remove
RunningDll.dll
HookExitWindowsEx
Install
NewCopyOutOfUAC
Rundll32Call
ServiceMain
WinLogonCallFunc
WinLogonProtectThread
gethostbyname
inet_addr
ws2_32.dll
WS2_32.dll
WSAIoctl
setsockopt
closesocket
WinSta0\Default
KERNEL32.DLL
CreateProcessA
connect
socket
CreateFileA
WriteFile
MapViewOfFile
CreateFileMappingA
OpenFileMappingA
kernel32.dll
UnmapViewOfFile
ADVAPI32.dll
RegCreateKeyExA
RegCloseKey
RegSaveKeyA
RegRestoreKeyA
OpenServiceA
CloseServiceHandle
RegOpenKeyExA
ChangeServiceConfigA
QueryServiceStatus
QueryServiceConfigA
RegQueryValueExA
OpenSCManagerA
RegSetValueExA
MoveFileExA
ControlService
StartServiceA
DeleteService
RegOpenKeyA
CreateServiceA
RegCreateKeyA
CloseHandle
AdjustTokenPrivileges
LookupPrivilegeValueA
GetCurrentProcess
OpenProcessToken
advapi32.dll
GetLastError
scvsten
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
%s\%s\Parameters
%SystemRoot%\System32\svchost.exe -k netsvcs
Description
CreateThread
GetVersionExA
winsta0\default
user32.dll
CreateDesktopA
CreateProcessAsUserA
USERENV.dll
CreateEnvironmentBlock
SetTokenInformation
DuplicateTokenEx
WTSAPI32.dll
WTSQueryUserToken
Kernel32.dll
WTSGetActiveConsoleSessionId
Process32Next
Process32First
CreateToolhelp32Snapshot
KERNEL32.dll
SeDebugPrivilege
WriteProcessMemory
VirtualAllocEx
OpenProcess
SVWj{XjFf
Xj8Yj5f
Xj0ZjEf
js[jtf
]$j6[f
]&j3[f
].jC[f
]4jD[f
]8j1[j4f
]<[j3f
]>[jBf
]@[j1f
]B[j3f
uJ^jCf
EXXjFf
EZXj6f
E\Xj1f
Edj3Xf
QQSUVWj
_^][YY
kernel32
GetNativeSystemInfo
Software\Microsoft\Windows\CurrentVersion\Uninstall\{A16390FC-9D81-43B1-8A3C-82802F608193}
UninstallString
RegDeleteValueA
VirtualAlloc
SettingDatas3
MoveFileA
DeleteFileA
ExitWindowsEx
WaitForSingleObject
Once3Running
SetEvent
OpenEventA
User32.dll
HookExitWindowsEx
%s "%s", Install
MediaControl
MS Media Config
Provides support for media palyer. This service can't be stoped.
SetServiceStatus
GlobalShareData3
%s "%s",Rundll32Call
RegisterServiceCtrlHandlerA
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
CopyFileA
GetFileAttributesA
CreateEventA
SetUnhandledExceptionFilter
KST_106
%s "%s", NewCopyOutOfUAC %s
.?AUGlobalVariable@@
.PAUHINSTANCE__@@
GlobalFree
ExitThread
winlogon.exe
WinLogonCallFunc
ExpandEnvironmentStringsA
FreeLibrary
GlobalAlloc
SetFilePointer
%s\KingKong.dll
%s\drv1028.sys
%allusersprofile%\BaseKst
system
192.168.20.47
Wow64DisableWow64FsRedirection
GetUserNameA
GetModuleFileNameA
IsWow64Process
cmd /c rd "%s" /s /q
cmd /c del "%s\*.*" /f /q
cmd /c sc delete "%s"
cmd /c sc stop "%s"
Wow64RevertWow64FsRedirection
WSACleanup
WSAStartup
WaitForMultipleObjects
.?AVtype_info@@
InitializeCriticalSection
VirtualProtectEx
LeaveCriticalSection
EnterCriticalSection
VirtualFree
GetVersion
%s\AdminTt%d.dll
GetSystemDirectoryA
CloseDesktop
0!0]0c0h0p0x0}0
3'3Y3q3w3|3
5%565<5A5J5R5`5
6"6)6.696>6D6K6P6[6`6f6m6r6}6
7'7,72797>7I7N7T7[7`7k7p7v7}7
8 8'8,878<8B8I8N8Y8^8d8k8p8{8
9 929;9B9_9v9
=K=X=j=q>~>
?#?t?y?
0+00060A0F0
1S1a1s1y1~1
2&2.232A2O2~2
62686=6F6N6\6
6]7w7|7
818Y8o8
9&9-949Q9i9o9t9|9
;+;7;i;
<2<P<c<h<n<u<
=&=1=<=G=^=g=q=y=
> >(>->:>H>M>Z>a>i>p>x>}>
1H1^1t1
2:2@2E2M2U2\2a2l2z2
3 353:3?3G3O3T3_3n3{3
4"404h4s4
455a5h5v5
6,626:6C6]6b6w6
768;8Z8m8r8|8
8/949>9C9Q9]9b9w9
:;:T:Y:^:g:o:}:
; ;(;.;3;;;@;K;Q;Y;o;t;z;
<'<1<9<C<K<V<`<h<m<z<
<!=:=D=e=x=
>)>>>I>l>w>
?4?:?b?h?n?|?
1)2.252=2E2J2X2]2k2p2
6!6)61666
8#8X8]8c8j8
9$9)9.9:9?9I9N9\9a9
1$14181H1P1
282L2T2t2
0 0$0(0,0004080<0@0D0H0L0P0T0
(?H?X?