Sample details: 1b53ecb99aba90ab37735dad266598cf

Hashes
MD5: 1b53ecb99aba90ab37735dad266598cf
SHA1: c3012f05f7ae95229629c471cb11ba075ea1728f
SHA256: 08a0122bede05b01c5b966697fca15c5ed5cef322dda514701171b919c2ec0b8
SSDEEP: 6144:9fI9VatNaLhN6h0CHimcbsrROh9WKvW4hqKZU9OJlG2D0:dI9VaPa5xuROaqL0Omo0
Details
File Type: PE32
Yara Hits
YRP/yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h
YRP/IsPE32
YRP/IsWindowsGUI
YRP/IsPacked
YRP/HasRichSignature
YRP/maldoc_find_kernel32_base_method_1
YRP/maldoc_getEIP_method_1
YRP/domain
YRP/IP
YRP/url
YRP/contentis_base64
YRP/VM_Generic_Detection
YRP/Misc_Suspicious_Strings
YRP/network_tcp_listen
YRP/network_dropper
YRP/network_tcp_socket
YRP/win_registry
YRP/win_files_operation
YRP/android_meterpreter
YRP/Big_Numbers0
YRP/VC6_Random
YRP/Str_Win32_Winsock2_Library
YRP/Str_Win32_Wininet_Library
YRP/Str_Win32_Internet_API
Source
http://122.114.166.61/i31.exe
Strings
!This program cannot be run in DOS mode.
`.rdata
@.data
@.text
?cmd.exe
command.com
COMSPEC
`h````
ppxxxx
(null)
GAIsProcessorFeaturePresent
KERNEL32
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error 
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: 
<program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
1#QNAN
1#SNAN
GetProcAddress
LoadLibraryA
GetTickCount
ExitThread
GetCurrentProcess
lstrcpyA
GetCurrentProcessId
MoveFileExA
MoveFileA
GetTempPathA
GetModuleFileNameA
CloseHandle
CreateThread
WaitForSingleObject
WinExec
GetSystemDefaultUILanguage
GetComputerNameA
GetSystemInfo
lstrlenA
GetLastError
CopyFileA
GlobalMemoryStatus
GetModuleHandleA
KERNEL32.dll
wsprintfA
USER32.dll
RegCloseKey
RegQueryValueExA
RegOpenKeyA
RegOpenKeyExA
SetServiceStatus
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
CloseServiceHandle
RegSetValueExA
StartServiceA
OpenServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
OpenSCManagerA
ADVAPI32.dll
WSASocketA
WSAIoctl
WS2_32.dll
InternetReadFile
InternetOpenUrlA
InternetOpenA
InternetCloseHandle
WININET.dll
GetIfTable
iphlpapi.dll
RtlUnwind
GetTimeZoneInformation
GetSystemTime
GetLocalTime
ExitProcess
TerminateProcess
HeapFree
HeapAlloc
GetStartupInfoA
GetCommandLineA
GetVersion
SetHandleCount
GetStdHandle
GetFileType
HeapReAlloc
HeapSize
GetFileAttributesA
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
WriteFile
SetFilePointer
FlushFileBuffers
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadCodePtr
GetExitCodeProcess
CreateProcessA
GetCPInfo
GetACP
GetOEMCP
SetStdHandle
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
LCMapStringA
LCMapStringW
CompareStringA
CompareStringW
SetEnvironmentVariableA
WS2_32.dll
5A9F769FF57B7E1E994A964B211C5F1980FC12
5A9F769FF57B7E1E994A964B211C5F1980FC12
FAF9504677DD17D830601A924414B71FE8F512
ddos.tf
Mnopqrs Uabcde
Mnopqr Tuabcde Ghijklm Opqr
Mnop Rstuabc Efghijklmn P
Mozilla/5.0 (Windows NT 6.0; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.5 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.4
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRA 5.8 (build 4157); .NET CLR 2.0.50727; AskTbPTV/5.11.3.15590)
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/5.0 (Windows; U; Windows NT 6.1; cs-CZ) AppleWebKit/533.3 (KHTML, like Gecko) QupZilla/1.1.5 Safari/533.3
Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60
Mozilla/5.0 (X11; U; Linux i686; en-US; SkipStone 0.8.3) Gecko/20020615 Debian/1.0.0-3 
Mozilla/4.0 (compatible; MSIE 6.0; Windows XP 5.1) Lobo/0.98.4
Mozilla/5.0 (X11; U; Linux; cs-CZ) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3)  rekonq
Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; cs; rv:1.9.0.5) Gecko/2009021916 Songbird/1.1.2 (20090331142126)
Mozilla/5.0 (Linux; U; Android 2.2; fr-fr; Desire_A8181 Build/FRF91) App3leWebKit/53.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_5; en-us) AppleWebKit/525.26.2 (KHTML, like Gecko) Version/3.2 Safari/525.26.12
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; )
Opera/9.80 (Windows NT 5.1; U; cs) Presto/2.2.15 Version/10.00
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11
Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 BIDUBrowser/8.4 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
WS2_32.dll
WSASocketA
KERNEL32.dll
SetProcessWorkingSetSize
Set IP_HDRINCL Error!
WSASocket() failed: %d
WSAStartup failed: %d
x=%d, y=%d
i=%d, j=%d
%d.%d.%d.%d
HARDWARE\DESCRIPTION\System\CentralProcessor\0
192.168.1.244
Send err!
192.168.1.32
time err!
opt err!
sock err!
InitWSAStartup Error!
Head %s HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
Range: bytes=0-18446744073709551615
Referer: %s
Host: %s
GET %s HTTP/1.1
Connection: Keep-Alive
Accept: text/html, */*
Accept-Language: zh-CN
User-Agent: %s
Referer: %s
Host: %s
POST %s HTTP/1.1
Accept: */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
User-Agent:Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11
Host: %s
User-Agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
Cache-Control: no-cache
Referer: http://www.baidu.com
GET %s HTTP/1.1
Accept: */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
User-Agent: %s
Host: %s
%.fKb/bps|%d%%
URLDownloadToFileA
urlmon.dll
\%c%c%c%c%c.exe
 Ver  8.0
Windows NT
Windows 2012
Windows 10
Windows 8
Windows 7
Windows 2008
Windows Vista
Windows 2003
Windows XP
Windows 2000
ProductName
SOFTWARE\Microsoft\Windows NT\CurrentVersion
shutdown -s -t 5
%c%c%c%c%c%c.exe
NtQuerySystemInformation
wwwwww
pwwwwwp
HY_^Z[
VWQRSj
SRQWVj
mgr.exe
LoadLibraryA
GetProcAddress
GetModuleHandleA
kernel32.dll
FreeLibrary
OpenMutexA
CloseHandle
CreateFileA
WriteFile
GetModuleFileNameA
CreateProcessA
GetWindowsDirectoryA
GetVolumeInformationA
TCmgr.exe
LoadLibraryA
GetProcAddress
GetModuleHandleA
kernel32.dll
FreeLibrary
OpenMutexA
CloseHandle
CreateFileA
WriteFile
GetModuleFileNameA
CreateProcessA
GetWindowsDirectoryA
GetVolumeInformationA