Sample details: 1c84038a7aac6342894d5896a390913d --

Hashes
MD5: 1c84038a7aac6342894d5896a390913d
SHA1: 1b233af41106d7915f6fa6fd1448b7f070b47eb3
SHA256: d581b95b43c16407305f5d52631f044936b354ed921cb2efe8dfc9257960d2db
SSDEEP: 3072:VvB5pkqsQCR3f4R8APSazAi6840Vn/9f3b+ZnSAD:VvbTsQCR5Aaaki6By/9yZS
Details
File Type: PE32
Added: 2018-11-14 20:38:30
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Microsoft_Visual_Cpp_70_DLL | YRP/Microsoft_Visual_Cpp_70_DLL_additional | YRP/Microsoft_Visual_Cpp_v60_DLL | YRP/Microsoft_Visual_Cpp_70_DLL_Method_3 | YRP/IsPE32 | YRP/IsDLL | YRP/IsWindowsGUI | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/System_Tools | YRP/Misc_Suspicious_Strings | YRP/DebuggerCheck__QueryInfo | YRP/anti_dbgtools | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation | YRP/Advapi_Hash_API | YRP/CRC32b_poly_Constant | YRP/BASE64_table | YRP/Turla_APT_Malware_Gen1 | YRP/Turla_APT_Malware_Gen3 | YRP/GenerateTLSClientHelloPacket_Test | FlorianRoth/carbon_metadata | FlorianRoth/Turla_APT_Malware_Gen1 | FlorianRoth/Turla_APT_Malware_Gen3 |
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
tyItGIu
SUWj43
t\9XDu
!FK!FO
ut9^ct"9^ou
u<9^ct&S
t6Nt)Nt Nt
D$P9D$
f9D$pt3h
9D$ t6
uA9^(t
j@XSSPj
j@XSSPj
1L$ +D$ P
G 1L$03D$0P
G01L$@
GP1L$ 3D$ P
Gp1L$ +D$ P
3Mh3M0
 3Ml3M\3M
3Mh3M0
 3M<3M
}l3M$3M@3
 3Mh3M0
u83Mh3M$
 3M<3M\
3Mh3M0
 3M43Md3M`
 3E`3El3E<
 _3E@^
PQQhOb
 WWhF{
 WWhYl
D$Lj(Ph 
L$0+L$(i
D$,;D$4
D$(;D$0
L$(+L$$
 SSSSW
~@WjzXj0_
 WWWWV
<"ud9]
<"u"9M
D$0PhH
D$(+D$
 Y_^][
D$4PWV
uESSj<W
u,9t$$
uK9t$$t
t$$9t$(
uj9t$$t
t$$9t$(t
t$(9t$,
YY9|$$t
|$$9|$(t
|$(9|$,t
|$,9|$0t
 SSSSV
W9p8~(
NtiNtF
QP;QL}4
FD;FH|
FP;FL|
WPQRh4
F(;F$u
t$$9D$
t+9F,t&
|$,)|$
t%9~,t 
t&9F,t!
t'9N,t"
Y!t];t$
Y9\$(t
69\$(u 
 +D$03
Y9^tt4W
Y9^Hu$
;*VWud
Y!_^[]
Y!_^[]
VC20XC00U
t ;t$$t
ntdll.dll
ZwWriteVirtualMemory
CreateRemoteThread
ZwCreateThreadEx
ZwTerminateThread
LdrGetProcedureAddress
.apiset
"o;h(Y
T*_}x:
"%-U^7
W1O	g_?
SRqDIK
mn`I:T`H
~?Pa w
(>nH&p
Sj~=eI
F_C)x;
+LVvuOx39]O#2
pqT3^-ZI
Global\MSCTF.Shared.MUTEX.ZRX
Global\DBWindowsBase
Global\IEFrame.LockDefaultBrowser
Global\WinSta0_DesktopSessionMut
Global\{5FA3BC02-920F-D42A-68BC-04F2A75BE158}
Global\SENS.LockStarterCacheResource
miniport.dat
C_56743.NLS
b9s3coff.ax
a67ncodc.ax
vndkrmn.dic
qavscr.dat
TR|%d|
ST|NOID|
ST|NR:%d|
ST|4/01|%s:%d|
CR|-1|%d|
PVAGG|%d|
TP|%d|
SL|%d|
WP|%d|
IA|%d|
TS|%d|
ST|%d:END|
GSEFail
STOP|4/01|%d|
STOP|OK|
TTFail
STOP|FATAL|
user_winmin
user_winmax
lastconnect
OPER|Wrong config: no lastconnect|
W|0|NULL|0|Sleep:%d|
CW_INET
W|-1|%d|%s:/|nrt|
W|0|%s:%s|0|Ready...,%d|
checkmin
checkmax
check_lastconnect
P|0|NULL|0|Sleep:%d|
P|-4|0|%d
quantity
address
OPER|Wrong config: empty address|
/javascript/view.php
OPER|Wrong config: no auth|
OPER|Wrong config: no port|
OPER|Wrong config: bad address|
trans_timemax
sethttp11
TRANSPORT
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
EnableHttp1_1
ProxyHttp1.1
VERSION
www.google.com
www.yahoo.com
www.bing.com
update.microsoft.com
windowsupdate.microsoft.com
microsoft.com
W|-1|0|ALL|NOINET|
Microsoft Enhanced Cryptographic Provider v1.0
Container
(A;OICIID;GA
S:(ML;;NW;;;S-1-16-0)
%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s
WaitMutex Abandoned %p
ReleaseMutex %p
object_id
publicc
CRYPTO
keypair
%u|1|%s|%s
%02d/%02d/%02d|%02d:%02d:%02d|%s|u|
tcpdump.exe
windump.exe
ethereal.exe
wireshark.exe
ettercap.exe
snoop.exe
dsniff.exe
OPER|SniffeR '%s' running... ooopppsss...|
HTTP/1.1
http://%s/
PHPSESSID
Windows NT %d.%d
SOFTWARE\Microsoft\Internet Explorer\
Version
Mozilla/4.0 (compatible; MSIE %d.0; 
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
; Trident/4.0
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
W|-1|%d|%s:%s|HOR|
W|0|%s|0|Ready...HSR,%d|
Referer
%s: http://%s%s
W|-1|%d|%s:%s|HSR|
W|-1|%d|%s:%s|HQI|
W|-1|%d|%s:%s|NOCL|
W|-1|%d|%s:%s|NOD|
W|-1|%d|%s:%s|D<CL|
W|-1|0|%s:%s|CRYPTO|
W|0|%s:%s|%d|%d|
W|-1|%d|%s:%s|D<MIN|
W|-1|%d|%s:%s|D<FLR|
W|-1|%d|%s:%s|B64|
W|-1|%d|%s:%s|D<4|
M|-1|%d|%d|b64d|
SR|%d|
W|-1|%d|%s:%s|D<TF|
W|-1|%d|%s:%s|D<TA|
%u|%s|%s|%s|%s
%u|%s|%s|%s|%s|%d|%s|%s
%u|%s|%s|%s|%s|%d
W|1|%s|%d|%d|
W|-1|%d|%s:%s|D<TO|
frag.tcp
\\%s\pipe\%s
frag.np
m_create() failed.
frag_no_scrambling=1
write_peer_nfo=%c%s%c
allow=*everyone
net_user=%s
net_password=%s
net_user=
net_password=
m_setoptlist() failed.
m_connect() failed.
m_send() AUTH failed.
m_recv() AUTH failed.
AUTH failed.
m_send() WHO failed.
m_send() OBJECT failed.
m_recv() OBJECT failed.
Trans task %d obj %s ACTIVE fail robj %s
OBJECT ACK failed.
m_send() ZERO failed.
m_send() TASK failed.
active_con
A|-1|%u|%s|%d|
m_recv() RESULT failed.
logmin
logmax
lastsend
logperiod
configlastsend
CONFIG
run_task
WORKDATA
task_min
task_max
T|0|%d|s|
T|0|%d|e|
T|-2|%d|%d|
T|-3|%d|%d|
time2task
cmd.exe
stdout
RESULT
COMPRESSION
DELETE
TCP|-1|%d|%d|
T|-1|%d|%d|
%u|%s|%s|%s
CrPr() wait timeout %d msec exceeded: %d
CrPr() WaitForSingleObject() error: %d
CrPr(),WL(),AU() error: %d
Task not execute. Arg file failed.
CopyFile(%s, %s):%d
Mem alloc err
%u|%u|%s|%s|%u
%u|%u|%s|%s|%s|%u
post_frag
Content-Type: application/x-www-form-urlencoded
%s: http://%s%s
Content-Range
%s: bytes %u-%u/%u; id=%u
Expect: 100-continue
P|-1|%d:%d|%s:%s|%d|
PP|0|%s:%s|%d|%d|
PP|-1|%s:%s|%d|%d|
P|0|%s|%d|
HC|%d|
P|-1|%d|NULL|%d|
P|-2|%d|
P|-3|%d|
P|-4|%d|%d
P|-5|%d|%d|%d|
Task %d failed %s,%d
%u|%s|%s
A|-1|%u|%s|%s|
CW_LOCAL
timestop
wh_min
wh_max
Stored success
Stored failed
127.0.0.1
W|2|%s|%d||
\\.\pipe\sdlrpc
Internal task %d obj %s not equal robj %s... very strange!!!
G|0|%d|%d|
D:AI(A;;GAFA;;;WD)
D:AI(A;;RPWPCCDCLCSWRCWDWOGA;;;WD)
SystemRoot
pfsgrowperiod
pfslastset
post_frag_size
        bucket sorting ...
        depth %6d has 
%6d unresolved strings
        reconstructing block ...
        main sort initialise ...
        qsort [0x%x, 0x%x]   done %d   this %d
        %d pointers, %d sorted, %d scanned
      %d work, %d block, ratio %5.2f
    too repetitive; using fallback sorting algorithm
CONFIG_ERROR
OUTBUFF_FULL
UNEXPECTED_EOF
IO_ERROR
DATA_ERROR_MAGIC
DATA_ERROR
MEM_ERROR
PARAM_ERROR
SEQUENCE_ERROR
      %d in block, %d after MTF & 1-2 coding, %d+2 syms in use
      initial group %d, [%d .. %d], has %d syms (%4.1f%%)
      pass %d: size is %d, grp uses are 
      bytes: mapping %d, 
selectors %d, 
code lengths %d, 
codes %d
    block %d: crc = 0x%8x, combined CRC = 0x%8x, size = %d
    final combined CRC = 0x%x
nodelay=1
TCP: closed.
TCP: connecting...
nodelay
TCP: send
TCP: recv
Frag: send
frag_size
frag_no_scrambling
peer_frag_size
\\.\pipe\
*everyone
read_peer_nfo
write_peer_nfo
net_user
net_password
imp_level
every1
anonymous
\pipe\
MPR.dll
WNetAddConnection2A
transports
licence error
secure connection failed
invalid credentials
invalid remote port
invalid remote address
invalid local port
invalid local address
invalid address specified
sanity check: invalid parameter 9 in function call
sanity check: invalid parameter 8 in function call
sanity check: invalid parameter 7 in function call
sanity check: invalid parameter 6 in function call
sanity check: invalid parameter 5 in function call
sanity check: invalid parameter 4 in function call
sanity check: invalid parameter 3 in function call
sanity check: invalid parameter 2 in function call
sanity check: invalid parameter 1 in function call
invalid function call
no data was received
too long data for this type of transport
invalid network buffer received
socket error
access violation
not enough server resources to complete operation
execution has been canceled
object not found
no memory
peer has closed the connection
timeout condition has been occured inside call of function
function unsupported
error has been suddenly occured
no error
%s: (%d) %s
%s: (0x%08x) %s
%s: (%u) %s
%s: (%d)
%s: (0x%08x)
_wcsnicmp
RtlQueryRegistryValues
ZwQuerySystemInformation
wcslen
memset
RtlNtStatusToDosError
ZwClose
ZwQueryInformationProcess
wcscpy
memcpy
wcschr
ZwTerminateThread
sprintf
strncat
mbstowcs
wcscat
strncmp
memcmp
strlen
ZwMapViewOfSection
RtlInitUnicodeString
wcsncpy
wcsncat
ZwOpenThread
ZwReadVirtualMemory
ZwWaitForSingleObject
ZwCreateFile
wcsrchr
ZwUnmapViewOfSection
ZwFreeVirtualMemory
strrchr
ZwCreateSection
ZwQueryInformationThread
ZwAllocateVirtualMemory
_stricmp
strcpy
strncpy
_ultoa
strtoul
VerSetConditionMask
strcat
sscanf
_strlwr
strstr
strchr
_strcmpi
strcmp
toupper
strpbrk
_vsnprintf
ntdll.dll
NetGetDCName
NetApiBufferFree
NETAPI32.dll
GetVersionExA
TryEnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
WaitForSingleObject
CreateSemaphoreA
ReleaseSemaphore
GetCurrentThreadId
CloseHandle
TerminateThread
GetExitCodeThread
OpenProcess
GetLastError
GetProcAddress
GetModuleHandleA
lstrlenA
CreateFileA
GetFileSize
SetErrorMode
HeapAlloc
HeapFree
SetEvent
GetProcessHeap
WriteFile
GetCommandLineA
WaitForMultipleObjectsEx
CreateEventA
HeapDestroy
lstrcatA
FlushFileBuffers
GetPrivateProfileStringA
OpenMutexA
WritePrivateProfileStringA
HeapReAlloc
SetFilePointer
MapViewOfFile
UnmapViewOfFile
ReadFile
CreateFileMappingA
DeleteFileA
LocalFree
GetComputerNameA
MoveFileExA
Process32First
SetHandleInformation
TerminateProcess
GetEnvironmentVariableA
CreateDirectoryA
FindFirstFileA
CopyFileA
GetTempFileNameA
FindClose
GetLocalTime
Process32Next
WaitForMultipleObjects
FindNextFileA
GetPrivateProfileSectionA
CreateToolhelp32Snapshot
ReleaseMutex
GetTempPathA
SetLastError
GetTickCount
PeekNamedPipe
CallNamedPipeA
WaitNamedPipeA
ConnectNamedPipe
TransactNamedPipe
GetOverlappedResult
InterlockedExchange
CreateNamedPipeA
SetNamedPipeHandleState
CancelIo
GetCurrentProcess
GetCurrentThread
FreeLibrary
InterlockedIncrement
InterlockedDecrement
FormatMessageA
KERNEL32.dll
RegSetValueExA
RegCreateKeyExA
RegCloseKey
CryptExportKey
CryptReleaseContext
CryptSignHashA
CryptAcquireContextA
CryptImportKey
CryptEncrypt
CryptCreateHash
CryptGenKey
CryptVerifySignatureA
CryptDecrypt
CryptDestroyHash
CryptHashData
CryptGenRandom
MakeAbsoluteSD
SetFileSecurityA
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegQueryValueExA
RegOpenKeyExA
RegEnumValueA
ImpersonateNamedPipeClient
RevertToSelf
OpenProcessToken
OpenThreadToken
LookupAccountNameA
InitializeAcl
AddAccessAllowedAce
ADVAPI32.dll
malloc
_endthreadex
_beginthreadex
_filelength
_wopen
_close
_lrotl
_errno
strtok
_time64
rewind
fflush
fprintf
_strdup
_tzset
vfprintf
_localtime64
fclose
__iob_func
ferror
fwrite
msvcrt.dll
_initterm
_adjust_fdiv
_strnicmp
_chkstk
RtlUnwind
SHLWAPI.dll
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
?456789:;<=
 !"#$%&'()*+,-./0123
0!070}0
2!2.242W2m2|2
343>3O3b3
3]5S8f8
162G2|2
5W6`6s6
;);D;c;
<)<5<B<V<z<
="='=6===G=
2,535^667*8
9!;1;X;
<*<:<V<
3'343G3
4/4=4K4
5?6U6c7s7
8,9;9K9V9x9
:2;Z;e;s;};
< <.<;<\<e<t<}<
= =,=8=_=h=w=
>#>/>;>m>x>
?(?3?A?K?
#1*141>1H1
1$2/2?2J2S2~2
3#3,383H3T3]3m3w3
4$404;4M4o4}4
5'50595B5T5e5r5y5
6O6Z6f6o6x6
7%7,797I7R7Y7`7r7|7
8$8.8J8X8_8t8
9"9(9/9>9G9P9W9c9m9t9
:":b:n:z:
;';8;B;I;R;d;v;
<!</<9<B<r<
=3===C=R=y=
>H>Q>]>g>p>
? ?)?3?9?f?l?v?|?
0/050<0\0t0z0
1#1J1Q1`1j1y1
1'222:2d2j2o2y2
3-343D3K3[3b3r3y3
4"4(4=4I4T4e4o4y4
5%51595?5F5O5U5]5c5l5r5z5
6 6(636T6Z6_6l6r6|6
7/7B7X7d7o7
8+8H8S8Y8j8u8
9(959A9H9T9a9m9t9
:$:.:D:V:h:z:
;5;E;Q;[;h;t;
<&<,<<<G<f<n<z<
>'>8>>>l>
>>?P?Y?e?s?}?
0/1<1^1t1{1
2U2a2o2}2
3!4*4e4
5"5B5W5`5l5z5
526J6`6v6|6
7 7-747?7D7I7U7n7
8+808g8
939<9H9V9a9f9k9q9w9
9/:5:@:P:[:`:e:k:q:~:
;*;;;O;U;`;o;t;y;~;
<(<9<J<[<l<}<
="=1=8=?=E=X=^=c=m={=
>0>5>C>K>Z>_>n>s>
?"?'?1?A?N?[?f?q?|?
0)050A0M0[0j0u0
1 1%14191H1M1\1d1s1x1
2*2/2>2C2R2W2f2k2z2
3%3=3P3V3[3e3u3
4+4;4S4d4j4t4z4
4/555D5d5j5
6)666<6F6T6Z6_6m6t6|6
6A7G7\7b7s7
8)8Z8q8w8
9#9)969W9]9
: :-:8:T:g:q:
:1;B;L;V;i;o;
<'<;<A<Z<c<
= =-=4=J=P=]=g=u=
>!>+>_>e>
?"?1?A?H?c?k?
0B0N0\0
1%1;1Q1]1n1~1
2A2M2e2}2
3.3K3\3
3$404:4G4N4
4)5/5M5b5k5w5
6A6K6W6e6q6v6|6
7"7+71777E7P7
8+898I8O8U8c8
8'9-9A9z9
:3:9:F:X:l:s:
;!;/;?;T;~;
=&=6=<=V=d=w=
=8>@>]>i>
?$?+?9?C?N?X?q?x?
1<1w1}1
1/2S2a2f2k2
3+343Z3l3w3
454Q4X4j4u4
5-585h5y5
6!6'686X6h6
:":(:5:L:l:r:
:/;8;x;
=#=;=A=T=Z=
>#>4>:>E>K>b>h>
?8?>?L?]?c?o?}?
0%030>0O0X0e0w0
1.1:1_1e1p1
132]2c2t2z2
3/353F3L3]3c3o3u3
5K5]5i5{5
6-6<6B6H6
7(72787P7X7e7k7
8O8V8_8r8}8
9>9D9c9i9
:Q;^;r;
<-<6<L<R<c<i<
=.=4=S=\=e=o=u={=
=P>s>z>
1?1k1y1
2*2U2^2w2
4 4&4>4e4y4
5"5'585>5D5P5^5l5q5v5|5
5F6L6i6q6{6(7W7
8'84898A8Q8V8^8l8w8
9/:;:X:^:n:|:
;5;>;K;_;v;
;	<+<@<G<Q<W<
=#=6===C=O=[=a=k=w=
> >,>:>F>N>T>b>s>
0!0'0-0;0
051H1f1l1y1
2+232U2y2
4%4A4I4_4
5*585=5B5G5M5S5a5p5}5
696K6n6
7"7)7K7Q7i7s7y7
8:8@8Y8_8|8
9%9@9[9w9
:/:8:i:
;9;S;Y;f;s;~;
='=2=7=<=B=H=V=f=
>!>'>:>?>D>J>]>b>g>m>
?L?Y?_?y?
0$030@0I0r0
1'11171B1I1X1
3&3>3H3N3]3d3o3{3
4I4[4c4l4u4~4
5(515e5l5
6$606>6C6H6M6S6Y6g6s6
9%9/959?9M9T9_9l9}9
;);T;Z;
<9<D<Q<a<
>&>B>H>S>n>v>
?#?.?4?D?Z?c?
0 000F0O0p0
171O1[1n1|1
2#2,2J2s2
4(4.4?4H4Y4
6!6(696^6p6x6
7,7_7e7u7{7
9)9.93989>9D9R9^9t9
9G:M:S:
;2;8;R;b;h;z;
;&<,<;<A<P<V<a<
<%=E=L=R=X=
>#>*>:>_>h>n>z>
0N0c0p0y0
1!1.1C1N1S1X1g1m1
2%212:2F2O2]2m2{2
3!3)3<3H3P3c3o3w3
4#414=4F4T4d4|4
5)6?6a6l6
7F7L7[7o7
:!:F:M:t:
;";Q;[;
<-<6<?<f<{<
=C=T=]=n=
>B>K>2?C?I?O?\?a?n?
0,050~0
10191B1L1R1
2)2<2b2r2y2
3*3@3N3V3]3m3~3
4&4e4x4~4
575M5Y5n5{5
7"7+7B7M7c7n7
7%8A8[8c8q8
9!969<9O9W9^9h9v9
9#:,:2:;:x:
;+;<;W;c;q;{;
<$=)=0===O=r=
>%?@?a?o?
3-535=5b5h5r5
7V=\=f=>>D>N>
3I4^4q4
41:1D1
161A1]1
2'2W2e2
3+3<3P3s3}3
4.464?4Z4
5.5E5o5v5
5,6@6O6r6
7(787\7k7
:):0:O:i:
;*;7;D;{;
<!=Q=t=
162P2r2
5A6f6z6
9I:O:W:
<-=F=w=
010=0K0W0l0
0L1d1k1
5.5C5P5`5
6"7*717N7e7l7w7
:*:h:v:
:+;;;N;
<!<><Z<h<
=/=G=k=v=
?/?;?]?h?y?
0-040A0p0
1"1G1R1
2%242>2D2V2n2
333J3|3
:N:T:j:
;!<8<U<
=5=A=k=
455N5S5Y5o5x5
6,646D6K6`6p6
7(7.7<7D7M7U7h7v7{7
9D:^:e:
0$0(04080
0$0,040<0D0L0T0\0d0l0t0|0
1 1$1,10181H1L1T1
2 2$2(2,2024282<2@2D2H2l2p2t2x2|2
3 3$3(3,3034383<3@3D3H?L?P?T?X?\?`?d?h?l?p?t?x?|?