Sample details: 2ab5c24fe0b43a94c17825a54a33abfa

Hashes
MD5: 2ab5c24fe0b43a94c17825a54a33abfa
SHA1: 7be588f1f47bb52f05c63f2185521b11d2baf739
SHA256: 2f163a303c0500f4179c41aa8956a2f3287db3c522e180a5ea5be04835725c90
SSDEEP: 96:Zh7zxF+JwRmHQASoETXSYuVfSRKu+R/ttK7iLLozNt:fzx117iKRKJR3oaq
Details
File Type: PE32
Yara Hits
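YRP/Microsoft_Visual_Studio_NET | YRP/Microsoft_Visual_C_v70_Basic_NET_additional | YRP/Microsoft_Visual_C_Basic_NET | YRP/Microsoft_Visual_Studio_NET_additional | YRP/Microsoft_Visual_C_v70_Basic_NET | YRP/NET_executable_ | YRP/NET_executable | YRP/NETexecutableMicrosoft | YRP/IsPE32 | YRP/IsNET_EXE | YRP/IsConsole | YRP/IsBeyondImageSize | YRP/domain | YRP/url | YRP/contentis_base64 | FlorianRoth/DragonFly_APT_Sep17_3
Note: the YRP/* hits are generic file-format, compiler and content indicators (PE32, .NET, console, embedded URL/domain, base64). FlorianRoth/DragonFly_APT_Sep17_3 is the only threat-specific rule in the list; a single rule match should be corroborated with other evidence before it is treated as attribution.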
Source
http://poc.howielab.com/C2/Agent/20171101085438
Strings
          	            !This program cannot be run in DOS mode.
`.rsrc
@.reloc
v4.0.30319
#Strings
<Module>
ScannerDriver.exe
Command
Agent2
Program
mscorlib
System
Object
get_cmd
set_cmd
<cmd>k__BackingField
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
ScannerDriver
CompilerGeneratedAttribute
System.Net
WebClient
String
Format
Console
WriteLine
DownloadString
System.Web.Extensions
System.Web.Script.Serialization
JavaScriptSerializer
Deserialize
op_Equality
System.Diagnostics
Process
ProcessStartInfo
get_StartInfo
set_FileName
set_UseShellExecute
set_RedirectStandardOutput
System.IO
StreamReader
get_StandardOutput
TextReader
ReadToEnd
WaitForExit
Environment
GetEnvironmentVariable
Combine
WriteAllText
UploadFile
Exception
get_Message
ToString
System.Threading
Thread
IDisposable
Dispose
WrapNonExceptionThrows
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>