Sample details: 2ba1e2a63129517055ab3a63cb089e33

Hashes
MD5: 2ba1e2a63129517055ab3a63cb089e33
SHA1: 00d5eb5652968679c24fe40e486e739b688add15
SHA256: 60b2526b2dbe7c5b0d7b9f43d3dabf52042b5c6567fa042c7e4cc2cddc154faf
SSDEEP: 384:2T12pvmkta/VfpSybFdzJSODQ/6yPlCGuTROrAp3gg+FIIIy4qwH8AmudnGw:g2pvDstLbF6yhtvpwpFIIIxVw
Details
File Type: PE32
Yara Hits
YRP/MingWin32_GCC_3x | YRP/MingWin32_v_h_additional | YRP/MinGW_GCC_3x_additional | YRP/MinGW_GCC_3x | YRP/MingWin32_GCC_3x_additional | YRP/MingWin32_v_h | YRP/MingWin32_v | YRP/MinGWGCC3x | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/MinGW_1 | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Dropper_Strings | YRP/network_tcp_socket | YRP/network_dns | YRP/win_mutex | YRP/win_registry | YRP/win_files_operation | YRP/CRC32_poly_Constant | YRP/CRC32_table | YRP/Str_Win32_Winsock2_Library
Strings
!This program cannot be run in DOS mode.
.data
.rdata
.idata
docu.docx
[Content_Types].xml 
_rels/.rels 
word/_rels/document.xml.rels 
word/document.xml
word/media/image1.jpeg
;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 95
word/theme/theme1.xml
word/settings.xml
word/webSettings.xml
docProps/core.xml 
word/styles.xml
word/fontTable.xml
docProps/app.xml 
Mozilla/4.0 (compatible; MSIE 6.0; Win32) httpbot
httpb run key
httpb.exe
GET %s HTTP/1.1
Host: %s
User-Agent: %s
Accept: */*
Connection: close
Location:
Qkkbal
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
%s%s%s
Software\Microsoft\Windows\CurrentVersion\Run
%sremoveMe%i%i%i%i.bat
@echo off
:Repeat
del "%s">nul
ping 127.0.0.1 >nul
if exist "%s" goto Repeat
del %%0
"%s%s"
iexplore
UPDATE
DOWNLOAD
REMOVE
www.1.example.com
/info1.php
www.2.example.com
/info2.php
www.3.example.com
/info3.php
www.5.example.com
www.4.example.com
http://eastmedia3347.co.cc/d/dnl.php
This program has performed an illegal operation
Illegal Operation
Software\Microsoft\WajjoGraphy
%s:%s:%i:%s:%i
%s?sid=%s
MachineGuid
-LIBGCCW32-EH-3-SJLJ-GTHR-MINGW32
w32_sharedptr->size == sizeof(W32_EH_SHARED)
../../gcc-3.4.5/gcc/config/i386/w32-shared-ptr.c
GetAtomNameA (atom, s, sizeof(s)) != 0
RegCloseKey
RegDeleteValueA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
AddAtomA
CloseHandle
CopyFileA
CreateFileA
CreateMutexA
CreateProcessA
ExitProcess
FindAtomA
GetAtomNameA
GetCommandLineA
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetStartupInfoA
GetTempPathA
GetTickCount
GetVersionExA
ReleaseMutex
SetFileAttributesA
SetUnhandledExceptionFilter
WriteFile
lstrlenA
__getmainargs
__mb_cur_max
__p__environ
__p__fmode
__set_app_type
_assert
_cexit
_isctype
_onexit
_pctype
_setmode
atexit
fclose
fwrite
malloc
memset
realloc
signal
sprintf
strcmp
strcpy
strlen
strncmp
strrchr
strstr
strtok
strtol
ShellExecuteA
MessageBoxA
wsprintfA
WSACleanup
WSAStartup
closesocket
connect
gethostbyname
inet_addr
socket
ADVAPI32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
USER32.dll
WS2_32.DLL