Sample details: 2bd5c4a9f2ba5c2463f90ea0773bc30d

Hashes
MD5: 2bd5c4a9f2ba5c2463f90ea0773bc30d
SHA1: 96037c823dac80b63176c7a7e399591112f9afa7
SHA256: 065dca2f7b7a12f8fc8d40b984867ab0c27ecf35f11e437ae0522fc528f1d1b7
SSDEEP: 1536:pl2LanYqTjKNvS0439aureEhOUqvvFkzLA/0Zd/krGCq2iW7z:v40N0439aceiOUU/0ZwGCH
Details
File Type: PE32 (YARA additionally reports IsDLL and IsWindowsGUI; the strings below contain two separate DOS-stub markers and a second set of section names, .aspack/.adata, so the file likely carries an ASPack-packed component — import lists and other static indicators should be re-derived from an unpacked image before being relied on)
Added: 2019-10-09 09:59:59
Yara Hits (family attribution rests on two independent rule sets agreeing, YRP/pony and BAMFDetect/pony; the remaining hits are generic capability, packer and crypto-constant rules and do not by themselves identify a family)
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/IsPE32 | YRP/IsDLL | YRP/IsWindowsGUI | YRP/maldoc_find_kernel32_base_method_1 | YRP/maldoc_getEIP_method_1 | YRP/domain | YRP/url | YRP/contentis_base64 | YRP/Browsers | YRP/network_dropper | YRP/network_tcp_socket | YRP/network_dns | YRP/escalate_priv | YRP/cred_local | YRP/cred_ff | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation | YRP/MD5_Constants | YRP/RIPEMD160_Constants | YRP/SHA1_Constants | YRP/DES_sbox | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/with_sqlite | YRP/suspicious_packer_section | YRP/Unidentified_Malware_Two | YRP/pony | FlorianRoth/Unidentified_Malware_Two | BAMFDetect/pony |
Strings (raw extraction, kept verbatim as indicators. Analyst notes: the three */zapoy/gate.php URLs, together with the hard-coded HTTP/1.0 POST template and application/octet-stream body, are consistent with Pony-style report/exfiltration gates — treat them as IOCs and do not browse them. The long run of short lowercase tokens after the Thunderbird entries is a single-byte XOR 0x01 encoded wordlist — e.g. q`rrvnse → password, 032547698 → 123456789, hmnwdxnt → iloveyou, pvdsux → qwerty — presumably a password-guessing dictionary. Several registry paths appear with a leading character replaced by `_` (Software\_hisler\… next to \GHISLER, _oftware\FlashFXP, <_OP3_Password2); this looks like an extraction artifact, so normalise these before reusing them as detection strings.)
		!This program cannot be run in DOS mode.
`.rdata
@.data
.reloc
PSQRWV
^_ZY[X
VWPSQR
ZY[X_^
C:\1.bin
9D$(ub
L$(9L$@
v89l$D|0
uM9l$D}G
D$0;D$(
9|$4r4
9|$4r4
+L$PRQW
+D$P][_^
aPLib v1.01  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
1DA409EB2825851644CCDAB
3TerPWG34|rL:wFcFsn{iT92c\n4qiygu
http://reninparwil.com/zapoy/gate.php
http://leftthenhispar.ru/zapoy/gate.php
http://reptertinrom.ru/zapoy/gate.php
YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
UninstallString
DisplayName
Software\WinRAR
vaultcli.dll
VaultOpenVault
VaultEnumerateItems
VaultGetItem
VaultCloseVault
VaultFree
kernel32.dll
WTSGetActiveConsoleSessionId
ProcessIdToSessionId
netapi32.dll
NetApiBufferFree
NetUserEnum
ole32.dll
StgOpenStorage
advapi32.dll
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
CredEnumerateA
CredFree
CryptGetUserKey
CryptExportKey
CryptDestroyKey
CryptReleaseContext
RevertToSelf
OpenProcessToken
ImpersonateLoggedOnUser
GetTokenInformation
ConvertSidToStringSidA
LogonUserA
LookupPrivilegeValueA
AdjustTokenPrivileges
CreateProcessAsUserA
crypt32.dll
CryptUnprotectData
CertOpenSystemStoreA
CertEnumCertificatesInStore
CertCloseStore
CryptAcquireCertificatePrivateKey
msi.dll
MsiGetComponentPathA
pstorec.dll
PStoreCreateInstance
userenv.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
shell32.dll
SHGetFolderPathA
My Documents
AppData
Local AppData
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
explorer.exe
S-1-5-18
SeImpersonatePrivilege
SeTcbPrivilege
SeChangeNotifyPrivilege
SeCreateTokenPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
GetNativeSystemInfo
kernel32.dll
IsWow64Process
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Password
HostName
_cx_ftp.ini
\GHISLER
InstallDir
FtpIniName
Software\_hisler\Windows Commander
Software\_hisler\Total Commander
CUTEFTP
QCHistory
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 9\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
\sm.dat
_oftware\FlashFXP\3
_oftware\FlashFXP
_oftware\FlashFXP\4
InstallerDathPath
Install Path
DataFolder
\Sites.dat
\Quick.dat
\_istory.dat
\FlashFXP\3
\FlashFXP\4
\FileZilla
\sitemanager.xml
\recentservers.xml
\filezilla.xml
Software\FileZilla
Software\FileZilla Client
Install_Dir
Remote Dir
Server Type
Server.Host
Server.User
Server.Pass
Server.Port
ServerType
Last Server Host
Last Server User
Last Server Pass
Last Server Port
Last Server Path
Last Server Type
Software\FTPWare\COREFTP\Sites
_VanDyke\Config\Sessions
\Sessions
Software\VanDyke\SecureFX
Config Path
Password
HostName
UserName
RemoteDirectory
PortNumber
FSProtocol
Software\Martin Prikryl
http://
https://
ftp://
wand.dat
_Software\Opera Software
Last Directory3
Last Install Path
Opera.HTML\shell\open\command
\Opera Software
nss3.dll
NSS_Init
NSS_Shutdown
NSSBase64_DecodeBuffer
SECITEM_FreeItem
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_FreeSlot
profiles.ini
Profile
IsRelative
PathToExe
prefs.js
logins.json
signons.sqlite
signons.txt
signons2.txt
signons3.txt
encryptedPassword":"
encryptedUsername":"
hostname":"
Firefox
\Mozilla\Firefox\
Software\Mozilla
ftp://
http://
https://
Mozilla
\Mozilla\Profiles\
Favorites.dat
WinFTP
Internet Explorer
WininetCacheCredentials
MS IE FTP Passwords
DPAPI: 
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms\FormData
Microsoft_WinInet_*
ftp://
SspiPfc
;USQLite format 3
CONSTRAINT
PRIMARY
UNIQUE
FOREIGN
Web Data
Login Data
logins
origin_url
password_value
username_value
ftp://
http://
https://
moz_logins
hostname
encryptedPassword
encryptedUsername
\Google\Chrome
\Chromium
\ChromePlus
Software\ChromePlus
Install_Dir
TERMSRV/*
password 51:b:
username:s:
full address:s:
TERMSRV/
.oeaccount
<_OP3_Password2
<_MTP_Password2
<IMAP_Password2
<HTTPMail_Password2
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Software\Microsoft\Windows Mail
Software\IncrediMail
EmailAddress
Technology
PopServer
PopPort
PopAccount
PopPassword
_mtpServer
_mtpPort
_mtpAccount
_mtpPassword
SMTP Email Address
SMTP Server
POP3 Server
POP3 User Name
SMTP User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
HTTP User
HTTP Server URL
POP3 User
IMAP User
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTP Password
SMTP Password
Software\Microsoft\Internet Account Manager\Accounts
Identities
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Software\Microsoft\Internet Account Manager
Outlook
\Accounts
identification
identitymgr
inetcomm server passwords
outlook account manager passwords
identities
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Thunderbird
\Thunderbird
r`l`oui`
lhbidmmd
dlhodl
rbnnuds
`reg`reg
eh`lnoe
l`yvdmm
ktruho
bihbjdo
e`ohdmmd
hmnwdxnt3
gtbjngg
qshobd
ktohns
s`hocnv
003322
gtbjxnt0
ohoudoen
qd`otu
bitsbi
ctccmdr
sncdsu
333333
edruhox
mnwhof
fgikjl
lxmnwd
k`rqds
032230
bnb`bnm`
idmqld
ohbnmd
fthu`s
chmmf`udr
mnnjhof
rbnncx
knrdqi
fdodrhr
dll`otdm
b`rrhd
whbunsx
q`rrv1se
gnnc`s
hmnwdfne
o`ui`o
cm`cm`
ehfhu`m
qd`bidr
gnnuc`mm0
00000000
uitoeds
f`udv`x
hmnwdxnt 
gnnuc`mm
uhffds
bnswduud
jhmmds
bsd`uhwd
032547698
fnnfmd
{ybwcol
ru`susdj
`rimdx
biddrd
rtorihod
bishru
111111
rnbbds
pvdsux0
gshdoe
rtllds
0325476
ldsmho
03254769
knse`o
edyuds
vhoods
rq`sjx
vhoenvr
032`cb
`ouinox
ficeuo
inuenf
c`rdc`mm
q`rrvnse0
es`fno
ustruon0
houdsodu
ltruehd
mduldho
johfiu
knse`o32
`cb032
sde032
qs`hrd
gsddenl
kdrtr0
mnoeno
bnlqtuds
lhbsnrngu
ltggho
lnuids
l`ruds
000000
p`{vry
r`ltdm
b`o`e`
rm`xds
s`bidm
nodmnwd
pvdsux
qs`xds
hmnwdxnt0
vi`udwds
q`rrvnse
cmdrrhof
ronnqx
0p3v2d5s
bnnjhd
bidmrd`
qnjdlno
i`i`i`
``````
i`sebnsd
ri`env
vdmbnld
ltru`of
745230
c`hmdx
cm`icm`i
l`ushy
kdrrhb`
rudmm`
cdok`lho
udruhof
rdbsdu
ushohux
shbi`se
ri`mnl
lnojdx
hmnwdxnt
uinl`r
cmhoj093
k`rlhod
qtsqmd
`ofdmr
cmdrrde
0325476981
id`wdo
itouds
qdqqds
knio207
ctruds
`oesdv
fhofds
6666666
inbjdx
idmmn0
`ofdm0
rtqdsl`o
e`ohdm
032032
gnsdwds
onuihof
e`jnu`
jhuudo
c`o`o`
gmnvds
u`xmns
mnwdmx
i`oo`i
qshobdrr
bnlq`p
kdoohgds
lxrq`bd0
rlnjdx
l`uuidv
i`smdx
snuhlh
gtbjxnt
rnbbds0
032547
rhofmd
knrit`
032pvd
ru`sv`sr
rhmwds
`truho
lhbi`dm
`l`oe`
bi`smhd
c`oehu
l`ffhd
l`wdshbj
nomhod
rqhshu
fdnsfd
gshdoer
e`mm`r
`ehe`r
0p3v2d
ns`ofd
udruudru
`rrinmd
chudld
777777
vhmmh`l
lhbjdx
`regfi
vhrenl
c`ul`o
Client Hash
STATUS-IMPORT-OK
;3+#>6.&
'2, /+0&7!4-)1#
inet_addr
gethostbyname
socket
connect
closesocket
select
setsockopt
WSAStartup
wsock32.dll
CreateFileA
ReadFile
CloseHandle
WriteFile
lstrlenA
GlobalLock
GlobalUnlock
LocalFree
LocalAlloc
GetTickCount
lstrcpyA
lstrcatA
GetFileAttributesA
ExpandEnvironmentStringsA
GetFileSize
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
LoadLibraryA
GetProcAddress
GetTempPathA
CreateDirectoryA
DeleteFileA
GetCurrentProcess
WideCharToMultiByte
GetLastError
lstrcmpA
CreateToolhelp32Snapshot
Process32First
OpenProcess
Process32Next
GetModuleHandleA
FindFirstFileA
lstrcmpiA
FindNextFileA
FindClose
GetVersionExA
GetLocaleInfoA
GetSystemInfo
GetWindowsDirectoryA
SetCurrentDirectoryA
GetPrivateProfileSectionNamesA
GetPrivateProfileStringA
GetPrivateProfileIntA
GetCurrentDirectoryA
lstrlenW
LCMapStringA
ExitProcess
SetUnhandledExceptionFilter
kernel32.dll
ObtainUserAgentString
urlmon.dll
LoadUserProfileA
UnloadUserProfile
userenv.dll
CreateStreamOnHGlobal
GetHGlobalFromStream
CoCreateGuid
CoTaskMemFree
CoCreateInstance
OleInitialize
ole32.dll
wsprintfA
user32.dll
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegOpenKeyA
RegEnumKeyExA
RegCreateKeyA
RegSetValueExA
IsTextUnicode
RegOpenCurrentUser
RegEnumValueA
GetUserNameA
advapi32.dll
InternetCrackUrlA
InternetCreateUrlA
wininet.dll
StrStrIA
StrRChrIA
StrToIntA
StrCmpNIA
StrStrIW
StrStrA
shlwapi.dll
5'8p:8=v=
0/141j1
5(5-575<5F5K5U5Z5d5i5s5x5
788J9S9\9~9
E6O6Y6c6m6
7%7+70767?7E7O7m7t7
<(<]<q<l>~>
172T2s2
9.:@:E:K:y:~:
: ;^;e;l;
< <&<;<@<F<l<q<w<
?'?:?H?[?i?|?
-0:0G0T0a0n0{0
2)2.242A2F2L2Y2^2d2q2v2|2
3-323D3I3[3`3r3w3
454b4x4
6"6'6,61666N6
7	7(7-737R7W7{7
7'8K8W8i8u8
9"9E:w:
:7;a;|;
; <]=c=p=
7+7K7_7
81868<8K8b8
9"9+979=9J9P9Y9_9s9|9
9 :D:{:
=*=5=E=M=X=
1-1_1s1
6#6(6m6s6}6
=F>_>h>q>
>1>6>K>i>{>
1$1-161>1z1
2-2B2{2
3>3J3V3n3
4-484H4P4[4k4%5]5
: ;4;=;h;
>(>?>X>]>f>t>
	0$0D0_0
0 2'2.252>2D2Q2
7>8W8j8
9#9(9;9K9_9e9v9|9
: :-:2:7:V:p:u:z:
<!<K<n<
0(040_0
0F1_1n1w1}1
2-2<2G2Z2q2
333H3N3T3Z3`3f3l3r3x3~3
4 4&4,42484>4D4J4P4V4\4b4h4n4t4z4
5"5(5.545:5@5F5L5R5X5
0$050F0W0o0
242B2\2j2
454D4K4Z4v4
5(565\5j5x5
@5D5H5L5P5T5X5\5`5d5h5l5p5
GetMuR
oduluI
eHanu@
dleAu7
!This program cannot be run in DOS mode.
.rdata
.reloc
.aspack
.adata
F	B^^Vd
#]Q)/=J
BefJ<Z0
2M+-'3
QWn,n#
0xIJD/
 ;/VDA
E2<2wz
	8 [[@
~f	2bY
Zh&wP}M
Wqct q!
{mo?F&
?w"^D{
hlBT7!2
VirtualAlloc
VirtualFree
VirtualProtect
u6AQVj
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
 (08@P`p
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
msvcrt.dll
shlwapi.dll
urlmon.dll
user32.dll
advapi32.dll
shell32.dll
??2@YAPAXI@Z
PathFileExistsA
URLDownloadToFileA
wsprintfA
OpenProcessToken
SHGetSpecialFolderPathA