Sample details: 340eb5a11f918efbc0a41766802a2561 --

Hashes
MD5: 340eb5a11f918efbc0a41766802a2561
SHA1: 7e8aa70c95bea6073f0c428daa356223c33ea999
SHA256: fbb8a42c1a9f92a784ec5fee7c74817b5cf6d084d93da0c3654231f30d436b7b
SSDEEP: 384:QeycLFOteA3XubHceelnDAl1h5FAQ1sgBH59tUrEMpb1Z:QgDvceYnsl5FFr9KQMRv
Details
File Type: PE32
Yara Hits
YRP/IsPE32 | YRP/IsDLL | YRP/IsConsole | YRP/HasDebugData | YRP/IsBeyondImageSize | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/System_Tools | YRP/Misc_Suspicious_Strings | YRP/ThreadControl__Context | YRP/disable_dep | FlorianRoth/DragonFly_APT_Sep17_3 |
Parent Files
f8da1e713c1a8fedfb722048bdbeb0fd
Source
http://103.68.190.250/Sources//ActiveMalwares/MCRYPT/Resources/RunNet
http://103.68.190.250/Sources//ActiveMalwares/MCRYPT/Resources/RunNet.dll
http://103.68.190.250/Sources//ActiveMalwares/MCRYPT/bin/Debug/RunNet
Strings
		!This program cannot be run in DOS mode.
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADPTtY
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>[USERID]</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>[USERID]</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>[USERID]</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>[LOCATION]</Command>
    </Exec>
  </Actions>
</Task>
v2.0.50727
#Strings
<Module>
RunNet.dll
Resources
Properties
RunLib
ThreadAccess
CONTEXT
FLOATING_SAVE_AREA
IMAGE_DATA_DIRECTORY
IMAGE_DOS_HEADER
IMAGE_FILE_HEADER
IMAGE_NT_HEADERS
IMAGE_OPTIONAL_HEADER32
IMAGE_SECTION_HEADER
PROCESS_INFORMATION
mscorlib
System
Object
ValueType
System.Resources
ResourceManager
resourceMan
System.Globalization
CultureInfo
resourceCulture
get_ResourceManager
get_Culture
set_Culture
get_TE
Culture
System.Diagnostics
Process
Random
native
isDotNet
RndString
RndString2
RunNetBackup
RunNet
checkreg
defBrowser
DeleteFile
remove
modify
KillProcess
IdToPtr
CriticalProcess
GetKernelObjectSecurity
ElevateProcess
CheckRunning
OpenThread
ProcessPers
GetProcAddress
GetThreadContext
CreateProcess
SetKernelObjectSecurity
SetThreadContext
TerminateProcess
VirtualAllocEx
VirtualProtectEx
Wow64GetThreadContext
Wow64SetThreadContext
WriteProcessMemory
NtSetInformationProcess
NtUnmapViewOfSection
ResumeThread
value__
TERMINATE
SUSPEND_RESUME
GET_CONTEXT
SET_CONTEXT
SET_INFORMATION
QUERY_INFORMATION
SET_THREAD_TOKEN
IMPERSONATE
DIRECT_IMPERSONATION
ContextFlags
FloatSave
EFlags
ExtendedRegisters
ControlWord
StatusWord
TagWord
ErrorOffset
ErrorSelector
DataOffset
DataSelector
RegisterArea
Cr0NpxState
VirtualAddress
e_magic
e_cblp
e_crlc
e_cparhdr
e_minalloc
e_maxalloc
e_csum
e_lfarlc
e_ovno
e_res1
e_oemid
e_oeminfo
e_res2
e_lfanew
Machine
NumberOfSections
TimeDateStamp
PointerToSymbolTable
NumberOfSymbols
SizeOfOptionalHeader
Characteristics
Signature
FileHeader
OptionalHeader
MajorLinkerVersion
MinorLinkerVersion
SizeOfCode
SizeOfInitializedData
SizeOfUninitializedData
AddressOfEntryPoint
BaseOfCode
BaseOfData
ImageBase
SectionAlignment
FileAlignment
MajorOperatingSystemVersion
MinorOperatingSystemVersion
MajorImageVersion
MinorImageVersion
MajorSubsystemVersion
MinorSubsystemVersion
Win32VersionValue
SizeOfImage
SizeOfHeaders
CheckSum
Subsystem
DllCharacteristics
SizeOfStackReserve
SizeOfStackCommit
SizeOfHeapReserve
SizeOfHeapCommit
LoaderFlags
NumberOfRvaAndSizes
DataDirectory
VirtualSize
SizeOfRawData
PointerToRawData
PointerToRelocations
PointerToLinenumbers
NumberOfRelocations
NumberOfLinenumbers
hProcess
hThread
dwProcessId
dwThreadId
bytesdotnet
Length
dataToRun
netobject
datatorun
original
fullbytes
location
filename
System.Runtime.InteropServices
MarshalAsAttribute
UnmanagedType
continuous
caption
handle
elevated
critical
startup
Handle
securityInformation
pSecurityDescriptor
OutAttribute
nLength
lpnLengthNeeded
dwDesiredAccess
bInheritHandle
hModule
procName
lpContext
lpApplicationName
lpCommandLine
lpProcessAttributes
lpThreadAttributes
bInheritHandles
dwCreationFlags
lpEnvironment
lpCurrentDirectory
lpStartupInfo
lpProcessInformation
InAttribute
uExitCode
lpAddress
dwSize
flAllocationType
flProtect
flNewProtect
lpflOldProtect
lpBaseAddress
lpBuffer
lpNumberOfBytesWritten
processInformationClass
processInformation
processInformationLength
System.Reflection
AssemblyProductAttribute
AssemblyTrademarkAttribute
AssemblyCompanyAttribute
AssemblyDescriptionAttribute
AssemblyTitleAttribute
AssemblyCopyrightAttribute
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
AssemblyFileVersionAttribute
GuidAttribute
ComVisibleAttribute
DebuggableAttribute
DebuggingModes
System.CodeDom.Compiler
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
CompilerGeneratedAttribute
ReferenceEquals
RuntimeTypeHandle
GetTypeFromHandle
Assembly
get_Assembly
GetString
System.ComponentModel
EditorBrowsableAttribute
EditorBrowsableState
Exception
String
get_Length
get_Chars
Concat
MethodInfo
get_EntryPoint
MethodBase
ParameterInfo
GetParameters
Invoke
System.Collections.Generic
List`1
ToString
ToArray
System.Threading
ParameterizedThreadStart
Thread
ApartmentState
SetApartmentState
GetCurrentProcess
get_Id
GetCallingAssembly
get_Location
System.Net
WebClient
System.Text.RegularExpressions
IsNullOrEmpty
System.IO
GetTempPath
DownloadFile
System.Text
Encoding
get_Default
op_Equality
GetBytes
WriteAllBytes
System.Security.Principal
WindowsIdentity
GetCurrent
get_Name
FileAttributes
GetAttributes
SetAttributes
Replace
WriteAllText
ProcessStartInfo
ProcessWindowStyle
set_WindowStyle
WaitForExit
Delete
Microsoft.Win32
Registry
RegistryKey
CurrentUser
OpenSubKey
CreateSubKey
SetValue
ClassesRoot
GetValue
DllImportAttribute
kernel32
<>c__DisplayClass2
<sk>b__0
ThreadStart
get_UTF8
Convert
FromBase64String
GetProcesses
ToLower
get_ProcessName
Contains
get_MainWindowTitle
get_Message
System.Windows.Forms
MessageBox
DialogResult
LocalMachine
MessageBoxButtons
MessageBoxIcon
get_Handle
IntPtr
GetEntryAssembly
Environment
GetEnvironmentVariable
get_StartInfo
set_FileName
set_Arguments
op_Inequality
ToInt32
advapi32.dll
System.Security.AccessControl
RawSecurityDescriptor
RawAcl
get_DiscretionaryAcl
SecurityIdentifier
WellKnownSidType
CommonAce
AceFlags
AceQualifier
GenericAce
InsertAce
GenericSecurityDescriptor
get_BinaryLength
GetBinaryForm
get_FileName
kernel32.dll
<>c__DisplayClass6
<ProcessPers>b__5
param0
ProcessThreadCollection
get_Threads
System.Collections
ReadOnlyCollectionBase
IEnumerator
GetEnumerator
get_Current
ProcessThread
MoveNext
IDisposable
Dispose
GCHandle
GCHandleType
AddrOfPinnedObject
Marshal
PtrToStructure
op_Explicit
get_Size
SizeOf
ToUInt32
BitConverter
ntdll.dll
.cctor
FlagsAttribute
StructLayoutAttribute
LayoutKind
Properties.Resources.resources
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
WrapNonExceptionThrows
1.0.0.0
$350cf1a5-93bd-4d7b-b80b-c5cf8a72bef4
c:\Users\Goncalo\Desktop\EladitosCrypter\RunNet\obj\x86\Debug\RunNet.pdb
_CorDllMain
mscoree.dll