
Sample details: 3410af519f791af5f9554cbff7ece24a (MD5)

Hashes
MD5: 3410af519f791af5f9554cbff7ece24a
SHA1: fc09b62155415a569bcea848743edfdfa74c1913
SHA256: 42b478381fa9422cf52c567235185dfd431dd2f89d24593a34f59a08654ab438
SSDEEP: 384:zbMQRgKfFZybqkTPBI1ZDjgqG/cqjlnzuw9VHHdWcWYUIiXt0JhYIp6DplijSbqs:7RVtRlkHjlnzth9WcWY4enrejI
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Borland_Delphi_30_additional | YRP/Borland_Delphi_30_ | YRP/Borland_Delphi_v40_v50 | YRP/Borland_Delphi_v30 | YRP/Borland_Delphi_DLL | YRP/IsPE32 | YRP/IsDLL | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/DebuggerCheck__QueryInfo | YRP/win_files_operation | YRP/CRC32b_poly_Constant | YRP/BASE64_table | FlorianRoth/DragonFly_APT_Sep17_3 |
Source
http://wuenschejetzterfuellen.com/Plugins/core.dll
http://wuenschejetzterfuellen.com/Plugins/core.dll
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
SVWjhj@
j:Xf9Ds
P4+S4t
tGHHtCHu
^$9^,t
^09^(t
t?9^(t:
PPPPPPPPPP
QQQQQW
WVVVj j
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
},"plugin_
User-Agent
Max-Forwards
Mozilla/4.0 (IE 11.0; Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Mozilla/4.0 (IE 11.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/2.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; Ant.com Toolbar 1.6; MSIECrawler)
Mozilla/2.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 Iceweasel/35.0a2
Mozilla/3.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-4)
Mozilla/3.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko/20100402 Iceweasel/3.6.3 (like Firefox/3.6.3) GTB7.0
Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
User-Agent: 
Max-Forwards: 
connect
socket
closesocket
gethostbyname
WSAStartup
inet_addr
inet_pton
Transfer-Encoding: 
Content-Length: 
chunked
http://
 HTTP/1.1
Host: 
Cookie: 
Connection: 
keep-alive
aegislabs
agnitum
ahnlab
alibaba
antiy-avl
avast!
arcabit
antivir
avware
bitdefender
bytehero
quick heal
zonealarm
clamav
comodo
crowdstrike
endgame
emsisoft
fortinet
f-prot
the hacker
virobot
ikarus
invincea
nprotect
f4cky0ukasperskyyouwillnevergetfr3shsampleofthisbl4cken3rgy
jiangmin
k7antivirus
kingsoft
ad-aware
malwarebytes
mcafee
panda platinum
qihoo 360
rising
sentinelone
sophos
superantispyware
symantec
tencent
totaldefense
kaspersky
trendmicro
trustlook
zillya
webroot
whitearmor
RtlCreateUserThread
/Panel/callback.php
185.177.59.179
n1ghtly
@USAVAWH
D8!t4H
hA_A^[]
NtFreeVirtualMemory
_stricmp
NtAllocateVirtualMemory
RtlConvertSidToUnicodeString
RtlExpandEnvironmentStrings_U
NtProtectVirtualMemory
RtlEnterCriticalSection
NtOpenKey
NtWriteFile
LdrUnloadDll
NtQuerySystemInformation
NtFsControlFile
NtWriteVirtualMemory
LdrGetProcedureAddress
NtQueryInformationProcess
NtUnmapViewOfSection
NtWaitForSingleObject
NtCreateFile
RtlNtStatusToDosError
NtClose
NtDelayExecution
NtFlushBuffersFile
RtlSetCurrentDirectory_U
RtlLeaveCriticalSection
NtCreateNamedPipeFile
NtOpenProcessToken
NtQueryInformationToken
LdrLoadDll
NtOpenProcess
NtQueryValueKey
RtlInitializeCriticalSection
NtSuspendThread
NtReadFile
RtlDosPathNameToNtPathName_U
ntdll.dll
wsprintfW
wsprintfA
USER32.dll
GlobalSize
IsBadReadPtr
GlobalAlloc
IsDBCSLeadByte
VirtualAlloc
GlobalFree
GlobalReAlloc
KERNEL32.dll
_allmul
_chkstk
memcpy
memset
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
151N1S1\1
2*2A2b2
=%=,=6===G=N=X=_=i=p=z=
0K1\1t1
192_2s2
3,3M3p3
<3=:=K={=
0,0W0~0
2.2T2x2
3:4J4\4
6@6J6O6X6
0,1<1W1
3G4r4x4~4
p0t0x0|0
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1