Sample details: 34409aba1f76045aa0255e49de16d586

Hashes
MD5: 34409aba1f76045aa0255e49de16d586
SHA1: dc9a8cb16fd0850bfa1ef06c536f4b6319611a13
SHA256: 0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300
SSDEEP: 192:t3sPXGUN/fP1oyngv7XlO1Ogs+o8Oy/oCLeeckL6LbEJoXboF:t3I/n1yDXgICLQgsmaE+XbG
Details
File Type: PE32
Yara Hits
YRP/Armadillo_v171 | YRP/Microsoft_Visual_Cpp_v60 | YRP/Microsoft_Visual_Cpp_v50v60_MFC_additional | YRP/Microsoft_Visual_Cpp_50 | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Armadillo_v171_additional | YRP/Microsoft_Visual_Cpp | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/WMI_strings | YRP/WimmieStrings | YRP/Wimmie | FlorianRoth/DragonFly_APT_Sep17_3
Source
http://94.130.104.170/0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300
http://94.130.104.170/WMIGhost//0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300
http://94.130.104.170/WMIGhost/0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300
Strings
!This program cannot be run in DOS mode.
`.rdata
@.data
InterlockedDecrement
DeleteFileA
KERNEL32.dll
CoSetProxyBlanket
CoCreateInstance
CoUninitialize
CoInitializeSecurity
CoInitializeEx
ole32.dll
OLEAUT32.dll
mbstowcs
memset
??2@YAPAXI@Z
strlen
__CxxFrameHandler
??3@YAXPAX@Z
_CxxThrowException
MSVCRT.dll
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
??1type_info@@UAE@XZ
_controlfp
LocalFree
GetModuleHandleA
GetStartupInfoA
C:\Windows\system32\sysprep\cryptbase.dll
C:\Users\itbp\AppData\Local\Temp\dw20.EXE
.?AV_com_error@@
.?AVtype_info@@