Sample details: 379d4a0f24bb56569d6139946b7ccf88

Hashes
MD5: 379d4a0f24bb56569d6139946b7ccf88
SHA1: 78446a956e20ecaca21f0d9df59fd19f4087588c
SHA256: 9b5bde2629060682ff46566eb651024d438b7cb6110aa870f0e42bb77a14cc1d
SSDEEP: 1536:PQFl29mEkE0L1rDEKrxZKF2zf9g2Pl7W/MwbxMX+ees52z30rtrx:w29DkEGRQixVSjLaes5G30Bt
Details
File Type: PE32
Added: 2018-11-21 17:18:28
Yara Hits
YRP/VC8_Microsoft_Corporation | YRP/Microsoft_Visual_Cpp_8 | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasDebugData | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/Dropper_Strings | YRP/Misc_Suspicious_Strings | YRP/anti_dbg | YRP/network_http | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/Str_Win32_Http_API | YRP/sakula_v1_3 | FlorianRoth/RAT_Sakula
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
PUVh`EA
L$DQUUUj
UUUWUU
QVVVVVVh 
^WWWWW
HHtXHHt
>If90t
teh<[@
t h`YA
<at9<rt,<wt
URPQQh
0WWWWW
j@j ^V
t$<"u	3
>=Yt1j
< tK<	tG
0A@@Ju
^SSSSS
j"^SSSSS
v	N+D$
0SSSSS
0SSSSS
0SSSSS
tGHt.Ht&
^SSSSS
8VVVVV
;t$,v-
UQPXY]Y[
t"SS9]
PPPPPPPP
PPPPPPPP
t+WWVPV
CorExitProcess
(null)
`h````
xpxxxx
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
runtime error 
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program: 
UTF-16LE
UNICODE
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
`h`hhh
xppwpp
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
CONOUT$
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
rss.tmp
http://
.jpg?resid=%d
=%s&type=%d&resid=%d
?resid=%d&photoid=
iexplorer
HTTP/1.1
%d_of_%d_for_%s_on_%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
cmd.exe /c 
Self Process Id:%d
C:\windows\system32\cmd.exe
Create Child Cmd.exe Process Succeed!
Child ProcessId is %d
Program Files (x86)
cmd.exe /c rundll32 "%s" 
Playx64
PlayWin32
/c ping 127.0.0.1 & del /q "%s"
cmd.exe
ExitProcess
GetComputerNameA
CreateFileA
GetFileSize
FindResourceA
SetPriorityClass
SetFilePointer
PeekNamedPipe
LoadResource
GetCurrentProcess
GetTickCount
GetCurrentThread
VirtualFree
ExpandEnvironmentStringsA
WriteFile
OpenProcess
WideCharToMultiByte
GetVolumeInformationA
SizeofResource
CreateProcessA
TerminateProcess
ReadFile
GetSystemDirectoryA
MultiByteToWideChar
SetThreadPriority
CreateDirectoryA
GetStartupInfoA
FindFirstFileA
GetLastError
VirtualAlloc
FindClose
LockResource
CreatePipe
GetModuleFileNameA
GetVersionExA
WinExec
CloseHandle
GetCurrentProcessId
GetTempPathA
KERNEL32.dll
OpenProcessToken
GetTokenInformation
RegSetValueExA
EqualSid
RegDeleteKeyA
AllocateAndInitializeSid
FreeSid
GetUserNameA
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
ShellExecuteA
SHChangeNotify
SHELL32.dll
InternetOpenUrlA
InternetConnectA
InternetReadFile
HttpOpenRequestA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
WININET.dll
GetModuleHandleW
GetProcAddress
HeapFree
HeapAlloc
GetSystemTimeAsFileTime
GetCommandLineA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
GetStdHandle
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
LoadLibraryA
InitializeCriticalSectionAndSpinCount
HeapCreate
HeapReAlloc
RtlUnwind
GetConsoleCP
GetConsoleMode
SetHandleCount
GetFileType
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapSize
GetLocaleInfoA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetEndOfFile
GetProcessHeap
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
!!!x&9:7$$9#"3x59;
y&>9"9y
83!?;713x7%&
y ?3!&>9"9x7%&
?;713?2
38"3$x3.3
>983/!3::
!!!x89$">&9:3$9#"3x59;
y&>9"9y
83!?;713x7%&
y ?3!&>9"9x7%&
?;713?2
38"3$x3.3
>983/!3::
tVKCVEI
cKhMJO
cK`ARpKKH
4rswuvN
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
IWRGVP
 IEHHKG
 IAIWAP
/!WTVMJPB
oavjah
1&cAPiK@QHAbMHAjEIAs
0&cAPiK@QHAbMHAjEIAe
1!sMJa\AG
>%a\MPtVKGAWW
 wHAAT
@%bVAAhMFVEV]eJ@a\MPpLVAE@
mWqWAVeJe@IMJ
wlgVAEPAmPAIbVKItEVWMJCjEIA
%wLAHHa\AGQPAa\s
gKmJMPMEHM^A
gKcAPkFNAGP
qeg`HH
tHE]sMJ
tVKCVEI
cKhMJO
cK`ARpKKH
rswuvp
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
IWRGVP
 IEHHKG
 IAIWAP
/!WTVMJPB
oavjah
1&cAPiK@QHAbMHAjEIAs
0&cAPiK@QHAbMHAjEIAe
1!sMJa\AG
>%a\MPtVKGAWW
 wHAAT
@%bVAAhMFVEV]eJ@a\MPpLVAE@
mWqWAVeJe@IMJ
wlgVAEPAmPAIbVKItEVWMJCjEIA
%wLAHHa\AGQPAa\s
gKmJMPMEHM^A
gKcAPkFNAGP
qeg`HH
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
1$2/2M2W2a2s2
3Z3`3l3
3#4-4>4U4a4g4q4
4(5F5X5v5
6 6(616:6C6N6S6[6j6
7-7?7E7J7k7
8)919\9e9m9z9
<,<?<z<
<(=E=L=
>&>;>R>[>b>h>}>
?;?M?t?
6$61666<6E6N6V6a6f6k6p6z6
7"7'7,777<7D7J7S7X7_7e7
8:8V8|8
9B9k9q9
:):6:=:H:b:
; ;(;1;:;S;h;
;&<O<u<{<
>">:>@>I>`>h>v>
090?0q0
141E1P1x1
2!2K2w2
6%6:6z6
:':v:|:
;+;b;s;
6h6m6w6
6P7V7\7b7h7n7u7|7
8!8'8=8D8N9U9
;-<@<[<
0 2O2t2W4S6W6[6_6c6g6k6o6|6
6`7j7w7
8/8c8i8t8
9+929J9V9\9h9w9}9
:4:I:o:
<&<p<w<
=)=?=J=O=Z=_=j=o=|=
>F>^>i>
?8?]?p?
0,020U0\0u0
242]2b2y2
6[7a7z7
70858:8?8O8~8
9"9)9.959:9
9B:Q:`:i:~:
< ?.?4?N?S?b?k?x?
030:0@0N0U0Z0c0p0v0
8A8S8a8v8
<8<C<y<
=a=m=y>^?t?
;a<*=[=q=
1?1X1_1g1l1p1t1
2N2T2X2\2`2
3!3K3}3
3H4\4}4
6"6t6z6
8>8H8`8
8;:A:P:]:f:
:J;U;_;p;{;.=?=G=M=R=X=
?=?J?V?^?f?r?
2#444n4{4
8)8E8N8T8]8b8q8
<%<1<h<q<}<
0/040L0R0a0g0v0|0
6/7H7O7W7\7`7d7
7>8D8H8L8P8
9;9m9t9x9|9
98:Y:e:
9%9`9|9
:':g:y:
<&<;<B<H<^<y<
5 6-8?8Q8s8
=$=H=k=
4V5\5a5g5n5
7(7H7h7
8$8(80848P8\8x8
9 9<9@9`9
:(:H:h:
;(;H;h;t;
2$2,242<2D2h3l3p3t3x3|3
=0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
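Decoding the obfuscated strings

The two runs of unreadable text in the listing above (the lines between the a-z/A-Z tables and the manifest, such as `!!!x&9:7$$9#"3x59;` and `tVKCVEI`) are not random. They are single-byte XOR encodings, which is how Sakula hides its configuration and its embedded payload, and the sample listing itself contains enough material to recover both keys without touching the binary. The Python below is an added example, not part of the original sample page and not the malware author's code: it takes those byte strings exactly as printed above, recovers each key with a known-plaintext (crib) search, and decodes the rest. Everything apart from the input strings is the analyst's assumption: the cribs (`www.` because a configuration block usually starts with a hostname, `KERNEL` because any Windows PE imports from KERNEL32), the printable-text heuristic and its 75% threshold, and the function names.

```python
"""Recover the single-byte XOR keys behind the obfuscated strings in this
Sakula sample and decode them.

The byte strings below are copied verbatim from the strings listing on
this page (first copy of each run). Cribs, thresholds and names are the
analyst's own assumptions.
"""
from typing import Iterable, List, Optional, Set

# First encoded run. It sits next to the plaintext URL format strings
# (".jpg?resid=%d", "?resid=%d&photoid=") and decodes to hosts and paths.
CONFIG_STRINGS: List[bytes] = [
    b'!!!x&9:7$$9#"3x59;',
    b'y&>9"9y',
    b'83!?;713x7%&',
    b'y ?3!&>9"9x7%&',
    b'?;713?2',
    b'38"3$x3.3',
    b'>983/!3::',
    b'!!!x89$">&9:3$9#"3x59;',
]

# Second encoded run (the listing repeats it once, which fits the two
# resources launched via "rundll32 ... Playx64 / PlayWin32"). Several
# entries start with one or two bytes that decode to non-printable values;
# they look like the 2-byte hint that precedes each name in a PE import
# table, so the text heuristic tolerates a little non-printable data.
MODULE_STRINGS: List[bytes] = [
    b'tVKCVEI',
    b'cKhMJO',
    b'cK`ARpKKH',
    b'IWRGVP',
    b'oavjah',
    b'1&cAPiK@QHAbMHAjEIAs',
    b'1!sMJa\\AG',
    b'>%a\\MPtVKGAWW',
    b'mWqWAVeJe@IMJ',
    b'wlgVAEPAmPAIbVKItEVWMJCjEIA',
    b'%wLAHHa\\AGQPAa\\s',
    b'gKmJMPMEHM^A',
    b'gKcAPkFNAGP',
    b'tHE]sMJ',
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key (no rolling key, no IV)."""
    return bytes(b ^ key for b in data)


def looks_like_text(data: bytes, min_printable: float = 0.75) -> bool:
    """Heuristic: mostly printable ASCII and at least one letter."""
    if not data:
        return False
    printable = sum(0x20 <= b < 0x7F for b in data)
    has_letter = any(65 <= b <= 90 or 97 <= b <= 122 for b in data)
    return has_letter and printable / len(data) >= min_printable


def candidate_keys(sample: bytes, crib: bytes) -> Set[int]:
    """Known-plaintext attack on single-byte XOR: slide the crib across the
    sample; a window whose byte-wise XOR with the crib is one constant
    value names that constant as a candidate key."""
    keys: Set[int] = set()
    for i in range(len(sample) - len(crib) + 1):
        diffs = {c ^ p for c, p in zip(sample[i:i + len(crib)], crib)}
        if len(diffs) == 1:
            keys.add(diffs.pop())
    return keys


def recover_key(samples: Iterable[bytes], crib: bytes) -> Optional[int]:
    """Return the key under which some sample contains `crib` and every
    sample decodes to text-like data; None if no key fits."""
    samples = list(samples)
    candidates: Set[int] = set()
    for s in samples:
        candidates |= candidate_keys(s, crib)
    for key in sorted(candidates):
        if all(looks_like_text(xor_bytes(s, key)) for s in samples):
            return key
    return None


def decode_all(samples: Iterable[bytes], key: int) -> List[bytes]:
    """Decode every sample with the recovered key."""
    return [xor_bytes(s, key) for s in samples]


def main() -> None:
    for label, samples, crib in (("config", CONFIG_STRINGS, b"www."),
                                 ("module", MODULE_STRINGS, b"KERNEL")):
        key = recover_key(samples, crib)
        if key is None:
            print(f"[{label}] no single-byte key fits crib {crib!r}")
            continue
        print(f"[{label}] key = {key:#04x}")
        for plain in decode_all(samples, key):
            print("   ", plain)


if __name__ == "__main__":
    main()
```

Run as-is it reports key 0x56 for the first run and key 0x24 for the second. Under 0x56 the first run becomes `www.polarroute.com`, `/photo/`, `newimage.asp`, `/viewphoto.asp`, `imageid`, `enter.exe`, `honeywell` and `www.northpoleroute.com`; presumably the beacon hosts and paths that the plaintext `.jpg?resid=%d` / `?resid=%d&photoid=` format strings are appended to, though the listing alone does not prove how they are used. Under 0x24 the second run yields `Program`, `GoLink`, `GoDevTool`, `msvcrt`, `KERNEL`, `GetModuleFileNameW`, `WinExec`, `ExitProcess`, `IsUserAnAdmin`, `SHCreateItemFromParsingName`, `ShellExecuteExW`, `CoInitialize`, `CoGetObject` and `PlayWin`, i.e. the import names and the `PlayWin` export of an embedded DLL (the `KERNEL` string is cut short because the `32.dll` bytes XOR to non-printable values that the strings tool dropped). The `PlayWin` export name matches the plaintext `PlayWin32` / `Playx64` strings that are passed to `rundll32 "%s"`. When adapting this to another sample, keep the crib search and the text check separate: the crib proposes keys, the text check across all strings rejects accidental matches.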