Sample details: 43800e15dcb111a2cf8b9da694e50fea

Hashes
MD5: 43800e15dcb111a2cf8b9da694e50fea
SHA1: 1897d4d4df6e0f08e7590e9193c480c174d72df6
SHA256: 02f8d4cdbbdc7ef1dbce71bef3352ed9a35baf449d980a1aa250fbf6a82e46ec
SSDEEP: 768:w0vHyXDJkh+jbUr1F3+NZvNLb/9eb4MD//QQI/Bw207E1ihF7j9:w0vHyXVkD5nCw207E1iv
Details
File Type: PE32
Yara Hits
YRP/Armadillo_v171 | YRP/Microsoft_Visual_Cpp_v60 | YRP/Microsoft_Visual_Cpp_v50v60_MFC_additional | YRP/Microsoft_Visual_Cpp_50 | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Armadillo_v171_additional | YRP/Microsoft_Visual_Cpp | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/VM_Generic_Detection | YRP/Misc_Suspicious_Strings | YRP/network_tcp_listen | YRP/network_tcp_socket | YRP/network_dns | YRP/win_registry | YRP/win_files_operation | YRP/BASE64_table | YRP/VC6_Random | YRP/Str_Win32_Winsock2_Library | FlorianRoth/ZxShell_Related_Malware_CN_Group_Jul17_2 | FlorianRoth/Backdoor_Nitol_Jun17
Source
http://118.24.0.88/qxxxx.exe
http://118.24.0.88/qxxxx.exe
Strings
          	            !This program cannot be run in DOS mode.
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
WS2_32.dll
KERNEL32.dll
CopyFileA
closesocket
ADVAPI32.dll
RegisterServiceCtrlHandlerA
LockServiceDatabase
CreateServiceA
ChangeServiceConfig2A
UnlockServiceDatabase
RegOpenKeyA
StartServiceA
RegSetValueExA
SetServiceStatus
RegQueryValueExA
RegCloseKey
GetVersionExA
OpenSCManagerA
OpenServiceA
DeleteService
CloseServiceHandle
lstrcpyA
lstrcatA
EhILHREXHRMdCwsJCxMLE0M=
Vwxyab Defghijk Mno
Vwxyab Defghijk Mnopqrst Vwxy
Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij
KERNEL32.dll
mpr.dll
WNetAddConnection2A
\\%s\ipc$
\\%s\admin$\g1fd.exe
admin$\
\\%s\C$\NewArean.exe
C:\g1fd.exe
\\%s\D$\g1fd.exe
D:\g1fd.exe
\\%s\E$\g1fd.exe
E:\g1fd.exe
\\%s\F$\g1fd.exe
F:\g1fd.exe
at \\%s %d:%d %s
administrator
xpuser
password
123456
qwerty
abc123
memory
12345678
bbbbbb
caonima
5201314
1314520
asdfgh
woaini
%d.%d.%d.%d
hra%u.dll
KERNEL32.dll
COMSPEC
/c del 
 > nul
kernel32.dll
GetTempPathA
kernel32.dll
KERNEL32.dll
%c%c%c%c%ccn.exe
kernel32.dll
GetTempPathA
kernel32.dll
KERNEL32.dll
%c%c%c%c%ccn.exe
kernel32.dll
GetTempPathA
kernel32.dll
KERNEL32.dll
%c%c%c%c%ccn.exe
%04d%02d%02d
SizeofResource
kernel32.dll
hra%u.dll
KERNEL32.dll
KERNEL32.dll
hra%u.dll
%c%c%c%c%c%c.exe
%s %s %s%d
HARDWARE\DESCRIPTION\System\CentralProcessor\0
%d*%u%s
0.0.0.0
%u Gbps
%u Mbps
GetTickCount
gethostbyname
GetSystemDirectoryA
lstrcatA
lstrcpyA
setsockopt
WSAStartup
closesocket
WSASocketA
gethostname
KERNEL32.dll
WS2_32.dll
GET %s HTTP/1.1
Content-Type: text/html
Host: %s
Accept: text/html, */*
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
GET %s HTTP/1.1
Referer: http://%s:80/http://%s
Host: %s
Connection: Close
Cache-Control: no-cache
%s %s%s
GET %s HTTP/1.1
Content-Type: text/html
Host: %s:%d
Accept: text/html, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
GET %s HTTP/1.1
Content-Type: text/html
Host: %s
Accept: text/html, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
GET %s HTTP/1.1
Host: %s:%d
GET %s HTTP/1.1
Host: %s
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Connection: Keep-Alive
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s
Connection: Keep-Alive
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: %s
Connection: Keep-Alive
%d.%d.%d.%d
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm
txHtnHtaHtTHtG
tOHt>Ht#
HHtrHH
HHtrHH
HHtrHH
PPPh$Q@
@PVSjej
HtGHHu4j
T$ @j|P
L$`j3QR
SUVWhP
D$ RPj
SUVWhP
T$ QRj
D$lRPQ
SUVWhP
SUVWhP
BRh`#@
D$xj(P
L$DPh`#@
D$tj R
D$xj(P
T$|j(RP
T$@h`#@
SUVWhP
GetProcAddress
LoadLibraryA
GetModuleFileNameA
WinExec
GetLocalTime
lstrcmpA
CreateThread
SetThreadPriority
GetCurrentThread
GetCurrentProcess
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
ExitProcess
GetTickCount
CloseHandle
ReleaseMutex
OpenMutexA
lstrlenA
lstrcpynA
WaitForSingleObject
SetFilePointer
WriteFile
CreateFileA
LockResource
LoadResource
FindResourceA
EnumResourceNamesA
EndUpdateResourceA
UpdateResourceA
BeginUpdateResourceA
GlobalFree
ReadFile
GlobalAlloc
GetFileSize
GetFileAttributesA
GetLastError
GetWindowsDirectoryA
GlobalMemoryStatusEx
GetSystemInfo
lstrcpyA
GetSystemDefaultUILanguage
KERNEL32.dll
wsprintfA
GetDesktopWindow
USER32.dll
DeleteService
CloseServiceHandle
OpenServiceA
OpenSCManagerA
RegOpenKeyExA
StartServiceCtrlDispatcherA
RegQueryValueExA
ADVAPI32.dll
SHChangeNotify
ShellExecuteExA
ShellExecuteA
SHELL32.dll
WSAIoctl
WS2_32.dll
SHDeleteKeyA
SHLWAPI.dll
GetIfTable
GetAdaptersInfo
iphlpapi.dll
realloc
malloc
strlen
sprintf
memset
memcpy
strncpy
strcspn
strstr
strcpy
localtime
strcat
strncmp
_except_handler3
??3@YAXPAX@Z
??2@YAPAXI@Z
strcmp
MSVCRT.dll
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
GetModuleHandleA
GetStartupInfoA
ExitThread
TerminateProcess
CreateProcessA