Sample details: 4644e2527025331e7f2107730aab9bbe

Hashes
MD5: 4644e2527025331e7f2107730aab9bbe
SHA1: 2a219237d184a9b6dbfe44fcb90174ccc27d5a3b
SHA256: a9e167f6ca25c8660a7571bc8d628c397407478a1cea1c8764ba43ec61724bbf
SSDEEP: 384:hdqL2Uwbgo4hH7PEUzjp1FGcz2PZubotzX0N/0SjyWde2jWTMdL1a:M2U8VAva6GjGFjyWdR6IdL1
Details
File Type: PE32
Yara Hits
YRP/yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h | YRP/UPX_290_LZMA | YRP/UPX_290_LZMA_Markus_Oberhumer_Laszlo_Molnar_John_Reiser | YRP/UPX_290_LZMA_additional | YRP/UPXv20MarkusLaszloReiser | YRP/UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser | YRP/UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/IsBeyondImageSize | YRP/domain | YRP/contentis_base64 | YRP/UPX | YRP/suspicious_packer_section | FlorianRoth/DragonFly_APT_Sep17_3
Sub Files
630c21a445c205505221ce85753305a9
Source
http://94.130.104.170/3//psih.safe
http://94.130.104.170/3/psih.safe
Strings
		!This program cannot be run in DOS mode
XQRQh 
e&n0s^
;aIK\.
KpYQ,C
F0mbZ"_6
BhIW_Y
nB@&Y.
	4{<\]
Ikm25a
#67jkm
=6>+9l	
':+LMy
'WHj%H
~00}[6
#Wr=bKX
	b?NUB
znr~oz
Zla!lpj[
,'(JNb
,_=Q6]1}(
iaRZ}<
I!B|a\
>sS*6y
$:i?7g
1|8d%S
WaitForSingleObjec
tGetLastErr
ofi(Str0A
CloseHand
FreeLibra
ryTerm#2Th
ls &SlpExfVi
rtualAlloc_
Z3oycat@
<nueDebugEve
ChZkByTyp
ulpiv'
@.id66
XPTPSW
UNIQSTRING987654
KERNEL32.DLL
ADVAPI32.dll
COMDLG32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
AddAccessAllowedAce
ChooseFontA