Sample details: 467150e4724bbbdfb1081ed4638cdefa

Hashes
MD5: 467150e4724bbbdfb1081ed4638cdefa
SHA1: 3536107b3bde74aae1396d403600dc12a7d339b0
SHA256: 23bac2f2dbe2b7a58f293f0299d47fe84fb8fb74c60833837867df334a3bdbc8
SSDEEP: 3072:/caqyte6dV77snHLLxtYyaXOqdPNbnhW4IxZx5kCZuubFrhU1wKKrONmh:/caBtz77snHRrY7PNNW4IxZ7zbC0rONw
Details
File Type: MS-DOS
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Borland_Delphi_30_additional | YRP/Borland_Delphi_30_ | YRP/Borland_Delphi_v40_v50 | YRP/Borland_Delphi_v30 | YRP/Borland_Delphi_DLL | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasModified_DOS_Message | YRP/maldoc_find_kernel32_base_method_1 | YRP/domain | YRP/url | YRP/contentis_base64 | YRP/DebuggerCheck__QueryInfo | YRP/ThreadControl__Context | YRP/inject_thread | YRP/network_http | YRP/network_dns | YRP/network_dga | YRP/escalate_priv | YRP/screenshot | YRP/keylogger | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Advapi_Hash_API | YRP/CRC32_poly_Constant | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/Str_Win32_Http_API
Source
http://www.macrosoft.gq/z/bot.exe
Strings
		`.data
.reloc
ZCWRP[
D/`2=j
/5vxJNn2
|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq
IsWow64Process
userenv.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
del "%s"
if exist "%s" goto d
@echo off
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
HTTP/1.1
Connection: close
urlmon.dll
ObtainUserAgentString
cabinet.dll
FCICreate
FCIAddFile
FCIFlushCabinet
FCIDestroy
bcdfghklmnpqrstvwxz
aeiouy
script
Basic 
PR_OpenTCPSocket
PR_Close
PR_Read
PR_Write
gdiplus.dll
GdiplusStartup
GdiplusShutdown
GdipCreateBitmapFromHBITMAP
GdipDisposeImage
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipSaveImageToStream
ole32.dll
CreateStreamOnHGlobal
gdi32.dll
CreateDCW
CreateCompatibleDC
CreateCompatibleBitmap
GetDeviceCaps
SelectObject
BitBlt
DeleteObject
DeleteDC
NLH_sir{cqgwFqde`geyZ
YCEAG^D
mKUSAMNgMYK
=1)\55-X4$,$'75Q
,0;&">*<o%;'
vIMQQE
Ljaekk,ym#eycdqq
;{vsr}sv3qe6{}{O
Vvn;ysqjwy2~qxyeq'
>7;&<':0)6 
>*#&>.
Z]H^tLEITNUHB[DR`YXH
`grdNx|
xl~y|Gh
EBWAkVSELJeIYPQIE
 /.%&)>
9-$9!1
^JeHY\L\XnSWP
amu_orqtbdcmlzRi}ss|r
+650& ')(>
,>%46?7
7;#	33
q}eObfquo
(<,.)/-
kT[IH{jo
yTJ\xkl
:'->:-=+=
cpwjhsw,yt{
VFWVULRE
1/16+1*$,:
db}{fhgn
^CIZ^IYOYiftuim"mnvukawFb}yer`3 q_J]ZADDV
ECS jgkelo{
zj{zy`~i
= *9=*:,:!
lBDLtF@AC
37157J
t6,.-2,:>}
`drfdhp
jw}nj}m{mYCAB]CUAt\YrJ[^
:rqrq|t
HPJXTXWQ
5&!99?;56?
(;<c+-)
_tziuZGN
koymmeelbt
33*,0,$r73%
*9>ugfo
I@89!E
KdiX_JLTop][ZRU]ADD
0# %2.;l
o8	*- 9#6c. +"~e
s2=4>ipt%]
tKODHQV
9=6:#$v
(,'+25g
+,9!;6:!%
*+2$10
**+=:.233q
L4?>9I
&")%<;i
(*1# 42
AVVZbv~
GZPCGP@V@Pw|jvitbqZPAC^G@A^n|a
G@UCiGFP\
[LPKNGQ
RRFVQ_[
AABI]stu3:760i91"
ingq_qtbb-(izfy|i
]P]SJ[ll
FKZEEMvEN^@@
42BEPFlBCUi&/
ni|znr|*tcsn@htylsw
H{|lvv?c
*-8>">0f0'7*
14"27)
24*=4#'1q~q6
x[EMEAK
&%;3;?5"p624
ru`v-hr
	4>-)>.8
92$8':,?
 ;)?,&4a
TicptcseSCdoyezgqbI]}ftbq{i<^bitHT@V
mcaaqde~w
LPV?obo8(983*4#}cg0~W
SC@]_TUASTV
FNTJ	PXGMGM@HHv
5+#+/%
(#5)6+=.
6093$!q
5./=--43=
PR_GetNameForIdentity
PR_SetError
PR_GetError
Content-Length
http://
NSS layer
https://
Referer
Content-Type
Authorization
HTTP/1.
Transfer-Encoding
chunked
Connection
Proxy-Connection
identity
Accept-Encoding
If-Modified-Since
http://www.google.com/webhp
RFB 003.003
GetProcAddress
LoadLibraryA
NtCreateThread
NtCreateUserProcess
NtQueryInformationProcess
RtlUserThreadStart
LdrLoadDll
LdrGetDllHandle
0xF52BE0F5
t	A;L$
t	A;L$
u	j\Xf
WtRj V
t h`1@
PSSSQS
w@jDZRj
F,;F8u
@,9H,u
@09H0u
@49H4u
K@;KHv
H4;H8s
L$|9|$
s(;L$<t"
9D$0vh=
L$4+L$
N(hh3@
PSSj$S
<Sj<ZR3
t@<	t<<&u-
vzh<4@
>DAVEWu1h
\u)SPW
\YOi&$
t4SSSS
f;t$rt
,;D$$u
D$DPWWj
D$PPh~f
tQf9:tL
SSSh87@
W8D$ t
8SWjHj
L$<PQV
H4;H0u
QQSVWh
Qj<ZRj
~ !r-j
 @;F(r
D$<9D$0
D$PPVV
0t$Iuj
D$pPVSj
f98tz;
tvf9;tq
t$ 9t$
D$ ;D$
EDjwXf
f9;t|9}
t%WWWW
t6f97t1j
D$0PWWj!W
9t$0t5
VWh 4B
9\$|u&
=\[EPt
PWh\J@
D$JPVh
tv!\$0j
PWWj%W
tajDZRW
D$LPWW
GAHt8Ht HHt
f;GHsJ
tBSVWj
A8MvuJ
u|Pj<Z
D$6@uFj
EhPh`c
ELPSVS
Eo8]ot_j
E#+E/^ZY
GlobalLock
GetTickCount
InitializeCriticalSection
LeaveCriticalSection
GlobalUnlock
EnterCriticalSection
WaitForSingleObject
CreateRemoteThread
OpenProcess
VirtualFreeEx
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
CloseHandle
GetEnvironmentVariableW
FileTimeToDosDateTime
GetTempFileNameW
HeapReAlloc
CreateMutexW
FindFirstFileW
SetEndOfFile
FreeLibrary
CreateProcessW
HeapAlloc
SystemTimeToFileTime
SetFilePointerEx
HeapFree
CreateDirectoryW
GetModuleHandleW
GetCurrentThread
VirtualFree
GetProcessHeap
IsBadReadPtr
SetFileTime
VirtualQueryEx
WriteFile
Thread32First
WideCharToMultiByte
LoadLibraryW
ReadProcessMemory
HeapDestroy
HeapCreate
GetFileAttributesW
Thread32Next
ReadFile
GetTimeZoneInformation
CreateFileW
MultiByteToWideChar
FlushFileBuffers
GetTempPathW
GetFileSizeEx
OpenMutexW
GetLastError
SetLastError
GetProcAddress
VirtualAlloc
VirtualProtectEx
VirtualAllocEx
FindClose
LoadLibraryA
RemoveDirectoryW
WaitForMultipleObjects
lstrcmpiW
FindNextFileW
VirtualProtect
GetFileTime
ReleaseMutex
FileTimeToLocalFileTime
GetVolumeNameForVolumeMountPointW
DeleteFileW
GetFileInformationByHandle
LocalFree
GetSystemTime
WriteProcessMemory
SetFileAttributesW
CreateThread
ExpandEnvironmentStringsW
GetCurrentThreadId
ExitProcess
SetEvent
lstrcmpiA
WTSGetActiveConsoleSessionId
CreateEventW
MapViewOfFile
UnmapViewOfFile
SetThreadPriority
CreateFileMappingW
TlsAlloc
TlsFree
GetFileAttributesExW
GetPrivateProfileStringW
GetPrivateProfileIntW
GetLocalTime
ResetEvent
TlsGetValue
TlsSetValue
TerminateProcess
MoveFileExW
GetModuleFileNameW
GetUserDefaultUILanguage
GetThreadContext
SetThreadContext
GetProcessId
GetNativeSystemInfo
GetVersionExW
GetCommandLineW
SetErrorMode
GetComputerNameW
OpenEventW
DuplicateHandle
GetCurrentProcessId
KERNEL32.dll
ToUnicode
GetClipboardData
GetKeyboardState
TranslateMessage
DispatchMessageW
GetWindow
SendMessageTimeoutW
SetWindowLongW
CharUpperW
ReleaseDC
PeekMessageW
CharLowerA
GetWindowLongW
CharToOemW
WindowFromPoint
MsgWaitForMultipleObjects
LoadImageW
GetTopWindow
OpenWindowStationW
GetUserObjectInformationW
SetThreadDesktop
CloseDesktop
OpenDesktopW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
GetThreadDesktop
SetProcessWindowStation
CreateDesktopW
CharLowerW
GetShellWindow
RegisterClassA
GetWindowThreadProcessId
DefFrameProcW
DefWindowProcW
CallWindowProcW
EndMenu
CallWindowProcA
SendMessageW
RegisterClassW
HiliteMenuItem
DefMDIChildProcA
PostThreadMessageW
DefDlgProcA
GetMenuItemCount
SwitchDesktop
DefMDIChildProcW
DefWindowProcA
GetMenuState
GetClassNameW
SystemParametersInfoW
TrackPopupMenuEx
GetMenuItemRect
RegisterClassExW
GetMenu
MenuItemFromPoint
OpenInputDesktop
DefFrameProcA
DefDlgProcW
GetSubMenu
SetKeyboardState
GetMenuItemID
RegisterWindowMessageW
RegisterClassExA
GetMessagePos
ReleaseCapture
GetCursorPos
PeekMessageA
GetDCEx
SetCursorPos
GetCapture
GetUpdateRect
BeginPaint
SetCapture
GetWindowDC
GetMessageW
GetUpdateRgn
GetMessageA
EndPaint
GetIconInfo
DrawIcon
IsRectEmpty
MapWindowPoints
IsWindow
SetWindowPos
GetAncestor
GetClassLongW
GetWindowInfo
GetParent
PostMessageW
GetWindowRect
PrintWindow
EqualRect
IntersectRect
DrawEdge
FillRect
ExitWindowsEx
CharLowerBuffA
MapVirtualKeyW
GetSystemMetrics
USER32.dll
GetLengthSid
CryptGetHashParam
OpenProcessToken
GetSidSubAuthority
CryptAcquireContextW
OpenThreadToken
GetSidSubAuthorityCount
GetTokenInformation
RegCreateKeyExW
CryptReleaseContext
RegQueryValueExW
CreateProcessAsUserW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetNamedSecurityInfoW
LookupPrivilegeValueW
CryptCreateHash
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegOpenKeyExW
GetSecurityDescriptorSacl
SetSecurityDescriptorSacl
CryptDestroyHash
AdjustTokenPrivileges
RegCloseKey
RegSetValueExW
CryptHashData
EqualSid
RegEnumKeyExW
InitiateSystemShutdownExW
ConvertSidToStringSidW
IsWellKnownSid
ADVAPI32.dll
UrlUnescapeA
wvnsprintfW
PathIsDirectoryW
PathFindFileNameW
PathRemoveFileSpecW
PathAddBackslashW
SHDeleteValueW
PathSkipRootW
SHDeleteKeyW
PathCombineW
PathAddExtensionW
PathUnquoteSpacesW
PathRemoveBackslashW
PathMatchSpecW
StrCmpNIA
wvnsprintfA
StrCmpNIW
StrStrIA
StrStrIW
PathRenameExtensionW
PathIsURLW
PathQuoteSpacesW
SHLWAPI.dll
SHGetFolderPathW
ShellExecuteW
CommandLineToArgvW
SHELL32.dll
GetUserNameExW
Secur32.dll
CoCreateInstance
CoUninitialize
CLSIDFromString
StringFromGUID2
CoInitializeEx
ole32.dll
CreateCompatibleBitmap
DeleteObject
GetDIBits
GetDeviceCaps
CreateDIBSection
CreateCompatibleDC
SelectObject
DeleteDC
RestoreDC
SaveDC
SetRectRgn
GdiFlush
SetViewportOrgEx
GDI32.dll
freeaddrinfo
getaddrinfo
WSAAddressToStringW
WSAIoctl
WSAEventSelect
WSASend
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CryptUnprotectData
CRYPT32.dll
HttpQueryInfoA
InternetConnectA
InternetQueryOptionW
InternetCrackUrlA
InternetReadFile
InternetSetOptionA
HttpOpenRequestA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
InternetQueryOptionA
HttpSendRequestExA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFileExA
HttpSendRequestW
HttpAddRequestHeadersA
GetUrlCacheEntryInfoW
InternetSetStatusCallbackW
HttpAddRequestHeadersW
WININET.dll
OLEAUT32.dll
NetUserGetInfo
NetApiBufferFree
NetUserEnum
NETAPI32.dll
45<5D5L5T5\5d5l5t5|5
6$6,646<6D6L6T6\6d6l6t6|6
7$7,747<7D7L7T7\7d7l7t7|7
8$8,848<8D8L8T8\8d8l8t8|8
9$9,949<9D9L9T9\9d9l9t9|9
:$:,:4:<:D:L:T:\:d:l:t:|:
;$;,;4;<;D;L;T;\;d;l;t;|;
<$<,<4<<<D<L<T<\<d<l<t<|<
=$=0=<=H=T=`=l=
<,<:<K<`<t<
=*>0>J>r>
>/?6?;?M?`?
4#4+404D4K4Q4Z4`4
5!5'50555;5Y5a5
8;8P8j8
9 9/9L9[9r9
;-;3;;;
;1<<<b<o<
<-=V=\=
>G>P>}>
?/???d?|?
192A2M2T2
2#3<3v3
1 292Y2d2
233S3b3m3
616<6m6x6
8$888E8o8
879I9\9w9
? ?'?-?2?9?@?H?P?c?h?r?x?
"050H0M0R0W0\0a0f0k0p0x0
0*1/141<1D1
2"282q2}2
4/5K5[5
3)4<4d4|4
5/5S5]5
6 6%6]6
8.8<8w8
949\9r9
9,:@:L:S:e:w:
?C?S?_?v?
C0I0N0\0
1!1n1y1
2-2t3l4
5/585G527
939J9i9
9;:N:r:
0'1K1]1g1t1
3 3-3T3u3
4+4H4Y4w4
5M5S5h5v5
646R6r6
6X7_7y7
909@9P9t9
:%:+:B:q:
:	;+;9;O;q;
<$<I<W<m<
=,=B=g=r=y=
>.?D?^?}?
1#1(1-12171<1A1F1K1P1U1Z1_1d1i1n1s1x1}1
2"2(2-22272<2A2F2K2P2U2Z2_2d2i2n2s2x2}2
3,313R3W3b3o3|3
4 4,494F4S4`4m4
1!1'1J1[1e1{1
2'2?2P2^2
6*737V7g7m7	8
8(818:8?8I8P8U8\8b8g8n8t8y8
<F=T=u=T>l>y?
(0-0G0b0o0
32393U3
4I5U5h5
9\99:U:
1&9F9Y9h9
='=O=r=}=
7 7A7N7
<3<O<?=
>->P?c?
4'5-5I5
929G9U9_9i9s9
<(<9<@<V<
=&=-=C=^=g=m={=
=0>=>_>j>
4)434C4N4i4
5$5F5Z5`5
6&6,6k6v6
7(7.7F7P7g7m7
8/8A8V8e8|8
;>;P;u;
5(676P6
;8;N;W;t;
;-<I<i<
7D8N8i8
8(9-9@9
1C2K2P2[2m2|2
3A3U3]3{3
4	4'4-484>4D4J4P4V4\4b4
5*5]5j5
5U6Z6h6m6u6{6
7!7*70767<7C7S7Y7u7{7
7!8&8+8S8Y8_8e8k8q8w8
9+999i9q9
:-:3:N:S:i:n:
;%<1<7<}<
?(?1?=?U?a?g?o?
282D2T2q2~2
3N3_3x3
4&4,4R4
4 5,5J5U5f5w5
5*616H6N6j6
7,818F8
0,0<0L0\0l0|0
1,1<1L1\1l1|1
2,2<2L2\2l2|2
3,3<3L3\3l3|3
]$A}u&1
%I9l},