Sample details: 4a8a0e41c3870a46df3db17bef5608c3 --

Hashes
MD5: 4a8a0e41c3870a46df3db17bef5608c3
SHA1: 648cd9c6db1e8a2867f59950d1fa12bdc1be5999
SHA256: 768736bb44d8d105ae2592162701182e1ac31950e65ed40f937fc6d963b3d213
SSDEEP: 6144:vqvDHt5GCCFwRY8PVfM+wmJB5dscJfbwSJ1To4dFS7F7KZuSxuF:yLHtrZRPwmb5dscJZkWc7wxS
Details
File Type: MS-DOS
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Borland_Delphi_30_additional | YRP/Borland_Delphi_30_ | YRP/Borland_Delphi_v40_v50 | YRP/Borland_Delphi_v30 | YRP/Borland_Delphi_DLL | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasOverlay | YRP/HasModified_DOS_Message | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/DebuggerCheck__QueryInfo | YRP/ThreadControl__Context | YRP/inject_thread | YRP/network_http | YRP/network_tcp_socket | YRP/network_dns | YRP/network_dga | YRP/escalate_priv | YRP/screenshot | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Advapi_Hash_API | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/Str_Win32_Http_API | YRP/Atmos_Packed_Malware |
Source
http://kzkoicaalumni.com/dile/us.exe
Strings
          	            `.data
.reloc
SV"~th
:SV"~th
9|{2C4L
[I68$(
L&&jl66Z~??A
Oh44\Q
sb11S*
uB!!c 
D""fT**~;
;d22Vt::N
J%%o\..r8
yynf>>
aa_j55
UUxP((z
&jL&6Zl6?A~?
~=Gz=d
"fD"*~T*
2Vd2:Nt:
x%oJ%.r\.
NOvJ<v
;;MvYY
Q  `@>>
__1n99Kr
Q.UU/z
X22VdwwI>
00P`!!cB
WW)~++}V
uuO:@@
)){Rqq
\\4hTT,x
33UfBB
ZKlnFz
Hl\t8$4,
CePN*@\
'p\7?|
[G [)Z
a{l\tH
:AeS~HhXp
KlLpZ}Py
DYP<<D<L<T<\<d<l<t<|<
%?0?`L^
<\$H:]
B+RJ="
HjIp_rUK
:(:<:C:n:
;!<=<E<
rN&,0FR
4B.,$l2
s7ogkM
	/SG{+#7uQ
(hH(\VZZ2VvD6^X$
.X<6>L
CO9]%C
Wq7[w))
hd$vhn
(p*^*ND4vN:<<VNr$64HT
WVYRpUZT
kjimOJ
GXCOtY]GW
0%'=6;'/
<2)<>3;
EOTLIKFBvNBFH
*&<,?*&9
308(6>
<.27 &6
5'<-/&.
^]UE[SjQC_ZMK[bYMCCLB
WPESyBIDCGKEGJBYAlWTB
)8=!/)$(37
ebwaK`d{G{vt
pqzyvaJfr{f~n
' 5#	;;25=>
?=*"%;,
.305#%",-;
); 13:2
!&68*>>(
(,:00-)r6*4pz=u:.>:>,=
mR]ON}li
"?5&"5%3%
SNDWSDTBTzgj~yh{`Mq
}pxc8+4+@n{kTHLDWyABFLXJ@qHNF^@Z@PE
m~y|g{b:
]bfZM_
IN[MVXW^
`f{uzs
bWAJXL
lh~jhd|
B_UFBUESEqkijuk}i\tqZbsv
SVyATQ
c<$>, e-.-.#+ "4s
#%;=/# )+1
MPZIMZJ\JP||a
ucR[cykg(Jijidlges
,,,*9!:
^KSuKX_
+focvla~y"
bfpddllek}
hxnxcJFSId{la
NajK\HdzT[R
	^q|M[\NV
CXb5OM
#238!?(qjl;]
pYLMX_^{VWXC_D
-)".70b
~AENB[\
wJ@SW@PFp`GLZFYDRAj`Y_V\KN
wJ@SW@PFp`GLZFYDRAj`Y_V\KN
qJHQUTS
sODGW@C
|JODZBMGRT
%!*&?8j
&!4,6;7,(
#";-89
##"43';::x
51:6/(z
;9"03'!
w``lT@H
29/3,1'4
FMCPLUJFQLX
}^HZXT
qQK_]SE
CNMHM@U
QYE]U@m}%ulq-])p
e5u}ayq
8`lM$AuY
hh=9!D
Y1)9!E-
;wg;{#{S
7SJFVV
\p(X$P
F6J>f*
V:r*fN
ay]u)=|
6^FVN*B
AM%)QE(<
%UQQ))
6.*2z~
m73EYM?
~V$bF&&XZFd~BJBTF$N
fRD>:^2Z
Z48DVP8(
P88`$2@R
^B&^LJ
\@8"2Jrj
>NN>DR<V&RH`V"XL<X
LL,XND^F
IESWU9]]
MC'9=KC
@4<DN6<*
GetProcAddress
LoadLibraryA
NtCreateThread
NtCreateUserProcess
NtQueryInformationProcess
RtlUserThreadStart
LdrLoadDll
LdrGetDllHandle
.reloc
CreateThread
GetModuleHandleW
%s%s%s
hvnc_module
atmos_hvnc.module
cookie_module
atmos_ffcookie.module
video_module
atmos_video.module
|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq
ZwQueryInformationProcess
IsWow64Process
userenv.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
del "%s"
if exi
&curren;
&pound;
&cent;
&euro;
&#65509;
&#8369;
&#8366;
&#8365;
&#8363;
&#8362;
&#8361;
&#8360;
&#8359;
&#8358;
&#8357;
&#8356;
&#8354;
&#8353;
&#8372;
&#8364;
&#8355;
&#6107;
&#3647;
&#165;
&#164;
&#162;
&#163;
&nbsp;
value=[%s], code=[%s]
%COMMANDSERVER%
http://127.0.0.1:%u/
X-Type: %s
{{[Ks;q
c{;Ksq
Qq;{{;c+q
q;{{;c+q
ic{;Ksq
iQiQiQiQ)
b_?N_=
bQ>a0]
tT95T1D
tL95X1D
tD95\1D
t<95`1D
0T*xD*
0T*XD*
0T*xD*w
l: L"!
"!`\"!`
L"!`L"!
bU :lg
+5 ,tw!
L*FL*`
`\*&G~ 
_:\j@C19
(\>L*`
\*@S@L"!BS
&u3A.{&
@M.u ]
]9c],:^
bQ=bQ:bQ<NQ3
cS bQ$
B?=7TF
u	hlb@
_0S l*
Ls@Ls`
LqLs GX
65BE.1
 65#E.0
 .;E.1
Hc!	(@
t2;>s.W
D$0PWWj!W
	cS<Tc
cS=TcS?T
cS;TcS?T
cS;TcS?T
	cS=Tc
cS;TcS?T
cS6TcS?T
cS6TcS?T
K"?=7TF
C*8LCG
B\j@C19
@L0LxT
w`L*gl,-
]=:8s@
]<:6s@
];:4s@
]::2s@
]9:.s@
bS<bU=NS
bS>bS;
U=bS>P
4bS>:j6@
:!5.-t
SVWjD3
tE93tA
tshdg@
vd $J@
vd e:@
8ac'Y@
\~L*@G
;\GZ]9
]?:(+@
>b_:NW=]
bQ=c]*:
]=bQ,ca'
b_.c];c_<bQ7
bW<bW;:
cW*b]1bQ2:3y@
c_;:|2@
tBSVWj
t9WWWV
L"!#\"!
L"!C>"!c
b]>b_=
A ~B]A
{B1NKx
l"!#G]
_p\$!d
L"!`\"!
\Zbl"!`
\Z`l"!`
!C\Zb\6Y"!c
"!`l"@
!`S8C%T
\ZBY"!c
Q7:?\@
u$9uxt
\jG\*gl"@HGX
\*g\r@
2`\2`\r@\
LrBL2bl*
\*@L2 O?
@S C T
\F,Nx$
D$LPVh
SXl"!"
L"!!GR
0bQ?a0
b]= _<
u|Pj<Z
\*G\@l
\*G\@l
@cU=cc"
cS?c/G>
bQ=b]?c]%.7
?=7TH+
D$ ;D$
L.U 66
. 6UcI.[IA
. 6UsI.[IA
cU=cc2
bS=b]>
b_>b_=:
]<cW?b_?:
bQ=:X3
b_?N_=
cQ>bW>:
bQ;NW>
c_?bQ<bW?:
B?=7TF
B?=7TF
*'Bx$M
3\*/3L*
MM65CEM
]]]]]]]6
bS>bU=
NbU<bQ?a
It=It0It#It
b];b]<
c]>:JE@
u&9t$hv 
S	\>\vGG
MY].cM
50ME60@
VVVPVV
WWVPWW
SSWPSS
=TRERt
Q@SVu	
<VWjHj
 \X6 @
tQf9:tL
WaitForSingleObject
GetModuleFileNameW
ExitThread
ExitProcess
GetThreadContext
SetThreadContext
InitializeCriticalSection
VirtualFreeEx
LeaveCriticalSection
VirtualAlloc
EnterCriticalSection
GetProcessId
GetFileAttributesExW
CloseHandle
GetFileSize
MapViewOfFile
UnmapViewOfFile
CreateProcessW
GetCurrentProcess
GetModuleHandleW
IsBadReadPtr
CreateRemoteThread
OpenProcess
CopyFileW
TerminateProcess
CreateFileW
GetProcAddress
Process32FirstW
CreateFileMappingA
Process32NextW
VirtualProtect
CreateToolhelp32Snapshot
DuplicateHandle
DeleteFileW
ResumeThread
CreateEventW
WaitForMultipleObjects
GetNativeSystemInfo
GetVersionExW
LocalFree
SetEvent
GetTickCount
OpenEventW
GetCurrentProcessId
GlobalLock
GlobalUnlock
GetFileAttributesW
FreeLibrary
LoadLibraryA
lstrcmpiW
GetDriveTypeW
GetLogicalDrives
SetFileAttributesW
CreateEventA
GetLastError
SetLastError
ResetEvent
VirtualFree
GetModuleHandleA
FindFirstFileW
GetCurrentThread
FileTimeToSystemTime
SetThreadPriority
FindClose
FindNextFileW
GetWindowsDirectoryW
GetCommandLineW
CreateDirectoryW
LoadLibraryW
lstrcmpiA
WTSGetActiveConsoleSessionId
MoveFileExW
SetFilePointer
SetEndOfFile
WriteFile
ExpandEnvironmentStringsW
GetPrivateProfileStringW
FlushFileBuffers
GetPrivateProfileIntW
GetUserDefaultUILanguage
CreateMutexW
SetErrorMode
GetComputerNameW
TerminateThread
WriteProcessMemory
CreateThread
SetHandleInformation
GetExitCodeProcess
ReadFile
GetExitCodeThread
CreatePipe
GetEnvironmentVariableW
FileTimeToDosDateTime
GetTempFileNameW
HeapReAlloc
HeapAlloc
SystemTimeToFileTime
SetFilePointerEx
GetLogicalDriveStringsW
HeapFree
GetProcessHeap
SetFileTime
VirtualQueryEx
Thread32First
WideCharToMultiByte
ReadProcessMemory
HeapDestroy
HeapCreate
lstrcpynW
Thread32Next
GetTimeZoneInformation
MultiByteToWideChar
lstrlenW
GetTempPathW
GetFileSizeEx
OpenMutexW
VirtualProtectEx
VirtualAllocEx
RemoveDirectoryW
QueryDosDeviceW
GetFileTime
ReleaseMutex
FileTimeToLocalFileTime
GetVolumeNameForVolumeMountPointW
GetFileInformationByHandle
GetSystemTime
InterlockedExchange
GetLocalTime
KERNEL32.dll
ToUnicode
PeekMessageW
GetClipboardData
GetKeyboardState
TranslateMessage
GetMessageW
GetCursorPos
GetIconInfo
DrawIcon
MessageBoxA
CharToOemW
ExitWindowsEx
CharLowerBuffA
GetForegroundWindow
DispatchMessageW
CharUpperW
CharLowerA
CharLowerW
MsgWaitForMultipleObjects
LoadImageW
USER32.dll
CreateProcessAsUserA
CreateProcessAsUserW
GetLengthSid
ConvertSidToStringSidW
RegQueryValueExA
RegQueryValueExW
EqualSid
RegCreateKeyW
RegQueryInfoKeyW
RegDeleteValueW
RegEnumValueW
RegCloseKey
InitiateSystemShutdownExW
IsWellKnownSid
CryptGetHashParam
OpenProcessToken
GetSidSubAuthority
CryptAcquireContextW
OpenThreadToken
GetSidSubAuthorityCount
GetTokenInformation
RegCreateKeyExW
CryptReleaseContext
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetNamedSecurityInfoW
LookupPrivilegeValueW
AllocateAndInitializeSid
CryptCreateHash
ConvertStringSecurityDescriptorToSecurityDescriptorW
SetSecurityInfo
FreeSid
RegOpenKeyExW
GetSecurityDescriptorSacl
CheckTokenMembership
SetSecurityDescriptorSacl
CryptDestroyHash
AdjustTokenPrivileges
RegSetValueExW
GetSecurityDescriptorDacl
CryptHashData
RegEnumKeyExW
RegEnumKeyW
ADVAPI32.dll
PathFindFileNameW
PathRemoveFileSpecW
StrCmpNIW
PathRenameExtensionW
PathUnquoteSpacesW
PathRemoveBackslashW
PathQuoteSpacesW
PathIsURLW
StrCmpNIA
UrlUnescapeA
wvnsprintfW
PathIsDirectoryW
PathAddBackslashW
SHDeleteValueW
PathSkipRootW
SHDeleteKeyW
PathCombineW
PathAddExtensionW
PathMatchSpecW
wvnsprintfA
StrStrIA
StrStrIW
SHLWAPI.dll
SHGetFolderPathW
ShellExecuteW
CommandLineToArgvW
ShellExecuteExW
SHELL32.dll
GetUserNameExW
Secur32.dll
CoCreateInstance
CoSetProxyBlanket
CoUninitialize
CLSIDFromString
CoInitializeSecurity
CoInitialize
CoInitializeEx
StringFromGUID2
CoGetObject
ole32.dll
GetDeviceCaps
GDI32.dll
WSAWaitForMultipleEvents
WSASocketA
WSAResetEvent
WSACreateEvent
WSAGetOverlappedResult
WSAEventSelect
WSAEnumNetworkEvents
WSAConnect
WSASend
WSARecv
WSACloseEvent
freeaddrinfo
getaddrinfo
WSAAddressToStringW
WSAIoctl
WS2_32.dll
CryptUnprotectData
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFileExA
InternetReadFile
HttpSendRequestW
GetUrlCacheEntryInfoW
InternetSetStatusCallbackW
HttpAddRequestHeadersW
HttpOpenRequestA
HttpOpenRequestW
InternetGetCookieA
InternetSetFilePointer
HttpEndRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpEndRequestW
InternetCloseHandle
InternetQueryOptionA
InternetConnectA
InternetQueryOptionW
InternetCrackUrlA
InternetCrackUrlW
InternetSetOptionA
InternetOpenA
InternetSetStatusCallbackA
WININET.dll
OLEAUT32.dll
NetUserGetInfo
NetApiBufferFree
NetUserEnum
NETAPI32.dll
GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW
VERSION.dll
NtQueryKey
ntdll.dll
L*@\*@
\"! T@
\b!`3,
{&yP&y`
.Yp.90*0<
w&y`&yp
@S5bS<bQ>b
cS3bQ8:
Q>bS5cS3bQ::
bQ:bU;:
cS8bQ<
bQ7bS9: 
bQ:bU;:
cS7bQ<
bQ:bU;:
cS8bQ<
El*Elj
.50&Ub&u
AMMMEM
]bW=NW
2bS=ar
K@;KHv
H4;H8s
AMMMMMM
pMUY].
Kz?=TH/
PSSj$S
L2`3\*
L2`3\*
 .50MY]6
EE.5 MY].c
b@,@zF
B?=7TF
tZSj W
\*GL2@\*gL2`_u
\*GL2@\*gL2`_u
cW?b_?:
b_>b_?
?;7=H-
H?=7TH-
BA=H'/
tJJJt?JJt4Jt*
(j\Zj/
!j\Zj"
j\Zjbf
<s,tY\*
O@Dj@D*H3\*@
@Dj@D*H3\*@
\g\*@\F
O@DjPD*X\*@
\g\*@\F
@DjPD*X\*@
\*`\j@\
\g\j`\
\FDjX\
Djh\Vxe
S.#.C<
c_;cW<:
b_6bW<
"Q/bW<
Q~bU;	
0b_7b_8
bU8bQ7
QiQQQi
tHHt"Hu_
tpSSPh'
; ;$;(;,;0;4;8;<;@;D;H;L;
<$<,<4<<<D<L<T<\<d<l<t<|<
=$=,=4=<=D=L=T=\=d=l=t=|=
>$>,>4><>D>L>T>\>d>l>t>|>
?$?,?4?<?D?L?T?\?d?l?t?|?
0$0,040<0D0L0T0\0d0l0t0|0
1$1,141<1D1L1T1\1d1l1t1|1
2$2,242<2D2L2T2\2d2l2t2|2
3$3,343<3D3L3T3\3d3l3t3|3
4$4,444<4D4L4T4\4d4l4t4|4
5$5,545<5D5L5T5\5d5l5t5|5
6$6,646<6D6L6T6\6d6l6t6|6
7$7,747<7D7L7T7\7d7l7t7|7
8$8,848<8D8L8T8\8d8l8t8|8
9$9,949<9D9L9T9\9d9l9t9|9
X5\5`5d5h5l5p5t5x5|5
5h?l?p?t?x?|?
555E5M5x5
7,7A7z7
8#8*8Q8X8q8x8
9.9Y9u9
:(:<:C:n:
;!<=<E<_<
? ?*?0?:?@?L?R?Z?b?j?r?
22C2V2f2r2
4@5K5p5
1T2f2w2
3$4Z4s4
6Y7f7y7
>!>'>2>R>\>b>m>
?&?0?8???
>V?\?f?l?r?|?
:e;l;r;};
<,<1<7<D<K<T<Z<c<
<(=.=5=H=Y=
>.>D>\>n>
313F3K3l3q3|3
4(4/4:4F4S4`4m4z4
575L5Z5+6
30383A3
6	727}7
7'8m8G9X9f9t9
:0;>;K;o;
 101v1
3"3H3W3]3h3y3
454A4L4Z4`4
5C5O5Z5p5x5
:,;;;B;j;
<!<7<D<v<
> >)>O>
6$6+6:6^6m6
7%7.777A7M7Y7f7x7
;(;1;>;R;Y;q;y;
<F<^<e<{<
0+26274E4q5z5
9i;~;	<P<[<}<
<8=c>n>
>K?X?c?j?y?
5S6Y6^6l6
7"7o7z7
:H;e;t;~;
6/7I7 9&969
<@<F<k<
><?B?_?
0-0S0Z0
2?3M3T3
8.8@8S8Z8
:V;W<a<
0!090L0
1#171]1l1r1}1
3"3'3-353=3E3M3U3]3l3s3x3}3
9 979r9x9
<&<T<`<l<x<
?V?[?g?z?
2W2]2j2=3B3N3Z3
4&4?4|4
4$5+575O5c5j5
8-8J8m8
;!;*;0;H;
1=1C1P1c1i1
2,2;2A2L2
2&3>3g3s3~3
455a5+6Q6
738:8?8D8J8S8\8e8j8t8{8
<9=N=j=
0W0\0u0
2	373C3O3[3g3s3
5!6(6G6
8I9]9i9{9
:":<:K:;;
1,24292]2c2x2
384'5z5
4&4<4R4
8s8y8:9
>'>:>^>p>
? ?)?R?W?b?h?n?t?z?
0"0(0C0I0d0u0z0
2#2)2.252;2C2K2S2m2r2|2
3%3+313>3J3Z3_3e3t3
4'4-43494?4E4K4Q4W4g4
5I5Q5{5
7%7;7A7h7
939B9];d;k;r;y;
?*?3?D?P?\?h?|?
%0?0a0
3Q4e4j4t4
6%6`6v6
;&;B;];y;
=0=>=h=
2S2c2 4a4
3F3k4~4'5
585c5i5
;A<K<x<
>9?E?O?q?
10w0F1a1y1
4"4'4,41464;4@4E4J4O4T4Y4^4c4h4m4r4w4|4
5!5&5+52575E5J5R5X5_5e5l5r5{5
6/6;6T6Z6
>:>?>E>K>]>c>i>
?!?%?)?-?1?5?Z?q?
Q0U0Y0]0a0e0i0m0q0u0
1!1<1u1
3)3@3X3c3i3s3y3
6-6E6q6
7A7f7x7
8,8<8L8\8l8|8
9(9<9L9\9l9|9
=?=-?[?a?
1A1}1-2
8'8.848?8T8d8j8
:):0:Q:^:k:}:
=U=[=y=
?0?p?z?
20<0H0a0
9%9@9G9h9
<T>f>w>
>*?[?}?
132B2x2
3E3[3x3
4/4D4^4
6*696l6
:	;2;G;l;~;
;K<V<h<
40:0H0N0b0h0z0
7D:a:h:q:
<#<[<s<
=I=l={=
2$3+383D3c3j3t3
4!4-4H4Q4^4i4
5(5J5T5^5j5y5
6'696N6_6o6
7f8m8z8
9%939N9W9d9o9
: :S:]:j:v:
;4;@;T;g;~;
<!<-<C<
>">)>6>]>h>s>
1#1A1H1Z1~1
3$4-4?4E4M4
5/5r5}5
7%7,737P7\7
7N8U8\8b8o8
0#020=0
2.252C2
3<3G3x3
515E5^5{5
616H6Q6f6r6
8!818^8d8m8{8
<0=B=R=
>#>(>2>8>B>L>T>Z>`>f>
?!?&?+?0?8???
011=1n1
323L3n3}3
3(4Q4l4|4
5*676[6m6
7#707j7
5B5c5n5
9#:):|:
0)0Q0i0
2>3X3d3
3)4=4I4a4
4I5T5`5g5
2	4@4S4
8;8k869:9>9B9F9J9N9R9
?'?M?a?
4"4&4*4.42464:4>4B4F4
=#='=+=/=3=7=;=?=
}0!2-2X2
565F5T5b5h5t5
0$0,040<0D0L0T0\0d0l0p0t0x0|0
1,1<1L1\1l1|1
2,2<2L2\2l2|2
4 4$4(4,40444<4@4H4L4T4X4\4`4d4h4l4p4x:
; ;,;8;D;P;\;h;t;
z$(\0Q
#2Zc2}