MalShare

Sample details: 54a5af3d54b17c24d67267dd2a2b963c --

Hashes
MD5: 54a5af3d54b17c24d67267dd2a2b963c
SHA1: 9b20006140403022120b5c64981fed4a5ff93460
SHA256: 4affad4d4b02e99b4428516173cafecdc7e8e80c0ad0e2b78453eb40881a2062
SSDEEP: 384:0wWdgUeOU7iP0CB8C/QEcb2kB3kHItilwqdR8FfG8N06pX:7O+iMCcEcb2s3OpwOR8Ff+6pX

Details
File Type: PE32

Yara Hits
YRP/IsPE32 \| YRP/IsWindowsGUI \| YRP/IsPacked \| YRP/HasDebugData \| YRP/HasRichSignature \| YRP/maldoc_find_kernel32_base_method_1 \| YRP/domain \| YRP/IP \| YRP/url \| YRP/contentis_base64 \| YRP/ThreadControl__Context \| YRP/inject_thread \| YRP/network_http \| YRP/win_token \| YRP/win_files_operation \| YRP/Advapi_Hash_API \| YRP/BASE64_table \| YRP/Str_Win32_Wininet_Library \| YRP/Str_Win32_Internet_API \| YRP/Str_Win32_Http_API \| FlorianRoth/DragonFly_APT_Sep17_3 \|

Yara Hits

Strings
!This program cannot be run in DOS mode. .ddata `.rdata @.data vi^Zp) iGa_QvR53 =t_aG# ^aG*{ "VG/{ w`ahGa ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko http://api.ipify.org 0.0.0.0 GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x64) GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x32) LoadLibraryA LoadLibraryExA GetProcAddress zzzzzzzzzzzzzzzzexplorer.exe SystemRoot \System32\svchost.exe GetNativeSystemInfo kernel32.dll InternetCrackUrlA InternetOpenA InternetCloseHandle InternetConnectA InternetReadFile InternetQueryOptionA InternetSetOptionA HttpOpenRequestA HttpSendRequestA HttpQueryInfoA WININET.dll GetAdaptersAddresses IPHLPAPI.DLL EnumProcesses GetProcessImageFileNameA PSAPI.DLL RtlDecompressBuffer ntdll.dll HeapAlloc HeapFree GetProcessHeap GetVersion lstrcpyA lstrcatA lstrlenA GetWindowsDirectoryA GetVolumeInformationA GetProcAddress VirtualAlloc VirtualFree VirtualAllocEx VirtualFreeEx OpenProcess TerminateProcess CreateThread GetProcessId GetLastError WriteProcessMemory GetThreadContext SetThreadContext ResumeThread WriteFile CloseHandle GetSystemInfo lstrcmpiA LoadLibraryA GetModuleHandleA CreateProcessA GetEnvironmentVariableA GetTempPathA GetTempFileNameA CreateFileA GetComputerNameA KERNEL32.dll wsprintfA USER32.dll OpenProcessToken GetTokenInformation LookupAccountSidA CryptAcquireContextA CryptReleaseContext CryptDeriveKey CryptDestroyKey CryptDecrypt CryptCreateHash CryptHashData CryptDestroyHash ADVAPI32.dll 0@P`p 13.82i yY&u`~ kBRe'Ch7 \G"QQ4I V4sCe" [%SMgy bQ2PUU .]]J+q <.k Wr G@>}053EH" UYu3ssJ\|@ $?-;Sk `o+3'\) %]L<1h{ EContent-Type: application/x-www-form-urlencoded

Strings

		!This program cannot be run in DOS mode.
.ddata
`.rdata
@.data
vi^Zp)
iGa_QvR53
=t_aG#
^aG**{
*"VG/*{
w`ahGa
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
http://api.ipify.org
0.0.0.0
GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)
GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x32)
LoadLibraryA
LoadLibraryExA
GetProcAddress
zzzzzzzzzzzzzzzzexplorer.exe
SystemRoot
\System32\svchost.exe
GetNativeSystemInfo
kernel32.dll
InternetCrackUrlA
InternetOpenA
InternetCloseHandle
InternetConnectA
InternetReadFile
InternetQueryOptionA
InternetSetOptionA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
WININET.dll
GetAdaptersAddresses
IPHLPAPI.DLL
EnumProcesses
GetProcessImageFileNameA
PSAPI.DLL
RtlDecompressBuffer
ntdll.dll
HeapAlloc
HeapFree
GetProcessHeap
GetVersion
lstrcpyA
lstrcatA
lstrlenA
GetWindowsDirectoryA
GetVolumeInformationA
GetProcAddress
VirtualAlloc
VirtualFree
VirtualAllocEx
VirtualFreeEx
OpenProcess
TerminateProcess
CreateThread
GetProcessId
GetLastError
WriteProcessMemory
GetThreadContext
SetThreadContext
ResumeThread
WriteFile
CloseHandle
GetSystemInfo
lstrcmpiA
LoadLibraryA
GetModuleHandleA
CreateProcessA
GetEnvironmentVariableA
GetTempPathA
GetTempFileNameA
CreateFileA
GetComputerNameA
KERNEL32.dll
wsprintfA
USER32.dll
OpenProcessToken
GetTokenInformation
LookupAccountSidA
CryptAcquireContextA
CryptReleaseContext
CryptDeriveKey
CryptDestroyKey
CryptDecrypt
CryptCreateHash
CryptHashData
CryptDestroyHash
ADVAPI32.dll
 0@P`p
13.82i
yY&u`~
kBRe'Ch7
\G"QQ4I
V4sCe"
[%SMgy
bQ2P*UU
.]]J+q
<.k Wr
G@>}053EH"
UYu3ssJ|@
$?-;Sk
`o+3'\)
%]L<1h{
EContent-Type: application/x-www-form-urlencoded