Sample details: 65674612fbfd490475d4245c1e3b4407

Hashes
MD5: 65674612fbfd490475d4245c1e3b4407
SHA1: 399cf912fea00e5729b2bc57fd54b3f5d57ab26d
SHA256: 5e6a1d47ce6a7693e4b5b47ef1748d16409b6b1fd8725b6ffc0b8199db2de72d
SSDEEP: 384:x/dxXkROvwuK76kNQexc+v2PVGsa1IJyGxsTKV9K2fId1F7vvxlLYe:x/v0wWzHc+v2Pssa1pGyTdF7Db
Details
File Type: MS-DOS
Added: 2019-11-08 22:13:52
Yara Hits
YRP/MPRESS_V200_V20X_MATCODE_Software_20090423 | YRP/yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h | YRP/mpress_2_xx_x86 | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/IsBeyondImageSize | YRP/HasModified_DOS_Message | YRP/maldoc_getEIP_method_1 | YRP/domain | YRP/contentis_base64 | YRP/win_registry | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/suspicious_packer_section | FlorianRoth/DragonFly_APT_Sep17_3
Source
http://211.220.181.146:443/ma/SQLIOMDSD.exe
Strings
		MZ27442
!Win32 .EXE.
.MPRESS1
.MPRESS2
	&{yG@
em[>gr
M%Wh9d
U>:aWp@
gFQf)2
7[A[dT
$j%rPo
u,0X8>
n-[oPY
Ort(za
CI#g?I
UEeYrq6
Gp!9b3Oa
LTcNf4v
&Ro4|1
_fp%-H
RAOham
7><,ot
Yb 2A\
J<}CA|
;K}@{*
V`yQZ!
23NG0L
"v2NAx
W/SOk,
	%%duAa
NE<GYK)
OeFvW-
GetModuleHandleA
GetProcAddress
KERNEL32.DLL
MSVCRT.dll
USER32.dll
wsprintfA
ADVAPI32.dll
RegCloseKey
SHELL32.dll
ShellExecuteA
WS2_32.dll
WININET.dll
InternetOpenA
t$t#t$l
D$t#D$h
D$t+D$\
.)D$H+
s`)L$4
D$t+D$\
9l$\w`
Md]Bome
Md]Bome
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>