Sample details: 6cba5adecbce7977518548e6c69e690e --

Hashes
MD5: 6cba5adecbce7977518548e6c69e690e
SHA1: 6d33d56052ddc723961953a17cfe9e14db10ab53
SHA256: 257f0002eee2d536caefe7a128ffbfe56894575c2e332bcf3783aefa416f7285
SSDEEP: 6144:SafsiuvAQ+tTm6cyERSiytj71cWE4jKS6v:vCvAQ+q6ctRt636WfjO
Details
File Type: PE32
Yara Hits
YRP/MingWin32_GCC_3x | YRP/MingWin32_v_h_additional | YRP/MinGW_GCC_3x_additional | YRP/MinGW_GCC_3x | YRP/MingWin32_GCC_3x_additional | YRP/MingWin32_v_h | YRP/MingWin32_v | YRP/MinGWGCC3x | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasModified_DOS_Message | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/Browsers | YRP/Dropper_Strings | YRP/network_tcp_listen | YRP/network_tcp_socket | YRP/network_dns | YRP/network_dga | YRP/screenshot | YRP/keylogger | YRP/cred_local | YRP/cred_ff | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Advapi_Hash_API | YRP/CRC32_poly_Constant | YRP/CRC32_table | YRP/MD5_Constants | YRP/RIPEMD160_Constants | YRP/SHA1_Constants | YRP/SHA512_Constants | YRP/BASE64_table | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library |
Strings
		!This progrPE
.idata
vswbqva
,0<	wKj
XZWUVS
D$LPRS
D$dPRS
^t=Ju	
_][^_]
@t%kD$
^_[^_]
Y;u<s"
U$WjAS
U$WjES
U$WjBS
U$WjFS
UWVSVV
_u&Sh!
_uUSho
~,[^_]
F<9F8uCVh
t$$hh)
;|$ }4
l$(MxF
L$49L$
+D$49D$
$[[^_]
UWVSQQ
UWVSVV
Y9D$ ~:
X;\$ }&
|$X(tM
BX;D$d
l$Xj@j6
UWVSUU
^_[^_]
SPPj$j
ZY[^_]
L$<#L$8
D$4#D$H3D$(1
D$D#\$4!
L$H#L$D
D$<#D$8
D$<#D$43D$$1
D$@#D$81
L$8#L$4!
D$h1D$x
T$h1t$t
1L$P1\$L
T$T9L$H
D$`1D$X
t$`1\$`1D$`
\$X1T$\
T$L1D$L
D$`1D$X1T$T
\$\1D$\
D$X1t$`
t$X1L$\
T$D9L$X
L$\1T$X
L$L1D$L
L$\1L$T
t$`1T$`
L$\1|$`1D$\
D$`1\$\
T$L1D$L
D$`1D$X
1\$X1T$T
\$\1t$`
t$X1D$\
t$`1L$\
T$D9L$X
L$\1T$X
t$P1D$L
t$`1t$X
L$\1t$`
T$T1D$\1
1|$`1\$\
T$`1T$X
\$L1t$P
t$P1D$L
t$\1\$\
\$@1\$`1L$\
L$\1T$X
L$L1D$L
L$\1L$T
\$`1T$`
L$\1|$`1D$\
D$`1t$\
T$L1D$L
D$`1D$X
t$X1D$`1
T$T1\$`
\$X1L$\
t$Tj@j6
UWVSPP
^_[^_]
;t$ }c
;D$$uB
;D$,~Nf
Y[[^_]
C 9C(|9
_^[^_]
u*h\LA
UWVSQQ
_][^_]
\$(j`j
|$,.u 
|$,.u 
Y@t	SF
D$0f=k
+\$(+T$,
CT9CP|
UWVSU1
UWVSWW
9,$sgj
UWVSQQ
XZ[^_]
kD$hPP
D$lPRh
t$ VSh
<.t|<*
\$(u"hV
UWVSSS
_]^[^_]
T$ +D$
UWVSUU
Shh@	D
C`9Cxs
N`9Nxs:
UWVSSS
ZY[^_]
$[[^_]
$Z[^_]
GD[^_]
GH[^_]
UWVSPP
sg;D$ 
C,Y[[^
$;^<}5
$Y[^_]
sD;{<})
\$$;k<
D$$HPV
B 9C0uB1
C<9C4}3
<$9{4|
D$(9D$,
wD;G<}h
UWVSQQ
XZ[^_]
UWVSWW
[^[^_]
C$9C<t
wD;_<}7
UWVSPP
C$]X[^_]
FDX[^_]
UWVSSS
UWVSPP
$Z[^_]
F$[^_]
U9l$ ~7
D$ 9D$
L$ 9L$
D$ 9D$
R$9T$$
L$$;N$
|$(9|$,
T$(9T$,
D$d9l$x
T$p9D$x
D$$+D$
)L$()D$(
D$|;F$
D$$)T$$
Ip+l$0
D$4iD$0Tb
L$0)L$(
B`)L$ 
D$4iD$0Tb
9F\|J1
D$$;X$
;t$ sc
T$49T$
D$49D$
;|$0}I
D$@9D$
D$L9D$
L$L9L$
L$T9L$
D$(9T$
;~d}'U
;T$ }(1
D$0;Fd
;t$ }P
0;\$d}
0;\$`}
0;\$\}
L$<F;t$T
\$<9\$(
L$<9L$(
D$89D$
T$89T$
tBkD$$
T$`9T$X
;T$X}>
D$`9D$X
T$X9T$\
t$0;t$,
UWVSQQ
XZ[^_]
T$4+t$(
L$D9t$@v
T$4+t$(
L$D9D$@v
@;L$@|
\$`K9\$p
T$(9T$,
E;D$`t:
T$(9T$,
|$h9t1
D$09D$4
{Backspace}
{Clear}
{Return}
{Shift}
{Ctrl}
{Pause}
{CapsLock}
{PageUp}
{PageDown}
{Home}
{Left}
{Right}
{Down}
{Select}
{Print}
{Execute}
{Snapshot}
{Insert}
{Delete}
{Help}
{WinLeft}
{WinRight}
{AppKey}
{Sleep}
{Separator}
{LShift}
{RShift}
{LCtrl}
{RCtrl}
{LMenu}
{RMenu}
yel~}kxovgCIXEYEL^v}CDNE]Yvi_XXOD^|OXYCEDvx_D*
Qkkbal
OABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
T%lu 0 %lu 0
C%04o %s 
D%04o 0 
%ld %*d %ld %*d
%o %s %n
-pgpfp
-batch
-unsafe
scp%s%s%s%s -t %s
scp%s%s%s%s -f %s
putfile %s %s
87.98.185.184
pscp|%s|%s:%s
Last error: %d
connect %host %port\n
User aborted at host key verification
too much data sent
1.2.18
1.2.19
1.2.20
1.2.21
1.2.22
Cisco-1.25
OSU_1.4alpha3
OSU_1.5alpha4
* VShell
2.1.0*
2.2.0*
2.3.0*
2.0.0*
2.0.10*
OpenSSH_2.[5-9]*
OpenSSH_3.[0-2]*
OpenSSH_2.[0-2]*
DigiSSH_2.0
OpenSSH_2.[0-4]*
OpenSSH_2.5.[0-3]*
Sun_SSH_1.0
Sun_SSH_1.0.1
WeOnlyDo-*
SSH-2.0-%s
All channels closed
<unknown reason code>
Administratively prohibited
Connect failed
Unknown channel type
Resource shortage
Received channel request for nonexistent channel %d
exit-status
exit-signal
 "%.*s"
 ("%.*s")
forwarded-tcpip
auth-agent@openssh.com
window-change
at user request
signal
ssh-userauth
ssh-connection
publickey
password
keyboard-interactive
SSH password
%.90s@%.90s's password: 
New SSH password
direct-tcpip
0.0.0.0
session
Unable to authenticate
subsystem
timeout
too much data received
timeout shortened
data limit lowered
compression setting changed
cipher settings changed
IGNORE message
Repeat key exchange
SIGINT (Interrupt)
SIGTERM (Terminate)
SIGKILL (Kill)
SIGQUIT (Quit)
SIGHUP (Hangup)
More signals
SIGABRT
SIGALRM
SIGFPE
SIGILL
SIGPIPE
SIGSEGV
SIGUSR1
SIGUSR2
arcfour256
Arcfour-256
arcfour128
Arcfour-128
Qkkbal
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha1
group14
diffie-hellman-group1-sha1
group1
ssh-dss
0123456789abcdef
ssh-dss
ssh-dss %d 
%s%02x
DSA deterministic k generator
hmac-md5
HMAC-MD5
ssh-rsa
RSA deterministic blinding
0123456789abcdef
%s%02x
ssh-rsa
ssh-rsa %d 
SHA-256
AQLwH'
XGJhmac-sha1-96
bug-compatible HMAC-SHA1-96
hmac-sha1
bug-compatible HMAC-SHA1
HMAC-SHA1-96
HMAC-SHA1
zlib (RFC1950)
expected ']' to close character class
'' occurred at end of string (expected another character)
character range was not terminated (']' just after '-')
INTERNAL ERROR: unrecognised wildcard error number
Cannot get standard input/output handles
SerialLine
WS2_32.DLL
WSOCK32.DLL
WSAAsyncSelect
WSAEventSelect
select
WSAGetLastError
WSAEnumNetworkEvents
WSAStartup
WSACleanup
closesocket
gethostbyname
getservbyname
inet_addr
inet_ntoa
connect
setsockopt
socket
listen
ioctlsocket
accept
WSAIoctl
Network is down
Host does not exist
Host not found
gethostbyname: unknown error
localhost
unix sockets not supported on this platform
Pageant
PageantRequest%08x
Network is down
WSAEventSelect(): unknown error
SHELL32.DLL
SHGetFolderPathA
\PUTTY.RND
HOMEDRIVE
HOMEPATH
-telnet
-rlogin
-agent
-pagent
-pageant
-noagent
-nopagent
-nopageant
gd-jpeg: warning: jpeg_start_decompress reports suspended data source
DEBUG;%s;%s
Software\Microsoft\Windows\CurrentVersion\Run
PROGRAMFILES
SYSTEMDRIVE
ALLUSERSPROFILE
USERPROFILE
APPDATA
%s\win
%s\msn.exe
RegK not written
%s-%s-%X
-batch
apo@%s
msnAPOv52552009
%d/%m/%Y %H:%M:%S> 
/ecoute/spool/%s-%lu
%s\iosystem.dll
%s%s\*
%s%s\%s
%s\%d_%lu_%s
%s\%d_*
/%s/%s
DIRTHUMB;%s
%s\%lu
%s%s\*
<d n="%s">
<f n="%s" s="%lu" d="%d-%d-%d"/>
%s\list
<?xml version="1.0" encoding="ISO-8859-15" ?>
<files>
</files>
/list/
%s%s%s
SPD;%u;%s
WND;%s;%s
87.98.185.184
%c|%s|%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s\msn_%lu.exe
T%d.%d;%s;%s
CMPT;%s;%s;%s;%s;%s
%s\apoScreen%lu.dll
/cap/%s%lu.jpg
/list/%s/
advapi32.dll
CredEnumerateA
CredFree
WindowsLive:name=*
MSN;%s;%s;%s
HOLD;%s
%d|%s|%lu|%d-%d-%d
;%d|%s|%lu|%d-%d-%d
INFO;%u;%u;%u;%d;%d;%d;%d;%d;%d;%d;%s
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
DigitalProductId
KEY;%s;%s
%s%2.2X
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
visited:
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
Mozilla\Firefox
Userenv
GetUserProfileDirectoryA
APPDATA
\profiles.ini
name=default
%s\%s\%s\
SOFTWARE\Mozilla\Mozilla Firefox
CurrentVersion
mozcrt19.dll
nspr4.dll
plds4.dll
plc4.dll
nssutil3.dll
mozsqlite3.dll
sqlite3.dll
sqlite3_open
sqlite3_exec
sqlite3_close
softokn3.dll
nss3.dll
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_CheckUserPassword
PR_Free
PL_Base64Decode
signons.txt
signons2.txt
signons3.txt
signons.sqlite
SELECT hostname, encryptedUsername, encryptedPassword, encType FROM moz_logins
%s%s\%s.exe
%s%s\*
bad pack level
to-stdout
stdout
no-name
suffix
no-time
can't recover suffix
internal error in shorten_name
%s: incorrect suffix '%s'
%s: %s: cannot %scompress onto itself
%s: %s and %s are the same file
%s: %s already exists;
 do you wish to overwrite (y or n)? 
	not overwritten
%s: %s: %s
%s: unexpected end of file
out of memory
argc<=0
Bogus message code %d
Ss=%d Se=%d Ah=%d Al=%d
0x%02x
0x%02x 0x%02x
Copyright (C) 1998, Thomas G. Lane
6b  27-Mar-1998
%d,0x%04x 0x%04x,%d
0x%02x: 0x%02x
%3d %3d %3d %3d %3d %3d %3d %3d
%d.%02d,%dx%d%d
0x%02x,%u
%d x %d
%4u %4u %4u %4u %4u %4u %4u %4u
%d %d*%d*%d
0x%02x,%d
0x%02x,%u,%u,%d
%d: %dhx%dv q=%d
%d %d %d
  Ss=%d, Se=%d, Ah=%d, Al=%d
%u 0x%02x
%d.%02d
0x%02x %d
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
JPEGMEM
BKbhTb~XBK!;
BKbhTb~XBK!;
mingwm10.dll
__mingwthr_remove_key_dtor
__mingwthr_key_dtor
Mingw runtime failure:
  VirtualQuery failed for %d bytes at address %p
  Unknown pseudo relocation bit size %d.
  Unknown pseudo relocation protocol version %d.
POSIXLY_CORRECT
%s: unrecognised option `-%s'
%s: option `%s' is ambiguous
option `%s%s' doesn't accept an argument
%s: invalid option -- %c
%s: unrecognised option `%s'
option `%s%s' requires an argument
%s: option requires an argument -- %c
PRINTF_EXPONENT_DIGITS
(null)
Infinity
_chmod
_close
_fstat
_isatty
_mkdir
_strdup
_strrev
_unlink
_utime
_write
__getmainargs
__lc_codepage
__mb_cur_max
__p__environ
__p__fmode
__set_app_type
_cexit
_errno
_filbuf
_flsbuf
_isctype
_onexit
_pctype
_setjmp
_setmode
_stricmp
_vsnprintf
_winmajor
atexit
calloc
fclose
fflush
fprintf
fwrite
getenv
localeconv
localtime
longjmp
malloc
mbstowcs
memcmp
memcpy
memmove
memset
perror
printf
realloc
remove
setlocale
signal
sprintf
sscanf
strcat
strchr
strcmp
strcpy
strcspn
strftime
strlen
strncmp
strncpy
strrchr
strspn
strstr
strtol
strtoul
vfprintf
wcslen
wcstombs
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseContext
GetUserNameA
InitializeSecurityDescriptor
OpenProcessToken
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorSacl
CryptUnprotectData
FindCloseUrlCache
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
WSAStartup
closesocket
connect
inet_addr
socket
BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
DeleteObject
GetDIBits
GetDeviceCaps
GetObjectA
SelectObject
CloseHandle
CopyFileA
CreateDirectoryA
CreateEventA
CreateFileA
CreateFileMappingA
CreateMutexA
CreateThread
DeleteCriticalSection
EnterCriticalSection
ExitProcess
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetComputerNameA
GetConsoleMode
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDriveTypeA
GetEnvironmentVariableA
GetFileAttributesA
GetFileSize
GetFileTime
GetLastError
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
GetOverlappedResult
GetProcAddress
GetProcessTimes
GetStartupInfoA
GetStdHandle
GetSystemInfo
GetSystemTime
GetSystemTimeAdjustment
GetTempPathA
GetThreadTimes
GetTickCount
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
GlobalMemoryStatus
InitializeCriticalSection
InterlockedExchange
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
LocalFree
MapViewOfFile
MultiByteToWideChar
QueryPerformanceCounter
ReadFile
SetConsoleMode
SetEvent
SetFileAttributesA
SetFilePointer
SetFileTime
SetLastError
SetUnhandledExceptionFilter
TlsGetValue
UnmapViewOfFile
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteFile
lstrcpyA
lstrlenA
lstrlenW
ShellExecuteA
ShellExecuteExA
FindWindowA
GetAsyncKeyState
GetCapture
GetClipboardOwner
GetCursorPos
GetForegroundWindow
GetMessageA
GetQueueStatus
GetWindowTextA
GetWindowTextLengthA
ReleaseDC
SendMessageA
wsprintfA
msvcrt.dll
msvcrt.dll
ADVAPI32.DLL
CRYPT32.DLL
WININET.DLL
WS2_32.dll
GDI32.dll
KERNEL32.dll
SHELL32.DLL
USER32.dll
wwwwj!$DD 
bQXX\{y7
`QYYYY
aTYZZZZZ
cUZZ[[[[[[
<?@GGGGGG8
fZ[[[[[[[[[\
9GGGHHHHH:
[[[[\\\\\\\\
HHHIIIIJ;
\\\\\\\\\\\\
IJJJJJJK;
\\\\\\
JKKKKKKLA
KLLLLLLLA
LLLLMMMMB
MMMMMMMME
EMMMNNNNNE2
NNNNOOOOOF2
OOOOORRRRF5
RRRRRVVVWQ6
VWWWWWWW|S
WW|||||||S
ULPPP`
WPRRRRR
02;;;;
RRRR____a
,<<<==
_____ggg
->>>??
gggghhhh
.@@@@A1
hhhhssss
/ABBCC3
sssttuuui
7DDDDE4
uuvvvvvwp
	EGGGHH5
vwwxxxx
HIIMMJ6
yyyyyz
JNNQQ]8
]^^^^e9
eeffff:
fjjklmc|
UWP[$	995B
f]]V_>
had^`ZLJOK?
iggcYRRNSSQ
jb^XXXY\_e
@P  PzX
IR5*a@@%
t*1X{>
/squ=WO
ssD5Xd
om7kiF
CdI(mgW
ihosO4+
[4W!z0d
xaN{ir
<}cEQp
/b]~in
BG[{v}
(`J45<
th#ZD[T
z}wJAg3
TeHq50
SI@f	1
^gml{i~
e3[+!]+
KSLj"q X
DhT]@U
e7N/z{
$`M4j@
	 Pc$`
;M`({)
0:07	 
p6rgF '
F3&e2i
#_^^0k
Nl&48A
PL.@f}
?W%0llip
b2P]%'
(@>s	F-
8ZvB8 
vzF_z6`8
?wkL y
wf,$O.
lhMDcqt?
`vafRQ
pRp9S1