Sample details: 6d76db02b11ef59a92c392e22051750e

Hashes
MD5: 6d76db02b11ef59a92c392e22051750e
SHA1: c2278ba85801eca4ac3be8a3805bd286532e1048
SHA256: 007f8f2dabe1b10e20a35af7acfce8b941d28635ab17df59540a5ed6f50467a4
SSDEEP: 384:TS/hyWy8Fb93feeVe7oM09PyjbAd/XIQWT1jjFsPhC1fDSbcvY:Teyq3GjA98bsGBCPhC1f
Details
File Type: PE32
YARA Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Borland_Delphi_30_additional | YRP/Borland_Delphi_30_ | YRP/Borland_Delphi_v40_v50 | YRP/Borland_Delphi_v30 | YRP/Borland_Delphi_DLL | YRP/IsPE32 | YRP/IsDLL | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/DebuggerCheck__QueryInfo | YRP/anti_dbg | YRP/BASE64_table | FlorianRoth/DragonFly_APT_Sep17_3 |
Source
http://wuenschejetzterfuellen.com/Plugins/http.dll
http://wuenschejetzterfuellen.com/Plugins/http.dll
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
t+Ft(Vj@
AA<=u	
VWjhj@
Ht)Hu_
P4+V4t
<\u_G;
<a|*<f
},"plugin_
User-Agent
Max-Forwards
Mozilla/4.0 (IE 11.0; Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Mozilla/4.0 (IE 11.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/2.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; Ant.com Toolbar 1.6; MSIECrawler)
Mozilla/2.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 Iceweasel/35.0a2
Mozilla/3.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-4)
Mozilla/3.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko/20100402 Iceweasel/3.6.3 (like Firefox/3.6.3) GTB7.0
Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
User-Agent: 
Max-Forwards: 
connect
socket
closesocket
gethostbyname
WSAStartup
inet_addr
inet_pton
Transfer-Encoding: 
Content-Length: 
chunked
 HTTP/1.1
Host: 
Cookie: 
Connection: 
keep-alive
aegislabs
agnitum
ahnlab
alibaba
antiy-avl
avast!
arcabit
antivir
avware
bitdefender
bytehero
quick heal
zonealarm
clamav
comodo
crowdstrike
endgame
emsisoft
fortinet
f-prot
the hacker
virobot
ikarus
invincea
nprotect
f4cky0ukasperskyyouwillnevergetfr3shsampleofthisbl4cken3rgy
jiangmin
k7antivirus
kingsoft
ad-aware
malwarebytes
mcafee
panda platinum
qihoo 360
rising
sentinelone
sophos
superantispyware
symantec
tencent
totaldefense
kaspersky
trendmicro
trustlook
zillya
webroot
whitearmor
/Panel/callback.php
185.177.59.179
n1ghtly
@USAVAWH
D8!t4H
hA_A^[]
NtFreeVirtualMemory
RtlExpandEnvironmentStrings_U
NtProtectVirtualMemory
RtlEnterCriticalSection
NtWriteFile
LdrUnloadDll
NtQuerySystemInformation
LdrGetProcedureAddress
NtQueryInformationProcess
NtUnmapViewOfSection
NtWaitForSingleObject
NtQueryVolumeInformationFile
NtCreateFile
NtClose
NtDelayExecution
RtlLeaveCriticalSection
LdrLoadDll
NtOpenFile
RtlInitializeCriticalSection
RtlDosPathNameToNtPathName_U
ntdll.dll
GlobalSize
IsBadReadPtr
GlobalAlloc
IsDBCSLeadByte
VirtualAlloc
GlobalFree
GlobalReAlloc
KERNEL32.dll
MessageBoxA
wsprintfW
wsprintfA
USER32.dll
IsDebuggerPresent
IsProcessorFeaturePresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
memcpy
memset
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0f
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
3 393C3
0(101:1N1X1b1
<(=I=u=
1X2\2`2
3\5`5d5h5l5p5t5x506
> >'>1>8>B>i>x>
2&3i3x3
4*444Z4i4u4
6I6X6f6s6#7m7
9!9&9b9
9N:S:Y:
<6=;=A=
3/3P3U325O5
:,:3:F:~:
;);9;I;R;
<'<,<9<G<N<[<d<l<r<x<
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1