Sample details: 7501eed13d381e4816dd46906fbf2b9a

Hashes
MD5: 7501eed13d381e4816dd46906fbf2b9a
SHA1: 98396b101bbeb7a6fc615838415ab37aaba3e595
SHA256: c324f83648180979c9f45599a9383e29d6bbbb8671fe5c086e8bfe6811c9bae8
SSDEEP: 3072:teqA3WZkushrKFg7BuqCGFMD2qHUj5IcfFxoRUNZTxs83VrpO:tJA0DYl1upDxHUj5IcQUfxLrk
Details
File Type: MS-DOS
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Borland_Delphi_30_additional | YRP/Borland_Delphi_30_ | YRP/Borland_Delphi_v40_v50 | YRP/Borland_Delphi_v30 | YRP/Borland_Delphi_DLL | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasModified_DOS_Message | YRP/maldoc_find_kernel32_base_method_1 | YRP/domain | YRP/url | YRP/contentis_base64 | YRP/DebuggerCheck__QueryInfo | YRP/ThreadControl__Context | YRP/inject_thread | YRP/network_http | YRP/network_dns | YRP/network_dga | YRP/escalate_priv | YRP/screenshot | YRP/keylogger | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Advapi_Hash_API | YRP/CRC32_poly_Constant | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/Str_Win32_Http_API
Source
http://89.38.132.142/~quarkexpress/zbot/bot.exe
Strings
		`.data
.reloc
http://www.google.com/webhp
!UWm6u6J
IMB%E'R,G.R
gdiplus.dll
GdiplusStartup
GdiplusShutdown
GdipCreateBitmapFromHBITMAP
GdipDisposeImage
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipSaveImageToStream
ole32.dll
CreateStreamOnHGlobal
gdi32.dll
CreateDCW
CreateCompatibleDC
CreateCompatibleBitmap
GetDeviceCaps
SelectObject
BitBlt
DeleteObject
DeleteDC
PR_GetNameForIdentity
PR_SetError
PR_GetError
HTTP/1.1
Content-Length
http://
NSS layer
https://
Referer
Content-Type
Authorization
HTTP/1.
Transfer-Encoding
chunked
Connection
Proxy-Connection
identity
Accept-Encoding
If-Modified-Since
GetProcAddress
LoadLibraryA
NtCreateThread
NtCreateUserProcess
NtQueryInformationProcess
RtlUserThreadStart
LdrLoadDll
LdrGetDllHandle
0x90C9F46A
PR_OpenTCPSocket
PR_Close
PR_Read
PR_Write
RFB 003.003
|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq
IsWow64Process
userenv.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
del "%s"
if exist "%s" goto d
@echo off
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
Connection: close
urlmon.dll
ObtainUserAgentString
cabinet.dll
FCICreate
FCIAddFile
FCIFlushCabinet
FCIDestroy
bcdfghklmnpqrstvwxz
aeiouy
script
Basic 
9;?*<%
%'/#')	'=%"6,6<
]_[X{j~tWpesRho`t
W{vycwyDiu}m|jTx
<!+8<+;-;+
,:4/**
{kckhxz
dsdv~z`?{gy
drcill/ewk
{~ma|os%a}c
51--9k
|F@DB[A
BONODJC
;2>#9"?5,3%
;/&#;+
lk~hBzs
bxc~tmrdVon~
^YLZpMH^WQ~GBR
G@UCiRLPYNL\
LK^HbPPY^VU
KLYOe_]JBE[L
BVyTE@P@DrOKL
HD\vLLsLFG
a|S~b~|mipj
TSG@@n
A~qcbQ@E
Xuk}YJM
5456811!
yjm6xutuvxqqa8
?vcuvdp>
`_[gpb
' 5#8690
8&8?"8#-%3
\ZEC^P_V
%*89%!n!":9'-;
.15)>,
|zec~p
*,?24.
@DBFD9
;?)=?3+
>#):>)9/9#
KFDEINZFOOQ
xS]NR}`i
<8.::22;5#
tUBVzdJEL
EX\	AA
PKq&\^
0! +2,;by
8o^}zwnta4yw|u)2(
K$ejci>'#r
()<*#"
tWTYD^Gms]R[
Szon{|}Xut{`|g
c\XS_FA
pMGTPGWAwg@K]A^CUFmg^XQ[LI
ZYZWJPIG
_RWVWD_G\
vMOVRST
tHC@PGD
{MHC]EJ@US
|CGL@Y^
t@GRJP]QJN
>?&0%$
>>?).:&''e
#[PQV&
+,-kbonh1aizKM16?)
),::up1">!$1'
X\H\[Y]
y~k}Wyxnb-$ieuulnv0|wvqrq;ux
z{vnHFN^@EY
/)IN[MgIH^R
GBXDR/4`,$,+9
/55&,+3p<76121&t{p73?
ma}j!2
qvcu_qpfz5<l}zoi}ao9gp`}s^[ME@^tMKUBCTPF
NVPOfUUWP
WS_?(gtEC
[u=\ys}ss~|4Mvr~g9
kHKL^[
hL@OEOIC
R\\PKUIK>:
$44-*$
':*>#7'p
3# <4<+
*+ #,;
>20913
hU_LH_OYo
XSEYF[M^uaAZH^MGU
b^UHth|jCNuu`zx~pP|x
Agqcb7Dt}~
J]]NBJQK@AUWPR
^VZYSQQ
v6!!2>6-7<=)+,.{f27 8%)$+rnh
vfexzqpdvqs3c7nop+ckqo,u}bhbhemmS
^FOC:!'P
p]_DRXA
[%=9;; 8S
#MFZYU%
{u4pn~km:99n<?gnvl$a
ao*ntd}{PSW
D$JPVh
D$ %Z@
D$$a[@
tv!\$0j
SSSh82@
=TSEWt
t%WWWW
t6f97t1j
D$0PWWj!W
9t$0t5
9\$|u&
8SWjHj
St6hh3@
L$<PQV
H4;H0u
u|Pj<Z
t%h<4@
D$6@uFj
EhPh`c
ELPSVS
Eo8]ot_j
W8D$ t
QQSVWh
Qj<ZRj
~ !r-j
 @;F(r
D$<9D$0
D$PPVV
PWWj%W
tajDZRW
D$LPWW
GAHt8Ht HHt
f;GHsJ
A8MvuJ
N;c'5	
\u)SPW
-)Ms_S
t	A;L$
t	A;L$
u	j\Xf
WtRj V
PSSSQS
w@jDZRj
F,;F8u
@,9H,u
@09H0u
@49H4u
K@;KHv
H4;H8s
L$|9|$
s(;L$<t"
9D$0vh=
L$4+L$
t"9=@2B
N(hx8@
VPhQXA
SSSh<4@
PSSj$S
<Sj<ZR3
t@<	t<<&u-
vzhL9@
>DAVEWu1h
tQf9:tL
tBSVWj
t4SSSS
f;t$rt
,;D$$u
D$DPWWj
D$PPh~f
0t$Iuj
D$pPVSj
f98tz;
tvf9;tq
t$ 9t$
D$ ;D$
EDjwXf
f9;t|9}
t)hxK@
E#+E/^ZY
TlsGetValue
WaitForSingleObject
SetEvent
GetCurrentThread
TlsSetValue
TerminateProcess
SetThreadPriority
ResetEvent
MoveFileExW
GetTickCount
GetFileAttributesW
GetModuleFileNameW
lstrcmpiW
GetUserDefaultUILanguage
CreateRemoteThread
OpenProcess
VirtualFreeEx
Process32FirstW
Process32NextW
CreateToolhelp32Snapshot
CloseHandle
GetThreadContext
SetThreadContext
InitializeCriticalSection
LeaveCriticalSection
VirtualAlloc
EnterCriticalSection
GetProcessId
GetFileAttributesExW
FreeLibrary
GetProcAddress
LoadLibraryA
GetLastError
SetLastError
CreateEventW
GetModuleHandleW
GetPrivateProfileStringW
WriteFile
CreateFileW
FlushFileBuffers
GetPrivateProfileIntW
ExitProcess
GetCommandLineW
SetErrorMode
GetComputerNameW
VirtualFree
GetVersionExW
WaitForMultipleObjects
OpenEventW
DuplicateHandle
GetCurrentProcessId
LocalFree
WriteProcessMemory
GetCurrentThreadId
ReleaseMutex
GetLocalTime
GetSystemTime
CreateThread
GlobalLock
GlobalUnlock
lstrcmpiA
CreateMutexW
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
TlsAlloc
TlsFree
GetNativeSystemInfo
CreateDirectoryW
LoadLibraryW
WTSGetActiveConsoleSessionId
SetFileAttributesW
GetEnvironmentVariableW
FileTimeToDosDateTime
GetTempFileNameW
HeapReAlloc
FindFirstFileW
SetEndOfFile
CreateProcessW
HeapAlloc
SystemTimeToFileTime
SetFilePointerEx
HeapFree
GetProcessHeap
IsBadReadPtr
SetFileTime
VirtualQueryEx
Thread32First
WideCharToMultiByte
ReadProcessMemory
HeapDestroy
HeapCreate
Thread32Next
ReadFile
GetTimeZoneInformation
MultiByteToWideChar
GetTempPathW
GetFileSizeEx
OpenMutexW
VirtualProtectEx
VirtualAllocEx
FindClose
RemoveDirectoryW
FindNextFileW
VirtualProtect
GetFileTime
FileTimeToLocalFileTime
GetVolumeNameForVolumeMountPointW
DeleteFileW
GetFileInformationByHandle
ExpandEnvironmentStringsW
KERNEL32.dll
IsRectEmpty
DefWindowProcW
SendMessageW
PrintWindow
EqualRect
PostThreadMessageW
ReleaseDC
GetDCEx
IntersectRect
GetUpdateRect
BeginPaint
DrawEdge
GetWindowInfo
PostMessageW
FillRect
GetWindowDC
GetMessageW
GetUpdateRgn
EndPaint
GetCursorPos
GetIconInfo
DrawIcon
ExitWindowsEx
RegisterClassA
DefFrameProcW
GetMessagePos
CallWindowProcW
CallWindowProcA
RegisterClassW
ReleaseCapture
DefMDIChildProcA
DefDlgProcA
SwitchDesktop
DefMDIChildProcW
DefWindowProcA
PeekMessageA
PeekMessageW
GetClipboardData
SetCursorPos
RegisterClassExW
TranslateMessage
GetCapture
OpenInputDesktop
DefFrameProcA
DefDlgProcW
SetCapture
RegisterClassExA
GetMessageA
GetWindowThreadProcessId
MapWindowPoints
IsWindow
SendMessageTimeoutW
SetWindowPos
GetAncestor
GetWindowLongW
GetClassLongW
GetParent
GetWindowRect
ToUnicode
GetKeyboardState
CharLowerBuffA
GetSystemMetrics
MapVirtualKeyW
GetShellWindow
EndMenu
GetUserObjectInformationW
HiliteMenuItem
GetMenuItemCount
GetMenuState
GetClassNameW
SystemParametersInfoW
TrackPopupMenuEx
GetMenuItemRect
GetMenu
MenuItemFromPoint
OpenDesktopW
GetSubMenu
SetKeyboardState
GetMenuItemID
GetThreadDesktop
RegisterWindowMessageW
OpenWindowStationW
SetThreadDesktop
CloseDesktop
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
CreateDesktopW
CharToOemW
DispatchMessageW
GetWindow
SetWindowLongW
CharUpperW
CharLowerA
WindowFromPoint
MsgWaitForMultipleObjects
LoadImageW
GetTopWindow
CharLowerW
USER32.dll
GetLengthSid
IsWellKnownSid
ConvertSidToStringSidW
EqualSid
CryptGetHashParam
OpenProcessToken
GetSidSubAuthority
CryptAcquireContextW
OpenThreadToken
GetSidSubAuthorityCount
GetTokenInformation
RegCreateKeyExW
CryptReleaseContext
RegQueryValueExW
CreateProcessAsUserW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetNamedSecurityInfoW
LookupPrivilegeValueW
CryptCreateHash
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegOpenKeyExW
GetSecurityDescriptorSacl
SetSecurityDescriptorSacl
CryptDestroyHash
AdjustTokenPrivileges
RegCloseKey
RegSetValueExW
CryptHashData
RegEnumKeyExW
InitiateSystemShutdownExW
ADVAPI32.dll
PathRemoveFileSpecW
PathRenameExtensionW
PathRemoveBackslashW
StrCmpNIW
UrlUnescapeA
wvnsprintfW
PathIsDirectoryW
PathFindFileNameW
PathAddBackslashW
SHDeleteValueW
PathSkipRootW
SHDeleteKeyW
PathCombineW
PathAddExtensionW
PathUnquoteSpacesW
PathMatchSpecW
StrCmpNIA
wvnsprintfA
PathQuoteSpacesW
StrStrIA
StrStrIW
PathIsURLW
SHLWAPI.dll
SHGetFolderPathW
CommandLineToArgvW
ShellExecuteW
SHELL32.dll
GetUserNameExW
Secur32.dll
CoCreateInstance
CoUninitialize
CLSIDFromString
StringFromGUID2
CoInitializeEx
ole32.dll
RestoreDC
SaveDC
CreateCompatibleDC
SetRectRgn
SelectObject
DeleteObject
GdiFlush
DeleteDC
SetViewportOrgEx
CreateCompatibleBitmap
GetDeviceCaps
GetDIBits
CreateDIBSection
GDI32.dll
WSASend
freeaddrinfo
getaddrinfo
WSAAddressToStringW
WSAIoctl
WSAEventSelect
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CryptUnprotectData
CRYPT32.dll
InternetCloseHandle
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFileExA
InternetReadFile
HttpSendRequestW
GetUrlCacheEntryInfoW
InternetSetStatusCallbackW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpSendRequestA
InternetConnectA
InternetCrackUrlA
HttpOpenRequestA
InternetOpenA
InternetQueryOptionW
InternetSetOptionA
InternetQueryOptionA
WININET.dll
OLEAUT32.dll
NetUserGetInfo
NetApiBufferFree
NetUserEnum
NETAPI32.dll
,646<6D6L6T6\6d6l6t6|6
7$7,747<7D7L7T7\7d7l7t7|7
8$8,848<8D8L8T8\8d8l8t8|8
9$9,949<9D9L9T9\9d9l9t9|9
:$:,:4:<:D:L:T:\:d:l:t:|:
;$;,;4;<;D;L;T;\;d;l;t;|;
<$<,<4<<<D<L<T<\<d<l<t<|<
=$=,=4=<=D=L=T=\=d=l=t=|=
>8>D>P>\>h>t>
=*>6>@>P>[>v>
?1?S?g?m?
03090x0
151;1S1]1t1z1
1,2<2N2c2r2
4'424>4
50D0]0
4'4>4g4
6$6@6z6
7 7H7^7g7
8	8=8Y8y8
9R9Y9o9v9
>1>@>I>O>
0O1V1q1x1
1)262Z2i2o2z2
2$303;3R3Z3`3f3l3:4G7d758<8P8]8d8}8
<&=m=t=
=*>1>Q>p>
7=7B7O7e7q7
7%8Y8e8
:!;2;8;
< <'<-<2<9<?<D<K<
272D3Z3a3n3
4-4:4n4
7 7b7q7
7&828J8V8
9 939N9_9
:6:>:C:k:
;H;x;};
=2=A=P=d=w=
>">?>L>d>j>r>{>
?0?e?k?q?}?
1"1'1.14191@1F1N1V1^1x1}1
2 2%2+2:2M2R2X2
4+4Y4f4s4y4
657P7~7
8"9-9S9_9k9w9
;<<B<S<Y<
<*=0=X=_=i=
=O>U>k>z>
0H1R1V1]1c1g1l1q1v1{1
2 2%2*2/24292>2C2H2M2R2W2\2a2f2k2p2u2z2
3 3%3*3/34393>3C3H3M3R3W3\3a3f3k3s3
3-444N4V4v4
4&555K5T5x5
<,<2<L<Z<s<y<
="=(=>=Q=Z=`=s=y=
4B8R8X8b8
1$151;1
2 2>2T2[2|2
3F4N4g4
5%595D5X5]5c5p5w5
6L6R6Y6l6
777K7o7
8%8Q9X9
93:=:X:
4+5K5g5p5
6E6[8v8
=">@>g>
?a?q?~?
0;0f0|0
202F2^2
4)4r4z4	5
575G5W5m5
616Q6j6p6v6|6
767D7Z7|7
8,8Q8_8u8
9&949J9o9}9
;3<F<W<
1/1Q1q1
152a2}2
5(575A5l5
:!;?;{;
;&<,<7<=<Z<`<r<x<
</>L>S>\>j>q>y>
>=?U?q?
.0Q0`0
323=3[3b3t3
3	484O4z4
5-5V5l5
5N6[6}6
7Z8j8{8
;+;F;f;y;
<==d=n=
0*010k0
1'2U2x2
3;3R3a3s3
4)4V4\4m4x4X5^5r5x5
9-9l9w9}9
:':/:5:;:A:
> ?:?I?b?
 010:0r0{0#1t1
1E2O2^2m2z2
8%9K9l9w9
?3?<?Z?h?
101=1J1
545F5P5]5i5t5
707V7]7
5K7Z7l8
=:=V=F>
<U=h=	?4?
>(?/?9?
80B0y0
1c1)2[2
040D0T0d0t0
1$141D1T1d1t1
2$242D2T2d2t2
3$343D3T3d3t3
PSzebn