Sample details: 782e5c2d319063405414d4e55d3dcfb3 (MD5)

Hashes
MD5: 782e5c2d319063405414d4e55d3dcfb3
SHA1: 5f5910df1a647511c60a4aa1429d68b296f71ae6
SHA256: e82ced9bcf61f3339688284bca9f3d918a1a031fbfc7b0c404a31777eba1116b
SSDEEP: 3072:TKnUNALmVZvvGBeQYejp3IAq2tn2TBfki43y97FozS4Oq1sqH73oGC:M4Lvkwejphqun2TB8i4i0zLOosqHkG
Details
File Type: PE32
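Yara Hits (rule names as reported by the scanner; the Armadillo and Visual C++ entries are generic packer/compiler signatures and the Is*/win_* entries are generic capability tags, while the Equation/FannyWorm entries are the family-specific matches)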
YRP/Armadillo_v1xx_v2xx_additional | YRP/Microsoft_Visual_Cpp_60_DLL_additional | YRP/Microsoft_Visual_Cpp_v70_DLL | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Microsoft_Visual_Cpp_60_DLL_Debug | YRP/Armadillo_v1xx_v2xx | YRP/Microsoft_Visual_Cpp_v60_DLL | YRP/Microsoft_Visual_Cpp_60_DLL | YRP/Microsoft_Visual_Cpp_60 | YRP/Armadillov1xxv2xx | YRP/IsPE32 | YRP/IsDLL | YRP/IsWindowsGUI | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/Dropper_Strings | YRP/antisb_threatExpert | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/CRC32_poly_Constant | YRP/CRC32_table | YRP/Str_Win32_Winsock2_Library | YRP/apt_equation_exploitlib_mutexes | YRP/Equation_Kaspersky_FannyWorm | FlorianRoth/EquationGroup_EquationDrug_Gen_2 | FlorianRoth/apt_equation_exploitlib_mutexes | FlorianRoth/Equation_Kaspersky_FannyWorm |
Parent Files
88106b8b1ef1a00644a90ca67ad57e1f
Source
http://94.130.104.170/Equation_KasperskyReport_and_Additionalsamples//AdditionalSamples/FannyWorm/FannyWorm_782E5C2D319063405414D4E55D3DCFB3
http://94.130.104.170/Equation_KasperskyReport_and_Additionalsamples/AdditionalSamples/FannyWorm/FannyWorm_782E5C2D319063405414D4E55D3DCFB3
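Strings (printable strings extracted from the file; the DOS-stub message "This program cannot be run in DOS mode." appears at least three times in this listing, which is consistent with additional PE images embedded in the sample)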
		!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
VWjAY3
SUVWh(
,WSVjeh(
SVWj@3
PVVVVV
QSj(PSS
Ytxj@3
t?WSh 
uPSSSS
PSSSSSS
"VVVVP
PSSSSSSh 
PSSSSSSSj
QSSSSSSSPj
PSSSSSSSWj
u&SSSSh
VVVVVVVVh
It<Iu4P
WtEj$SV
jWX_^[
PSQRVWj
_^ZY[X3
8PSQRVWj
_^ZY[Xj
PSQRVWj
_^ZY[Xj
PSQRVWjd
_^ZY[Xj
8PSQRVWj
_^ZY[X3
8PSQRVWj
_^ZY[Xj
PSQRVWj
_^ZY[Xj
PSQRVWjd
_^ZY[Xj
PSQRVW
_^ZY[X3
PSQRVW
_^ZY[Xj
PSQRVW
_^ZY[X
jWX_^[
8PSQRVWj
_^ZY[X3
8PSQRVWj
_^ZY[Xj
PSQRVWj
_^ZY[Xj
PSQRVWjd
_^ZY[Xj
|ttpSWh
jWX_^]
D$(_^]
PsGetCurrentProcess
WS2_32.dll
dbghelp.dll
GetEnvironmentVariableA
SetFileAttributesA
CopyFileA
GetLastError
DeleteFileA
LockResource
SizeofResource
LoadResource
FindResourceA
EndUpdateResourceA
UpdateResourceA
BeginUpdateResourceA
CreateProcessA
SetFileTime
GetFileTime
CloseHandle
WriteFile
CreateFileA
CreateThread
GetProcAddress
LoadLibraryA
GetModuleFileNameA
FindClose
FindFirstFileA
GetVolumeInformationA
WaitForSingleObject
CreateMutexA
OpenMutexA
ReadFile
FindNextFileA
FreeLibrary
GetTempPathA
GetSystemDirectoryA
GetSystemTime
lstrlenA
lstrcpynA
GetComputerNameA
OpenProcess
GetVersionExA
GetCurrentProcessId
LocalFree
LocalAlloc
GetCurrentProcess
GetCurrentThread
CreateMutexW
SetLastError
lstrcpyA
GetVersion
lstrcatA
VirtualFree
ReleaseMutex
VirtualAlloc
OpenMutexW
GetModuleHandleA
LoadLibraryExA
IsBadReadPtr
CreateFileW
GetEnvironmentVariableW
LoadLibraryW
MapViewOfFile
CreateFileMappingA
GetFileSize
SetFilePointer
KERNEL32.dll
wsprintfA
DestroyWindow
CreateWindowExW
SetPropA
UnregisterClassA
UnregisterClassW
USER32.dll
RegSetValueExA
RegCloseKey
RegCreateKeyExA
RegQueryValueExA
RegOpenKeyExA
FreeSid
AllocateAndInitializeSid
LookupAccountSidW
GetUserNameW
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
OpenProcessToken
AccessCheck
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
InitializeSecurityDescriptor
AddAccessAllowedAce
InitializeAcl
DuplicateTokenEx
OpenThreadToken
GetSidIdentifierAuthority
IsValidSid
LookupAccountSidA
RegEnumKeyExA
LookupAccountNameA
RegEnumValueA
RegDeleteValueA
ADVAPI32.dll
strcat
memset
strstr
strncpy
memcpy
strlen
malloc
strcpy
strncat
memcmp
_snprintf
realloc
_abnormal_termination
wcscmp
wcslen
??3@YAXPAX@Z
??2@YAPAXI@Z
sscanf
_mbschr
_local_unwind2
strcmp
wcsncat
wcscpy
strncmp
MSVCRT.dll
_initterm
_adjust_fdiv
_stricmp
_wcsicmp
dll_installer.dll
\system32
windir
BINARY
lsass#
c:\windows\system32\kernel32.dll
\shelldoc.dll
Software\Microsoft\MSNetMng
d:\fanny.bmp
x:\fanny.bmp
Q:\__?__.lnk
Policy
Version
Status
Global\RPCMutex
DMWI%%
HTTP/1.0
lNSDEoYNJYN
lNSDEyR]^PY
lNSDEsJYNUXY
SRZU[inp
SRRY_HUSRO
o]JYXpY[]_EoYHHUR[O
xYZ]IPH
SRRY_HUSRoYHHUR[O
xyz}iph
KHO]LU
khoyRIQYN]HYoYOOUSRO}
khomIYNEoYOOUSRuRZSNQ]HUSR}
khozNYYqYQSNE
0x%02hx%02hx%02hx%02hx%02hx%02hx
S-%lu-
PsDereferencePrimaryToken
PsReferencePrimaryToken
RtlSidHashInitialize
RtlEqualSid
ntdll.dll
LdrGetProcedureAddress
DbgPrintEx
DbgPrint
ntkrnlpa.exe
ntoskrnl.exe
RtlUnwind
KeGetCurrentIrql
HAL.dll
RtlImageDirectoryEntryToData
KeRaiseIrqlToSynchLevel
KeRaiseIrqlToDpcLevel
cnFormVoidFBC
cnFormSyncExFBC
NtShutdownSystem
KeAddSystemServiceTable
_except_handler3
KeServiceDescriptorTable
v.2055
RedrawWindow
MenuItemFromPoint
win32k.sys
MmUnmapLockedPages
MmUnlockPages
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmBuildMdlForNonPagedPool
IoFreeMdl
IoAllocateMdl
msvcrt
NtQueryObject
NtQuerySystemInformation
!This program cannot be run in DOS mode.
`.rdata
@.data
L$(PQV
L$(PQW
SUVWj8
L$,WPj
~(9~$u
DSpQPj
D$4_^][
C4u	^]
S,_^]3
L$\t8;
;T$0sP;t$4sJ
D$40Z@
D$0pZ@
L\Lf9t\L
 inflate 1.2.3 Copyright 1995-2005 Mark Adler 
Qkkbal
[-&LMb#{'
w+OQvr
)\ZEo^m/
H*0"ZOW
l!;b	F
mj>zjZ
IiGM>nw
ewh/?y
OZw3(?
V_:X1:
LockResource
SizeofResource
LoadResource
FindResourceA
GetLastError
SetFileTime
GetFileTime
CloseHandle
WriteFile
CreateFileA
CreateProcessA
GetEnvironmentVariableA
ReadFile
GetFileSize
CreateFileW
KERNEL32.dll
RegSetValueExA
RegCreateKeyExA
RegCloseKey
RegSetValueExW
RegCreateKeyExW
ADVAPI32.dll
malloc
fwrite
fclose
tmpfile
MSVCRT.dll
_XcptFilter
__p___initenv
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
BINARY
c:\windows\system32\kernel32.dll
 _start@16 0
rundll32 
\AGENTCPD.DLL
\MSAgent
windir
Policy
Version
Status
Software\Microsoft\MSNetMng
incorrect length check
incorrect data check
invalid distance too far back
invalid distance code
invalid literal/length code
invalid distances set
invalid literal/lengths set
invalid bit length repeat
too many length or distance symbols
invalid code lengths set
invalid stored block lengths
invalid block type
header crc mismatch
unknown header flags set
incorrect header check
invalid window size
unknown compression method
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
need dictionary
#QR7;+
H^O8m:
qqPqpZ
;`zq1SU
3_OWMd+
0J:[fe
8Frie<
k'A!F-
q2>$>s
_]r,Qu
Onq10T4
3E[Zxl&
P1}P0+
":k=(,X
GIp4J &
>p"-vtW
q(of:i
$|raQaQ
?L"f2.
v:~:~:b:
~v:?KTE
6QP	m%
VW^j-T?e(
C+*(TA
b8m0G;{
gH%2_z;
>A?p z0~J
?kK6qU
HNj:~:
u@,!		
ep~rxA
2?;e/w^
j/^N^F
J]]V]M]_
2LUNUKm
Y]J]B]^
IGDDL.
{UB\mv
;'WG'rg
a1~[pbi
9t8kln
]W@mla
6*BJk[
k]X7O&
yLT%:iV
(X!tuH
(ArC\T
_]r,Qu
P1}P0+
;vo>,)
":k=(,X
82!buD
%cR5:L
d2HTS5
\~n9n,
GOOMOO
R(J(Z(D
"1]w7b
lBD`a<
=IJn!,
hnj),u
$k&m-=\-=jG
b3vGS\
WwW-1w
zmx-{Et
YTYT]T[
&zm(-%
SzKMQc4jF
&Hs 7({
s%X'qX
LaPiPf0}L
l#RT3UST
535y+^
8Z@$s%u
m1XU4>
!This program cannot be run in DOS mode.
J#-'V--
J#-LU)-
J#-LU'-
J#-Rich
`.rdata
@.data
.reloc
t"9=pb
t*9=Ta
USUUUWP
trVjeSP
D$HhXa
SSSh<`
t&Wj3_
SVWj<3
VWj<Y3
DeleteFileA
FindClose
MoveFileA
FindNextFileA
CopyFileA
FindFirstFileA
GetTempPathA
ExitThread
GetVolumeInformationA
CloseHandle
GetLastError
CreateMutexA
GetTickCount
GetEnvironmentVariableA
GetCommandLineA
GetSystemTime
WaitForSingleObject
CreateThread
WaitForMultipleObjects
ResetEvent
SetUnhandledExceptionFilter
SetErrorMode
KERNEL32.dll
RegNotifyChangeKeyValue
RegDeleteKeyA
RegCreateKeyExA
RegSetValueExA
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
ADVAPI32.dll
memcpy
memset
malloc
strcat
strncpy
strcpy
strstr
strrchr
strlen
fclose
fwrite
strncat
fflush
_except_handler3
fprintf
memcmp
_getdiskfree
tolower
MSVCRT.dll
_initterm
_adjust_fdiv
GetComputerNameA
SetFileAttributesA
FreeLibrary
GetProcAddress
LoadLibraryA
Process32Next
Process32First
CreateToolhelp32Snapshot
GetSystemInfo
GetVersionExA
CreateEventA
SetFilePointer
ReadFile
WriteFile
VirtualFree
VirtualAlloc
CreateFileA
GetUserNameA
agentcpd.dll
_start@16
\\.\a:
FILENAME
\restore\
Software\Microsoft\MSNetMng
Global\DirectMarketing
Policy
Version
Status
Explorer.exe
32.exe
\System32
SYSTEMROOT
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
System\CurrentControlSet\Services\USBSTOR\Enum
ProductId
RegisteredOrganization
RegisteredOwner
Software\Microsoft\Windows NT\CurrentVersion
file size = %d bytes
fseek(SEEK_SET) failed
System\CurrentControlSet\Services\PartMgr\Enum
WS     TMP
000B0U0
0%161~1
1!2/2G2
2 3(3U3
4%5F5J5N5R5V5Z5^5b5f5j5n5r5v5z5~5
798b8z8
9-93999A9G9Q9
9':3:>:U:[:b:m:w:
;);0;6;<;H;N;\;b;j;q;|;
='=2=:=d=
0(1/1J1Z1j1
2+2G2^2h2
3$3?3D3J3d3m3u3
5$5,5=5J5P5Z5g5t5y5
6&7H7Q7
7G8M8R8]8p8u8|8
9!9*919K9R9b9x9
:>:^:m:t:{:
<>=K=X=i=
>J>W>j>
>#?(?S?Z?_?p?}?
3#373L3a3f3p3y3
3#4>4`4
4!5K5i5
5N6c6p6
7'707P7s7
8 8&8:8B8T8Z8c8
919w9|9
;0;6;=;D;g;|;
40I0V0r0
535Z5|5
<7<@<G<z<1=
>$>/><>D>R>W>\>a>l>y>
>:?b?h?n?
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
PADupdate.exe
PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDIN
GPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
#0-0Y0_0h0Y1_1i1
6 6-636<6Z6
6N7c7j7~7n8
:%:;:J:^:
:';B;J;P;c;i;z;
0/1c1i1
2 2-2I2Y2b2p2
5:5F5P5
:):V:f:{:
=!>5>F>
>.?b?m?s?
3$3+353<3I3P3Z3a3k3r3|3
4)5<5o5
6(6<6f6
6/7A7s7x7
768>8G8g8t8
879E9}9
9!:1:a:f:
> ?n?~?
0+0_0d0
1J1d1t1
9+:W:p:
5%5W5\5
8F8O8q8
:$:-:H:Q:n:
0\0m0s0
1"1^1o1u1
1 2'2@2L2^2
364d4i4
5H5[5n5
6!6,6M6_6f6
758<8F8{8
9.9>9e9
; <<<g<
>S>a>j>u>
0.0G0`0
1&1<1E1Q1
2 2,282D2P2\2h2t2
5A6Q687=7
=:=e=j=
2;3@3q3
4!5_5m586
6 7%7,7I7
;	<#<G<Q<
=.=3=y=
51;1H1V1]1}1
3N4[4h4
455?5\5
5"6/6<6
>"?/?<?
5<5I5O5
5+686E6
:):c:p:}:
1 1%1n1P2x2
6+6I6N6T6[6b6l6
6-7?7[7`7
8!8(8Q8m8
9#989=9
;/;I;h;
3b3h3z3
5#5*515Z5s5
$2(242<2@2L2T2X2d2l2p2|2
3$3,303T3X3d3h3t3|3
4$4,404<4D4H4T4\4`4l4p4|4
5 5,54585D5L5P5\5d5h5t5
6(64686@6D6L6P6\6`6l6p6|6