Sample details: 7f0fdddf5905886532c8a652abed1b6c

Hashes
MD5: 7f0fdddf5905886532c8a652abed1b6c
SHA1: 44ce68a4badff4b22054b499215f4c90a207f703
SHA256: 275f927f5cc809ebba57c6e766c550d2d27b1841708459a876c6f5a99201ecb6
SSDEEP: 768:OLr7vvxoB+0PAFferFtbX0OFc78QJYnPJK1yXy:OjH5Jd0tFc78QJWAv
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC
YRP/IsPE32
YRP/IsDLL
YRP/IsWindowsGUI
YRP/HasRichSignature
YRP/maldoc_find_kernel32_base_method_1
YRP/domain
YRP/IP
YRP/contentis_base64
YRP/network_http
YRP/network_dns
YRP/win_registry
YRP/win_files_operation
YRP/Advapi_Hash_API
YRP/CRC32_poly_Constant
YRP/Str_Win32_Winsock2_Library
YRP/Str_Win32_Wininet_Library
YRP/Str_Win32_Internet_API
YRP/Str_Win32_Http_API
FlorianRoth/DragonFly_APT_Sep17_3
Strings
!This program cannot be run in DOS mode.
Software\Microsoft\%s
Software\Microsoft
_Run@4
kernel32.dll
%x%x%x%x%x%x
%x%x%x%x%x%x%x
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
HTTP/1.1
Connection: close
urlmon.dll
ObtainUserAgentString
Ws2_32.dll
getaddrinfo
freeaddrinfo
WS2_32.dll
DnsFree
DnsQuery_A
DNSAPI.dll
InternetCrackUrlA
InternetOpenA
InternetCloseHandle
InternetConnectA
InternetReadFile
InternetQueryOptionA
InternetQueryOptionW
InternetSetOptionA
InternetSetOptionW
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
DeleteUrlCacheEntryA
WININET.dll
CloseHandle
GetCurrentProcessId
CreateThread
CreateFileW
FlushFileBuffers
WriteFile
WaitForSingleObject
FreeLibrary
GetProcAddress
LocalAlloc
LocalFree
LoadLibraryA
ReadFile
HeapAlloc
HeapReAlloc
HeapFree
GetProcessHeap
MultiByteToWideChar
GetTickCount
VirtualAlloc
VirtualFree
DeleteFileW
GetFileSizeEx
SetFileAttributesW
KERNEL32.dll
RegCloseKey
RegEnumKeyA
RegEnumValueA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegOpenKeyExW
RegQueryValueExW
CryptAcquireContextW
CryptReleaseContext
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash
ADVAPI32.dll
wvnsprintfA
wvnsprintfW
SHLWAPI.dll
SHGetFolderPathW
SHELL32.dll
payload.dll
_Start@4
{BASECONFIG}