Sample details: 87d30354316232946a0d2949410d47f7 --

Hashes
MD5: 87d30354316232946a0d2949410d47f7
SHA1: d943ad2fce8de4e41a8fc0712feafc106b0802c1
SHA256: 67199707772645445cbbb1b718203e8527393ef3dcba5484b7b7c9fa2fdf6aea
SSDEEP: 6144:cwHysvXvdpvzWDRhA6u+5BM+7+yYY5BAEHo:HvXv/6rAwynA3Ho
Details
File Type: PE32
Yara Hits
YRP/Nullsoft_PiMP_Stub_SFX | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasOverlay | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/escalate_priv | YRP/screenshot | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation | YRP/CRC32_poly_Constant |
Source
http://188.209.52.29/sand/exe.exe
http://188.209.52.29/sand/exe.exe
Strings
          	            !This program cannot be run in DOS mode.
iRichu
`.rdata
@.data
.ndata
SQSSSPW
v#VhB+@
Instu`
softuW
NulluN	E
D$(Ph,
D$,SPS
D$$+D$
D$,+D$$P
u49-L7B
PPPPPP
_^[t	P
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
MulDiv
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
WriteFile
GetPrivateProfileStringA
WritePrivateProfileStringA
MultiByteToWideChar
FreeLibrary
LoadLibraryExA
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA
lstrcmpA
lstrcmpiA
CloseHandle
SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
GetTickCount
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
SetEnvironmentVariableA
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrlenA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
ReadFile
lstrcpyA
lstrcatA
GetSystemDirectoryA
GetVersion
GetProcAddress
KERNEL32.dll
EndPaint
DrawTextA
FillRect
GetClientRect
BeginPaint
DefWindowProcA
SendMessageA
InvalidateRect
EnableWindow
ReleaseDC
LoadImageA
SetWindowLongA
GetDlgItem
IsWindow
FindWindowExA
SendMessageTimeoutA
wsprintfA
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextA
SetTimer
CreateDialogParamA
DestroyWindow
ExitWindowsEx
CharNextA
DialogBoxParamA
GetClassInfoA
CreateWindowExA
SystemParametersInfoA
RegisterClassA
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationA
ShellExecuteA
SHGetFileInfoA
SHBrowseForFolderA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueA
RegEnumKeyA
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
RegCloseKey
RegDeleteValueA
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA
VERSION.dll
verifying installer: %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error launching installer
... %d%%
SeShutdownPrivilege
~nsu.tmp
NSIS Error
Error writing temporary file. Make sure your temp folder is valid.
%u.%u%s%s
SHGetFolderPathA
SHFOLDER
SHAutoComplete
SHLWAPI
GetUserDefaultUILanguage
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegDeleteKeyExA
ADVAPI32
MoveFileExA
GetDiskFreeSpaceExA
KERNEL32
[Rename]
*?|<>/":
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b0</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
NullsoftInstn
;BlSL2,0
|`GJ4n]7
L;1)	`
P'{r0G
!e-v?w
\ZQ[42
SUL|5:&fB
pS*sep
]e+i/N
Yd tD(
ww|@.m
4fkUA_Zt
L9o=2o
'2*aSu
38E<eD
&~=;6s
W;_Q m
t3>A"I
cof1NB%b
/cbE)Ey
)o%1p7
/Q/%706
	KF7\W
Pqj9.Eg
	 =pS1
70!.tB
w;hE*b
r6=xf9
p0u<`g
edo(qXST
uOMO|f
sydMg;
4'u-|%2
CTR^u#
$R4VSXzC
cI6x>E
o1kT%e
glurxu
"=w5j[
GgTO&/
LUe]jv
ySXh-9
,=|{:g
0S1r!T
MRGnD.U
0QoS)A
~7PsL@
<jO#0{{
#47OZW
TB=&2.B
#bTS3^
}GE+n	
H*%KJ*&'vd
{@#p-qT
7Gs!B.
8L..xx
Z~]&1Y
=JlD*8
Qo{/3h
kdM7kw
L5m.-r
}hOG(b
]8+i}5'
`xyziE
>^ y3e
zt$sFM
wV ~gx
N A(W3*
Bvf{Re
O4yEVb_F
n.\]8^
qS&A[K
R_.d77
j9DN\b
gt	Y8}6
i,RX+!
7gFDQC
H HRRg
kYby:{
C* ZF9}
OLpV^*i
4f5xfy
98Z8C[O8
XX!^!h*
;>/BxV
5Lcf7*
-*J~>P
ynmVDr
"J$g<V
CLJt{dK
fxfjF:
8eW<WDe
>E~#	,'
'(V3B 
/y6n*C'n
}2NLV|92\_
h&|wd(
43e{h[[
nqNN<+
r'FI0{_
uRq3:.I
^C(rWB3
oAeJf]`
;"[/	r
Ou<'.u
"AfC8U
7L!t{L
p)3D+B
3K/cOX
* HU %
tfN<jWsn
X0Pd_T7
e[)&B\_
1w@/;ae
M[u][\
5aSV?o
$,eD^w
57:	wz
qC~:Y?
2]	f+s
0K8qV,
dM$Z_IYJ7v
Xj[c zI
Pyt$M4
11r6+~
/1PFMw}
Ie/,ozAz
o+ljmnY
S*D}vI
nI,lx 
`]sZaH
Ra)jJ	
>f]9rnvBN
nBF3RnEC
YMwp\8
i{zRLA
S#K6-Me
b550R^
]h.3j;
[%k*4G`0
Ii,ELFcAu~
(#/VCU>D"
"(&	ZR
CFB2bA
ed<wi-
W^"91H:
D{dRI)
	X0k$$
E/=M|9w
UZjDuL.
FPQKQ)
dQyHJ_
	Gi.#'E
:e'1"yQ	
[68"s6{
?\Xidw
55BoU7
#AP`tr%-
oc%+v]
0>LZy|
{:Lp4o
)L^4:S
u>,RQ2
:?dRIukJ9
o}*0mU
}g%_Oc
]>lP$?.
hZKw"l
%+@"C,f
Sh=K^L
x&A,Nw&
,Z)_WZ
'w	$[P
8E5-*_
Hxy6`m
a|hg{c
Tw	]JwMK
.as5Y:
;	5qg!
ClEOk);
0WPzgRt
i8!r? 
[q(SaM
k|bRM]
9 c's6wn
5y/2q,
: C0fa
=M6^ v,
A0JZ&J*N}
&:>4xF
Ly51&Z9G
f9DH9^OB
Ltk9/=P
ug/pso
 mmYvq!
Q-q+S5w
H '=\`
C)Z3-R
M	L[_k
s4k3=.U
d}ob %
c;YUA=
z}%J#g
nH)"w.
5ll.t:
SSplVC/
dG$%I%
AUyPR/[	Kehl
BR|00nA
)L%dhp
'QCX>#
njvvX\>b
%y#aP%
wPeEtd
*6NI()
[gkB*d
ci-?ry
;H$?q0
:`s(e#[
Qp(*Pa+l
@YwZ'N
PCXW87
pwn-y]
B]T&)E
6 xR5	
d<Fgpt
<f;jyf
*ip,4+k
\E=[u$
X:!9mN
B0uH/6
(7B iPfz
g<mntj
uHm%+eI
GF,W1h
XsS$#p
d:V. \>I
_NrH]6Q\
n:k3[y
#E.)	U"
rysD{g
O&wJY[
zR^'m3
>1/{#*)
A.Xq^d{0
p/l>=V
$sp[}$#$t
u*C/.3
*U">ADB$>
5tPny&
dFIFr|
!(%w:V
JG>OaC
0bJ"C`&"n
yNY&`Z
*,K7gv<
z=~.7l\
 [)xvT
wMLQSOk
Ua3#l$j
Ne<llg
vHe`jZ-,q
</!h(fOS
vz^8iU
Lyb2==
?2>vNs
vi)iM`
E5 9|<\
$6AP@6
MOuuO	Z(r@
Jni?su	7|
it_so-]
lltw'C
r]izhO;i
+pCY{6
%y6LGeh:
=:m/32%
xX2AWT
fl)V/=
5is)Yq-"
Yj(xw_
e3&$D9_
U^5[\fL
C`dqlR-4j
VnO@{j
#Z/VTD4?
u-QA#|1
d(cqQ #
4?PkXlL
m0X^>*
meB[PY
JfE\4/vK
Yd78mn
DmEM#>
..wz|G
gQuz%d
\#Mm[!7
t-^LU|g
 ^zXEp
U~j_AAB
|3<-?-
dk&|QK
"%~\{\>
F#tEAzAX
@+Y9^}
>`K/sd
T:!Zcn
VKW$gm-
GV_[4s(d
:hq>Df
2zAMv^
@6Mdh[
(y:wpy
x4]HNd\
QIw.G.
zs:4lW
`:fa5;
JZph+\ytQ
_eDG*"T6
:3%v>G
*~kHy54
"ex=uk
3?]!Yk
_gM{5v
bMa`\D
qY[KUZ
2L>]-D\W
K88r0U
Q}Szh:
T.Kf#T
fH#s]-
v|V.RO
6^>X'F)
O0T>Qt
'kP/l[
|KOa`$W0
+#u,&D!@6
ooO]#s/
 ,[guF
TJJ8|#
?G/dNY_j
mGFWAz
qKTgTx
Uh<1K	
P]I}<5
{ <;7RqT
\Td\.{c
cb6e&S
M4a#"^
=Z&d2 
Jp""XY
xd`q9b
};*$ym!
QH~M+~
`~bG4V
3zzJhd
lx)Lin
B'I)Eu
*~kHy54
/6I[dk
S$?ne=n$
S=&Ip[
kAC kR
Bs,X\U%
|i hhp
r<Hu4P
`-;*\\
7q'82){
|tOp<OH
a4rJ{l
LBAOdy
,`*0t~
3zycDN<<rq
;e,#G#-V
C(1Z/P
DRyYFGB
G 5}8P
OTh,O6
BE{G $
^^;t%o
C[=4F5
ym|ELRE
M[F} mF
]+pJ[s
hOS,A0
6$I{gY
d%5*"K
NullsoftInst
OH}&E2l
)<>8)NO<
~Gc@DTn
Y|[*aEh
|y6$Wgs
3zycDN<<rq
;e,#G#-V
C(1Z/P
DRyYFGB