Sample details: 8c1b45b63d2305c5eb65be9b595eb3b3 (MD5)

Hashes
MD5: 8c1b45b63d2305c5eb65be9b595eb3b3
SHA1: b9df15a8000c2e2d3aa65248281f4d21d068f55a
SHA256: fa2c11b39e051a13361c1746ff15282f2ff57714643e7dab67fd5a8226d6495f
SSDEEP: 3072:Xfh8jQbFMt8GCR7hdd+h9ye4PKk6/N5qqeutCKImaveW:XZ8jGFMCGCh1+zZ4PKkeN5qqFV
Details
File Type: PE32
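Yara Hits (rule names as reported by the scanner. Most are generic compiler, packer-signature or capability heuristics; the Armadillo_v171 signature is known to also match plain Visual C++ 6.0 binaries, so it does not by itself show the file is packed. The gh0st and GhostDragon_Gh0stRAT rules are the family-specific matches.)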
YRP/Armadillo_v171 | YRP/Microsoft_Visual_Cpp_v60 | YRP/Microsoft_Visual_Cpp_v50v60_MFC_additional | YRP/Microsoft_Visual_Cpp_50 | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Armadillo_v171_additional | YRP/Microsoft_Visual_Cpp | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/Browsers | YRP/VM_Generic_Detection | YRP/VMWare_Detection | YRP/Dropper_Strings | YRP/Misc_Suspicious_Strings | YRP/Check_OutputDebugStringA_iat | YRP/anti_dbg | YRP/escalate_priv | YRP/screenshot | YRP/keylogger | YRP/sniff_audio | YRP/rat_webcam | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation | YRP/BASE64_table | YRP/Typical_Malware_String_Transforms | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/gh0st | FlorianRoth/Typical_Malware_String_Transforms | FlorianRoth/GhostDragon_Gh0stRAT |
Parent Files (MD5)
03a83be69dcf6ca017e819a5b65b9587
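Strings (printable strings extracted from the binary, in file order. Several are stored reversed or split across adjacent entries, e.g. `exe.rerolpxe`, `>retnE<` and the registry paths broken mid-word, so normalise or match on fragments when searching or writing detections. Short, random-looking entries are code or resource bytes that happen to be printable, not meaningful text.)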
		!This program cannot be run in DOS mode.
`.rdata
@.data
V@j QR
GD]_[Y
T$\SRh8
\$<PQW
L$DRQPj
l$dPQW
tXSVWU
tJ<\u8
D$lRPj
D$(RPj
L$4QRRRRRU
<AtG<BtC
D$$RPU
D$(Vj@
|$<.tK
D$<PVh
D$\PWVh 
Iu	_^[
QRPPPPPPVP
|$`j/W
T$dQRP
T$ QRj
t-</t)F
|$ WVU
\$ UVW
L$$_^]f
L$$_^]f
T$ RQPV
\SUVWhX
D$8RPQ
|$-[t.
tqSUVj2W
L$L91t
D$:f;E
L$,91t
T$0QRP
''''''''''''''
'''''''''
''''''''
 !"#$%&
D$TSUVW
FDUSRP
FDQSRP
~0;~,}
VDPQRUSP
NPRPUSj
SUVWhh
SUVWhh
SUVWhh
D$@RPh
T$4_^][
L$@jdQV
D$ GPh
L$@_^][d
L$ Qh|
|$$MZu'
D$,RPQ
L$@jdQV
QPPVh`
D$ IV32
D$$MP42
D$(cvid
Phvidc
~(9~$u
W(9W$u
tZ9H tU9H$tP
Fdf+Fh
D$(8D*
T$LPQR
|$HPWS
T$(PQR
T$DPVS
T$LRWS
L$LQVS
|$ WUSV
D$$SUV
T$,RWV
T$,RWV
T$,RWV
L$,QWV
T$,RWV
L$ RUPj
T+3x%A
;D$<s!
T$,PQhpqA
D$0QhdrA
{4_^]3
 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly 
								
 inflate 1.1.4 Copyright 1995-2002 Mark Adler 
CreateEventA
CloseHandle
TerminateThread
WaitForSingleObject
SetEvent
ResumeThread
CreateThread
InitializeCriticalSection
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
ResetEvent
lstrcpyA
InterlockedExchange
CancelIo
GetProcAddress
LoadLibraryA
GetFileAttributesA
FreeLibrary
MultiByteToWideChar
WideCharToMultiByte
lstrcmpA
GetPrivateProfileStringA
GetVersionExA
DeleteFileA
GetLastError
CreateDirectoryA
lstrlenA
CreateProcessA
lstrcatA
GetDriveTypeA
GetDiskFreeSpaceExA
GetVolumeInformationA
GetLogicalDriveStringsA
FindClose
LocalFree
FindNextFileA
FindFirstFileA
LocalAlloc
RemoveDirectoryA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
WriteFile
MoveFileA
ExitProcess
GetCurrentProcess
GetVersion
DeviceIoControl
OpenProcess
GetSystemDirectoryA
GetLocalTime
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
GetTickCount
LocalSize
OutputDebugStringA
GetStartupInfoA
DisconnectNamedPipe
TerminateProcess
PeekNamedPipe
WaitForMultipleObjects
GetSystemInfo
CopyFileA
OpenEventA
SetErrorMode
Process32Next
LocalReAlloc
Process32First
CreateToolhelp32Snapshot
lstrcmpiA
GetCurrentThreadId
KERNEL32.DLL
DispatchMessageA
TranslateMessage
GetMessageA
wsprintfA
CharNextA
MessageBoxA
ExitWindowsEx
ShowWindow
FindWindowA
MoveWindow
GetWindowRect
GetForegroundWindow
SendMessageA
SwapMouseButton
GetWindowTextA
GetAsyncKeyState
GetKeyState
LoadCursorA
DestroyCursor
BlockInput
SystemParametersInfoA
keybd_event
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDesktopWindow
ReleaseDC
GetCursorInfo
GetCursorPos
GetWindowThreadProcessId
IsWindowVisible
EnumWindows
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
OpenDesktopA
PostMessageA
CreateWindowExA
CloseWindow
IsWindow
USER32.dll
SelectObject
CreateDIBSection
CreateCompatibleDC
DeleteObject
DeleteDC
BitBlt
GetDIBits
CreateCompatibleBitmap
GDI32.dll
OpenProcessToken
IsValidSid
LookupAccountNameA
LsaOpenPolicy
LsaFreeMemory
RegCloseKey
RegQueryValueA
RegOpenKeyExA
CloseServiceHandle
DeleteService
ControlService
QueryServiceStatus
OpenServiceA
RegSetValueExA
RegQueryValueExA
RegOpenKeyA
CloseEventLog
ClearEventLogA
OpenEventLogA
RegCreateKeyExA
AdjustTokenPrivileges
LookupPrivilegeValueA
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
UnlockServiceDatabase
ChangeServiceConfigA
LockServiceDatabase
StartServiceA
QueryServiceConfigA
EnumServicesStatusA
LookupAccountSidA
GetTokenInformation
ADVAPI32.dll
SHGetSpecialFolderPathA
SHGetFileInfoA
SHELL32.dll
HLWAPI.dll
??2@YAPAXI@Z
??3@YAXPAX@Z
__CxxFrameHandler
memmove
_CxxThrowException
_except_handler3
malloc
strrchr
strncpy
strncmp
strchr
_errno
wcscpy
_snprintf
strncat
_beginthreadex
calloc
MSVCRT.dll
??1type_info@@UAE@XZ
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
waveOutClose
waveOutUnprepareHeader
waveOutReset
waveInClose
waveInUnprepareHeader
waveInReset
waveInStop
waveOutWrite
waveInStart
waveInAddBuffer
waveInPrepareHeader
waveInOpen
waveInGetNumDevs
waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
mciSendStringA
WINMM.dll
WSAIoctl
WS2_32.dll
GetUserProfileDirectoryA
GetProfilesDirectoryA
USERENV.dll
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?_Xran@std@@YAXXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
MSVCP60.dll
NetLocalGroupAddMembers
NetUserAdd
NETAPI32.dll
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
WININET.dll
capGetDriverDescriptionA
ICSeqCompressFrame
ICSeqCompressFrameStart
ICSendMessage
ICOpen
ICClose
ICCompressorFree
ICSeqCompressFrameEnd
AVICAP32.dll
MSVFW32.dll
WTSFreeMemory
WTSQuerySessionInformationA
WTSAPI32.dll
GetModuleFileNameExA
PSAPI.DLL
GetModuleHandleA
_strrev
_stricmp
_strnicmp
_strcmpi
Server.dat
JustTempFun
\Microsoft\Network\Connections\pbk\rasphone.pbk
kernel32.dll
lstrcatA
lstrlenA
ExpandEnvironmentStringsA
\Microsoft\Network\Connections\pbk\rasphone.pbk
Administrator
exe.rerolpxe
kernel32.dll
Microsoft\Network\Connections\pbk\rasphone.pbk
%USERPROFILE%\Application Data
\Application Data
L$%su%sCr%s0
_RasDefa
edentials#
%slPa%ss#0
RasDia
rams!%
Device
WinSta0\Default
%s\shell\open\command
%s\*.*
KERNEL32.dll
%s%s%s
%s%s*.*
SYSTEM\CurrentControlSet\Services\%s
ADVAPI32.dll
OpenSCManagerA
Fuck You By QQ:123**321
Http/1.1 403 Forbidden
<H1>403 Forbidden</H1>
HTTP/1.0 200 OK
Gh0st Update
Applications\iexplore.exe\shell\open\command
System
Security
Application
ConnectGroup
SeShutdownPrivilege
PortNumber
TSEnabled
SOFTWARE\Policies\Micro
soft\Windows\Installer
SOFTWARE\Microsoft\Window
s\CurrentVersion\netcache
SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon
.DEFAULT\Keyboar
d Layout\Toggle
erminal Server\Wds\rdpwd\Tds\tcp
SYSTEM\CurrentControlSet\Control\T
erminal Server\WinStations\RDP-Tcp
SYSTEM\CurrentControlSet\Con
trol\Terminal Server\RDPTcp
revreS lanimreT\lortnoC\teSlortnoCtnerruC\METSYS
SYSTEM\CurrentControlSe
t\Services\TermService
SYSTEM\CurrentControl
Set\Services\TermDD
\\.\PHYSICALDRIVE0
ProgMan
Shell_TrayWnd
set cdaudio door open
set cdaudio door closed wait
SeDebugPrivilege
CONNECT 
http://
Scroll
Num Lock
Delete
Insert
Snapshot
Execute
Select
DownArrow
RightArrow
UpArrow
LeftArrow
PageDown
PageUp
[CapsLock]
Backspace
:]%d-%d-%d  %d:%d:%d
>retnE<
REG_BINARY
%-24s %-15s 
REG_MULTI_SZ
%-24s %-15s 0x%x(%d) 
REG_DWORD
%-24s %-15s %s 
REG_EXPAND_SZ
REG_SZ
ChangeServiceConfig error!
LockServiceDatabase 
      
QueryServiceStatus error!
OpenService error!
pOpenSCManagerA Error
\cmd.exe
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
modb.3322.org
                                            
Mozilla/4.0 (compatible)
HARDWARE\DESCRIPTION\System\CentralProcessor\0
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\conime.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conime.exe
CopyFileA
C:\Documents and Settings\All Users\
\conime.exe
C:\progra~1\Common Files\svcchost.exe
MoveFileA
GetModuleFileNameA
PSAPI.DLL
explorer.exe
Winlogon
CVideoCap
#32770
capCreateCaptureWindowA
need dictionary
incorrect data check
incorrect header check
invalid window size
unknown compression method
invalid bit length repeat
too many length or distance symbols
invalid stored block lengths
invalid block type
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
invalid distance code
invalid literal/length code
incomplete dynamic bit lengths tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed literal/length tree
empty distance tree with lengths
incomplete distance tree
oversubscribed distance tree
.?AVtype_info@@
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
T+RBome
kFfeUeV
l-/-8i
	n$&;_
PK,,+(
0+;I4C,M
,D9\[^
f5s3G'JGN
XAoNb^
%`lfzrL
`|\xSy
[l,oAc
*,]r3T
FgoZ1P
K#AD!ye?\
0/bt:0T
WYj9X5
2^/3==
c3,MIl
w	~pWju:
JlJy]d
zG,6Z[
6.>sV`]
0PG`K	o
7O0~rR
HrCg@b	g 
c6eAm4l
l	gCgP
c0R;N:g
c0R(W 
c0R;N:g
vO\U^:
UcIcO\U^1Y%
eHr,gZ
eHr,gZ
UcIcO\U^:
zS_MRck(W
OX[hQ@\
UcIcO\U^
g/f&T	g
viRYOzz
QeQCgP
cKm0R`O
S_MRck(W
cKm0R`O
/T(uHQMR
b:gMRsQ
V:N(W`OSb
,g0W;N:g
N*Ncknx
/f&Tcknx
V:N(W`OSb
~(u7b 
N*N(W 
N*N(W 
0R;N:g
[INV{eu
l~b0R 
OX[;N:g
`O/f&T(WsQ
8lEN Rd
V:N*gsQ
V:N*gsQ
RhV-N	
O(u`OS_MR
v(u7b&
v(u7b:
,g0W(u7b
vW[&{'Y
Q/f&Tcknx
ck(W(W 
v(u7b(W
OX[V{eu
V:N(W`OSb
V:N(W`OSb
N*N	gHe
N*N	gHe
fSbpS:g
b:gHr,g
`OS_MR
 `OS_MR
ck(WKQ
`OS_MRKQ
`OS_MRKQ
ck(WKQ
b:gMOn
V:N(W`OSb
V:N(W`OSb
OX[(u7b
QhQO\!j
hQO\>f:y
HrCg@b	g 
ssskkkkkksss
kk{kkkkkk{{{
kkssss{{{{{{
sssssssss{{{
kkkcccZZZRRRRRRRRRRRRRRRZZkRB
kkkskksss{ss{{{{{{{ss{ss{ss
ssscccZZkJJ
BJZBBB
RR{{{{
RRssss
JJkkkk{{{
BBkZZZcccsss
ccsss{{{
BBcRRRRRRZZZZZZ
11ssssss
BBcJJJJJJJJJJJJ
11{J9{
ZZsss{{{
!!{ss{{{