Sample details: 8ea2703acbd07d4313cf57a225783ae6

Hashes
MD5: 8ea2703acbd07d4313cf57a225783ae6
SHA1: 32bfd12a06e346269b8f1ed8e918d286b83b241b
SHA256: 8154692fba6bc058c86b958ee474271cec0dfe682642eed8bde7480b44a16bf1
SSDEEP: 192:r7Xl8Wbg+dIat/XJ0nbl+gAMaDL+1GwimDNCU:vaxGIatvqblni2G6pC
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Studio_NET | YRP/Microsoft_Visual_C_v70_Basic_NET_additional | YRP/Microsoft_Visual_C_Basic_NET | YRP/Microsoft_Visual_Studio_NET_additional | YRP/Microsoft_Visual_C_v70_Basic_NET | YRP/NET_executable_ | YRP/NET_executable | YRP/NETexecutableMicrosoft | YRP/IsPE32 | YRP/IsNET_EXE | YRP/IsWindowsGUI | YRP/HasDebugData | YRP/IsBeyondImageSize | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/System_Tools | YRP/Antivirus | YRP/Dropper_Strings | YRP/Misc_Suspicious_Strings | FlorianRoth/DragonFly_APT_Sep17_3
Source
http://snapcrackleshot.com/wp-content/uploads/verdana.exe
Strings