
Sample details: 9b9e083a9cf6a1db6251e189e5966a4d

Hashes
MD5: 9b9e083a9cf6a1db6251e189e5966a4d
SHA1: 943372d44cb9b162b9c98d9b5a7241642c44bb80
SHA256: 96ca097b0daff949826f3611116c7efc41343ad15cc76b96db1eeac3c01a3608
SSDEEP: 1536:sgEuWlEyVc/3h2PDAu3h9a1NCVDd6BVssS5Nq5:t9Wlg/R2PDAu92ssS5Nq5
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Misc_Suspicious_Strings | YRP/DebuggerCheck__QueryInfo | YRP/inject_thread | YRP/network_udp_sock | YRP/network_tcp_listen | YRP/network_smtp_raw | YRP/network_irc | YRP/network_http | YRP/network_tcp_socket | YRP/network_dns | YRP/escalate_priv | YRP/screenshot | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/MD5_Constants | YRP/BASE64_table | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | YRP/Str_Win32_Http_API
Source
http://94.130.104.170/illusion_bot//BOTBINARY.EXE
http://94.130.104.170/illusion_bot/BOTBINARY.EXE
Strings