Sample details: a2d0565ab19977174fb32eb5a437a0ca

Hashes
MD5: a2d0565ab19977174fb32eb5a437a0ca
SHA1: 18ab4419a23792b6cbc579f7dada116fd2b9555c
SHA256: 291b294ae62be53f0d61989367f2a1a3c9cb8bc8efa1b413b54a467fde3345bb
SSDEEP: 384:1f2vD1KQ7TVnHIJJfkUx1QWmoRSYqpG5V6plHWa+IB+xs:h2BDVnHIJ1/moRqpG5srHWC++
Details
File Type: MS-DOS (MZ executable; the IsPE32 and IsWindowsGUI hits below identify it as a PE32 Windows GUI program)
Added: 2018-03-06 19:34:40
Yara Hits
YRP/NsPack_v37_North_Star | YRP/NsPack_v37_North_Star_h | YRP/NsPack_v37_North_Star_h_additional | YRP/NsPacK_V37_LiuXingPing_additional | YRP/NSPack_3x_Liu_Xing_Ping_additional | YRP/NsPacK_V37_LiuXingPing | YRP/NsPack_3x_Liu_Xing_Ping | YRP/NsPacKV37LiuXingPing | YRP/Upackv039finalDwing | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasOverlay | YRP/IsBeyondImageSize | YRP/HasModified_DOS_Message | YRP/maldoc_getEIP_method_1 | YRP/domain | YRP/contentis_base64 | YRP/network_dropper | YRP/keylogger | YRP/win_registry | YRP/suspicious_packer_section | FlorianRoth/DragonFly_APT_Sep17_3
Source
http://52.161.26.253/10218.malware
Strings
MZKERNEL32.DLL
LoadLibraryA
GetProcAddress
GetProcAddress
KERNEL32.DLL
USER32.DLL
ADVAPI32.DLL
OLEAUT32.DLL
KERNEL32.DLL
KERNEL32.DLL
ADVAPI32.DLL
OLE32.DLL
KERNEL32.DLL
URLMON.DLL
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
GetKeyboardType
RegQueryValueExA
SysFreeString
TlsSetValue
GetTickCount
StartServiceA
CoInitialize
WinExec
URLDownloadToFileA
sNbUdD
@@9A	@J
U,.-.._
t|hMDw
>C9,pC
\<*0wa
no*^QdH
&J24jo
)/QoK4m
'[YM-u
Y*Pt+>
a~PBTp
!.17%F
Frp0iH
Am[;_r
91KQacX
Er|=V_r
5%BOxm
T-~otz
t*>PCT
E:)5CJ
0`b~Gs
uer{#i
H :-&V
CgG89r
iB->OyC&
meW?g =
yWpv^+(
UJ'qpI
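Triage script (added example; this is not code from the page, from the sample's source, or from the YRP rule set). It re-derives, from a file on disk, the facts behind the YARA hits above with a stdlib-only PE header walk: IsPE32 and IsWindowsGUI from the optional header, HasOverlay from data past the last section's raw bytes, IsBeyondImageSize from file size versus SizeOfImage, HasModified_DOS_Message from the absence of the usual stub text, suspicious_packer_section from a section flagged read/write/execute. These are this script's own approximations, not the rule bodies. It also checks the file against the page's MD5/SHA1/SHA256 and runs a strings pass for the imports listed under Strings, treating URLDownloadToFileA together with WinExec as a download-and-execute pair, consistent with the network_dropper hit. The "MZKERNEL32.DLL" string on the page is an import name written directly over the DOS header fields after the MZ signature (the loader reads only e_magic and e_lfanew from that header), so the script tests for that too. The sample bytes it builds are constructed for demonstration; the real file's contents are not reproduced, so the hash check reports False on them. SSDEEP is not reproduced (it needs the ssdeep library).

```python
"""Added triage example for this page's sample (not the page's or YRP's code); stdlib only."""
import hashlib
import re
import struct

PAGE_HASHES = {  # exactly as listed under "Hashes" on the page
    "md5": "a2d0565ab19977174fb32eb5a437a0ca",
    "sha1": "18ab4419a23792b6cbc579f7dada116fd2b9555c",
    "sha256": "291b294ae62be53f0d61989367f2a1a3c9cb8bc8efa1b413b54a467fde3345bb",
}
# Imports from the page's Strings section that on their own indicate capability.
CAPABILITY_APIS = ("URLDownloadToFileA", "WinExec", "StartServiceA",
                   "RegQueryValueExA", "VirtualProtect", "VirtualAlloc")
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
RWX = 0xE0000000  # IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def hash_matches_page(data: bytes) -> dict:
    """Per algorithm: is this file byte-identical to the sample the page describes?"""
    got = {name: hashlib.new(name, data).hexdigest() for name in PAGE_HASHES}
    return {name: got[name] == want for name, want in PAGE_HASHES.items()}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs, like strings(1) with its default minimum length of 4."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe(data: bytes) -> dict:
    """DOS header -> COFF header -> optional header -> section table; no pefile needed."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("latin-1"),
                         "raw_end": raw_ptr + raw_size,
                         "flags": struct.unpack_from("<I", data, off + 36)[0]})
    end_of_sections = max((s["raw_end"] for s in sections), default=0)
    return {
        "is_pe32": magic == 0x10B,                                    # IsPE32
        "is_gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,           # IsWindowsGUI
        "overlay_bytes": max(0, len(data) - end_of_sections),         # HasOverlay
        "beyond_image_size": len(data) > size_of_image,               # IsBeyondImageSize
        # 0x40..e_lfanew is the DOS stub; linkers put "This program cannot be run in DOS mode" there
        "modified_dos_message": b"This program" not in data[0x40:e_lfanew],
        "rwx_sections": [s["name"] for s in sections if s["flags"] & RWX == RWX],
    }


def triage(data: bytes) -> dict:
    """Header facts plus the hash check and capability imports from the strings pass."""
    present = set(extract_strings(data))
    caps = [api for api in CAPABILITY_APIS if api in present]
    return {
        **parse_pe(data),
        "hash_matches_page": hash_matches_page(data),
        "imports_in_dos_header": b"KERNEL32.DLL" in data[2:0x3C],   # the page's "MZKERNEL32.DLL"
        "capabilities": caps,
        "download_and_execute": {"URLDownloadToFileA", "WinExec"} <= set(caps),
    }


def build_constructed_sample() -> bytes:
    """CONSTRUCTED stand-in for the real sample (its bytes are not reproduced here)."""
    hdr = bytearray(0x200)
    dos = b"\0".join([b"KERNEL32.DLL", b"LoadLibraryA", b"GetProcAddress"]) + b"\0"
    hdr[:2 + len(dos)] = b"MZ" + dos                          # packer strings over the DOS header
    e_lfanew, opt = 0x80, 0x98                                # 0x40..0x80 stays blank: no stub text
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF: i386, 1 section, 0xE0-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", hdr, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<II", hdr, opt + 56, 0x2000, 0x200)     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", hdr, opt + 68, IMAGE_SUBSYSTEM_WINDOWS_GUI)
    sec = opt + 0xE0                                          # first section header
    hdr[sec:sec + 8] = b".nsp0".ljust(8, b"\0")
    struct.pack_into("<IIII", hdr, sec + 8, 0x1000, 0x1000, 0x200, 0x200)  # vsize, va, raw size/ptr
    struct.pack_into("<I", hdr, sec + 36, 0xE0000060)         # CODE | INITIALIZED_DATA | RWX
    body = bytearray(0x200)
    names = b"\0".join([b"URLMON.DLL", b"URLDownloadToFileA", b"WinExec", b"StartServiceA",
                        b"VirtualProtect", b"VirtualAlloc"]) + b"\0"
    body[:len(names)] = names
    return bytes(hdr + body + b"\xcc" * 0x2000)               # 0x2000-byte overlay past the section
```

Run triage(open(path, "rb").read()) against the actual file; build_constructed_sample() exists only so the script runs offline. On a genuine copy of the sample, hash_matches_page should be True for all three algorithms before any of the other fields are trusted, since a single appended byte changes the hashes while leaving every header fact intact.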