Sample details: b74aae3a441fec6888c5c9efcd5e0251

Hashes
MD5: b74aae3a441fec6888c5c9efcd5e0251
SHA1: 9ccdc802ece59cfaa7eebf9358c8b1e414e29057
SHA256: 53c57eb2a5bc43040c607372d13317aaa0a81949606a01c35ca248138d73bece
SSDEEP: 3072:8YmOdy5k0vJPi0er9Ozmbs+zHVhEZVhNyaF+lP6RHV0ZskDFIe1tjxYImvBhE:lVU5l+1kDkRPbjZmw
Details
File Type: PE32
Yara Hits
YRP/Armadillo_v171 | YRP/Microsoft_Visual_Cpp_v60 | YRP/Microsoft_Visual_Cpp_v50v60_MFC_additional | YRP/Microsoft_Visual_Cpp_50 | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Armadillo_v171_additional | YRP/Microsoft_Visual_Cpp | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasDebugData | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/Antivirus | YRP/VM_Generic_Detection | YRP/Dropper_Strings | YRP/inject_thread | YRP/create_service | YRP/network_tcp_socket | YRP/escalate_priv | YRP/rat_rdp | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Big_Numbers1 | YRP/BASE64_table | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API |
Source
http://219.147.91.86:8099/692.exe
Strings
		!This program cannot be run in DOS mode.
9kRichP
`.rdata
@.data
.idata
LJ360SD
@.reloc
u=h8UB
Q Rht-B
uGh 1B
~(9~$u
W(9W$u
tZ9H tU9H$tP
9_|t93
Fdf+Fh
D$(8D*
T$LPQR
|$HPWS
T$(PQR
T$DPVS
T$LRWS
L$LQVS
|$ WUSV
D$$SUV
T$,RWV
T$,RWV
T$,RWV
L$,QWV
T$,RWV
L$ RUPj
T+3x%A
;D$<s!
T$,PQhX
D$0QhL
{4_^]3
 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly 
								
 inflate 1.1.4 Copyright 1995-2002 Mark Adler 
WSAIoctl
WS2_32.dll
bad buffer
bad Allocate
bad buffer
KERNEL32.dll
\Temp\360SB\
Version
\Temp\360SB\
\Temp\360SB\
\Temp\360SB\
WinSta0\Default
WinSta0\Default
'G','H','O','S','T',' ','U','p','d','a','t','e'
RegQueryValueA
ADVAPI32.dll
Applications\iexplore.e
xe\shell\open\command
RegOpenKeyExA
ADVAPI32.dll
WinSta0\Default
OpenEventLogA
ADVAPI32.dll
Application
Security
System
SYSTEM\CurrentContr
olSet\Services\%s
SeDebugPrivilege
advapi32.dll
OpenSCManagerA
OpenServiceA
QueryServiceStatus
ControlService
StartServiceA
DeleteService
CloseServiceHandle
shlwapi.dll
SHDeleteKeyA
kernel32.dll
CloseHandle
SYSTEM\CurrentControlSet\Services\
RegQueryValueExA
ADVAPI32.dll
ADVAPI32.dll
RegOpenKeyExA
ADVAPI32.dll
RegOpenKeyExA
ADVAPI32.dll
%-24s %-15
%-24s %-
%-24s %-15s 0
x%x(%d) 
RegEnumKeyExA
ADVAPI32.dll
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
RegQueryValueExA
ADVAPI32.dll
RegOpenKeyA
ADVAPI32.dll
HARDWARE\DESCRIPTION\System\CentralProcessor\0
GetPriorityClass
KERNEL32.dll
capGetDriverDescriptionA
AVICAP32.dll
SYSTEM\CurrentControlSet\Services\%s
GetModuleHandleA
KERNEL32.dll
GetNativeSystemInfo
kernel32.dll
lSet\Services\
EM\CurrentContro
%s%s%s%s
GetVersionExA
KERNEL32.dll
GlobalMemoryStatus
KERNEL32.dll
GetVersionExA
KERNEL32.dll
GetSystemDirectoryA
KERNEL32.dll
OpenSCManagerA
ADVAPI32.dll
CONNECT 
http://
HTTP/1.0 200
\termsrv_t.dll
127.0.0.1
SeDebugPrivilege
SeDebugPrivilege
SeDebugPrivilege
SeDebugPrivilege
Console
SeDebugPrivilege
SeDebugPrivilege
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s
PortNumber
SeDebugPrivilege
Active
Disable
RegOpenKeyA
ADVAPI32.dll
00000%s
SAM\SAM\Domains\Account\Users\
RegOpenKeyA
ADVAPI32.dll
SAM\SAM\Domains\Account\Users\Names\
RegQueryValueExA
ADVAPI32.dll
RegOpenKeyA
ADVAPI32.dll
SAM\SAM\Domains\Account\Users\Names\%s
SeDebugPrivilege
sharedaccess
SeDebugPrivilege
fDenyTSConnections
SYSTEM\CurrentControlSet\Control\Terminal Server
WinExec
KERNEL32.dll
\termsrv_t.dll
GetModuleHandleA
KERNEL32.dll
\termsrv.dll
SeDebugPrivilege
SeDebugPrivilege
SeShutdownPrivilege
csrss.exe
drwtsn32.exe
SeShutdownPrivilege
\termsrv_t.dll
%SystemRoot%\system32\termsrv_t.dll
RegQueryValueExA
ADVAPI32.dll
2008R2
Windows %s SP%d
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
Find CPU infomation error
%dDay %dHour %dMin
RDP-Tcp
OpenSCManager Error!
TermService
OpenService Error!
QueryServiceStatus Error!
fDenyTSConnections
SYSTEM\CurrentControlSet\Control\Terminal Server
Win XP
ServiceDll
termsrv_t
\termsrv_t.dll
SeDebugPrivilege
SeDebugPrivilege
OpenProcessToken
ADVAPI32.dll
LookupAccountSidA
ADVAPI32.dll
GetVersionExA
KERNEL32.dll
OpenDesktopA
Winlogon
Mozilla/4.0 
(compatible)
InternetOpenUrlA
WININET.dll
WININET.dll
InternetOpenA
WININET.dll
InternetCloseHandle
WININET.dll
lstrlenA
KERNEL32.dll
SYSTEM\CurrentControlSet\Services\%s
lstrlenA
KERNEL32.dll
SYSTEM\CurrentControlSet\Services\%s
RegQueryValueExA
ADVAPI32.dll
RegOpenKeyA
ADVAPI32.dll
SYSTEM\CurrentControlSet\Services\
RegQueryValueEx(Type)
nsocket-di:%d
need dictionary
incorrect data check
incorrect header check
invalid window size
unknown compression method
invalid bit length repeat
too many length or distance symbols
invalid stored block lengths
invalid block type
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
invalid distance code
invalid literal/length code
incomplete dynamic bit lengths tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed literal/length tree
empty distance tree with lengths
incomplete distance tree
oversubscribed distance tree
.?AVtype_info@@
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
GetProcAddress
LoadLibraryA
InitializeCriticalSection
VirtualAlloc
ResetEvent
CreateEventA
CloseHandle
WaitForSingleObject
SetEvent
CancelIo
LocalAlloc
LocalReAlloc
lstrlenA
ReadFile
GetFileSize
CreateFileA
GetFileAttributesA
GetWindowsDirectoryA
LocalFree
LocalSize
WriteFile
SetFilePointer
CreateProcessA
lstrcpyA
GetCurrentProcess
CreateRemoteThread
WriteProcessMemory
VirtualAllocEx
lstrcatA
FreeLibrary
OpenProcess
GetLastError
TerminateThread
ResumeThread
SetThreadPriority
GetCurrentThread
SetPriorityClass
DeleteFileA
MoveFileExA
MoveFileA
GetTickCount
GetTempPathA
HeapAlloc
GetProcessHeap
VirtualProtect
IsBadReadPtr
HeapFree
QueryPerformanceCounter
QueryPerformanceFrequency
GetThreadPriority
GetSystemInfo
GetLocalTime
OpenEventA
CreateMutexA
CopyFileA
GetSystemDirectoryA
GetModuleFileNameA
CreateThread
MultiByteToWideChar
WideCharToMultiByte
lstrcpyW
GetVersionExA
GlobalMemoryStatusEx
lstrcmpiA
Process32Next
Process32First
CreateToolhelp32Snapshot
Module32Next
Module32First
GetDiskFreeSpaceExA
GetDriveTypeA
GetCurrentThreadId
SetLastError
KERNEL32.dll
wsprintfA
ExitWindowsEx
SendMessageA
GetWindowThreadProcessId
IsWindowVisible
EnumWindows
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetUserObjectInformationA
GetThreadDesktop
PostMessageA
USER32.dll
RegCloseKey
CloseEventLog
ClearEventLogA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
DeleteService
OpenServiceA
RegDeleteValueA
RegDeleteKeyA
RegSetValueExA
RegEnumValueA
SetServiceStatus
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
CloseServiceHandle
StartServiceA
UnlockServiceDatabase
ChangeServiceConfig2A
LockServiceDatabase
CreateServiceA
RegOpenKeyExA
ControlService
QueryServiceStatus
AbortSystemShutdownA
GetUserNameA
GetTokenInformation
ADVAPI32.dll
SHGetSpecialFolderPathA
SHELL32.dll
??3@YAXPAX@Z
memcpy
memmove
__CxxFrameHandler
_CxxThrowException
strlen
strstr
memset
??2@YAPAXI@Z
memcmp
strcpy
malloc
strcat
strrchr
realloc
_except_handler3
strncat
strchr
strncmp
strncpy
strcmp
_errno
mbstowcs
wcslen
wcstombs
wcscpy
sprintf
_mbsstr
_mbscmp
_beginthreadex
_snprintf
calloc
MSVCRT.dll
??1type_info@@UAE@XZ
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
__dllonexit
_onexit
WS2_32.dll
GetIfTable
iphlpapi.dll
NetUserSetInfo
NetUserGetLocalGroups
NetApiBufferFree
NetUserGetInfo
NetUserEnum
NetLocalGroupAddMembers
NetUserAdd
NetUserDel
NETAPI32.dll
WTSLogoffSession
WTSDisconnectSession
WTSQuerySessionInformationA
WTSFreeMemory
WTSQuerySessionInformationW
WTSEnumerateSessionsA
WTSAPI32.dll
GetModuleHandleA
GetStartupInfoA
_mkdir
_stricmp
_strnicmp
_strcmpi
EnterCriticalSection
KERNEL32.dll
LeaveCriticalSection
KERNEL32.dll
InterlockedExchange
KERNEL32.dll
GetModuleFileNameA
KERNEL32.dll
GetShortPathNameA
KERNEL32.dll
GetEnvironmentVariableA
KERNEL32.dll
SeShutdownPrivilege
SeShutdownPrivilege
COMSPEC
 /c del 
 > nul
OpenSCManagerA
ADVAPI32.dll
SetFileAttributesA
KERNEL32.dll
GetSystemDirectoryA
KERNEL32.dll
%s.exe
%s\%x.sg
/vbwArS0sqe9sLCxsb388QSf
sa+np58=
4wIF/vL7858=
DirectX jrq
DirectX Remover yta for Windows(R).
Microsoft(R) DirectX mid for Windows(R).
13580ebcdc67eeb0625dff486a78031f
OpenSCManagerA
ADVAPI32.dll
RegOpenKeyA
ADVAPI32.dll
%c%c%c%c%c%c.sys
SYSTEM\CurrentControlSet\Services\
Description
SYSTEM\CurrentControlSet\Services\
HrCg@b	g(
HrCg@b	g(
HrCg@b	g(
;%;,;4;9;?;F;
<J=V=w=
=$>0>b>
7/7'8,8
;c;i;s=
6	767P7w7
8'9O9p9
93:9:A:F:u:{:
3M4R4X4_4
7%7]7d7
8G8N8_8g8u8
:*:7:B:O:Z:g:r:
;!;1;B;G;Q;b;};
<"=8=>=S=j=~=
>">L>S>e>|>
0#0'0+0/030
1*1K1d1j1w1
2$2,232\2o2~2
3 3Q3d3i3n3{3
3$4O4b4
=1=8=z=
8&8.83898@8k8
;e=j=p=w=
Z0&1a1
222F2s2
7r8w8}8
9$92999A9H9R9\9
:%;`;m;
2M2k2r2
3)3;3L3v3
4$4.484B4L4U4Z4a4g4v4|4
5"5,555;5B5M5S5]5l5v5
6.6A6H6`6g6l6q6
707B7f7
9!9>9c9t9
:/:i:}:
121<1Z1d1
8!858y8
9O9c9~9
99:G:V:~:
:t;T<q<
>8?o?y?
:0D0Y0k0x0
1L1S1z1
2)282W2
4)4.444|4F6U6
10151;1B1G1[1`1f1m1r1~1
4 404I4
<+>0>:>
>X?]?g?
?0D0N0
0>1C1M1
2a2f2p2
3f3k3u3
3e4j4t4
4<5A5K5
5(6-676
64797C7
0<0O0|0
1'2>2|2
8/8E8U8`8g8w8
:(:5:n:&;8;=;C;J;Z;d;p;
<2<A<'=
:=;T;^;q;
>,>K>n>
0	1(1`1
2/3\3o3t3z3
3+4H4[4k4u4
4)5Q5V5c5j5
656Q6h6r6|6
:8:E:N:W:_:d:q:z:
;.;3;9;@;z;
<)=C=J=a=
=#>/>G>
0"000:0?0O0a0k0
6"6(6m6
9(9-9L9Q9W9^9f9k9q9x9
;p;u;{;
>4>c>j>
>4?:?A?I?N?T?[?c?h?n?u?
1]1b1h1o1
2"2)2R2_2
3$363|6
;-;B;o;
? ?&?-?2?9?B?I?P?]?o?
010D0m0 1+1h1s1
2@2J2P2Y2_2f2k2r2{2
3#3-363=3E3L3S3Y3b3j3r3y3
152h2l2p2t2x2|2
456:8@8e8q8
)3K3_3"8D8X8`<
E0J067
=@?D?H?L?P?T?X?\?`?d?
6*6S6m6
< <&<,<2<8<><D<J<P<V<\<b<h<n<t<z<
="=(=.=4=:=@=F=L=R=X=^=d=j=p=v=|=
>$>*>0>6><>B>H>N>T>Z>`>f>l>r>x>~>
?B?H?N?T?Z?`?f?l?r?x?~?
<0B0H0N0T0Z0
131:1A1H1N1V1\1c1j1u1|1
2.2>2^2d2j2p2v2|2
3 3&3,32383>3D3J3P3V3\3b3h3n3t3z3
=6=U=_=
0,0L0P0X0\0d0h0x0
0L1P1`1h1l1p1t1
4$444H4P4
5 5(5X5l5x5
6,606D6X6t6
707D7P7X7
848<8X8t8|8
9(909`9t9
:4:@:\:
1 1$1@5
9 9$9(9,90949
5.0(1)\Server\svchost\Release\Server.pdb