Sample details: c8ea0ccf60ef3dd59a039411bf374ba6

Hashes
MD5: c8ea0ccf60ef3dd59a039411bf374ba6
SHA1: 7fc55d453028d16e2f633db19f57cdf709915c7d
SHA256: 00a128838e27965db7736f884b11cccb39ee6d889774018e1b20660817ee63e3
SSDEEP: 384:WS/xmyyoRnzvs2xFRaYyihUz/qg4a04uCHopegBd0xZ:WumszELYN+7xhrgXY
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Borland_Delphi_30_additional | YRP/Borland_Delphi_30_ | YRP/Borland_Delphi_v40_v50 | YRP/Borland_Delphi_v30 | YRP/Borland_Delphi_DLL | YRP/IsPE32 | YRP/IsDLL | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/DebuggerCheck__QueryInfo | YRP/anti_dbg | YRP/win_files_operation | YRP/BASE64_table | FlorianRoth/DragonFly_APT_Sep17_3 |
Source
http://wuenschejetzterfuellen.com/Plugins/pipe32.dll
http://wuenschejetzterfuellen.com/Plugins/pipe32.dll
Strings (raw extraction: readable artifacts are listed alongside unreadable byte runs and section names)
		!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
t+Ft(Vj@
AA<=u	
VWjhj@
Ht)Hu_
<\u_G;
<a|*<f
},"plugin_
User-Agent
Max-Forwards
Mozilla/4.0 (IE 11.0; Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Mozilla/4.0 (IE 11.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/2.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; Ant.com Toolbar 1.6; MSIECrawler)
Mozilla/2.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 Iceweasel/35.0a2
Mozilla/3.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.1) Gecko/20061205 Iceweasel/2.0.0.1 (Debian-2.0.0.1+dfsg-4)
Mozilla/3.0 (X11; U; Linux i686; pt-PT; rv:1.9.2.3) Gecko/20100402 Iceweasel/3.6.3 (like Firefox/3.6.3) GTB7.0
Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1090.0 Safari/536.6
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
User-Agent: 
Max-Forwards: 
connect
socket
closesocket
gethostbyname
WSAStartup
inet_addr
inet_pton
Transfer-Encoding: 
Content-Length: 
chunked
 HTTP/1.1
Host: 
Cookie: 
Connection: 
keep-alive
aegislabs
agnitum
ahnlab
alibaba
antiy-avl
avast!
arcabit
antivir
avware
bitdefender
bytehero
quick heal
zonealarm
clamav
comodo
crowdstrike
endgame
emsisoft
fortinet
f-prot
the hacker
virobot
ikarus
invincea
nprotect
f4cky0ukasperskyyouwillnevergetfr3shsampleofthisbl4cken3rgy
jiangmin
k7antivirus
kingsoft
ad-aware
malwarebytes
mcafee
panda platinum
qihoo 360
rising
sentinelone
sophos
superantispyware
symantec
tencent
totaldefense
kaspersky
trendmicro
trustlook
zillya
webroot
whitearmor
plugin_execute
plugin_update
plugin_miner
plugin_brute
plugin_stealer
plugin_getinfo
plugin_injects
plugin_social_spreader
plugin_ddos
plugin_spam
plugin_ads
plugin_userkit
plugin_backconnect
plugin_network_spreader
/Panel/callback.php
185.177.59.179
RtlExpandEnvironmentStrings_U
RtlEnterCriticalSection
NtWriteFile
NtQuerySystemInformation
NtFsControlFile
NtQueryInformationProcess
NtWaitForSingleObject
NtQueryVolumeInformationFile
NtCreateFile
RtlNtStatusToDosError
NtClose
NtDelayExecution
NtFlushBuffersFile
RtlLeaveCriticalSection
NtCreateNamedPipeFile
LdrLoadDll
NtOpenFile
RtlInitializeCriticalSection
NtReadFile
RtlDosPathNameToNtPathName_U
ntdll.dll
GlobalSize
GlobalAlloc
IsDBCSLeadByte
GlobalFree
GlobalReAlloc
KERNEL32.dll
wsprintfW
wsprintfA
USER32.dll
IsDebuggerPresent
IsProcessorFeaturePresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
memset
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
3 393C3
1 1*1>1H1R1
2,252\2J3
5%545Q5c5j5
1 1'1.151<1C1J1
2)353<3F3M3W3^3h3o3y3
4*474A4W4y4
828P8^8
0y0j1|1
2$2.2G2w2
4S5[5a5y576E6O6]6t6
<+<2<E<}<
=(=8=H=Q=
>&>+>8>F>M>Z>c>l>r>
0@0D0H0L0P0X0\0`0d0h0l0
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1