Sample details: c9f61c363ce0d803f42d0841a50e64be --

Hashes
MD5: c9f61c363ce0d803f42d0841a50e64be
SHA1: 1eb77e69a4f08a94d1549d717a2e425983776468
SHA256: 048bce5703b22b3671a46a64f16e095590a9740667a18570ded527d747da8242
SSDEEP: 1536:C7qAQufPE0XLh78MufCMxZ+sr+LEk2riR:GHfPEuLVlufCmMsr+LEkn
Details
File Type: PE32
Yara Hits
YRP/Borland_Delphi_40_additional | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Borland_Delphi_30_additional | YRP/Borland_Delphi_30_ | YRP/Borland_Delphi_Setup_Module | YRP/Borland_Delphi_40 | YRP/Borland_Delphi_v40_v50 | YRP/Borland_Delphi_v30 | YRP/Borland_Delphi_DLL | YRP/Borland | YRP/IsPE32 | YRP/IsConsole | YRP/HasOverlay | YRP/borland_delphi | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/keylogger | YRP/win_registry | YRP/win_files_operation | YRP/Delphi_CompareCall | YRP/Delphi_Copy |
Source
http://52.161.26.253/10523.malware
Strings
		This program must be run under Win32
.idata
.rdata
P.reloc
P.rsrc
StringX
TObject
YZ]_^[
YZ]_^[
_^[YY]
YZ]_^[
C<"u1S
Q<"u8S
~KxI[)
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
ZTUWVSPRTj
kernel32.dll
GetLongPathNameA
Software\Borland\Locales
Software\Borland\Delphi\Locales
_^[YY]
	Exception L@
EHeapException
EOutOfMemory
EInOutError0M@
	EExternal
EExternalException
	EIntError
EDivByZero
ERangeError
EIntOverflow
EMathError
EInvalidOp
EZeroDivideTP@
	EOverflow
EUnderflow
EInvalidPointer`Q@
EInvalidCast
EConvertError
EAccessViolation
EPrivilege
EStackOverflow
	EControlC
EVariantError
EAssertionFailed
EAbstractError
EIntfCastError
ESafecallException
SysUtils
SysUtils
<*t"<0r=<9w9i
INFNAN
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
_^[YY]
_^[YY]
$YZ_^[
QQQQQQSVW3
QQQQQSVW
_^[YY]
	TErrorRec
TExceptRec
m/d/yy
mmmm d, yyyy
:mm:ss
kernel32.dll
GetDiskFreeSpaceExA
PrinterInstallerLauncher
Printer Installer Client Launcher
<NONE>
<NONE>
 /qn /norestart NOCONFIG=1 REINSTALLMODE=vmous ADDLOCAL=ALL REINSTALL=ALL REBOOT=REALLYSUPPRESS ALLUSERS=1 /i "
<NONE>
QQQQQQQ3
msiexec.exe
PrinterInstallerClient.msi
<NONE>
Runtime error     at 00000000
0123456789ABCDEF
kernel32.dll
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetVersion
GetCurrentThreadId
WideCharToMultiByte
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
user32.dll
GetKeyboardType
LoadStringA
MessageBoxA
CharNextA
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
oleaut32.dll
SysFreeString
kernel32.dll
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
kernel32.dll
WriteFile
WaitForSingleObject
VirtualQuery
SetLastError
GetVersionExA
GetThreadLocale
GetSystemDirectoryA
GetStringTypeExA
GetStdHandle
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetDiskFreeSpaceA
GetCPInfo
GetACP
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
EnumCalendarInfoA
CreateProcessA
CloseHandle
user32.dll
MessageBoxA
LoadStringA
GetSystemMetrics
CharNextA
CharToOemA
kernel32.dll
advapi32.dll
StartServiceA
QueryServiceStatus
OpenServiceA
OpenSCManagerA
ControlService
CloseServiceHandle
0,080<0@0D0H0L0P0T0b0j0r0z0
1"1*121:1B1n1v1~1
7"8?8J8U8]8g8q8{8
9%90969C9I9c9j9t9~9
:#:B:Z:b:
;';E;o<|<
>7><>B>
?1?W?c?k?
0%0-030<0C0H0N0a0j0
1*1:1Z1r1
2.242<2
2%3,3<3F3L3T3Z3`3g3q3
4A4_4k4s4
5G5`5y5
0"060@0S0
0)101R1
173_3f3~3
626G6Q6V6u6z6
7#7I7V7
0	1#1q1
3*3j3q3
5"5/565:5@5D5J5Q5U5o5x5
666`6n6s6
7.7;7G7T7f7n7v7~7
8&8.868>8F8N8V8^8s8
9$9,949<9D9L9T9\9d9l9t9|9
:$:,:4:<:D:L:T:\:d:l:t:|:
;$;,;;;G;T;f;l;x;
<0<P<X<\<`<d<h<l<p<t<x<
= =$=(=,=<=\=d=h=l=p=t=x=|=
> >$>(>,>0>4>8><>L>l>t>x>|>
? ?(?,?0?4?8?<?@?D?H?X?x?
0(0004080<0@0D0H0L0P0`0
141<1@1D1H1L1P1T1X1\1p1
2,2L2T2X2\2`2d2h2l2p2t2
3 3$3(383X3`3d3h3l3p3t3x3|3
4 4$4(4,4044484<4P4p4x4|4
5!505=5E5h5
;!;%;);-;1;5;9;=;A;E;I;M;Q;U;Y;%<,<
>*?Y?t?x?|?
7&7K7}7
8"848^8r8
:&:?:N:g:
<)=D=M=
> ?7?Y?g?n?
/0M0x0
4F4M4W4]4d4n4s4y4~4
5!5*535<5d5m5v5|5
5 6:6X6q6
9%9,9>9C9S9]9
9,:B:k:y:
;=;K;j;
<A<c<r<
=(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
? ?$?,?0?8?<?D?H?P?T?\?`?h?l?t?x?
0 0(0,04080@0D0L0P0X0\0d0h0p0t0|0
1&111;1F1P1[1e1o1u1
2 2*242>2H2R2d2{2
3&3.363>3F3N3V3c3o3|3
4m4q4u4y4}4
5K5@6'7H7
888F8w8
9@9U9Z9t9<:W:
< <$<(<,<0<4<8<<<@<H<S<[<
,00040
1 1$1(1<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
2$2,242<2D2L2T2\2d2l2t2|2
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3
4 4$4(4,4044484
{<:y&q?	
PrinterInstallerClientUpdater
WinSvc
System
SysInit
KWindows
UTypes
3Messages
SysConst
unitPPPLauncherServiceControl
SysUtils
NunitMain
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="PrinterInstallerClientUpdater" type="win32"></assemblyIdentity>
  <description>Printer Installer Support File</description>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker"></requestedExecutionLevel>
      </requestedPrivileges>
     </security>
  </trustInfo>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
    </application>
  </compatibility>
</assembly>PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD0
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
160202000000Z
181115235959Z0
847701
Saint George1
912 W 1600 S1
PrinterLogic1
PrinterLogic1
PrinterLogic0
https://secure.comodo.net/CPS0C
2http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
2http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
http://ocsp.comodoca.com0
;7Vhtz
-SrI|m{
T};Bg<
AddTrust AB1&0$
AddTrust External TTP Network1"0 
AddTrust External CA Root0
000530104838Z
200530104838Z0
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
HCgNr*
3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
http://ocsp.usertrust.com0
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
130509000000Z
280508235959Z0}1
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
;http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
http://ocsp.comodoca.com0
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA
http://www.printerlogic.com 0
20161221220121Z
Greater Manchester1
Salford1
COMODO CA Limited1,0*
#COMODO SHA-256 Time Stamping Signer
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object0
151231000000Z
190709184036Z0
Greater Manchester1
Salford1
COMODO CA Limited1,0*
#COMODO SHA-256 Time Stamping Signer0
fO\r6{
'1Oqtn
lZGfD{
1http://crl.usertrust.com/UTN-USERFirst-Object.crl05
http://ocsp.usertrust.com0
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object
161221220121Z0+