Sample details: d6725d6f8c84afcb2e7eabe4683e0512

Hashes
MD5: d6725d6f8c84afcb2e7eabe4683e0512
SHA1: 3506ce5c88ee880b404618d7759271ded72453fe
SHA256: e3e057465bb3a5ca29b4d3d4b0aafbad57506ee231e511fc1d6c2866dc4b0ec2
SSDEEP: 192:XDxQ0GZ0x3Kftt7aKFlxFjqU5ljTjGczpYp:TxHGmBK6gbqinjYp
Details
File Type: MS-DOS
Added: 2018-03-07 02:50:59
Yara Hits
YRP/IsPE32 | YRP/IsDLL | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasModified_DOS_Message | YRP/domain | YRP/contentis_base64 | YRP/suspicious_packer_section | FlorianRoth/DragonFly_APT_Sep17_3
Source
http://94.130.104.170/payload.dll
Strings
		!Win32 .DLL.
.MPRESS1
.MPRESS2
v2.19+#Q 
aeg@4$
OGBBq\@R
808L@0
~9h`M*0bL
WIW$PA
,stu5u
 SSSQ3
uC*	0B
Psj<_Z
UH	$PSSD
_gN,.21
ntdll@.
QuerAy<[W
PathUn
quoteSpa
CmpNI$#
RPCRT4
heckSumM
appe1!
USERENV
Temp-p@
Count0aU
Errorit	0A
ER#eg5\ExW8
#yl<U#Q
HTTP/1.0
Host:H0
Type: V!
ww-form-
urlenc2
|Length]
IsWow64~
tware\cl
alserv0er
02B4-09C
A-4bb6-B
78D-A8F5
9079A8D5
M`micrIo4
&H!tmp
S2g2 V
%s %s HTTP/1.0
Host: %s
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: %u
_beginthreadex
msvcrt.dll
IsWow64Process
kernel32
%1d.%1d.
GetModuleHandleA
GetProcAddress
KERNEL32.DLL
ntdll.dll
WS2_32.dll
SHLWAPI.dll
StrStrA
WININET.dll
InternetCrackUrlA
RPCRT4.dll
UuidCreateSequential
imagehlp.dll
CheckSumMappedFile
USERENV.dll
CreateEnvironmentBlock
ADVAPI32.dll
RegCloseKey
ole32.dll
CoInitialize
t7Kt'Kt