Sample details: d75c486b0131c6fbfe861aa58e5a297a

Hashes
MD5: d75c486b0131c6fbfe861aa58e5a297a
SHA1: b64f12af3d952fa53090e04a419ea51363811581
SHA256: eb2334d4bd702b655c4997a44671f6ba0045cb1ca44969183725ceed8e8ee581
SSDEEP: 768:OSzTMXjo3hipqlUacVsG0ErcAZWmr/BjmiC9suJ8rbXnbcuyD7Uz:N0Xjo3EpqTcVhb/hm9su4jnouy8z
Details
File Type: PE32
Yara Hits
YRP/UPXv20MarkusLaszloReiser
YRP/UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
YRP/UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
YRP/IsPE32
YRP/IsWindowsGUI
YRP/maldoc_find_kernel32_base_method_1
YRP/domain
YRP/url
YRP/contentis_base64
YRP/network_tcp_socket
YRP/network_dns
YRP/escalate_priv
YRP/cred_local
YRP/win_registry
YRP/win_token
YRP/win_files_operation
YRP/MD5_Constants
YRP/Str_Win32_Winsock2_Library
YRP/Str_Win32_Wininet_Library
YRP/UPX
YRP/suspicious_packer_section
YRP/pony
FlorianRoth/DragonFly_APT_Sep17_3
BAMFDetect/pony
Strings
		!This program cannot be run in DOS mode.
PSQRWV
^_ZY[X
VWPSQR
ZY[X_^
GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s
SVWhSh@
t>h?h@
UPhwG@
t)h2p@
@tkhZp@
t"hLp@
http://mainserver.com/gate.php
http://batsyla1.lisx.ru/xxx.exe
YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
UninstallString
DisplayName
Software\WinRAR
kernel32.dll
WTSGetActiveConsoleSessionId
ProcessIdToSessionId
netapi32.dll
NetApiBufferFree
NetUserEnum
ole32.dll
StgOpenStorage
advapi32.dll
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
CredEnumerateA
CredFree
CryptGetUserKey
CryptExportKey
CryptDestroyKey
CryptReleaseContext
RevertToSelf
OpenProcessToken
ImpersonateLoggedOnUser
GetTokenInformation
ConvertSidToStringSidA
LogonUserA
LookupPrivilegeValueA
AdjustTokenPrivileges
CreateProcessAsUserA
crypt32.dll
CryptUnprotectData
CertOpenSystemStoreA
CertEnumCertificatesInStore
CertCloseStore
CryptAcquireCertificatePrivateKey
msi.dll
MsiGetComponentPathA
pstorec.dll
PStoreCreateInstance
userenv.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
shell32.dll
SHGetFolderPathA
My Documents
AppData
Local AppData
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
explorer.exe
S-1-5-18
SeImpersonatePrivilege
SeTcbPrivilege
SeChangeNotifyPrivilege
SeCreateTokenPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
GetNativeSystemInfo
kernel32.dll
IsWow64Process
ESTdb2.dat
QData.dat
\Estsoft\ALFTP
r`l`oui`
lhbidmmd
dlhodl
rbnnuds
`reg`reg
eh`lnoe
l`yvdmm
ktruho
bihbjdo
e`ohdmmd
hmnwdxnt3
gtbjngg
qshobd
ktohns
s`hocnv
003322
gtbjxnt0
ohoudoen
qd`otu
bitsbi
ctccmdr
sncdsu
333333
edruhox
mnwhof
fgikjl
lxmnwd
k`rqds
032230
bnb`bnm`
idmqld
ohbnmd
fthu`s
chmmf`udr
mnnjhof
rbnncx
knrdqi
fdodrhr
dll`otdm
b`rrhd
whbunsx
q`rrv1se
gnnc`s
hmnwdfne
o`ui`o
cm`cm`
ehfhu`m
qd`bidr
gnnuc`mm0
00000000
uitoeds
f`udv`x
hmnwdxnt 
gnnuc`mm
uhffds
bnswduud
jhmmds
bsd`uhwd
032547698
fnnfmd
{ybwcol
ru`susdj
`rimdx
biddrd
rtorihod
bishru
111111
rnbbds
pvdsux0
gshdoe
rtllds
0325476
ldsmho
03254769
knse`o
edyuds
vhoods
rq`sjx
vhoenvr
032`cb
`ouinox
ficeuo
inuenf
c`rdc`mm
q`rrvnse0
es`fno
ustruon0
houdsodu
ltruehd
mduldho
johfiu
knse`o32
`cb032
sde032
qs`hrd
gsddenl
kdrtr0
mnoeno
bnlqtuds
lhbsnrngu
ltggho
lnuids
l`ruds
000000
p`{vry
r`ltdm
b`o`e`
rm`xds
s`bidm
nodmnwd
pvdsux
qs`xds
hmnwdxnt0
vi`udwds
q`rrvnse
cmdrrhof
ronnqx
0p3v2d5s
bnnjhd
bidmrd`
qnjdlno
i`i`i`
``````
i`sebnsd
ri`env
vdmbnld
ltru`of
745230
c`hmdx
cm`icm`i
l`ushy
kdrrhb`
rudmm`
cdok`lho
udruhof
rdbsdu
ushohux
shbi`se
ri`mnl
lnojdx
hmnwdxnt
uinl`r
cmhoj093
k`rlhod
qtsqmd
`ofdmr
cmdrrde
0325476981
id`wdo
itouds
qdqqds
knio207
ctruds
`oesdv
fhofds
6666666
inbjdx
idmmn0
`ofdm0
rtqdsl`o
e`ohdm
032032
gnsdwds
onuihof
e`jnu`
jhuudo
c`o`o`
gmnvds
u`xmns
mnwdmx
i`oo`i
qshobdrr
bnlq`p
kdoohgds
lxrq`bd0
rlnjdx
l`uuidv
i`smdx
snuhlh
gtbjxnt
rnbbds0
032547
rhofmd
knrit`
032pvd
ru`sv`sr
rhmwds
`truho
lhbi`dm
`l`oe`
bi`smhd
c`oehu
l`ffhd
l`wdshbj
nomhod
rqhshu
fdnsfd
gshdoer
e`mm`r
`ehe`r
0p3v2d
ns`ofd
udruudru
`rrinmd
chudld
777777
vhmmh`l
lhbjdx
`regfi
vhrenl
c`ul`o
Client Hash
STATUS-IMPORT-OK
%d.exe
%d.bat
      "%s"   
ShellExecuteA
	   :ktk   
     del    	 %1  
	if  		 exist 	   %1  	  goto 	
 del 	  %0 
shell32.dll
CreateFileA
ReadFile
CloseHandle
WriteFile
lstrlenA
GlobalLock
GlobalUnlock
LocalFree
LocalAlloc
GetTickCount
lstrcpyA
lstrcatA
GetFileAttributesA
ExpandEnvironmentStringsA
GetFileSize
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
LoadLibraryA
GetProcAddress
GetTempPathA
CreateDirectoryA
DeleteFileA
GetCurrentProcess
WideCharToMultiByte
GetLastError
lstrcmpA
CreateToolhelp32Snapshot
Process32First
OpenProcess
Process32Next
FindFirstFileA
lstrcmpiA
FindNextFileA
FindClose
GetModuleHandleA
GetVersionExA
GetLocaleInfoA
GetSystemInfo
GetModuleFileNameA
LCMapStringA
ExitProcess
SetUnhandledExceptionFilter
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegOpenKeyA
RegEnumKeyExA
RegCreateKeyA
RegSetValueExA
IsTextUnicode
RegOpenCurrentUser
GetUserNameA
CreateStreamOnHGlobal
GetHGlobalFromStream
CoCreateGuid
OleInitialize
ShellExecuteA
StrStrIA
StrRChrIA
StrToIntA
ObtainUserAgentString
wsprintfA
LoadUserProfileA
UnloadUserProfile
InternetCrackUrlA
InternetCreateUrlA
inet_addr
gethostbyname
socket
connect
closesocket
select
setsockopt
WSAStartup
`.data
+IX>Fq
28wy1n
QIkW$D
4T*)mt
\,h'(k
Ke!ihiY
h=JcZ$I
3iing?=X
1d*(	2z{
w"lU_7o
jnA|{_
FFSh,v
t$t#t$l
D$t#D$h
D$t+D$\
.)D$H)
s`)L$4
D$t+D$\
9l$\w_
XPTPSW
KERNEL32.DLL
advapi32.dll
ole32.dll
shell32.dll
shlwapi.dll
urlmon.dll
user32.dll
userenv.dll
wininet.dll
wsock32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
RegCloseKey
CoCreateGuid
ShellExecuteA
StrStrIA
ObtainUserAgentString
wsprintfA
LoadUserProfileA
InternetCrackUrlA