Sample details: e489248bf961352d6af07e6a3132ff45 --

Hashes
MD5: e489248bf961352d6af07e6a3132ff45
SHA1: abdb9566d08c5af8132dd093dabdc9b2124fc063
SHA256: 3e1665aa7d0e5097773b0c05671dcda6d39f1350a1d50d2d7a89c932ba99f9dd
SSDEEP: 768:rndHUbzO0oeap1nuzOWe7VXinWO+xxh6+6nnuRrCv:7uO+oUzOWiinurJRWv
Details
File Type: PE32
Yara Hits
YRP/Armadillo_v171 | YRP/Microsoft_Visual_Cpp_v60 | YRP/Microsoft_Visual_Cpp_v50v60_MFC_additional | YRP/Microsoft_Visual_Cpp_50 | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Armadillo_v171_additional | YRP/Microsoft_Visual_Cpp | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasDebugData | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/without_images | YRP/with_urls | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Dropper_Strings | YRP/network_smtp_raw | YRP/network_irc | YRP/network_dropper | YRP/network_dns | YRP/win_mutex | YRP/win_registry | YRP/win_files_operation | YRP/CRC32_poly_Constant | YRP/BASE64_table | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API |
Source
http://185.189.58.222/sp.exe
http://185.189.58.222/sp.exe
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
uCj?h$
u@j?h,
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
test123
webmaster
postmaster
contact
123456
1234567
12345678
123123
test123
test1234
admin1
Password1
password
1q2w3e
1q2w3e4r
q1w2e3r4
postmaster
administrator
test123
testuser
ftpuser
ftpadmin
support
backup
guest1
guest123
testing
upload
tester
testuser1
123456
1234567
12345678
123456789
1234567890
123123
admin1
admin123
admin1234
administrator
ftpadmin
ftpuser
guest1
guest123
Password1
passw0rd
password
password1
q1w2e3r4
q1w2e3r4t5
qwerty
qwerty123
temp123
test123
test1234
testing
upload
abc123
123qwe
1q2w3e
1q2w3e4r
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0
EHLO localhost
HELO localhost
AUTH LOGIN
MAIL FROM: hello@zmail.ru
RCPT TO: getmail@zmail.ru
Subject: hello
From: hello@zmail.ru
To: getmail@zmail.ru
smtp://%s|%s:%d|%s|%s
smtp://%s@%s|%s:%d|%s|%s
smtp://%s@%s|%s:%d|%s|%s
ftp://%s:%s@%s
ftp://%s:%s@%s
ftp://%s:%s@%s
ok.php
%u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
aol.com
Document #
Your Document #
Invoice #
Payment Invoice #
Order #
Your Order #
Payment #
Ticket #
Your Ticket #
Adolfo
Adolph
Adrian
Adrian
Adriana
Adrienne
Agustin
Aileen
Beulah
Beverley
Beverly
Bianca
Billie
Billie
Blaine
Blanca
Blanche
Bobbie
Bonita
Bonnie
Booker
Bradford
Bradley
Bradly
Deanna
Deanne
Debbie
Debora
Deborah
Deidre
Deirdre
Delbert
Ginger
Giovanni
Gladys
Glenda
Glenna
Gloria
Goldie
Gonzalo
Gordon
Humberto
Hunter
Ignacio
Imelda
Imogene
Tanisha
Tanner
Taylor
Taylor
Terence
Teresa
Bailey
Rivera
Cooper
Richardson
Howard
Torres
Peterson
Ramirez
Gonzalez
Nelson
Carter
Mitchell
Roberts
Turner
Phillips
Campbell
Parker
Edwards
Collins
Stewart
Sanchez
Morris
Rogers
Morgan
Murphy
Jackson
Harris
Martin
Thompson
Garcia
Martinez
Robinson
Rodriguez
Walker
Hernandez
Wright
Johnson
Williams
Miller
Wilson
Taylor
Anderson
Thomas
Watson
Brooks
Sanders
Bennett
Barnes
Henderson
Coleman
Jenkins
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
http://icanhazip.com/
[0.0.0.0]
%s.com
AUTH LOGIN
<%s%s@%s>
MAIL FROM: 
RCPT TO: <
Received: from %s ([%d.%d.%d.%d]) by %s with MailEnable ESMTP; %s
Received: (qmail %s invoked by uid %s); %s
From: 
Subject: 
Date: 
Message-ID: <
qmail@
Mime-Version: 1.0
%s_%s_%s
Content-Type: multipart/mixed; boundary= "
Content-Type: text/plain; charset=US-ASCII
Dear Customer,
to read your document please open the attachment and reply as soon as possible.
Kind regards,
 Customer Support
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename= "
DOC%d%d
185.189.58.222
%s %s "" "x" :%s
%s %s %s
%s %s :%s
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
http://api.wipmania.com/
fclose
fscanf
fprintf
_wfopen
strcat
strcpy
memset
strlen
strstr
sprintf
_snwprintf
malloc
strchr
strtok
fwprintf
_snprintf
strncpy
memmove
strncmp
strcmp
wcslen
wcscmp
MSVCRT.dll
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
inet_pton
getnameinfo
WS2_32.dll
URLDownloadToFileW
urlmon.dll
InternetCloseHandle
InternetOpenUrlA
InternetOpenA
InternetReadFile
InternetOpenUrlW
InternetOpenW
WININET.dll
DnsFree
DnsQuery_A
DNSAPI.dll
PathFileExistsW
PathFindFileNameA
SHLWAPI.dll
lstrlenA
ExitThread
GetTickCount
DeleteFileW
ExpandEnvironmentStringsW
CloseHandle
WriteFile
CreateFileW
ExitProcess
GetTimeZoneInformation
FileTimeToSystemTime
FileTimeToLocalFileTime
GetLocalTime
CreateProcessW
GetLocaleInfoA
TerminateThread
WaitForSingleObject
CreateThread
lstrcpyA
SetFileAttributesW
CopyFileW
CreateDirectoryW
GetModuleFileNameW
GetLastError
CreateMutexA
ReadFile
SetFilePointer
GetFileSize
GetSystemTime
GetModuleHandleA
GetStartupInfoA
KERNEL32.dll
wsprintfA
CharUpperA
USER32.dll
RegCloseKey
RegDeleteValueW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
ADVAPI32.dll
RSDSkA
C:\Users\x\Desktop\Home\Code\Trik v6.0 - WORK\Release\Trik.pdb
PRIVMSG
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
63696d6w6
7$757M7
;3;I;~;
0*1Q1l1
323l3q3
626l6q6
6$7d7!8
>@>H>f>{>
5 5)5<5E5X5j5}5
626;6N6W6j6t6z6
858@8^8|8
:+:6:T:h:n:v:
<<<C<J<Q<X<_<f<m<t<{<
3&3+3C3P3
3@4k4{4
415F5P5Z5|5
6"6/6b6
6	7$7)7/777Y7^7d7u7
<	=$=Z=
=!><>r>
3)4^4y4
5:5U5|5
7"7A7U7
:+;F;Z;n;
?a?m?r?
1<1`1}1
2"3,3|3
5:6?6L6Q6
8!80868R8w8
9$9J9i9
<#=.=7=A=K=[=f=o=y=
?;?H?w?
4.6E6]6
7u8>9\9g9
:@:R:Z:`:y:
:4;@;a;l;v;
< <9<E<f<{<
=#=.=V=c=p=
2 3?3N3X3t3
3"4A4P4Z4
5"62686>6D6J6P6V6\6b6h6n6t6z6
7"7(70767=7D7O7V7\7g7l7v7
888>8D8`8f8l8r8x8
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
3 3$3(3,3034383<3@3D3H3L3P3T3X3\3`3d3h3l3p3t3x3|3
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4