Sample details: ecc2f0f66e5fd9132c8878178bc7d40d --

Hashes
MD5: ecc2f0f66e5fd9132c8878178bc7d40d
SHA1: fef671c13039df24e1606d5fdc65c92fbc1578d9
SHA256: 2981e1a1b3c395cee6e4b9e6c46d062cf6130546b04401d724750e4c8382c863
SSDEEP: 1536:KOR6aXe1f1a8NxixcvNCXGp3mNizMxkqYtmP42iN4FXgQykO6GWNtPfyzK:/X69a8sckk3x4xw8XgVQxfk
Details
File Type: PE32
Yara Hits
YRP/Visual_Cpp_2005_DLL_Microsoft | YRP/Visual_Cpp_2003_DLL_Microsoft | YRP/IsPE32 | YRP/IsDLL | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/System_Tools | YRP/Dropper_Strings | YRP/anti_dbg | YRP/escalate_priv | YRP/win_mutex | YRP/win_registry | YRP/win_token
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
n(9F4u
L$$AHB
D$4)D$(
D$$)D$,
\$$;l$0r
D$<@;D$,
\$,)\$
QRPhxl
T$|Rh$m
T$ RSSSSSS
 SystemRat.dll
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
need dictionary
invalid literal/length code
invalid distance code
invalid block type
invalid stored block lengths
too many length or distance symbols
invalid bit length repeat
oversubscribed dynamic bit lengths tree
incomplete dynamic bit lengths tree
oversubscribed literal/length tree
incomplete literal/length tree
oversubscribed distance tree
incomplete distance tree
empty distance tree with lengths
unknown compression method
invalid window size
incorrect header check
incorrect data check
RM-M : Find Failed %d
RM-M : Load failed %d
OLEAUT32.dll
RM-M : EntryPointFunc OK!
\Microsoft\Windows\UserProfiles
ixeorat.bin
RunningRat
dkeorkcl_eklsdl_123_23928347293
MR - Already Existed
MR : %04d-%02d-%02d-%02d-%02d-%02d
SoftWare\Microsoft\Windows\CurrentVersion\Run
rundll32.exe "%s" RunningRat
SysRat
\Microsoft
\dx.bat
taskkill /f /im %s
del %s
GetModuleFileNameA
CreateThread
LoadLibraryA
GetProcAddress
GetCurrentProcess
GetLastError
CloseHandle
GetShortPathNameA
CreateDirectoryA
CreateMutexA
GetLocalTime
GetModuleHandleA
lstrcatA
GetTempPathA
WinExec
KERNEL32.dll
wsprintfA
USER32.dll
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RegCloseKey
ADVAPI32.dll
SHGetSpecialFolderPathA
SHELL32.dll
strrchr
vsprintf
fprintf
fclose
malloc
??2@YAPAXI@Z
strstr
MSVCR90.dll
_encode_pointer
_malloc_crt
_encoded_null
_decode_pointer
_initterm
_initterm_e
_amsg_exit
_adjust_fdiv
__CppXcptFilter
_crt_debugger_hook
__clean_type_info_names_internal
_unlock
__dllonexit
_onexit
_except_handler4_common
InterlockedExchange
InterlockedCompareExchange
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
_stricmp
memset
memcpy
ParentDll.dll
RunningRat
putratSASW
punaelCASW
tpokcostes
tcennoc
emanybtsohteg
tekcos
tceles
emankcosteg
emantsohteg
tekcosesolc
D:\result.log
TQHJ@"tc
e^kk*n
Vziyr@j
V)~+4BI+
;fls|	
C1'kHZ;z
kEK!Yk*QX
XM,0&@
qHS/Ep
X`R)D]
hp^!G *
,4E7@xt
06_:@U
C`GCz 
%uT:.]
K@G1QF
]ptk'_-
rt\,][G
0>%v'T
W|!'tP
7VX}d,
`:6#o:
O7t},?
?Hg!<Be
[oDIK|
}T2u>9
$5XszB
8)lM)7
[E~%!^o
vXr<_M
PoU+OA
K8vi%E
=fIx96
O-<x^z
[<B!+d
0oi2edS
a/k,KjZc
Hl 1bz
B5l/,("
P%BHz_
@L]ZZI
"#t1%W
uRH5}Gm
o`v^\O
^2g7!(L
tjAe\Qt
>{fw-+
;%!;UU
c]R`2R
LSS]?x
m4';*I
M[x\`u
y^xlt8
 L~rXo
<1=M|o
l),6 e
H#|Ow#|Wv
-V/#-DC
Q1r]?O
x{'w,m
lH/;E|7
>qF(~d~
qg3U'Z$
f)y+/P
s<^&xK8}3UTm+W
>ItuVy
VS]vaC-
vnq5?;
?K-+_C
-'zVZ?mXq
,S`WT$	
[6;p1nY
P/1ZT'
XIZ6Vl
%IZzczT$
Ah(Qg	
=&.ZjHh)
m"]WCM
IL]<	&
dj;D6"
Ls)MO2
FvP.y=Fl/
\DJkOq~
k?uE|)
jJ5{,]
.`;#JQJ
e[hd5$
h/0RHY5
	w'\'\'
5<i)Tn
gv'mZ 
i9fk2V{2Fw
#XaLuy
eM7SjW
TU4".[uL9
e}:%dt
83nTe8P
0f!0/G
cdF~nF6C
vMmm=e
#5}Lj^
gj)qN2
wZGZv-~
:6+7'G
hHzv6RQ
r3tGy5
DI){PR
>Y]rv^Z
&2~k}|Gd|
x}|Sd|J
/7YcDV
xD<%~i
)gf3/1{
>Ewbz0V&
O;v X.
?Mqt/:
3m^e^o>d>
{R~N^!
;zG~O>,
M}!WQL
`>kneI
JAv]`-
PA<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
    </dependentAssembly>
  </dependency>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
151<1C1
2 4$4(4,4044484<4@4D4H4L4P4T4
;;;b;p;
070<1P1
9)999@9V9^9d9m9v9
94:@:Q:g:
0,0W0^0h0
1(1/1a1z1
2'2G2L2`2}2
3L3\3j3s3z3
4+4@4E4K4f4k4w4
525S5d5o5w5
7 7&7,72787?7F7M7T7[7b7i7q7y7
8#8.848H8]8h8
;B;O;[;c;k;w;
 1,101