Sample details: f3a74481387e213a5a0c9ca4278e660e

Hashes
MD5: f3a74481387e213a5a0c9ca4278e660e
SHA1: 75037ae350abdf86815c2caa0da21b58e677d3a6
SHA256: 9e4c1f244e62ffbf4eb2c73aa48954bff0b05e1dd3699154fc3b610d48b83132
SSDEEP: 1536:kgTNfWTTWwVqgbCsII9AX+Pap13eDlMr4+jkrDl9HNS:nITTWufCwAxp13eDlMr4KkrD7HNS
Details
File Type: PE32
Yara Hits
YRP/Armadillo_v171 | YRP/Microsoft_Visual_Cpp_v60 | YRP/Microsoft_Visual_Cpp_v50v60_MFC_additional | YRP/Microsoft_Visual_Cpp_50 | YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/Armadillo_v171_additional | YRP/Armadillo_v4x | YRP/Microsoft_Visual_Cpp | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasOverlay | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/DebuggerCheck__QueryInfo | YRP/disable_dep | YRP/network_tcp_listen | YRP/network_tcp_socket | YRP/keylogger | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/VC6_Random | YRP/Str_Win32_Winsock2_Library | FlorianRoth/Backdoor_Nitol_Jun17
Parent Files
004f95a2e8845d638230148bed00555e
Strings