Sample details: f593d4eaba8dc72a22309a69475e9729

Hashes
MD5: f593d4eaba8dc72a22309a69475e9729
SHA1: 109aa7052bbf3c4a399875cf4e091790208b6ac7
SHA256: 15f55c1fcb62950727289654e5d82af0da2deaae43db8ca08b64e4086b503f4f
SSDEEP: 768:wmnVnvkMCL9mxalwBSJ/Q25qenZvRivgNkiACXZqSbe9M0hKsC5pxK9HS+ADG+U8:XBABX5qenZwpiA4CM00fK9y+ADG+
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Basic_v50
YRP/VMProtect_1704_phpbb3
YRP/IsPE32
YRP/IsWindowsGUI
YRP/IsPacked
YRP/IsBeyondImageSize
YRP/HasRichSignature
YRP/maldoc_find_kernel32_base_method_1
YRP/maldoc_getEIP_method_1
YRP/domain
YRP/contentis_base64
YRP/Dropper_Strings
YRP/ThreadControl__Context
YRP/inject_thread
YRP/network_http
YRP/win_mutex
YRP/win_registry
YRP/win_token
YRP/win_files_operation
YRP/Advapi_Hash_API
YRP/CRC32_poly_Constant
YRP/BASE64_table
YRP/Str_Win32_Winsock2_Library
YRP/Str_Win32_Wininet_Library
YRP/Str_Win32_Internet_API
YRP/Str_Win32_Http_API
Source
http://94.130.104.170/4//decrypted.ex_
http://94.130.104.170/4/decrypted.ex_
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.reloc
!This program cannot be run in DOS mode.
`.rdata
@.data
.reloc
PVVVVVV
PSSSSSS
SSWh6-
A;L$,|
tJUPWV
D$$9\$,
SSUh6-
L$$QWUP
9D$ ug
D$(;D$,
D$$_^][
software\microsoft\windows\currentversion\run
%s\%s.exe
USERPROFILE
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: %d
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
.reloc
\system32\svchost.exe
SystemRoot
Accept: */*
https://%s
GetProcAddress
LoadLibraryExA
lyuchta.org
ShellPrime
software\microsoft\windows\currentversion
AppManagement
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmopqrstuvwxyz0123456789_
:repeat
del %s
if exist %s goto :repeat
del %%0
http://%s
Microsoft Enhanced Cryptographic Provider v1.0
PGltZyBzcmM9ImRhdGE6aW1hZ2UvanBlZztiYXNlNjQs
kernel32.dll
IsWow64Process
UndefinedOS
WinServer2012
WinServer2008R2
WinServer2008
WinHomeServer
WinServer2003R2
WinServer2003
WinXP64
zxtsrqpnmlkgfdcb
aeiouy
bcdfghjklmnpqrstvwxz
smtp.compuserve.com
mail.airmail.net
smtp.directcon.net
smtp.sbcglobal.yahoo.com
smtp.mail.yahoo.com
smtp.live.com
GetProcessImageFileNameA
GetModuleFileNameExA
EnumProcessModules
PSAPI.DLL
GetAllUsersProfileDirectoryA
USERENV.dll
GetAdaptersInfo
IPHLPAPI.DLL
InternetCloseHandle
HttpSendRequestA
InternetReadFile
InternetSetOptionA
HttpAddRequestHeadersA
HttpOpenRequestA
InternetConnectA
InternetOpenA
InternetCrackUrlA
InternetQueryOptionA
WININET.dll
WS2_32.dll
wnsprintfA
SHLWAPI.dll
CreateThread
CopyFileA
lstrcpyA
lstrcmpiA
GetEnvironmentVariableA
lstrlenA
HeapFree
HeapAlloc
GetProcessHeap
GetLastError
OpenProcess
Process32Next
GetCurrentProcessId
CloseHandle
Process32First
CreateToolhelp32Snapshot
CreateProcessA
VirtualAlloc
ResumeThread
SetThreadContext
GetThreadContext
WriteProcessMemory
TerminateProcess
VirtualAllocEx
VirtualFree
lstrcatA
CreateRemoteThread
WaitForSingleObject
ReadFile
GetFileSize
CreateFileA
CreateMutexA
GetModuleFileNameA
GetLocalTime
QueryPerformanceCounter
ExitProcess
WriteFile
GetTempFileNameA
GetTickCount
TerminateThread
GetExitCodeProcess
SetUnhandledExceptionFilter
GetCurrentProcess
GetProcAddress
GetModuleHandleA
SetEvent
GetSystemInfo
GetVersionExA
CreateEventA
SystemTimeToFileTime
lstrcpynA
WideCharToMultiByte
GetVolumeInformationA
GetSystemDirectoryA
KERNEL32.dll
wsprintfA
GetSystemMetrics
USER32.dll
RegCloseKey
RegSetValueExA
RegOpenKeyExA
RegDeleteValueA
RegQueryValueExA
CryptReleaseContext
CryptImportKey
CryptDestroyKey
CryptExportKey
CryptGenKey
CryptAcquireContextA
CryptEncrypt
CryptDecrypt
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptCreateHash
EqualSid
CreateWellKnownSid
GetTokenInformation
OpenProcessToken
ADVAPI32.dll
CoCreateInstance
CoUninitialize
CoInitialize
CoTaskMemFree
StringFromCLSID
ole32.dll
9R\:_FwT^C78
C9#eVR
gfxLFc:7W11T14Z:
=(9m[o
 ^W6({8
B?r3ST
/<TLu]h-
&'$R,"
}UtV{yF
XgkJ"C
}xrYd^(|
GV>OsQ
17cu>~
n\m8)=
g^xLFc:7
Ip"miP
:S*pTY
n\m8)=
TMi?;Z32T02W6;cEMx]h
g^xLFc:7W11T14Z:@iLU
=(9m[o
]UpE@^64U01U37^?FpT^
n\m8)=
TMi?;Z32T02W6;cEMx]h
g^xLFc:7W11T14Z:@iLU
=(9m[o
]UpE@^64U01U37^?FpT^
n\m8)=
TMi?;Z32T02W6;cEMx]h
g^xLFc:7W11T14Z:@iLU
=(9m[o
]UpE@^64U01U37^?FpT^
n\m8)=
TMi?;Z32T02W6;cEMx]h
g^xLFc:7W11T14Z:@iLU
=(9m[o
]UpE@^64U01U37^?FpT^
n\m8)=
TMi?;Z32T02W6;cEMx]h
g^xLFc:7W11T14Z:@iLU
=(9m[o
]UpE@^64U01U37^?FpT^
n\m8)=
TMi?;Z32T02W6;cEMx]h
=(9m[o
/PN8A6
4]n?Q3=XJP4N
]tb$[X
>D7i.z
MK(Wnt^reT^
Wyy2M]
=$"t^_
Q5m=$_2
^7'kG:
N,!jKC
4!%}mt
H-)ya`
M13e]%b
S)xG1y8WU
\2VLNBP
nobfudycomal
accounting.ee;0daymusic.biz;4dmobil.at;4dbabamozi.hu;accords-bilateraux.ch;4e-energiezentrale.de;4effect.pl;4einstitute.jp;4elementos.es;4elements.cz;4elements.de;4elements.hu;4-elements.se;4emails.de;8wellesley.ca;8zaamarchitecten.nl;8zstabor.taborak.cz;4energia.ee;4entertainmentgroup.tv;4erotik.de;accounting.ee;0daymusic.biz;4dmobil.at;4dbabamozi.hu;accords-bilateraux.ch;4e-energiezentrale.de;4egolifestyle.de;4elementos.cl;4elements.cz;4elements.hu;
C1M1m1v1
2#242:2M2
6'6;6Z6c6w6
8$8,8>8t8
>!>Q>Z>
?U?b?q?z?
2.2A2Z2_2d2k2
5#5<5Z5d5p5
6-686O6k6x6}6
7	747G7
919H9R9]9f9
; ;K;[;
<%<+<E<K<X<m<t<y<
=.=i=~=
>(>3>B>O>a>o>w>
?7?M?d?q?~?
4F4a4z4
4<5F5M5h5
7-7J7a7~7
;<;F;M;q;
<.<8<?<D<J<{<&=6=@=X=x=
>#>E>e>
0*060F0i0s0x0
5`5h5}5
5>6G6\6
;G;O;a;p;
=#=Q=p=
=D>J>\>l>|>
? ?'?8?A?P?i?
7+7>7_7v7|7
KERNEL32.DLL
VirtualAlloc
VirtualFree
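The string list above already tells most of the story: two "cannot be run in DOS mode" stubs (a second PE carried inside the first), a Run key plus a `%s\%s.exe` template under USERPROFILE, the `:repeat` / `del %s` / `del %%0` batch-file self-delete pattern, the CreateProcessA + VirtualAllocEx + WriteProcessMemory + Get/SetThreadContext + ResumeThread import set (thread-context injection into a freshly started process, matching the ThreadControl__Context and inject_thread hits), CryptoAPI, and a base64 literal that decodes to an HTML `<img src="data:image/jpeg;base64,` fragment. The script below is an added example, not tooling from this page or from the sample's author: it turns a `strings` dump into those triage findings. `STRINGS` is a constructed subset of the strings printed above so it runs offline; the API clusters and regexes are this example's own heuristics, and import names alone prove intent only in combination, never individually.

```python
"""Behavioural triage of a `strings` dump (added example, not page tooling).

STRINGS is a constructed subset of the strings listed on this page
(imports plus notable literals).  Feed the full `strings` output of a
sample to triage() to triage a real file.
"""
import base64
import re

# Constructed subset of the strings printed on this page.  The base64
# alphabet is included on purpose: it must NOT be reported as a literal.
STRINGS = [
    "!This program cannot be run in DOS mode.",
    "`.rdata", "@.reloc",
    "!This program cannot be run in DOS mode.",
    "`.rdata", "@.data", ".reloc",
    r"software\microsoft\windows\currentversion\run",
    r"%s\%s.exe",
    "USERPROFILE",
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    r"\system32\svchost.exe",
    "lyuchta.org",
    ":repeat", "del %s", "if exist %s goto :repeat", "del %%0",
    "PGltZyBzcmM9ImRhdGE6aW1hZ2UvanBlZztiYXNlNjQs",
    "smtp.mail.yahoo.com", "smtp.live.com",
    "accounting.ee;0daymusic.biz;4dmobil.at",
    "CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
    "GetThreadContext", "SetThreadContext", "ResumeThread",
    "CreateRemoteThread", "CryptAcquireContextA", "CryptEncrypt",
    "CryptDecrypt", "InternetOpenA", "HttpSendRequestA",
]

# Win32 API clusters (this example's heuristics) whose *joint* presence
# indicates a technique; any single member is common in benign code.
API_CLUSTERS = {
    "process_hollowing": {"CreateProcessA", "VirtualAllocEx",
                          "WriteProcessMemory", "GetThreadContext",
                          "SetThreadContext", "ResumeThread"},
    "remote_thread_injection": {"VirtualAllocEx", "WriteProcessMemory",
                                "CreateRemoteThread"},
    "cryptoapi_encryption": {"CryptAcquireContextA", "CryptEncrypt",
                             "CryptDecrypt"},
}
SELF_DELETE_BATCH = {":repeat", "del %s", "if exist %s goto :repeat", "del %%0"}
RUN_KEY = re.compile(r"currentversion\\run$", re.IGNORECASE)
HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")  # also matches a.exe; review hits
B64_LITERAL = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")


def count_dos_stubs(strings):
    """Two DOS stubs in one file mean a second PE is embedded (dropper)."""
    return sum(s.endswith("cannot be run in DOS mode.") for s in strings)


def api_techniques(strings):
    """Names of API clusters that are fully present in the string set."""
    present = set(strings)
    return sorted(name for name, apis in API_CLUSTERS.items() if apis <= present)


def has_self_delete_batch(strings):
    return SELF_DELETE_BATCH <= set(strings)


def has_run_key_persistence(strings):
    return any(RUN_KEY.search(s) for s in strings)


def hostnames(strings):
    """Hostnames, including those packed into ';'-separated blobs."""
    found = set()
    for s in strings:
        for part in s.lower().split(";"):
            part = part.strip()
            if HOSTNAME.match(part):
                found.add(part)
    return sorted(found)


def decode_base64_literals(strings):
    """Base64-looking strings that decode to printable ASCII text."""
    out = {}
    for s in strings:
        if not B64_LITERAL.match(s) or len(s) % 4:
            continue
        try:
            text = base64.b64decode(s, validate=True).decode("ascii")
        except ValueError:  # bad padding or non-ASCII output: not a text literal
            continue
        if text.isprintable():
            out[s] = text
    return out


def triage(strings):
    stubs = count_dos_stubs(strings)
    return {
        "dos_stubs": stubs,
        "embedded_pe": stubs >= 2,
        "run_key_persistence": has_run_key_persistence(strings),
        "self_delete_batch": has_self_delete_batch(strings),
        "api_techniques": api_techniques(strings),
        "hostnames": hostnames(strings),
        "decoded_base64": decode_base64_literals(strings),
    }


if __name__ == "__main__":
    for key, value in triage(STRINGS).items():
        print(f"{key}: {value}")
```

Run it on `strings -n 6 sample.bin` output split into lines; the cluster checks are deliberately strict (every member must be present) so a benign binary that merely imports WriteProcessMemory is not flagged. Because this sample is also marked packed (VMProtect / IsPacked) and the source path is named `decrypted.ex_`, these strings are only visible in the unpacked stage; running the same triage on the packed file would report almost nothing.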