Sample details: f8fc6fd300fe7a6690e776070dfca1fe

Hashes
MD5: f8fc6fd300fe7a6690e776070dfca1fe
SHA1: ba55914e5a476ccd121fd959675d1c61528c3645
SHA256: d8ce62470b0cbb3282ac09ba21358b8daa76b6a2ca2d4221c42e9aad98f3acdf
SSDEEP: 1536:7EkG6Nosv/sxWud1ZoG6PSbutd8wu4C4lnWY6A011ph/6G2e1vsMUrmDfiaPVe3:7/BHgf6qbgd8CW1h/L2D5SiqVe3
Details
File Type: PE32+
Added: 2019-10-09 10:59:54
Yara Hits
YRP/Microsoft_Visual_Cpp_80_DLL | YRP/IsPE64 | YRP/IsWindowsGUI | YRP/MinGW_1 | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/network_tcp_socket | YRP/network_dns | YRP/screenshot | YRP/keylogger | YRP/win_mutex | YRP/win_registry | YRP/win_files_operation | YRP/Big_Numbers1 | YRP/Advapi_Hash_API | YRP/MD5_Constants | YRP/BASE64_table | YRP/Str_Win32_Winsock2_Library
Strings
		!This program cannot be run in DOS mode.
P`.data
.rdata
`@.pdata
0@.xdata
0@.bss
.idata
ffffff.
AUATUWVSH
[^_]A\A]
AVAUATUWVS
[^_]A\A]A^A_
ATUWVSH
t%D9d$(u
[^_]A\
AWAVAUATUWVSH
D$x;(s
[^_]A\A]A^A_
AVATUWVSH
([^_]A\A^
AWAVAUATUWVSH
[^_]A\A]A^A_
AWAVAUATUWVSH
[^_]A\A]A^A_
AVAUATUWVSH
[^_]A\A]A^
AUATUWVSH
8[^_]A\A]
AWAVAUATUWVSH
H[^_]A\A]A^A_
UWVSE1
AWAVAUATUWVSH
D:l$ v
8[^_]A\A]A^A_
AWAVAUATUWVSH
X[^_]A\A]A^A_
AWAVAUATUWVSH
[^_]A\A]A^A_
AVAUATUWVSH
[^_]A\A]A^
ATUWVSH
[^_]A\
AUATUWVSH
8[^_]A\A]
ATUWVSH
 [^_]A\
AWAVAUATUWVSH
[^_]A\A]A^A_
AWAVAUATUWVSH
[^_]A\A]A^A_
ATUWVS
[^_]A\A]
ATUWVSH
[^_]A\
ATUWVSH
[^_]A\
AVAUATUWVSH
 [^_]A\A]A^
AVAUATUWVS
[^_]A\A]A^A_
ATUWVSH
`[^_]A\
ATUWVSH
D$(tEI
0[^_]A\
ATUWVSH
@[^_]A\
AUATUWVS
[^_]A\A]A^
[^_]A\
AWAVAUATUWVSH
[^_]A\A]A^A_
HcL$<A
HcL$<E1
HcL$<E1
[^_]A\
ATUWVSH
[^_]A\
ATUWVSH
[^_]A\
AWAVAUATUWVSH
[^_]A\A]A^A_
AWAVAUATUWVSH
&QZ^&E
[^_]A\A]A^A_
ATUWVSH
 [^_]A\
ATUWVSH
[^_]A\
ATUWVSH
D$2x64
[^_]A\
AWAVAUATUWVSH
[^_]A\A]A^A_
AVAUATUWVS
[^_]A\A]A^A_
D$0t^H
AWAVAUATUWVSH
\$ht*H
\$ht*H
[^_]A\A]A^A_
D$8t21
D$@t21
D$Ht01
AWAVAUATUWVSH
9D$prB
[^_]A\A]A^A_
AWAVAUATUWVSH
L$;LcT$,
H[^_]A\A]A^A_
AWAVAUATUWVSH
D$h<Uu
[^_]A\A]A^A_
AWAVAUATUWVSH
[^_]A\A]A^A_
AWAVAUATUWVSH
D$`;t$xH
D$X;l$|
[^_]A\A]A^A_
D$Xt'D
AWAVAUATUWVSH
[^_]A\A]A^A_
AWAVAUATUWVSH
D$H;\$<}
[^_]A\A]A^A_
D$Ht!A
D$Ht!A
D$Ht!A
D$Ht!A
D$Ht!A
D$Ht!A
D$Ht!A
D$Ht!A
D$Ht+D
AWAVAUATUWVSH
[^_]A\A]A^A_
AVAUATUWVSH
 [^_]A\A]A^
D$Ht*E1
AUATUWVSH
H[^_]A\A]
AUATUWVSH
[^_]A\A]
AUATUWVSH
[^_]A\A]
AVAUATUWVS
[^_]A\A]A^A_
AUATUWVSH
[^_]A\A]
AWAVAUATUWVSH
D$htqE1
[^_]A\A]A^A_
AUATUWVSH
[^_]A\A]
AVAUATUWVSH
[^_]A\A]A^
AWAVAUATUWVSH
D$xtgH
[^_]A\A]A^A_
HcD$,H
AWAVAUATUWVSH
([^_]A\A]A^A_
AUATUWVSH
([^_]A\A]
AUATUWVSH
8[^_]A\A]
AWAVAUATUWVSH
[^_]A\A]A^A_
AWAVAUATUWVSH
[^_]A\A]A^A_
AWAVAUATUWVSH
[^_]A\A]A^A_
[^_]A\
fffff.
ATUWVSH
 [^_]A\
ffffff.
ffffff.
AVAUATUWVSH
`[^_]A\A]A^
`[^_]A\A]A^
UAVAUATWVSH
[^_A\A]A^]
ATUWVSH
@[^_]A\
H3T$0H
@[^_]A\
([^_]H
9MZt	1
fffff.
B' t	H
fffff.
fffff.
AVAUATUWVSH
 [^_]A\A]A^
 [^_]A\A]A^
fffff.
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
8ccccc/Bcccccccccccccccccccccccccccccccccccccc
%8DmgM
#7@Qhq\1@NWgyxeH\_bpdgc%.2d/%.2d/%d %.2d:%.2d:%.2d
_BqwHaF8TkKDMfOzQASx4VuXdZibUIeylJWhj0m5o2ErLt6vGRN9sY1n3Ppc7g-C%.4d-%.2d-%.2d %.2d:%.2d:%.2d
socks=
<.`%%=
@echo off
ping 192.0.2.2 -n 1 -w %d >nul 2>&1
DEL /s "%s" >nul 2>&1
call :deleteSelf&exit /b
:deleteSelf
start /b "" cmd /c del "%%~f0"&exit /b
http://%s%s
%.2d/%.2d/%d %.2d:%.2d:%.2d
%c%.8x%s
%s @ %s
%6\%6.dfd
iphlpapi.dll
psapi.dll
kernel32.dll
Ed5jf5dRSdSqYsqCVid
Ed5jf5dRSdSuSsqCVid
Ed590WYd66XlCnd_4idLCldD
PiW6dS
m465dR4Rn...
MvL MdR5
MvL rdYd42dS
j65CVi46IdS
_4R UC45 (G)
_4R UC45 (h)
PiW6d UC45
PiW64Rn...
mC65 DPH
q4ld UC45
adid5d qPc
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
!&.37<
"%/28;=#$019:>?
PTLLjPq %6:%S -qq9/G.y
R-W65: %6:%S
200 OK
mWYCi a46w
%s (%s)
U4R-55sTsdR
winhttp.dll
U4R-55sEd590WfZ_W0u0i
U4R-55sEd5Xj90WfZPWR84n_W0PQ00dR5u6d0
%s\%s.bat
ComSpec
%s /c "%s"
MT_qUDrj\F4Y0W6W85\U4RSWg6\PQ00dR5zd064WR\rQR\
MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56
NetWire
SOFTWARE\
HostId
SOFTWARE\NetWire
%Rand%
Install Date
-m "%s"
MT_qUDrj\F4Y0W6W85\DY542d Md5Qs\XR65CiidS PWlsWRdR56\%6
M5QV9C5I
GET %s HTTP/1.1
Host: %s 
User-Agent: Mozilla/4.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Connection: close
200 OK
%s%.2d-%.2d-%.4d
[Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
[cCYw6sCYd]
[jR5d0]
[D00Wg md85]
[D00Wg us]
[D00Wg r4nI5]
[D00Wg aWgR]
[-Wld]
[9Cnd us]
[9Cnd aWgR]
[c0dCw]
[adid5d]
[XR6d05]
[904R5 MY0ddR]
[MY0Wii mWYw]
[PCs6 mWYw]
[P50i+%Y]
rdn465d0rCgXRsQ5ad24Yd6
user32.dll
Ed5rCgXRsQ5aC5C
%.2d-%.2d-%.4d
MdYQ0Nh.Sii
m6CEd5mWnWRMd664WRaC5C
m6C_0ddrd5Q0RcQ88d0
m6CjRQld0C5dmWnWRMd664WR6
MT_qUDrj\FWk4iiC\%6\
PQ00dR5zd064WR
MT_qUDrj\FWk4iiC\%6\%6\FC4R
XR65Cii a40dY5W0Z
lWkQ54i6.Sii
lWkniQd.Sii
lWk67i45dN.Sii
Mozilla Firefox
APPDATA
%6\FWk4iiC\_40d8Wf\s0W84id6.4R4
%6\FWk4iiC\_40d8Wf\%6
Mozilla Thunderbird
%6\qIQRSd0V40S\s0W84id6.4R4
%6\qIQRSd0V40S\%6
SeaMonkey
%6\FWk4iiC\MdCFWRwdZ\s0W84id6.4R4
%6\FWk4iiC\MdCFWRwdZ\%6
%6\64nRWR6.67i45d
%6\iWn4R6.e6WR
NSS_Init
9HGGpEd5XR5d0RCiHdZMiW5
9HGGpDQ5IdR54YC5d
9mpcC6doOadYWSd
MjPXqjFpx80ddX5dl
9HGGMarpadY0Zs5
9HGGp_0ddMiW5
LMMpMIQ5SWgR
67i45dNpWsdR
67i45dNpYiW6d
67i45dNps0dsC0dp2h
67i45dNp65ds
67i45dNpYWiQlRp5df5
6didY5 *  80Wl lWkpiWn4R6
hostname
encryptedUsername
encryptedPassword
IW65RCld
%6\Tsd0C\Tsd0C\gCRS.SC5
%6\Tsd0C\Tsd0C\s0W84id\gCRS.SC5
%6\.sQ0sid\CYYWQR56.fli
<s0W5WYWi>
<RCld>
<sC66gW0S>
9T9N u6d0
9T9N Md02d0
9T9N 9C66gW0S
XFD9 u6d0
XFD9 Md02d0
XFD9 9C66gW0S
-qq9 u6d0
-qq9 Md02d0
-qq9 9C66gW0S
MFq9 u6d0
MFq9 Md02d0
MFq9 9C66gW0S
jDM u6d0
jDM Md02d0 urm
jDM 9C66gW0S
%c%c%S
%c%c%s
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Y0Zs5Nh.Sii
P0Zs5uRs0W5dY5aC5C
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
%s\*.*
4RSdf.SC5
vaultcli.dll
VaultEnumerateItems
VaultEnumerateVaults
VaultFree
VaultOpenVault
VaultCloseVault
VaultGetItem
History
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
0x%02hhX
LOCALAPPDATA
%6\EWWnid\PI0Wld\u6d0 aC5C\ad8CQi5\mWn4R aC5C
%6\PI0Wl4Ql\u6d0 aC5C\ad8CQi5\mWn4R aC5C
%6\PWlWSW\a0CnWR\u6d0 aC5C\ad8CQi5\mWn4R aC5C
%6\vCRSdf\vCRSdfc0Wg6d0\u6d0 aC5C\ad8CQi5\mWn4R aC5C
%s\BraveSoftware\Brave-Browser\User Data\Default\Login Data
%s\360Chrome\Chrome\User Data\Default\Login Data
%6\Tsd0C MW85gC0d\Tsd0C M5CVid\mWn4R aC5C
l62Y0Gyy.Sii
l62YsGyy.Sii
l62Y0Ghy.Sii
l62YsGhy.Sii
Cs43l63g4R3YW0d354ldkWRd3iG3G3y.Sii
Cs43l63g4R3YW0d384id3iG3G3y.Sii
Cs43l63g4R3YW0d384id3ih3G3y.Sii
Cs43l63g4R3YW0d3iWYCi4kC54WR3iG3h3y.Sii
Cs43l63g4R3YW0d36ZRYI3iG3h3y.Sii
Cs43l63g4R3YW0d3s0WYd665I0dCS63iG3G3G.Sii
Cs43l63g4R3YW0d384id3iG3h3y.Sii
Cs43l63g4R3Y0530QR54ld3iG3G3y.Sii
Cs43l63g4R3Y0536504Rn3iG3G3y.Sii
Cs43l63g4R3Y053IdCs3iG3G3y.Sii
Cs43l63g4R3Y05365S4W3iG3G3y.Sii
Cs43l63g4R3Y053YWR2d053iG3G3y.Sii
Cs43l63g4R3Y053iWYCid3iG3G3y.Sii
Cs43l63g4R3Y053lC5I3iG3G3y.Sii
Cs43l63g4R3Y053lQi54VZ5d3iG3G3y.Sii
Cs43l63g4R3Y05354ld3iG3G3y.Sii
Cs43l63g4R3Y05384id6Z65dl3iG3G3y.Sii
Cs43l63g4R3Y053dR240WRldR53iG3G3y.Sii
Cs43l63g4R3Y053Q54i45Z3iG3G3y.Sii
Cs43l63g4R3YW0d36504Rn3iG3G3y.Sii
Cs43l63g4R3YW0d3RCldSs4sd3iG3G3y.Sii
Cs43l63g4R3YW0d3ICRSid3iG3G3y.Sii
Cs43l63g4R3YW0d3IdCs3iG3G3y.Sii
Cs43l63g4R3YW0d3i4V0C0ZiWCSd03iG3G3y.Sii
Cs43l63g4R3YW0d36ZRYI3iG3G3y.Sii
Cs43l63g4R3YW0d3s0WYd665I0dCS63iG3G3y.Sii
Cs43l63g4R3YW0d3s0WYd66dR240WRldR53iG3G3y.Sii
Cs43l63g4R3YW0d3SC5d54ld3iG3G3y.Sii
Cs43l63g4R3YW0d36Z64R8W3iG3G3y.Sii
Cs43l63g4R3YW0d3YWR6Wid3iG3G3y.Sii
Cs43l63g4R3YW0d3SdVQn3iG3G3y.Sii
Cs43l63g4R3YW0d3s0W84id3iG3G3y.Sii
Cs43l63g4R3YW0d3ldlW0Z3iG3G3y.Sii
Cs43l63g4R3YW0d3Q54i3iG3G3y.Sii
Cs43l63g4R3YW0d305i6QssW053iG3G3y.Sii
Cs43l63g4R3YW0d34R5d0iWYwdS3iG3G3y.Sii
QY05VC6d.Sii
2Y0QR54ldGOy.Sii
l62YsGOy.Sii
lWkY05Gt.Sii
67i45dN.Sii
R6s0O.Sii
siYO.Sii
siS6O.Sii
R66Q54iN.Sii
R66N.Sii
6W85WwRN.Sii
R66SVlN.Sii
Ed5FWSQid_4idLCldjfD
psapi.dll
kernel32.dll
%.2d/%.2d/%d %.2d:%.2d:%.2d
0x%.8X (%d)
0x%.16llX (%I64d)
%c%.8x%s
%c%.8x%s%s
%c%.8x%s\%s
%c%.8x%s\%s
ComSpec
WINDIR
%6\6Z65dlNh\YlS.dfd
localhost
CS2Cs4Nh.Sii
Ed5u6d0LCldD
uMjrLDFj
Unknown
Ed5LC542dMZ65dlXR8W
wd0RdiNh.Sii
EiWVCiFdlW0ZM5C5Q6jf
kernel32.dll
-DraUDrj\ajMPrX9qXTL\MZ65dl\PdR50Ci90WYd66W0\y
ProcessorNameString
DiiWYC5dDRSXR454Ci4kdM4S
advapi32.dll
PIdYwqWwdRFdlVd06I4s
_0ddM4S
WINDIR
%d:%s%s;
%d:%I64u:%s%s;
%c%llu
.pdata
Argument domain error (DOMAIN)
Argument singularity (SIGN)
Overflow range error (OVERFLOW)
Partial loss of significance (PLOSS)
Total loss of significance (TLOSS)
The result is too small to be represented (UNDERFLOW)
Unknown error
_matherr(): %s in %s(%g, %g)  (retval=%g)
Mingw-w64 runtime failure:
Address %p has no image-section
  VirtualQuery failed for %d bytes at address %p
  VirtualProtect failed with code 0x%x
  Unknown pseudo relocation protocol version %d.
  Unknown pseudo relocation bit size %d.
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
GCC: (GNU) 4.8.3
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseContext
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
CryptUnprotectData
BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
DeleteObject
GetDIBits
SelectObject
CloseHandle
CreateDirectoryA
CreateFileA
CreateMutexA
CreatePipe
CreateProcessA
CreateToolhelp32Snapshot
DeleteCriticalSection
DeleteFileA
EnterCriticalSection
ExitProcess
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetComputerNameA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceExA
GetDriveTypeA
GetFileAttributesA
GetFileAttributesExA
GetLastError
GetLocalTime
GetLogicalDriveStringsA
GetModuleFileNameA
GetProcAddress
GetProcessTimes
GetStartupInfoA
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount
GetVersionExA
GetVolumeInformationA
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
LocalFree
MoveFileA
OpenProcess
PeekNamedPipe
Process32First
Process32Next
QueryPerformanceCounter
ReadFile
ReleaseMutex
ResumeThread
RtlAddFunctionTable
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetErrorMode
SetFileAttributesA
SetFilePointer
SetUnhandledExceptionFilter
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
WideCharToMultiByte
WriteFile
__C_specific_handler
__dllonexit
__doserrno
__getmainargs
__initenv
__iob_func
__lconv_init
__pioinfo
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_beginthreadex
_cexit
_errno
_filelengthi64
_fileno
_fmode
_fpreset
_initterm
_lseeki64
_onexit
_unlock
_vscprintf
_vsnprintf
_write
calloc
fclose
ferror
fflush
fgetpos
fprintf
fsetpos
fwrite
getenv
malloc
memcpy
realloc
signal
sprintf
strcat
strchr
strcmp
strcpy
strlen
strncmp
vfprintf
NetApiBufferFree
NetWkstaGetInfo
CoTaskMemFree
SHFileOperationA
ShellExecuteA
CreateWindowExA
DefWindowProcA
DispatchMessageA
EnumWindows
GetDesktopWindow
GetForegroundWindow
GetKeyNameTextA
GetKeyState
GetKeyboardState
GetLastInputInfo
GetMessageA
GetSystemMetrics
GetWindowTextA
IsWindowVisible
MapVirtualKeyA
PostQuitMessage
RegisterClassExA
ReleaseDC
SendMessageA
SetCursorPos
SetWindowTextA
ShowWindow
ToAscii
TranslateMessage
keybd_event
mouse_event
WSACleanup
WSAGetLastError
WSAIoctl
WSAStartup
__WSAFDIsSet
closesocket
connect
gethostbyname
gethostname
inet_ntoa
ioctlsocket
select
setsockopt
shutdown
socket
ADVAPI32.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
msvcrt.dll
NETAPI32.dll
ole32.dll
SHELL32.dll
USER32.dll
WS2_32.dll