Sample details: ff05f3751bbf931758f054d4ce5270de

Hashes
MD5: ff05f3751bbf931758f054d4ce5270de
SHA1: d8354a5124e99388bc09d2e10f11494543394ca9
SHA256: ae272838808f70b7306e7853886fab8f88c06a0bdd429fbd7468c657709b8c32
SSDEEP: 1536:7PUm7lYykq6JTGGiBepJ5Yze0qy+1+xVliFYy2DrK0doeJK6liU+CcDe:n7lm4GQepLYz+X1+Euy2i2UC
Details
File Type: PE32
Yara Hits
YRP/yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h
YRP/UPXv20MarkusLaszloReiser
YRP/UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
YRP/IsPE32
YRP/IsWindowsGUI
YRP/IsPacked
YRP/IsBeyondImageSize
YRP/HasRichSignature
YRP/maldoc_getEIP_method_1
YRP/domain
YRP/contentis_base64
YRP/screenshot
YRP/win_mutex
YRP/win_files_operation
YRP/Str_Win32_Wininet_Library
YRP/Str_Win32_Internet_API
YRP/UPX
YRP/suspicious_packer_section
Source
http://122.114.215.99/a.exe
http://111.231.226.12/a.exe
Strings