Sample details: 3faa5627991fa0002540acfcc3593854

Hashes
MD5: 3faa5627991fa0002540acfcc3593854
SHA1: 1b83a783869c88965d95e4cac6948e54be79f90e
SHA256: 4a78786e4eb29d42a2b0ee1170a2fb009a15603d57ac1cea25b3e2639633f168
SSDEEP: 768:XQe/fmE1gsBBQARQkWV/p76rikQ3Q80nm82+0pXYnAtZTtX4MBDJGxIduBBQARQ9:fBBQARcpJ3186jGxIduBBQAR+1t2GH
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/maldoc_find_kernel32_base_method_1 | YRP/maldoc_getEIP_method_1 | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/DebuggerCheck__QueryInfo | YRP/ThreadControl__Context | YRP/anti_dbg | YRP/network_tcp_socket | YRP/win_registry | YRP/win_private_profile | YRP/win_files_operation | YRP/win_hook | YRP/MD5_Constants | YRP/Str_Win32_Winsock2_Library
Parent Files
ef0130d76576bf27c15f3d99b4ca4aa5
Source
Strings
		!This program cannot be run in DOS mode.
.rdata
@.data
""""""""93
"+^ +]
QWVhDE@
:Repeat
if exist "
" goto Repeat
rmdir "
RtlZeroMemory
_wcsicmp
memcpy
memcmp
strstr
_wcsupr
wcsstr
_strupr
RtlAllocateHeap
RtlFreeHeap
GetModuleHandleA
GetProcAddress
lstrlenA
lstrcpyA
lstrcatA
GetSystemDirectoryA
LoadLibraryA
GetTempFileNameA
CloseHandle
DeleteFileA
MoveFileExA
FreeLibrary
CreateFileA
GetTempPathA
WriteFile
GlobalAlloc
GlobalFree
GetModuleFileNameA
GetStartupInfoA
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
lstrcmpiA
GetCurrentProcessId
GetExitCodeThread
GetFileSize
ReadFile
VirtualProtectEx
SetFileTime
GetFileTime
VirtualProtect
CreateToolhelp32Snapshot
Process32First
OpenProcess
TerminateProcess
Process32Next
GetLocalTime
FindResourceA
SizeofResource
LoadResource
LockResource
GetProcessHeap
SystemTimeToFileTime
WaitForDebugEvent
ReadProcessMemory
WriteProcessMemory
GetThreadContext
lstrcmpW
lstrcpyW
SetThreadContext
ContinueDebugEvent
VirtualAlloc
VirtualFree
CreateRemoteThread
GetCurrentProcess
OpenFileMappingA
MapViewOfFile
UnmapViewOfFile
CallNextHookEx
SetWindowsHookExA
UnhookWindowsHookEx
FindWindowA
SendMessageA
KillTimer
GetWindowThreadProcessId
SetTimer
RegisterWindowMessageA
wsprintfA
StringFromGUID2
CoCreateGuid
RegDeleteKeyA
RegOpenKeyExA
RegDeleteValueA
RegCloseKey
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
ShellExecuteA
GetModuleInformation
user32.dll
ole32.dll
advapi32.dll
shell32.dll
psapi.dll
\InProcServer32
Apartment
ThreadingModel
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Software\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
kernel32.dll
ExitProcess
SelfDel.bat
%08x.dll
explorer.exe
\ntoskrnl.exe
VERIFY_CODE
POST_URL1
POST_URL2
POST_URL3
POST_URL4
SOURCE_FLAG
KERNEL32.DLL
ntdll.dll
PSAPI.DLL
lstrcpyA
CloseHandle
lstrcmpiA
OpenProcess
GetCurrentProcess
lstrlenA
ExitProcess
memcpy
RtlZeroMemory
NtQueryInformationProcess
GetProcessImageFileNameA
HKCBKD
elementclient.exe
CLSID\
a6499563
SSWORD
http://221.195.40.139/tuleichibi/tulei001/post.asp
http://221.195.40.139/tuleichibi/ableitu/post.asp
OSTURL3
OSTURL4
TOM_FLAG
?FFFFF?
Pj j j
VWRS?FF
P?+  j
E?   ?
uH93uD
@@Pj ?
E?   ?
E    h
E?E?E?u
Pj j j 
Pj j j 
      ^
Pj j ?
jkbgfkjbngfkjbngfkjbngbfkbngklkmwqweio 
E?  ?u
D      
A  (A  2A  FA  XA  pA  
B  0B  >B  RB  hB  |B  
B   C  
C  .C  BC  XC  vC  
D  0D  JD  dD  rD  
@                             
                  
                      
                           
               
                          
                               
              
                
                      
               
                                                         
                                                            
                      
         
                        
                 ?          
                   
                                                                 
             
            
                                                                        
                                             
                      
                                                 ?          
D  ?  ?          
D  ?                      
D      
A  (A  2A  FA  XA  pA  
B  0B  >B  RB  hB  |B  
B   C  
C  .C  BC  XC  vC  
D  0D  JD  dD  rD  
@      7 ExAllocatePool  G ExFreePool  ?RtlAnsiStringToUnicodeString 
MmSystemRangeStart  ]
MmSectionObjectType 0
IoFileObjectType  ?KeDelayExecutionThread  ?PsTerminateSystemThread 
ZwCreateKey 8
ZwOpenFile  f
ZwSetValueKey 
RtlCompareUnicodeString H
ZwQueryInformationFile  T
ZwReadFile         <   63<374D4??.545???????
6?8;>;????
  \   u6|6??????????????
8#8*818=8D8V8(9??????}=????
?	???       
0%0P0V0??61s1????????????-333Y3????
4-4V4\4??????5E5??
6P6V6??
7s7????F:L:?
:);/;??
<2<8<??
=;=A=y=~=?   0     ??????84>4~6?????????????????????
7 7&7,72787>7D7J7P7V7\7b7h7n7t7z7
7?????????? 
jhesgefjkdshgkjjgkhjgkhdrkjghkiqwjfoir4uw39etrweu98tue98ture98tre98yter8theoijskjzcxnZXb jAHDVWUFVWJHFBESUFBSJDHFBDSJHFJHDSFGSJHDFVJSHDFDSJHFVDSJHFVDJHJHDSFSJHDVF
vgfdsjhfvdsjhfv
vbjhdsvfdsjhfvj
                        PADMZ
!This program cannot be run in DOS mode.
.rdata
@.data
.reloc
""""""""93
ws2_32.dll
connect
%s(%d)
%s	%s	%s
RtlUnwind
RtlZeroMemory
_snprintf
RtlDeleteElementGenericTable
RtlGetElementGenericTable
RtlInitializeGenericTable
RtlInsertElementGenericTable
RtlNumberGenericTableElements
sscanf
ntdll.dll
WS2_32.dll
GlobalAlloc
GlobalFree
CloseHandle
CreateThread
DeleteCriticalSection
EnterCriticalSection
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
TerminateThread
WaitForSingleObject
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrlenA
GetPrivateProfileStringA
WideCharToMultiByte
CreateFileA
GetFileSize
ReadFile
CreateFileMappingA
CreateProcessA
DeleteFileA
GetExitCodeThread
GetLastError
GetStartupInfoA
GetSystemDirectoryA
GetTempFileNameA
GetTempPathA
MapViewOfFile
MoveFileExA
UnmapViewOfFile
VirtualAlloc
VirtualFree
VirtualProtectEx
WriteFile
lstrcpynA
IsBadReadPtr
KERNEL32.dll
wsprintfA
CallNextHookEx
GetWindowThreadProcessId
KillTimer
RegisterWindowMessageA
SendMessageA
SetTimer
UnhookWindowsHookEx
USER32.dll
memcmp
memcpy
strlen
strstr
VERIFY_CODE
POST_URL1
POST_URL2
POST_URL3
POST_URL4
SOURCE_FLAG
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
?456789:;<=
 !"#$%&'()*+,-./0123
HKCBKD
3;3C3m3u3
5+535?5G5S5[5g5o5{5
:=:C:_:f:k:
;#;B;I;N;
>J>Q>V>
2E2L2Q2
2*3/34393>3C3p3{3
4+414=4B4H4N4Z4_4d4i445=5Y5`5e5
6	6%6,616f6o6
6	747J7V7b7n7z7
8#8.8>8Q8c8x8
9&929>9M9T9^9e9
;5;D;U;e;
<><N<w<
1,2?2b2
3 3&3,323
6(616<6>8S8`8
6"6(6.646:6@6F6L6R6X6^6d6j6p6v6|6
7$7*70767
HBVERIFY_DATA