Sample details: 5046930b0ee1a2ffb3463187add44b2a --

Hashes
MD5: 5046930b0ee1a2ffb3463187add44b2a
SHA1: 27f74d615bd19a4185214c32bd61f57831eabdc0
SHA256: e7ce6eecb536e8e6bf53f997cfc768cf2de0f22b85993a52b05ba9c7ae87faeb
SSDEEP: 3072:2r/zIEyQIrPP+r4MrdN/086ibgqGWkcy:2rsEyQUPPGxFsYG
Details
File Type: PE32
Yara Hits
YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasOverlay | YRP/IsBeyondImageSize | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/Browsers | YRP/VM_Generic_Detection | YRP/Dropper_Strings | YRP/Misc_Suspicious_Strings | YRP/network_tcp_socket | YRP/network_dns | YRP/screenshot | YRP/keylogger | YRP/cred_local | YRP/cred_ff | YRP/cred_ie7 | YRP/win_mutex | YRP/win_registry | YRP/win_files_operation | YRP/Big_Numbers1 | YRP/Advapi_Hash_API | YRP/MD5_Constants | YRP/Str_Win32_Winsock2_Library | YRP/NetWiredRC_B | FlorianRoth/CredentialStealer_Generic_Backdoor | FlorianRoth/RAT_NetWire |
Strings
		!This program cannot be run in DOS mode.
0`.data
.idata
;D$l}9
D$@;D$
D$8h@A
D$@;D$
D$X;D$L
?u'<.uP
D$TH4A
D$Hl4A
D$Dl5A
#D$ ;D$ 
$;\$ }8A
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
8ccccc/Bcccccccccccccccccccccccccccccccccccccc
%8DmgM
#7@Qhq\1@NWgyxeH\_bpdgc
s={{.|
S.N{r'
@echo off
ping 192.0.2.2 -n 1 -w %d >nul 2>&1
DEL /s "%s" >nul 2>&1
call :deleteSelf&exit /b
:deleteSelf
start /b "" cmd /c del "%%~f0"&exit /b
%c%.8x%s
%s @ %s
%s\%s.exe
%s\%s.%s
!&.37<
"%/28;=#$019:>?
FCONNECT %s:%d HTTP/1.0
Host: %s:%d
200 OK
%.2d/%.2d/%d %.2d:%.2d:%.2d
shell32.dll
SHFileOperationA
%.4d-%.2d-%.2d %.2d:%.2d:%.2d
http://%s%s
GET %s HTTP/1.1
Host: %s 
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Connection: close
200 OK
psapi.dll
GetModuleFileNameExA
kernel32.dll
%.2d/%.2d/%d %.2d:%.2d:%.2d
ComSpec
WINDIR
%s\system32\cmd.exe
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
nss3.dll
SOFTWARE\Mozilla\%s\
CurrentVersion
SOFTWARE\Mozilla\%s\%s\Main
Install Directory
%s\msvcr100.dll
%s\msvcp100.dll
%s\msvcr120.dll
%s\msvcp120.dll
mozutils.dll
mozglue.dll
mozsqlite3.dll
%s\nss3.dll
Mozilla Firefox
APPDATA
%s\Mozilla\Firefox\profiles.ini
%s\Mozilla\Firefox\%s
Mozilla Thunderbird
%s\Thunderbird\profiles.ini
%s\Thunderbird\%s
SeaMonkey
%s\Mozilla\SeaMonkey\profiles.ini
%s\Mozilla\SeaMonkey\%s
%s\signons.sqlite
%s\logins.json
NSS_Init
PK11_GetInternalKeySlot
PK11_Authenticate
NSSBase64_DecodeBuffer
PK11SDR_Decrypt
PK11_FreeSlot
NSS_Shutdown
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
select *  from moz_logins
hostname
encryptedUsername
encryptedPassword
%s\Opera\Opera\wand.dat
%s\Opera\Opera\profile\wand.dat
%s\.purple\accounts.xml
<protocol>
<name>
<password>
advapi32.dll
CredEnumerateA
CredFree
WindowsLive:name=*
POP3 User
POP3 Server
POP3 Password
IMAP User
IMAP Server
IMAP Password
HTTP User
HTTP Server
HTTP Password
SMTP User
SMTP Server
SMTP Password
%c%c%S
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
abe2869f-9b47-4cd9-a358-c22904dba7f7
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
%s\*.*
index.dat
vaultcli.dll
VaultOpenVault
VaultCloseVault
VaultEnumerateItems
VaultGetItem
VaultFree
History
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%s\Google\Chrome\User Data\Default\Login Data
%s\Chromium\User Data\Default\Login Data
%s\Opera Software\Opera Stable\Login Data
localhost
USERNAME
Unknown
kernel32.dll
GetNativeSystemInfo
SYSTEM\CurrentControlSet\Control\ProductOptions
ProductType
LANMANNT
SERVERNT
GlobalMemoryStatusEx
ProcessorNameString
HARDWARE\DESCRIPTION\System\CentralProcessor\0
advapi32.dll
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
WINDIR
%s\%s.bat
ComSpec
%s /c "%s"
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Active Setup\Installed Components
.Identifier
%Rand%
-m "%s"
SOFTWARE\Microsoft\Active Setup\Installed Components\%s
StubPath
%d:%s%s;
%d:%I64u:%s%s;
%c%llu
6%s%.2d-%.2d-%.4d
[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]
[Backspace]
[Enter]
[Arrow Left]
[Arrow Up]
[Arrow Right]
[Arrow Down]
[Home]
[Page Up]
[Page Down]
[Break]
[Delete]
[Insert]
[Print Screen]
[Scroll Lock]
[Caps Lock]
[Ctrl+%c]
user32.dll
RegisterRawInputDevices
GetRawInputData
wcnwClass
%.2d-%.2d-%.4d
Secur32.dll
LsaGetLogonSessionData
LsaFreeReturnBuffer
LsaEnumerateLogonSessions
%.2d/%.2d/%d %.2d:%.2d:%.2d
0x%.8X (%d)
0x%.16llX (%I64d)
%c%.8x%s
%c%.8x%s%s
%c%.8x%s\%s
%c%.8x%s\%s
iphlpapi.dll
GetExtendedTcpTable
GetExtendedUdpTable
psapi.dll
GetProcessImageFileNameA
kernel32.dll
Closed
Listening...
SYN Sent
SYN Received
Established
Fin Wait (1)
Fin Wait (2)
Close Wait
Closing...
Last ACK
Time Wait
Delete TCB
Local Disk
%s (%s)
7v@f7v
Ww`wVwe
Gwy=HwBAHw@
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseContext
GetUserNameA
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
CryptUnprotectData
BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
DeleteObject
GetDIBits
SelectObject
CloseHandle
CreateDirectoryA
CreateFileA
CreateMutexA
CreatePipe
CreateProcessA
CreateToolhelp32Snapshot
DeleteFileA
EnterCriticalSection
ExitProcess
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetComputerNameA
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceExA
GetDriveTypeA
GetFileAttributesA
GetFileAttributesExA
GetLastError
GetLocalTime
GetLogicalDriveStringsA
GetModuleFileNameA
GetProcAddress
GetProcessTimes
GetStartupInfoA
GetSystemInfo
GetSystemTime
GetTickCount
GetVersionExA
GetVolumeInformationA
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
LocalFree
MoveFileA
OpenProcess
PeekNamedPipe
Process32First
Process32Next
ReadFile
ReleaseMutex
ResumeThread
SetErrorMode
SetFileAttributesA
SetFilePointer
TerminateProcess
WideCharToMultiByte
WriteFile
_beginthreadex
_filelengthi64
_vscprintf
_vsnprintf
fclose
fflush
fgetpos
fsetpos
fwrite
getenv
malloc
realloc
strlen
SHGetPathFromIDListA
SHGetSpecialFolderLocation
CreateWindowExA
DefWindowProcA
DispatchMessageA
EnumWindows
GetDesktopWindow
GetForegroundWindow
GetKeyNameTextA
GetKeyState
GetKeyboardState
GetMessageA
GetSystemMetrics
GetWindowTextA
IsWindowVisible
MapVirtualKeyA
PostQuitMessage
RegisterClassExA
ReleaseDC
SendMessageA
SetCursorPos
SetWindowTextA
ShowWindow
ToAscii
TranslateMessage
keybd_event
mouse_event
WSACleanup
WSAGetLastError
WSAIoctl
WSAStartup
__WSAFDIsSet
closesocket
connect
gethostbyname
gethostname
inet_ntoa
ioctlsocket
select
setsockopt
shutdown
socket
ADVAPI32.DLL
CRYPT32.DLL
GDI32.dll
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
USER32.dll
WS2_32.dll