Sample details: c4c85c75e1cd7e91b709761bc3a6fc24 --

Hashes
MD5: c4c85c75e1cd7e91b709761bc3a6fc24
SHA1: b4f5a2c04a97bdaf43ae69580de0aa3394bb9934
SHA256: 2e3cb2df6ef23187bef3749f75d2b8431f2fc6396925e7fa40506d256657f595
SSDEEP: 384:WZWOzNUaUHZgWyspYJBKn/HP9SMYJrvebizrosd5K8e9MtCQathxBw0qTb6x7E2l:WUkUaqTyJm6rosnfCNt5w0qTb6GQ
Details
File Type: PE32
Added: 2018-03-06 19:44:16
Yara Hits
YRP/Microsoft_Visual_Cpp_v50v60_MFC | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasOverlay | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/System_Tools | YRP/inject_thread | YRP/escalate_priv | YRP/win_mutex | YRP/win_token | YRP/win_files_operation | YRP/win_hook | YRP/Advapi_Hash_API | YRP/BASE64_table | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API |
Parent Files
8a325e15ad434a32e7f653d77b6e4084
Source
Strings
		!This program cannot be run in DOS mode.
@.reloc
comeonboss
comres.dll
comeonboss
%s %s ins %s
gth29511.exe
rundll32.exe
FontS\gth29511.fon
elementclient.exe
FontS\gth29511.ttf
FontS\ComRes.dll
sysgth.dll
ComRes.dll
\fonts
sfc_os.dll
\sfc_os.dll
\mmsfc1.dll
WinSta0\Default
Qjehp!@
Pjehp!@
Pjfhp!@
FindClose
FindNextFileA
FindFirstFileA
CopyFileA
GetModuleFileNameA
CloseHandle
TerminateProcess
OpenProcess
MoveFileExA
GetWindowsDirectoryA
Process32Next
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
MultiByteToWideChar
lstrlenA
lstrcpyA
GetSystemDirectoryA
FreeLibrary
GetProcAddress
LoadLibraryA
WriteFile
CreateFileA
LoadResource
SizeofResource
FindResourceA
lstrcatA
GetFileSize
ReadFile
SetFilePointer
CreateProcessA
KERNEL32.DLL
wsprintfA
USER32.dll
ADVAPI32.dll
StrStrIA
PathFileExistsA
SHLWAPI.dll
rename
_stricmp
strstr
strncat
MSVCRT.dll
IMAGEHLP.dll
WININET.dll
NETAPI32.dll
!This program cannot be run in DOS mode.
.reloc
kernel32.dll
ComRes.dll
explorer.exe
SeDebugPrivilege
FontS\
FontS\gth%02x*.ttf
SVWh|#
SVWj@3
CloseHandle
CreateThread
GetModuleFileNameA
GetCurrentProcessId
lstrcpyA
RtlFillMemory
GetLastError
OpenProcess
RtlZeroMemory
ReleaseMutex
CreateMutexA
LoadLibraryA
SetEvent
OpenEventA
DeleteFileA
FreeLibrary
GetCurrentThreadId
Process32Next
lstrcmpiA
Process32First
CreateToolhelp32Snapshot
WriteProcessMemory
WideCharToMultiByte
lstrlenA
lstrlenW
Module32Next
Module32First
GetWindowsDirectoryA
lstrcatA
VirtualFreeEx
WaitForSingleObject
CreateRemoteThread
VirtualAllocEx
FindClose
FindNextFileA
FindFirstFileA
KERNEL32.dll
CallNextHookEx
wsprintfA
SetWindowsHookExA
GetMessageA
PostThreadMessageA
GetWindowThreadProcessId
UnhookWindowsHookEx
EnumWindows
USER32.dll
OpenProcessToken
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AdjustTokenPrivileges
LookupPrivilegeValueA
ADVAPI32.dll
StrStrIA
PathFileExistsA
SHLWAPI.dll
strcmp
strrchr
strcat
strcpy
MSVCRT.dll
IMAGEHLP.dll
WININET.dll
NETAPI32.dll
DllHost.dll
COMResModuleInstance
sysgth.COMResModuleInstance
LpkPSMTextOut
lpk1.LpkPSMTextOut
LpkUseGDIWidthCache
lpk1.LpkUseGDIWidthCache
SetMsgHook
ftsWordBreak
lpk1.ftsWordBreak
4(4.444>4C4K4P4X4^4d4k4s4x4}4
5"5(5-5=5P5V5c5
6B6G6o6t6
7#7(7-7R7\7b7m7x7
8	8*8/8P8_8
9&9.9S9f9
: :F:j:o:w:|:
;*;?;m;w;|;
<><K<v<}<
>">(>->N>u>}>
?A?T?c?
 0'0-0T0Z0_0
1F1r1y1
333?3]3
5=5E5J5
6?6j6s6
7%7:7`7i7
7/8:8F8m8w8
9-9Y9j9
:%:9:m:
:5;?;a;
<@<F<L<R<X<^<d<j<
!This program cannot be run in DOS mode.
)RichWf
.reloc
Accept: */*
Internet Explorer 7.0
Microsoft Base Cryptographic Provider v1.0
&t@bdujpo>'Obnf>&t'Tubuf>&e
hbnfUzqf>&t'qbsb>&t'&wfs>&t'[pof>&t'Tfswfs>&t'Obnf>&t'qbttxpse>&t'tfdpQbtt>&t'ojdlObnf>&t'mpse>&t'Mfwfm>&t'Npofz>&v'hpmeDpjo>&v'ZC>&v'frvjqnfou>&t'cbh>&t'NC>&e'NCujnf>&e'opSfgsftiDpef>&t'ibseJogp>&t'cbolQbtt>&t
hbnfUzqf>&t'Obnf>&t'qbttxpse>&t'[pof>&t'Tfswfs>&t'cbolZC>&e'cbolNpofz>&e'opSfgsftiDpef>&t'Mfwfm>&t'NC>&e
hbnfUzqf>&t'Obnf>&t'qbttxpse>&t'[pof>&t'Tfswfs>&t'cbolQbtt>&t'opSfgsftiDpef>&t'Mfwfm>&t'NC>&e
Obnf>&t'qbttxpse>&t'[pof>&t'Tfswfs>&t'tipqQbtt>&t'opSfgsftiDpef>&t'Mfwfm>&t'NC>&e
hbnfUzqf>&t'qbsb>&t'&wfs>&t'Obnf>&t'qbttxpse>&t'[pof>&t'tfswfs>&t'ojdlObnf>&t'opSfgsftiDpef>&t'Mfwfm>&t'Dbse>&t>&t}&t>&t}&t>&t'NC>&e
Obnf>&t'qbttxpse>&t'[pof>&t'Tfswfs>&t'cbolNpofz>&e'opSfgsftiDpef>&t'Mfwfm>&t'NC>&e
comeonboss
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
FontS\gth29511.fon
ws2_32.dll
%s?s=%s
elementclient.exe
WSSSSh
CloseHandle
CreateToolhelp32Snapshot
WriteProcessMemory
VirtualProtect
VirtualProtectEx
OpenProcess
ReadProcessMemory
WideCharToMultiByte
MultiByteToWideChar
lstrlenA
lstrlenW
Module32Next
Module32First
GetCurrentProcessId
GetWindowsDirectoryA
GetProcAddress
CreateFileA
ReadFile
GetModuleHandleA
LocalAlloc
GetModuleFileNameA
CreateThread
KERNEL32.dll
GetWindowThreadProcessId
EnumWindows
wsprintfA
USER32.dll
CryptReleaseContext
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptCreateHash
CryptAcquireContextA
ADVAPI32.dll
StrStrIA
SHLWAPI.dll
IMAGEHLP.dll
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
WININET.dll
NETAPI32.dll
??3@YAXPAX@Z
strcmp
memcpy
strcpy
memset
??2@YAPAXI@Z
strlen
isprint
_purecall
strrchr
_except_handler3
memcmp
MSVCRT.dll
WS2_32.dll
zx.dll
LpkGetCharacterPlacement
lpk1.LpkGetCharacterPlacement
LpkGetTextExtentExPoint
lpk1.LpkGetTextExtentExPoint
>'>4>A>N>[>h>u>
> ?$?0?4?8?<?G?q?
+0b0j0
141K1P1u1
3,3K3}3
6J6O6p6
8#8(8B8S8k8v8
=?=J=l=
=0>:>O>T>_>f>k>
)030^0q0{0
2C2M2V2t2
3V3y3~3
3"4'42474<4A4F4K4V4]4b4
5)6L6Q6W6b6g6l6q6|6
7(7.7<7f7u7
7(838O8n8
9'9G9L9Q9X9_9
:$:):3:8:g:w:
;.;G;Z;h;r;x;
< <(<4<:<B<H<T<Z<`<i<w<}<
="=(=-=3=?=G=S=Y=^=d=}=
>*>0>5>B>G>S>[>b>m>s>z>
? ?*?0?J?R?Y?_?i?o?
0%0.0E0M0T0]0b0n0t0
1"1)1.1:1@1L1T1[1`1l1r1~1
2"2(2.242:2@2F2L2R2