Sample details: d84dde1d98e12ca6cda73a1bc969b194 --

Hashes
MD5: d84dde1d98e12ca6cda73a1bc969b194
SHA1: 0b139bd7f267e3e1d83e542af1ac4b4f2a4af13a
SHA256: 400370ec9f7a1733c33ebadb5ce73090f99fd32cf25bf204753cb51aefc00ba9
SSDEEP: 768:12isAJf5KTqNpQDVCDNTAeLuQF+kN+Dei3:12isK5JNpsVCBTHL1FXgei
Details
File Type: PE32
Added: 2018-02-23 16:54:08
Yara Hits
YRP/Nullsoft_PiMP_Stub_SFX | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/HasRichSignature | YRP/maldoc_getEIP_method_1 | YRP/domain | YRP/contentis_base64 | YRP/System_Tools | YRP/Misc_Suspicious_Strings | YRP/inject_thread | YRP/escalate_priv | YRP/screenshot | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation | YRP/Str_Win32_Winsock2_Library | FlorianRoth/DragonFly_APT_Sep17_3 |
Parent Files
04f27bc8c61fa9a27c0bf0d7e5dfd33b
Strings
		!This program cannot be run in DOS mode.
5<5=5>D3<95>D^5H5
guojicg%d.dll
AABBCC
5<5=5>D3<95>D^5H5
BINDATA
MoveFileA
TerminateProcess
OpenProcess
Process32Next
Process32First
CreateToolhelp32Snapshot
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
WriteFile
CreateFileA
SizeofResource
LoadResource
FindResourceA
kernel32.dll
cmd.exe /c del "%s" 
<1E>385B
#?6DG1B5,s<1CC5C, 5B653DP'?B<4Pu>D5BD19>=5>D, 5B653DP'?B<4Py>D5B>1D9?>1<Ps~,y~#$q||/ q$x
elementskill.dll
immwrapper.dll
dsound.dll
SeDebugPrivilege
VirtualProtect
LoadLibraryA
%s\*.*
userdata\server\serverlist.txt
music\ambiencestereo
ifc22.dll
w2i.com.cn
NVjAY3
D$4h<"@
t/VVVj
u	FA;u
jQh!.@
Tj@j W
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
USER32.dll
WinExec
GetModuleFileNameA
CopyFileA
DeleteFileA
GetSystemDirectoryA
SetCurrentDirectoryA
GetWindowsDirectoryA
GetCurrentProcess
GetDriveTypeA
GetLogicalDriveStringsA
FindClose
LoadLibraryA
FindFirstFileA
Module32Next
Module32First
CreateToolhelp32Snapshot
WideCharToMultiByte
lstrlenW
ReadFile
SetFilePointer
HeapAlloc
GetProcessHeap
GetFileSize
CreateFileA
GetProcAddress
GetModuleHandleA
CloseHandle
GetFileAttributesA
FindNextFileA
SetFileAttributesA
RegQueryValueExA
RegOpenKeyExA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
sprintf
_strcmpi
strstr
strncpy
_stricmp
_strlwr
strrchr
EnumWindows
PostMessageA
wsprintfA
GetWindowThreadProcessId
!This program cannot be run in DOS mode.
.reloc
??3@YAXPAX@Z
??2@YAPAXI@Z
msvcrt.dll
GdiplusStartup
GdipCreateBitmapFromHBITMAP
GdipSaveImageToFile
GdipDisposeImage
GdipGetImageEncodersSize
GdipGetImageEncoders
gdiplus.dll
;|{q2A
rC!6k&b	
0123456789ABCDEF
rundll32.exe
5<5=5>D3<95>D^5H5
CIC`a``b^4<<
act=&d10=%s
act=postmb&d10=%s&d20=%s:%s|%s:%s|%s:%s
d10=%s&d11=%s&d00=%s&d01=%s&d30=%s&d32=%d&d40=%u&d42=%u&d71=%d&d22=%s&d23=%s&d70=%d&d80=%s&d81=%s
gj1026
~gjtemp
music\ambiencestereo
ifc22.dll
elementskill.dll
CurrentGroup
Server
CurrentServer
EC5B41D1,,3EBB5>DC5BF5B^9>9
%s\%s_%d.jpg
internet
Content-Length: %d
Connection: Keep-Alive
------------------------------64b23e4066ed
Content-Type: image/gif
Content-Disposition: form-data; name="File1"; filename="
------------------------------64b23e4066ed
Content-Type: multipart/form-data; boundary=----------------------------64b23e4066ed
Accept: */*
Host: 
User-Agent: Mozilla/4.0
 HTTP/1.1
%d.%d.%d
GetAdaptersInfo
Iphlpapi.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
host:%s,port:%d,path:%s,ExtraInfo:%s
%s?mac=%s&os=%s&ver=%s&fs=%d&t=%d
H(-aok27(hg;:9r574R
G714d^:@7
SeTakeOwnershipPrivilege
ws2_32.dll
VVVhCM
WWWh*a
D$ WPh
PPVhr]
SSSSh$
SVWj<^3
WWWWh$
VVVVh$
VVWPhpF
VVVVh$
VVWPhpF
GetProcAddress
LoadLibraryA
lstrcmpiA
GetModuleFileNameA
CloseHandle
ReleaseMutex
CreateThread
CreateMutexA
GetCurrentProcessId
OpenProcess
FreeLibrary
ReadFile
WriteFile
CreateFileA
GetFileAttributesA
GetPrivateProfileStringA
DeleteFileA
GetSystemDirectoryA
GetModuleHandleA
lstrlenA
lstrcatA
LocalFree
GetLastError
GetVersionExA
GlobalFree
GlobalAlloc
HeapFree
HeapAlloc
GetProcessHeap
SearchPathA
GetTempPathA
GetTickCount
lstrcpyA
Process32Next
Process32First
CreateToolhelp32Snapshot
VirtualFreeEx
WaitForSingleObject
WriteProcessMemory
VirtualAllocEx
CreateRemoteThread
DuplicateHandle
GetCurrentProcess
MultiByteToWideChar
WideCharToMultiByte
lstrlenW
VirtualProtectEx
KERNEL32.dll
wsprintfA
GetWindowTextA
GetForegroundWindow
USER32.dll
DeleteDC
DeleteObject
BitBlt
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
GetDeviceCaps
CreateDCA
GDI32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
SetSecurityInfo
SetEntriesInAclA
GetTokenInformation
OpenProcessToken
ADVAPI32.dll
wcscmp
mbstowcs
strlen
memcpy
memset
wcscpy
strcpy
strstr
strrchr
malloc
fclose
??2@YAPAXI@Z
rewind
??3@YAXPAX@Z
sprintf
printf
MSVCRT.dll
WS2_32.dll
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
MSVCP60.dll
InternetCloseHandle
InternetReadFile
HttpSendRequestA
HttpOpenRequestA
InternetConnectA
InternetOpenA
InternetCrackUrlA
WININET.dll
_stricmp
_strlwr
chivalry.dll
Install
757<7D7K7S7Y7`7f7m7s7z7
:B:r:x:
;$;1;8;E;T;x;
<$<.<6<=<O<a<y<
=!=/=<=O=
0+070B0K0Q0]0w0|0
1)141:1@1E1M1[1`1k1p1{1
2!2'272=2C2H2P2\2a2g2{2
3#3+393?3G3M3S3Z3`3l3r3x3}3
4 4,424>4D4J4O4W4\4h4n4
4E5J5O5T5Y5^5c5
5N6T6Z6t6
757<7T7
8%8:8@8F8m8s8x8
93999>9Z9`9e9
;<<T<g<
?#?+?V?`?
0&010R0{0
1>1T1"2,292@2I2p2w2
31363H3^3c3u3z3
4 4%474<4N4d4i4{4
5#515_5h5~5
7=7D7i7o7
8#8;8P8^8g8p8
8*90999K9
:-:L:`:t:
? ?8?F?U?`?r?
1*1;1z1
2#262<2K2\2b2z2
3,333K3T3f3r3
4+474N4
5(5/5;5A5H5O5W5e5u5|5
6 6&6,62686B6