Sample details: f23454946e040f9503d450ee4f43007c

Hashes
MD5: f23454946e040f9503d450ee4f43007c
SHA1: 7b53eae9fd87361c4f406eeb5a1544f13e9004fc
SHA256: 9d899a40db639ce1c4c8c9040511751c50f4516d08ff192f36f15c0ed6737d21
SSDEEP: 6144:7HNAWXmUEs6SnpHzBmgw4D+8MNEo8cd6bUfFdXThU:T5ms6SnpHtmB4D+8MNmwPXK
Details
File Type: PE32
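Yara Hits (generic capability and heuristic rules; they describe traits seen in the file, not a malware family attribution)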
YRP/IsPE32 | YRP/IsWindowsGUI | YRP/HasOverlay | YRP/maldoc_find_kernel32_base_method_1 | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Browsers | YRP/DebuggerCheck__QueryInfo | YRP/DebuggerHiding__Active | YRP/anti_dbg | YRP/disable_dep | YRP/network_dns | YRP/CRC32_poly_Constant | YRP/CRC32_table | YRP/Str_Win32_Winsock2_Library | YRP/with_sqlite |
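Strings (raw strings extracted from the file; the DOS-stub message appears twice, which suggests a second PE image embedded in the sample)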
		!This program cannot be run in DOS mode.
93u.U$
}kn7X'
>~a7&uy
	Hd\LRh(6v[Z?]
 *uPpZ M
|hBZ )[
s?Z S{
Z nsY#a8
X ntinT
7sxZ k[cIa85
X l.dlT
 ntdlT 
, aPr`Z \
#XGR $
Z	Z ke
 NtCoT
X ntinT
SZ Z+sEa8
 NtCoT
 	XOj%&
, 1c^~Z HG
G=RZ 4
%QrZa8
7u@Z p
X l.dlT
Z ^ToNa8}
 ntdlT
Z iz"va8
^EsZ s&
OHea8b
R}(%&8
YtZ ^x3
 FMESa%
 jP 8Z 1
kZ }oK
"Z ]BD
LLSZa8R
[{Z X)%8a8b
'Z 6Kd
g~}a89
k2F 2)
Fd%&8X
FZ nT=
 =wxdZ 
Z 2jj,a8_
 JDv9%+
fO8%&8+
 f(b=8z
  7B|Z G
,fF%&8g
  Qy]Z c
 AW^tZ _
AYZ __q
.Q RW,
AZ K	0
3yZ IS
 ?@2kZ (
F!UZa8%
+*bZ L
)&Z =q[
XZ Qh1
Z 6$yLa8|
 p1bi(
G;B%&+
+C 1gXT 
 1gXT%+
Z NYqOa+
 mnv9(
=5&a8r
&	 B3A
9NBa80
 TF*xZ . 
 j&'J(
 <`9Q%+
 EE0'%&
'Z 6h-
~xZ 2b
 l0*k 
 ;RTJZ _
 p1bi(
 Vgw?(
 <$4z%+
nZ 2Xl
 |~x#Z 
 g(e-%+
 9V}|%+
O1%&8}
XGR OlRt8g
Z Xzwma8
. `sLdZ 
. ?*	FZ 
HuZ &C
 8)QW%&
. k\R5Z 
=oLZ HB
 ntdlT
X l.dlT
 {H+	%&8
.  +	;Z q
. $I WZ 
yrk%&8
X ntinT
 NtCoT
X ntinT
 ntdlT 
 NtCoT
X l.dlT
	cZ Udt\a8
`9Za8p
2Z Fw}ra82
 Y]'~%+
9_0Z e
QbZa8d
 _:`(8
 ]%cfZa8
Y}i%&8
Ii%&	 _
&	 jc5
e{(Za85
 x)6%Z 
Z *S>(a+
B>NZ o
!k Yo'
2Z HkX
HKZ P/
wZ f,h
 {LTfZ 
M-2%&8
ASh%&8
IZ/a8r
 UDfN 
 }IP|Z 
NtContinue
ntdll.dll
v2.0.50727
stub.exe
mscorlib
UnverifiableCodeAttribute
System.Security
SuppressIldasmAttribute
System.Runtime.CompilerServices
<Module>
.cctor
VirtualProtect
kernel32.dll
System
RuntimeTypeHandle
MethodInfo
System.Reflection
MethodBase
Thread
System.Threading
ParameterizedThreadStart
Module
ValueType
Object
Stream
System.IO
StubCode
WM_CLOSE
DBG_CONTINUE
DBG_EXCEPTION_NOT_HANDLED
ResourceManager
System.Resources
DebugActiveProcess
WaitForDebugEvent
ContinueDebugEvent
DeleteFile
IsWow64Process
SetKernelObjectSecurity
GetKernelObjectSecurity
NtSetInformationProcess
VirtualProtectEx
<>9__CachedAnonymousMethodDelegate1
<>9__CachedAnonymousMethodDelegate3
ThreadStart
<>9__CachedAnonymousMethodDelegate5
<>9__CachedAnonymousMethodDelegateb
<>9__CachedAnonymousMethodDelegated
StartProcess
BypassAvastScan
ProcessExecutablePath
Process
System.Diagnostics
process
CurrentDomain_AssemblyResolve
Assembly
ResolveEventArgs
sender
DisableSafeMode
DisableCMD
DisableUAC
DisableTaskManager
StartupPersistance
ProcessPersistence
handle
SystemWidePersistence
Decompress
ElevateProcess
CriticalProcess
ProcessKiller
GetProcessKiller
List`1
System.Collections.Generic
GetCMDArgs
ReflectionInvoke
GetInjectionPath
GetDefaultBrowser
SetCreationDate
filename
SetAttributes
StartAdAdmin
IsAdmin
AddToStartup
GetFolderPath
Environment
SpecialFolder
folder
GetStartupFolder
IsInStartupFolder
GetFolderFromString
GetDownloaderItems
GetBinderItems
ChangeZoneID
GetSetting
DetectSandboxie
AntiDump
GetSystemInfo
kernel32
memoryinfo
VirtualQueryEx
hProcess
lpAddress
lpBuffer
dwLength
OpenProcess
processAccess
bInheritHandle
processId
ReadProcessMemory
lpBaseAddress
buffer
lpNumberOfBytesRead
WriteProcessMemory
dwSize
lpNumberOfBytesWritten
memcmp
msvcrt.dll
MemorySafeLoad
ByteArrayCompare
CompareArrays
array2
ModifyArrays
GetProcAddress
hModule
procName
GetModuleHandle
running
CreateApi
dllname
procname
DebugProgram
RunPEDll
RunPEHandler
PROCESS_INFORMATION
NewImageBase
SizeOfHeaders
<Run>b__0
<StartupPersistance>b__2
<ProcessPersistence>b__4
<ProcessKiller>b__a
<ReflectionInvoke>b__c
AppDomain
ResolveEventHandler
System.Windows.Forms
DialogResult
MessageBoxButtons
MessageBoxIcon
WebClient
System.Net
DirectoryInfo
Exception
ProcessStartInfo
ProcessWindowStyle
StreamWriter
TextWriter
ProcessModule
System.Management
ManagementObjectSearcher
ManagementObjectCollection
ManagementObjectEnumerator
ManagementBaseObject
RegistryKey
Microsoft.Win32
RegistryValueKind
RawSecurityDescriptor
System.Security.AccessControl
RawAcl
SecurityIdentifier
System.Security.Principal
WellKnownSidType
CommonAce
AceFlags
AceQualifier
GenericAce
GenericSecurityDescriptor
MemoryStream
GZipStream
System.IO.Compression
CompressionMode
IDisposable
ParameterInfo
ApartmentState
StringComparison
DateTime
FileInfo
FileAttributes
FileSystemInfo
WindowsIdentity
WindowsPrincipal
WindowsBuiltInRole
Random
IEnumerator
System.Collections
ProcessModuleCollection
ReadOnlyCollectionBase
Delegate
MemoryInfo
BaseAddress
AllocationBase
AllocationProtect
RegionSize
Protect
SystemInfo
dwOemId
dwPageSize
lpMinimumApplicationAddress
lpMaximumApplicationAddress
dwActiveProcessorMask
dwNumberOfProcessors
dwProcessorType
dwAllocationGranularity
dwProcessorLevel
dwProcessorRevision
debugactiveprocess
MulticastDelegate
object
method
Invoke
dwProcessId
BeginInvoke
IAsyncResult
AsyncCallback
callback
EndInvoke
result
waitfordebugevent
lpDebugEvent
dwMilliseconds
continuedebugevent
dwThreadId
dwContinueStatus
deletefile
lpFileName
iswow64process
processHandle
wow64Process
setkernelobjectsecurity
Handle
securityInformation
pSecurityDescriptor
getkernelobjectsecurity
nLength
lpnLengthNeeded
ntsetinformationprocess
processInformationClass
processInformation
processInformationLength
virtualprotect
flNewProtect
lpflOldProtect
ntprotectvirtualmemory
PTHREAD_START_ROUTINE
lpThreadParameter
DEBUG_EVENT
dwDebugEventCode
debugInfo
get_Exception
get_CreateThread
get_CreateProcessInfo
get_ExitThread
get_ExitProcess
get_LoadDll
get_UnloadDll
get_DebugString
get_RipInfo
GetDebugInfo
CreateThread
CreateProcessInfo
ExitThread
ExitProcess
LoadDll
UnloadDll
DebugString
RipInfo
DebugEventType
value__
CREATE_PROCESS_DEBUG_EVENT
CREATE_THREAD_DEBUG_EVENT
EXCEPTION_DEBUG_EVENT
EXIT_PROCESS_DEBUG_EVENT
EXIT_THREAD_DEBUG_EVENT
LOAD_DLL_DEBUG_EVENT
OUTPUT_DEBUG_STRING_EVENT
RIP_EVENT
UNLOAD_DLL_DEBUG_EVENT
Protection
PAGE_EXECUTE_READWRITE
PAGE_READWRITE
PAGE_GUARD
CREATE_THREAD_DEBUG_INFO
hThread
lpThreadLocalBase
lpStartAddress
EXCEPTION_DEBUG_INFO
ExceptionRecord
dwFirstChance
EXCEPTION_RECORD
ExceptionCode
ExceptionFlags
ExceptionAddress
NumberParameters
ExceptionInformation
EXIT_THREAD_DEBUG_INFO
dwExitCode
EXIT_PROCESS_DEBUG_INFO
UNLOAD_DLL_DEBUG_INFO
lpBaseOfDll
OUTPUT_DEBUG_STRING_INFO
lpDebugStringData
fUnicode
nDebugStringLength
LOAD_DLL_DEBUG_INFO
dwDebugInfoFileOffset
nDebugInfoSize
lpImageName
CREATE_PROCESS_DEBUG_INFO
lpBaseOfImage
RIP_INFO
dwError
dwType
SafeQuickLZ
QLZ_VERSION_MAJOR
QLZ_VERSION_MINOR
QLZ_VERSION_REVISION
QLZ_STREAMING_BUFFER
QLZ_MEMORY_SAFE
HASH_VALUES
MINOFFSET
UNCONDITIONAL_MATCHLEN
UNCOMPRESSED_END
CWORD_LEN
DEFAULT_HEADERLEN
QLZ_POINTERS_1
QLZ_POINTERS_3
HeaderLength
source
SizeDecompressed
SizeCompressed
WriteHeader
compressible
sizeCompressed
sizeDecompressed
FastWrite
numbytes
ArgumentException
InjectionType
Itself
Winlogon
RegAsm
Svchost
Browser
Reflection
AlgorithmType
TripleDES
Rijndael
CMDArgType
Dynamic
FileInfoType
Default
Custom
Cloned
Delete
RunMode
Always
DownloaderMenuItem
location
runmode
BinderStubItem
<>c__DisplayClass8
<SystemWidePersistence>b__6
InjectionLibrary
InjectionMethod
InjectionMethodType
PortableExecutable
JLibrary.PortableExecutable
ConfusedByAttribute
Attribute
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
CompilerGeneratedAttribute
STUB.resources
String
UInt32
IntPtr
op_Explicit
GetTypeFromHandle
GetMethod
Concat
Equals
FailFast
set_IsBackground
get_CurrentThread
Debugger
get_IsAttached
IsLogging
get_IsAlive
get_Module
Marshal
System.Runtime.InteropServices
GetHINSTANCE
get_FullyQualifiedName
get_Chars
ReadByte
get_Length
RuntimeHelpers
InitializeArray
RuntimeFieldHandle
Buffer
BlockCopy
Encoding
System.Text
get_UTF8
GetString
Intern
GetElementType
CreateInstance
ManagementObject
MoveNext
ToString
op_Equality
Dispose
Registry
LocalMachine
CurrentUser
Resize
ClassesRoot
ToArray
ToInt32
op_Inequality
get_Count
Contains
GetExecutingAssembly
get_CurrentDomain
add_AssemblyResolve
Application
get_ExecutablePath
MessageBox
WriteAllBytes
LastIndexOf
Substring
Exists
DownloadFile
Directory
CreateDirectory
GetCurrentProcess
get_Id
get_Handle
get_Message
get_StartInfo
set_FileName
set_UseShellExecute
set_WindowStyle
set_CreateNoWindow
set_RedirectStandardInput
set_RedirectStandardOutput
get_StandardInput
WriteLine
WaitForExit
GetProcesses
get_ProcessName
GetLastWin32Error
get_MainModule
get_FileName
GetEnumerator
get_Current
get_Item
get_Name
CreateSubKey
DeleteSubKey
SetValue
get_DiscretionaryAcl
Convert
InsertAce
get_BinaryLength
GetBinaryForm
ToLower
get_EntryPoint
GetParameters
SetApartmentState
GetEnvironmentVariable
OpenSubKey
GetValue
Replace
EndsWith
SetCreationTime
get_Attributes
set_Attributes
set_Arguments
set_Verb
GetCurrent
IsInRole
GetTempPath
Format
WriteAllText
get_StartupPath
ToCharArray
Combine
GetValues
GetObject
get_Modules
get_ModuleName
get_BaseAddress
GetDelegateForFunctionPointer
ChangeType
Collect
SizeOf
AllocHGlobal
PtrToStructure
FreeHGlobal
Inject
Create
ConfuserEx v1.0.0
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
SkipVerification
WrapNonExceptionThrows
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
^System.Object[][], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\System.String[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089PAD
GCfBD11ib5XKLK 
!This program cannot be run in DOS mode.
`.rdata
@.data
9D$(ub
L$(9L$@
v89l$D|0
uM9l$D}G
D$0;D$(
9|$4r4
9|$4r4
+L$PRQW
+D$P][_^
AP32uS
L$<+L$
L$<+L$
L$<+L$
XjTZj3f
XjNYjEf
Xjr^jlf
ZjPXjIf
Xj2_jSf
je[j3f
ZjHXjEf
WWhM8g
t8VVh@
QVVVWVV
tCVVh[
YYGt]h
WWhQ]V
QSSSSSSh 
WWh_*y
WWh_*y
SWh0QA
uiSShx
t{;Atsv
u.hpSA
QQQQQQRP
uWSVW3
u.hTSA
[Sh@TA
>versu
VVVQPR
u8hXaA
tOWVhPeA
t-Sh,dA
tOSVWh
tOSVWh
t3hPdA
tOSVWh
tOSVWh
tOSVWh
tJSVWh
t3hPdA
_PSh\QA
t2Wh@?
QWWWVWWW
uVhpiA
WVhTlA
j*XjMf
XjiYjlf
HSVWjAXjcYjof
Xjt[j*f
Xjf_j%f
Yj\ZjDf
Xje^jkf
YjSXjof
HSVWj%Xjsf
Xji[jlf
Xjo^jt_jfZjef
XjrYjPf
jmXjlf
pSVWj%ZjS^jYXjTf
XjEYjMf
ZjoXjff
Xja[jrf
Xje_jnf
ji^jlZjgf
Yj\XjD_jtf
_jmXj.f
SVWjSXjof
Xjr[je^j\ZjWf
XjiYjn_jCf
YjUXjAf
DSVWj%Xjsf
Xje[jr_jaf
Xj ^jMZjiYjlf
WVh`sA
0SVWj%Xjs[j\Zj._jpYju^jrf
YjeXjaf
4SVWj%Xjsf
Xj\^jPf
Xjo_jcZjmf
XjaYji[jlf
SVWjSXjOf
XjE[j\Yjf_jl^jaf
XjkZjaf
jmZVXjp^j.f
^juYjhf
YjaXjpf
YjaXjpf
js[jmXjaYj.f
YjtZjp^jaf
[jmXjaf
ZjpXjhf
ju^jhXjef
^jpXjof
VjaXjdf
PSVWj%Xjsf
Xj\[jTf
Xju^jlYjyf
XjaZji_jDf
SVWj%Xjsf
Xj\Yjyf
Xj2ZjPf
YjOXj3f
Xj.[jx^jm_jlf
j\XjSf
Yj%Xjsf
j\XjyZjMf
XjiYj\f
VShLwA
VShhwA
7PSh|wA
umj1Xf
u.hpiA
<0u8Wh
t]VWh0
Vj*Xj.f
SVWj*Xj.f
XjnYjff
Xjs[j\_jNf
Xjo^jtZjef
YjFXjlf
HSVWj%Xjsf
XjoYjnf
Xje[jpf
Xjt_jwf
XjlZjd^j\f
YjoXjzf
j8Xj.f
SVWj*Xj.Zjpf
XjgYj%f
Zj\Xjtf
Xjc[jk_je^j\f
j%Xjsf
TSVWj%Xjs^j\[jMf
XjiZjcYjrf
XjS_jkf
j*Xj.f
8VWj%Xjs_j\^jTf
XjoZj-f
XjDYj f
YjLXjif
j%XjsYj\f
 j*Xj.f
XjsYj\f
$SVWj*[j._jk^jdZjbYjxXf
(j%Xjsf
Xj ZjRf
XjoYjbf
,VWj*Xj.f
Xjb_jMf
Xji^jkYjrf
XjoZjtf
@SVWjSXjof
Xjt^jwf
Xjr[je_jFf
XjlZj YjTf
8VWjPXja^jsYjwf
XjrZjdf
jSXjof
SjcXj:f
jSXjoZjf
Xjr[jef
XjB_j Yjaf
XjiYjnf
Xjs[j\f
ZjtXjaf
YjeXjAf
VjPXjof
XjrYjSf
Sj%XjsYj\f
u@h(mA
uLh(mA
j.Xjzf
(Vj*Xj.f
XjmZjsYjc^jwf
WWh_*y
QQSVWh
tqNt*Nt
PWh\QA
jOXjLf
Xj3[j2_j.ZjdYjl^f
PPhM8g
t:WPVh
$@0123456789ABCDEF
UNIQUE
SQLite format 3
DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
http://
https://
MachineGuid
SOFTWARE\Microsoft\Cryptography
LdrGetProcedureAddress
RtlNtStatusToDosError
RtlSetLastWin32Error
ZwQueryInformationProcess
RtlCreateUserThread
ZwAllocateVirtualMemory
NtFreeVirtualMemory
NtWriteVirtualMemory
ZwReadVirtualMemory
ZwResumeThread
last_compatible_version
password_value
username_value
origin_url
logins
VaultEnumerateItems
VaultEnumerateVaults
VaultFree
VaultGetItem
VaultOpenVault
VaultCloseVault
SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins
hostname
encryptedUsername
encryptedPassword
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_CheckUserPassword
SECITEM_FreeItem
sqlite3_finalize
sqlite3_step
sqlite3_close
sqlite3_column_text
sqlite3_open16
sqlite3_prepare_v2
sqlite3_prepare
ffffff
CloseHandle
CreateFileW
WriteFile
ExitProcess
CryptStringToBinaryA
StrStrA
GetProcAddress
LoadLibraryW
X!2$6*9(SKiasb+!v<.qF58_qwe~QsRTYvdeTYb
string
Server
settings
server
username
protocol
LsaICryptUnprotectData
UserName
Password
MAC=%02X%02X%02XINSTALL=%08X%08Xk
Fuckav.ru
aPLib v1.01  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
Qkkbal
getaddrinfo
freeaddrinfo
WS2_32.dll
GetLastError
SetLastError
HeapAlloc
HeapFree
GetProcessHeap
KERNEL32.dll
CoInitialize
CoUninitialize
CoCreateInstance
ole32.dll
OLEAUT32.dll
Fjpl2U2
+}U/rq[
$R^R'/
}[{t	a
tp66SW?
rf6MORj
#9?%:/Hn_'|
"Jvy 0
*yK/{+
67Pa:(4#tH
D|ii |
be%*wp
db1HjGGb
wserve.exe
Windows Server
ApplicationData
Windows Server
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>%USER%</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>%USER%</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>%USER%</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>%COMMAND%</Command>
	  <Arguments>%ARGUMENTS%</Arguments>
    </Exec>
  </Actions>
</Task>