I had a look, gave it a name and posted some info on VirusTotal (https://www.virustotal.com/en/file/ba47 ... /analysis/).
If somebody already gave it a name or you know the real name, please let me know.
Attached you can find the dumps and also the decrypted strings (with RVAs where the string is created in the code of the according module).
CirhashBot (uses "^#" (circumflex hash) as newline escape sequence in crypto strings)
- complex.dll: main component. Possible tasks seem to be "LINK" (download and execute) and "FILE" (execute from provided buffer). DLLs seem to be executed in memory, EXE files will be dropped to disk and started via CreateProcess
- stealer_component.dll: Steals email/FTP/WebDrive accounts
- detects_component.dll: Checks for analysis system and some AV products
RC4-key for POST data and response: "j76TRADHOj7yg54ihkbGQ1"
Base64-string replacements for POST data and response: "+" -> "-", "/" -> "_", "=" -> "."