Windows Analysis Report
I7fn013KZY.exe

Overview

General Information

Sample Name: I7fn013KZY.exe
Original Sample Name: c9a9fdd768de9f423e24dcf46d3ef838.exe
Analysis ID: 879631
MD5: c9a9fdd768de9f423e24dcf46d3ef838
SHA1: 5df4667ae097b4872e8cae8df0f003ac228650d1
SHA256: c82b062d79bbce1df07ed3dfe3d72faf33edd98a883f36344cc8cd4da9ffa36b
Tags: exe, Pony

Detection

Pony
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Pony
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Self deletion via cmd or bat file
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry)
Binary is likely a compiled AutoIt script file
Found API chain indicative of debugger detection
Allocates memory in foreign processes
Injects a PE file into a foreign process
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to simulate keystroke presses
Abnormal high CPU Usage
Is looking for software installed on the system
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Potential key logger detected (key state polling based)
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
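The signatures above (a process created in suspended mode, memory allocated and written in a foreign process, a PE file injected into it) describe the chain by which the AutoIt dropper hollows RegAsm.exe, the signed .NET utility that later shows up with Pony code at its image base. The following Python is an added example, not part of the Joe Sandbox report or of the sample, showing how that chain can be correlated from Sysmon-style process-create (Event 1), process-access (Event 10) and remote-thread (Event 8) records. The event lines, the pipe-delimited field format and the short list of hollowing hosts are constructed for the example; only the image paths and the PIDs 6080 and 4528 are taken from the report.

```python
import re

# PROCESS_* access rights from the Windows SDK (winnt.h).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME

# Assumption: a short local list of signed .NET utilities often used as hollowing hosts.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = re.compile(r"^c:\\users\\", re.IGNORECASE)

# Constructed Sysmon-style events (not taken from the sandbox run). The PIDs and
# image paths mirror the report; the access mask and start address are invented.
EVENTS = [
    "EventID=1|ProcessId=6080|Image=C:\\Users\\user\\Desktop\\I7fn013KZY.exe|ParentImage=C:\\Windows\\explorer.exe",
    "EventID=1|ProcessId=4528|Image=C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe|ParentImage=C:\\Users\\user\\Desktop\\I7fn013KZY.exe",
    "EventID=10|SourceProcessId=6080|TargetProcessId=4528|GrantedAccess=0x1FFFFF",
    "EventID=8|SourceProcessId=6080|TargetProcessId=4528|StartAddress=0x00400000",
    # Benign control: explorer opens notepad with PROCESS_QUERY_LIMITED_INFORMATION only.
    "EventID=1|ProcessId=7000|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe",
    "EventID=10|SourceProcessId=1234|TargetProcessId=7000|GrantedAccess=0x1000",
]


def parse_event(line):
    """Split a 'Key=Value|Key=Value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_hollowing(lines):
    """Return {target_pid: [reasons]} for processes that look hollowed.

    A hit needs both a suspicious spawn (known host started by a user-writable
    parent) and a cross-process open with write+suspend rights. A remote thread
    is extra evidence but not required: hollowing that resumes the suspended
    main thread via SetThreadContext/ResumeThread never creates one.
    """
    evidence = {}
    for ev in map(parse_event, lines):
        if ev["EventID"] == "1":
            if basename(ev["Image"]) in HOLLOW_HOSTS and USER_WRITABLE.match(ev["ParentImage"]):
                evidence.setdefault(ev["ProcessId"], set()).add("host spawned by user-writable parent")
        elif ev["EventID"] == "10":
            granted = int(ev["GrantedAccess"], 16)
            if ev["SourceProcessId"] != ev["TargetProcessId"] and granted & INJECT_MASK == INJECT_MASK:
                evidence.setdefault(ev["TargetProcessId"], set()).add(
                    "opened with VM_OPERATION|VM_WRITE|SUSPEND_RESUME")
        elif ev["EventID"] == "8":
            evidence.setdefault(ev["TargetProcessId"], set()).add("remote thread at " + ev["StartAddress"])

    hits = {}
    for pid, reasons in evidence.items():
        spawned = any(r.startswith("host spawned") for r in reasons)
        opened = any(r.startswith("opened with") for r in reasons)
        if spawned and opened:
            hits[pid] = sorted(reasons)
    return hits


if __name__ == "__main__":
    for pid, reasons in detect_hollowing(EVENTS).items():
        print(pid, reasons)
```

Requiring both the spawn and the access-mask condition keeps legitimate openers (debuggers, AV engines) from matching on the mask alone, while the notepad control shows that a query-only open never qualifies.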

Classification

AV Detection

Source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack Malware Configuration Extractor: Pony {"C2 list": ["http://185.79.156.18/bit/03/gate.php"]}
Source: I7fn013KZY.exe ReversingLabs: Detection: 78%
Source: I7fn013KZY.exe Virustotal: Detection: 78%
Source: I7fn013KZY.exe Avira: detected
Source: Yara match File source: 0.3.I7fn013KZY.exe.d70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.d70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3d110a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3ce19e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: I7fn013KZY.exe PID: 6080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4528, type: MEMORYSTR
Source: http://185.79.156.18/bit/03/gate.php Avira URL Cloud: Label: malware
Source: http://185.79.156.18/bit Virustotal: Detection: 12%
Source: http://185.79.156.18/bit/03/gate.php Virustotal: Detection: 7%
Source: C:\Users\user\AppData\Roaming\BitLockerWizardElev\CallHistoryClient.exe Avira: detection malicious, Label: TR/Dropper.Gen2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_0040A4D7 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree, 1_2_0040A4D7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_0040D183 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore, 1_2_0040D183
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_0040CC02 lstrlenA,CryptUnprotectData,LocalFree, 1_2_0040CC02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_0040A8E9 lstrlenA,CryptUnprotectData,LocalFree, 1_2_0040A8E9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_0040B9FB CryptUnprotectData,LocalFree,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA, 1_2_0040B9FB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_004041A1 CryptUnprotectData,LocalFree, 1_2_004041A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_0040A31C WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree, 1_2_0040A31C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_0040A732 CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree, 1_2_0040A732
Source: I7fn013KZY.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00404C38 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 1_2_00404C38
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_004088AA FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_004088AA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00403F6B FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_00403F6B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00404FA8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose, 1_2_00404FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_004095F7 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 1_2_004095F7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00408726 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_00408726
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
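The configuration-extractor line at the top of this section reduces the sample to a single gate URL, while the string dumps here and in the Networking section also carry URLs the stealer only uses as lookup input (the facebook.com URL stored next to the IE IntelliForms\Storage2 key, the aPLib author's site). The following Python is an added example, not code from the report or from the sample, that applies the same separation to an unpacked region: NUL-terminated URLs are pulled out, only those ending in a server-side script are treated as C2, and the PWDFILE0 / PKDFILE0 / CRYPTED0 markers that sit next to the gate URL in the dumps are checked for. The byte buffer is constructed to mimic the quoted fragments, and the ".php" filter is a heuristic assumption, not a Pony-specific rule.

```python
import json
import re

# Constructed stand-in for an unpacked Pony region (not the sandbox's dump):
# NUL-terminated strings laid out like the fragments the report quotes.
UNPACKED = (
    b"Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2\x00"
    b"http://www.facebook.com/\x00"
    b"Web Data\x00Login Data\x00SQLite format 3\x00"
    b"http://185.79.156.18/bit/03/gate.php\x00"
    b"YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0\x00"
    b"http://www.ibsensoftware.com/\x00"
)

# A URL runs from the scheme to the first non-printable byte (the NUL terminator).
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
# Markers that appear immediately after the gate URL in the report's dumps.
MARKERS = (b"PWDFILE0", b"PKDFILE0", b"CRYPTED0")


def extract_config(buf):
    """Split the URLs in an unpacked buffer into C2 gates and lookup noise."""
    urls = []
    for match in URL_RE.findall(buf):
        url = match.decode("ascii")
        if url not in urls:  # keep first-seen order, drop repeats
            urls.append(url)
    # Assumption (heuristic, not a Pony rule): a gate is a URL whose last path
    # component is a server-side script; bare sites are lookup keys, not C2.
    c2 = [u for u in urls if re.search(r"/[^/]+\.php$", u, re.IGNORECASE)]
    return {
        "C2 list": c2,
        "other_urls": [u for u in urls if u not in c2],
        "markers_present": all(m in buf for m in MARKERS),
    }


def extractor_line(buf):
    """Render the C2 list the way the report's configuration extractor prints it."""
    return json.dumps({"C2 list": extract_config(buf)["C2 list"]})


if __name__ == "__main__":
    print(extractor_line(UNPACKED))
    print(json.dumps(extract_config(UNPACKED), indent=2))
```

On a real unpacked region (for instance the `.raw.unpack` artifacts listed above) the same function can be fed the file's bytes; the marker check is what keeps a stray `.php` URL in an unrelated buffer from being reported as a Pony gate.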

Networking

Source: Malware configuration extractor URLs: http://185.79.156.18/bit/03/gate.php
Source: RegAsm.exe, 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: I7fn013KZY.exe, 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInet_*ftp://Software\Adobe\CommonSiteServersSiteServer %d\HostSiteServer %d\WebUrlSiteServer %d\Remote DirectorySiteServer %d-UserSiteServer %d-User PW%s\KeychainSiteServer %d\SFTPDeluxeFTPsites.xmlWeb DataLogin DataSQLite format 3table() CONSTRAINTPRIMARYUNIQUECHECKFOREIGNloginsorigin_urlpassword_valueusername_valueftp://http://https://\Google\Chrome\Chromium\ChromePlusSoftware\ChromePlusInstall_Dir\Bromium\Nichrome\Comodo\RockMeltK-Meleon\K-Meleon\ProfilesEpic\Epic\EpicStaff-FTPsites.ini\Sites\Visicom Media.ftpSettings\Global DownloaderSM.archFreshFTP.SMFBlazeFtpsite.datLastPasswordLastAddressLastUserLastPortSoftware\FlashPeak\BlazeFtp\Settings\BlazeFtp.fplFTP++.Link\shell\open\commandGoFTPConnections.txt3D-FTPsites.ini\3D-FTP\SiteDesignerSOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32EasyFTP\NetSarang.xfp.rdpTERMSRV/*password 51:b:username:s:full address:s:.TERMSRV/FTP NowFTPNowsites.xmlSOFTWARE\Robo-FTP 3.7\ScriptsSOFTWARE\Robo-FTP 3.7\FTPServersFTP CountFTP File%dPasswordServerNameUserIDInitialDirectoryPortNumberServerType equals www.facebook.com (Facebook)
Source: RegAsm.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: I7fn013KZY.exe, 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
Source: I7fn013KZY.exe, 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.79.156.18/bit
Source: I7fn013KZY.exe, 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp String found in binary or memory: http://185.79.156.18/bit/03/gate.php
Source: I7fn013KZY.exe, 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp String found in binary or memory: http://185.79.156.18/bit/03/gate.phpYUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
Source: I7fn013KZY.exe, 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp String found in binary or memory: http://https://ftp://operawand.dat_Software
Source: I7fn013KZY.exe, 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.496550551.0000000000413000.00000002.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.ibsensoftware.com/
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: CallHistoryClient.exe.0.dr String found in binary or memory: https://precisionsec.com/wp-content/uploads/2017/07/precisionsec-logo-website-edited-1-e150043196313
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_004038AD recv, 1_2_004038AD
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00E4CABC
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DC2344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00DC2344

E-Banking Fraud

Source: Yara match File source: 0.3.I7fn013KZY.exe.d70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.d70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3d110a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3ce19e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: I7fn013KZY.exe PID: 6080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4528, type: MEMORYSTR

System Summary

Source: 0.3.I7fn013KZY.exe.d70000.2.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.3.I7fn013KZY.exe.d70000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.3.I7fn013KZY.exe.d70000.2.raw.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.3.I7fn013KZY.exe.d70000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.3.I7fn013KZY.exe.3d110a8.3.raw.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.3.I7fn013KZY.exe.3d110a8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.3.I7fn013KZY.exe.3cf7fe8.4.raw.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.3.I7fn013KZY.exe.3cf7fe8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.3.I7fn013KZY.exe.3ce19e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.3.I7fn013KZY.exe.3ce19e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.3.I7fn013KZY.exe.3cf7fe8.5.raw.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.3.I7fn013KZY.exe.3cf7fe8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.3.I7fn013KZY.exe.3cf7fe8.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.3.I7fn013KZY.exe.3cf7fe8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: Process Memory Space: I7fn013KZY.exe PID: 6080, type: MEMORYSTR Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: I7fn013KZY.exe PID: 6080, type: MEMORYSTR Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 4528, type: MEMORYSTR Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: RegAsm.exe PID: 4528, type: MEMORYSTR Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: I7fn013KZY.exe, 00000000.00000002.360730844.0000000000E74000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
Source: I7fn013KZY.exe, 00000000.00000002.360730844.0000000000E74000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
Source: I7fn013KZY.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: I7fn013KZY.exe, type: SAMPLE Matched rule: SUSP_Imphash_Mar23_3 date = 2023-03-23, author = Arnim Rupp (https://github.com/ruppde), description = Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits, score = b5296cf0eb22fba6e2f68d0c9de9ef7845f330f7c611a0d60007aa87e270c62a, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = fe53b9d820adf3bcddf42976b8af1411e87d9dfd9aa479f12b2db50a5600f348
Source: 0.3.I7fn013KZY.exe.d70000.2.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.3.I7fn013KZY.exe.d70000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.3.I7fn013KZY.exe.d70000.2.raw.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.3.I7fn013KZY.exe.d70000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.3.I7fn013KZY.exe.3d110a8.3.raw.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.3.I7fn013KZY.exe.3d110a8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.3.I7fn013KZY.exe.3cf7fe8.4.raw.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.3.I7fn013KZY.exe.3cf7fe8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.3.I7fn013KZY.exe.3ce19e0.0.raw.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.3.I7fn013KZY.exe.3ce19e0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.3.I7fn013KZY.exe.3cf7fe8.5.raw.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.3.I7fn013KZY.exe.3cf7fe8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.3.I7fn013KZY.exe.3cf7fe8.1.raw.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.3.I7fn013KZY.exe.3cf7fe8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.0.I7fn013KZY.exe.dc0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_Imphash_Mar23_3 date = 2023-03-23, author = Arnim Rupp (https://github.com/ruppde), description = Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits, score = b5296cf0eb22fba6e2f68d0c9de9ef7845f330f7c611a0d60007aa87e270c62a, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = fe53b9d820adf3bcddf42976b8af1411e87d9dfd9aa479f12b2db50a5600f348
Source: 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: I7fn013KZY.exe PID: 6080, type: MEMORYSTR Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: I7fn013KZY.exe PID: 6080, type: MEMORYSTR Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: RegAsm.exe PID: 4528, type: MEMORYSTR Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: RegAsm.exe PID: 4528, type: MEMORYSTR Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\BitLockerWizardElev\CallHistoryClient.exe, type: DROPPED Matched rule: SUSP_Imphash_Mar23_3 date = 2023-03-23, author = Arnim Rupp (https://github.com/ruppde), description = Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits, score = b5296cf0eb22fba6e2f68d0c9de9ef7845f330f7c611a0d60007aa87e270c62a, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = fe53b9d820adf3bcddf42976b8af1411e87d9dfd9aa479f12b2db50a5600f348
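The SUSP_Imphash_Mar23_3 hits above (on the submitted file, on its unpacked image and on the dropped CallHistoryClient.exe) key on the import hash: the MD5 of the normalized import table, which survives renaming, re-signing and repacking as long as the linker emits the same imports in the same order. The following added example is not part of this report or of the rule's tooling; it reimplements that normalization the way pefile does it and runs it over a constructed import list. The sample's own import table is not reproduced on this page, so the block does not reproduce the b5296cf0... value from the rule and the import list below is an assumption.

```python
"""Import hash (imphash) as computed by pefile / VirusTotal, reimplemented here.

Normalization (matches pefile.PE.get_imphash for named imports):
  * module name lower-cased, with one trailing .dll / .ocx / .sys stripped
  * function name lower-cased; an ordinal-only import becomes "ordN"
    (pefile additionally resolves ordinals for ws2_32, wsock32 and oleaut32
    to their well-known names; that table is left out here, so imports by
    ordinal from those three modules will hash differently from pefile)
  * entries joined with "," in import-table order, then MD5 hex digest
"""
import hashlib
from typing import Iterable, List, Tuple, Union

ImportEntry = Tuple[str, Union[str, int]]   # (module, function name or ordinal)

_STRIPPED_EXTS = ("ocx", "sys", "dll")


def normalize_module(module: str) -> str:
    """KERNEL32.DLL -> kernel32 ; ntdll -> ntdll ; setup.exe -> setup.exe"""
    name = module.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in _STRIPPED_EXTS else name


def normalize_import(module: str, func: Union[str, int]) -> str:
    lib = normalize_module(module)
    return f"{lib}.ord{func}" if isinstance(func, int) else f"{lib}.{func.lower()}"


def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 over the comma-joined, normalized import list, in table order."""
    joined = ",".join(normalize_import(m, f) for m, f in imports)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


# Constructed import table (an assumption, not the sample's): the minimal set a
# packer or loader stub needs when it resolves everything else at runtime.
# Tables this small and uniform are why one imphash can single out a packer.
CONSTRUCTED_STUB_IMPORTS: List[ImportEntry] = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("KERNEL32.dll", "VirtualProtect"),
    ("USER32.dll", "MessageBoxA"),
]


def matches_rule_hash(imports: Iterable[ImportEntry], rule_hash: str) -> bool:
    """How a rule such as SUSP_Imphash_Mar23_3 decides: exact, case-insensitive match."""
    return imphash(imports) == rule_hash.lower()


if __name__ == "__main__":
    base = imphash(CONSTRUCTED_STUB_IMPORTS)
    print("imphash:", base)
    # Renaming the file, or changing module/function case, does not change it
    recased = [(m.upper(), f.upper()) for m, f in CONSTRUCTED_STUB_IMPORTS]
    print("case-insensitive:", imphash(recased) == base)
    # Reordering the import table does: the hash is order-sensitive
    print("order-sensitive:", imphash(list(reversed(CONSTRUCTED_STUB_IMPORTS))) != base)
    # Adding one import, as any rebuilt binary tends to, also changes it
    extended = CONSTRUCTED_STUB_IMPORTS + [("ADVAPI32.dll", "RegOpenKeyExA")]
    print("one more import:", imphash(extended) != base)
```

The fragility shown in the last two prints is the point of the rule's "0,25% hits" caveat: an imphash only identifies a build, so a match is strong evidence for that packer or loader family but a miss says nothing, and a defender should pivot on it (VirusTotal's `imphash:` search, as the rule description does) rather than treat it as a standalone verdict.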
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DCFCE0 0_2_00DCFCE0
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DCE6A0 0_2_00DCE6A0
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DCDF00 0_2_00DCDF00
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DE1484 0_2_00DE1484
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DD8808 0_2_00DD8808
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E47DDB 0_2_00E47DDB
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DF6DB6 0_2_00DF6DB6
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DEBDA6 0_2_00DEBDA6
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DED975 0_2_00DED975
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DF62D2 0_2_00DF62D2
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DD66E1 0_2_00DD66E1
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DC1287 0_2_00DC1287
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DD6F9E 0_2_00DD6F9E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00411DB9 1_2_00411DB9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00402E7A 1_2_00402E7A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: String function: 00404116 appears 51 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: String function: 00401CEE appears 139 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: String function: 004103DE appears 42 times
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DC3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow, 0_2_00DC3633
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DC189B NtdllDialogWndProc_W, 0_2_00DC189B
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4C8BE NtdllDialogWndProc_W, 0_2_00E4C8BE
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4C88F NtdllDialogWndProc_W, 0_2_00E4C88F
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, 0_2_00E4C498
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4C860 NtdllDialogWndProc_W, 0_2_00E4C860
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W, 0_2_00E4D43E
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 0_2_00E4C5FE
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, 0_2_00E4C1AC
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4C57D SendMessageW,NtdllDialogWndProc_W, 0_2_00E4C57D
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4C93E ClientToScreen,NtdllDialogWndProc_W, 0_2_00E4C93E
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4C909 NtdllDialogWndProc_W, 0_2_00E4C909
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DC16DE GetParent,NtdllDialogWndProc_W, 0_2_00DC16DE
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DC1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient, 0_2_00DC1290
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00E4CABC
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DC1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,73C34310,NtdllDialogWndProc_W, 0_2_00DC1287
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DC16B5 NtdllDialogWndProc_W, 0_2_00DC16B5
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4CA7C GetWindowLongW,NtdllDialogWndProc_W, 0_2_00E4CA7C
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DC167D NtdllDialogWndProc_W, 0_2_00DC167D
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4D3B8 NtdllDialogWndProc_W, 0_2_00E4D3B8
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 0_2_00E4BF8C
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4D78C NtdllDialogWndProc_W, 0_2_00E4D78C
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E4BF30 NtdllDialogWndProc_W, 0_2_00E4BF30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process Stats: CPU usage > 98%
Source: I7fn013KZY.exe, 00000000.00000003.360149865.0000000001100000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAuditPolicyGPInterop0 vs I7fn013KZY.exe
Source: I7fn013KZY.exe, 00000000.00000003.353206416.0000000003B2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAuditPolicyGPInterop0 vs I7fn013KZY.exe
Source: I7fn013KZY.exe, 00000000.00000002.360976618.0000000000EEF000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAuditPolicyGPInterop0 vs I7fn013KZY.exe
Source: I7fn013KZY.exe, 00000000.00000003.359225619.00000000010F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAuditPolicyGPInterop0 vs I7fn013KZY.exe
Source: I7fn013KZY.exe, 00000000.00000003.358334075.00000000010F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAuditPolicyGPInterop0 vs I7fn013KZY.exe
Source: I7fn013KZY.exe, 00000000.00000003.358255257.00000000010E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAuditPolicyGPInterop0 vs I7fn013KZY.exe
Source: I7fn013KZY.exe, 00000000.00000003.353116161.0000000003B29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAuditPolicyGPInterop0 vs I7fn013KZY.exe
Source: I7fn013KZY.exe, 00000000.00000002.361321837.0000000001107000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAuditPolicyGPInterop0 vs I7fn013KZY.exe
Source: I7fn013KZY.exe, 00000000.00000003.353494500.0000000003B26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAuditPolicyGPInterop0 vs I7fn013KZY.exe
Source: I7fn013KZY.exe, 00000000.00000003.353266122.0000000003BE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAuditPolicyGPInterop0 vs I7fn013KZY.exe
Source: I7fn013KZY.exe, 00000000.00000000.352301415.0000000000EEF000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAuditPolicyGPInterop0 vs I7fn013KZY.exe
Source: I7fn013KZY.exe, 00000000.00000003.358633934.00000000010F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAuditPolicyGPInterop0 vs I7fn013KZY.exe
Source: I7fn013KZY.exe, 00000000.00000003.353418936.0000000003BEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAuditPolicyGPInterop0 vs I7fn013KZY.exe
Source: I7fn013KZY.exe Binary or memory string: OriginalFilenameAuditPolicyGPInterop0 vs I7fn013KZY.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
Source: I7fn013KZY.exe ReversingLabs: Detection: 78%
Source: I7fn013KZY.exe Virustotal: Detection: 78%
Source: C:\Users\user\Desktop\I7fn013KZY.exe File read: C:\Users\user\Desktop\I7fn013KZY.exe
Source: C:\Users\user\Desktop\I7fn013KZY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\I7fn013KZY.exe C:\Users\user\Desktop\I7fn013KZY.exe
Source: C:\Users\user\Desktop\I7fn013KZY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Users\user\Desktop\I7fn013KZY.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\user\Desktop\I7fn013KZY.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TimeOut 1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\3841921.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\I7fn013KZY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Users\user\Desktop\I7fn013KZY.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\user\Desktop\I7fn013KZY.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\3841921.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TimeOut 1
Source: C:\Users\user\Desktop\I7fn013KZY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_004028E5 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification, 1_2_004028E5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_0040D183 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore, 1_2_0040D183
Source: C:\Users\user\Desktop\I7fn013KZY.exe File created: C:\Users\user\AppData\Roaming\BitLockerWizardElev
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\3841921.bat
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@12/2@0/0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_0040A63A CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree, 1_2_0040A63A
Source: C:\Users\user\Desktop\I7fn013KZY.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E2A06A GetLastError,FormatMessageW, 0_2_00E2A06A
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00E23C55 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00E23C55
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3360:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\3841921.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "
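The process tree recorded above has two shapes that a process-creation feed catches without any file-based signature: the AutoIt-compiled loader starting RegAsm.exe with no arguments (the host it then injects into), and two self-deletion launches, `cmd.exe /c TimeOut 1 & Del /F "<own path>"` from the loader and, from the hollowed RegAsm.exe, a .bat in %TEMP% invoked with the host's path as its argument, the script form the leaked Pony Loader source uses. The following added example is not part of this report or of any Joe Sandbox tooling; it runs both checks over constructed process-creation events modeled on that tree. The parent of the first process and the two benign control events at the end are assumptions, not taken from the report.

```python
"""Process-creation checks for the loader -> RegAsm.exe -> cmd.exe tree above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:          # the three fields a Sysmon EID 1 / EDR record always carries
    image: str
    command_line: str
    parent_image: str


# .NET framework utilities routinely abused as hollowing / injection hosts
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)
PAYLOAD = re.compile(r"\s/[ck]\s+(.*)$", re.I | re.S)        # what cmd.exe was told to run
SEPARATORS = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
DELAY_CMD = re.compile(r"^(timeout|ping|choice|sleep)\b", re.I)
DELETE_CMD = re.compile(r"^(del|erase)\b(.*)$", re.I | re.S)
SCRIPT_PATH = re.compile(r'"?([A-Za-z]:\\[^"&|<>]+?\.(?:bat|cmd))"?', re.I)
EXE_PATH = re.compile(r'"?([A-Za-z]:\\[^"&|<>]+?\.exe)"?', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _last_path(args: str) -> str:
    """Last quoted or bare token of a command: the target of `del /F "<path>"`."""
    m = re.search(r'(?:"([^"]+)"|(\S+))\s*$', args)
    return (m.group(1) or m.group(2)).lower() if m else ""


def argless_dotnet_host(ev: ProcessEvent) -> Optional[str]:
    """RegAsm.exe & co. do nothing useful without arguments; a bare launch from a
    user-writable location is the usual first step of a hollowing chain."""
    name = basename(ev.image)
    if name not in DOTNET_HOSTS:
        return None
    rest = re.sub(r'^\s*(?:"[^"]*"|\S+)\s*', "", ev.command_line)   # drop argv[0]
    if rest.strip() or not USER_WRITABLE.search(ev.parent_image):
        return None
    return f"{name} started with no arguments by {ev.parent_image}"


def self_delete_via_cmd(ev: ProcessEvent) -> Optional[str]:
    """Two self-deletion shapes: `<delay> & del <parent>` and a %TEMP% .bat
    launched with the parent's own path as its argument (Pony-style)."""
    if basename(ev.image) != "cmd.exe":
        return None
    m = PAYLOAD.search(ev.command_line)
    if not m:
        return None
    payload, parent = m.group(1), ev.parent_image.lower()
    segments = [s for s in SEPARATORS.split(payload) if s.strip()]
    if segments and DELAY_CMD.match(segments[0]):
        for seg in segments[1:]:
            d = DELETE_CMD.match(seg)
            if d and _last_path(d.group(2)) == parent:
                return f"delayed delete of parent image {ev.parent_image}"
    for script in SCRIPT_PATH.findall(payload):
        if USER_WRITABLE.search(script) and parent in (p.lower() for p in EXE_PATH.findall(payload)):
            return f"temp script {script} launched with parent image as argument"
    return None


CHECKS = (argless_dotnet_host, self_delete_via_cmd)


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    hits = []
    for i, ev in enumerate(events):
        for check in CHECKS:
            why = check(ev)
            if why:
                hits.append((i, why))
    return hits


# Constructed events modeled on the tree in this report. The explorer.exe parent
# of the loader and the two benign controls at the end are assumptions.
LOADER = r"C:\Users\user\Desktop\I7fn013KZY.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
SAMPLE_EVENTS = [
    ProcessEvent(LOADER, f'"{LOADER}"', r"C:\Windows\explorer.exe"),
    ProcessEvent(REGASM, REGASM, LOADER),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe",
                 f'"C:\\Windows\\System32\\cmd.exe" /c TimeOut 1 & Del /F "{LOADER}"', LOADER),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe",
                 f'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\user\\AppData\\Local\\Temp\\3841921.bat" "{REGASM}" "', REGASM),
    ProcessEvent(REGASM, f'"{REGASM}" /codebase "C:\\build\\MyComServer.dll"',
                 r"C:\Program Files\Microsoft Visual Studio\devenv.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c timeout 5 & del /F "C:\Users\user\AppData\Local\Temp\build.log"', r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for index, reason in scan(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

Both checks compare the deletion target or script argument against the parent image rather than looking for `del` or a .bat alone, which is what keeps the build-log control quiet; the argless-host check likewise requires a user-writable parent, so RegAsm.exe launched by a development tool with real arguments does not fire. Note that in the tree above the .bat is handed RegAsm.exe, a protected system binary, so the script's delete loop fails on a real host while still leaving this process-creation trace.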

Data Obfuscation

Source: Yara match File source: 0.3.I7fn013KZY.exe.3d110a8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.d70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3ce19e0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.d70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3d110a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3ce19e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.496550551.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: I7fn013KZY.exe PID: 6080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4528, type: MEMORYSTR
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DE8945 push ecx; ret 0_2_00DE8958
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00EEE260 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00EEE260
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\I7fn013KZY.exe File created: C:\Users\user\AppData\Roaming\BitLockerWizardElev\CallHistoryClient.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\I7fn013KZY.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Load Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File dump: 3841921.bat.1.dr 3880EEB1C736D853EB13B44898B718AB Jump to dropped file
Source: C:\Users\user\Desktop\I7fn013KZY.exe Process created: C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\user\Desktop\I7fn013KZY.exe
Source: C:\Users\user\Desktop\I7fn013KZY.exe Process created: C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\user\Desktop\I7fn013KZY.exe Jump to behavior
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DC48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00DC48D7
Source: C:\Users\user\Desktop\I7fn013KZY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\I7fn013KZY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\I7fn013KZY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\I7fn013KZY.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\BitLockerWizardElev\CallHistoryClient.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\I7fn013KZY.exe API coverage: 6.3 %
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_004043C2 GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 1_2_004043C2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00404C38 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 1_2_00404C38
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_004088AA FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_004088AA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00403F6B FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_00403F6B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00404FA8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose, 1_2_00404FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_004095F7 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 1_2_004095F7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00408726 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_00408726
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: RegAsm.exe, 00000001.00000002.496636700.000000000160A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\user\Desktop\I7fn013KZY.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DF58B9 IsDebuggerPresent, 0_2_00DF58B9
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DF5A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_00DF5A7C
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00EEE260 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00EEE260
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_3_00AD00BE mov esi, dword ptr fs:[00000030h] 0_3_00AD00BE
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_3_00AD00BE mov esi, dword ptr fs:[00000030h] 0_3_00AD00BE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_0040F749 mov eax, dword ptr fs:[00000030h] 1_2_0040F749
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DEA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DEA155
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_004101B7 SetUnhandledExceptionFilter,RevertToSelf, 1_2_004101B7
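Added example, not part of the report or of the sample: the `mov eax/esi, dword ptr fs:[30h]` lines above load the PEB pointer, which is an anti-debugging check only if the code then reads BeingDebugged (+0x02) or NtGlobalFlag (+0x68); the same load followed by Ldr (+0x0C) is the ordinary module-list walk a packer stub does to resolve imports. The scanner below tells the two apart on raw 32-bit code bytes. The fragments it scans are constructed for the demo; the opcode encodings are standard x86, while the 24-byte look-ahead window and the linear (non-disassembling) scan are the editor's triage heuristics, not a disassembler.

```python
import re

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr (module list walk)",
              0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}
ANTI_DEBUG_FIELDS = {0x02, 0x68}

# fs:[30h] loads: 64 A1 30 00 00 00 (mov eax, moffs32) or 64 8B /r with a disp32-only
# ModRM (05/0D/15/1D/2D/35/3D = eax..edi except esp, which would need a SIB byte).
PEB_LOAD = re.compile(rb"\x64(?:\xA1|\x8B([\x05\x0D\x15\x1D\x2D\x35\x3D]))\x30\x00\x00\x00")

def _field_reads(code: bytes, start: int, reg: int, window: int = 24) -> list:
    """Offsets read through [reg+disp8] shortly after the PEB pointer landed in `reg`.
    Recognises mov r32 (8B), mov r8 (8A), movzx (0F B6), cmp byte (80 /7), test byte (F6 /0)."""
    found, i, end = [], start, min(len(code), start + window)
    while i < end - 2:
        op = code[i]
        if op == 0x0F and code[i + 1] == 0xB6 and i + 3 < len(code):
            modrm, disp, width = code[i + 2], code[i + 3], 4
        elif op in (0x8B, 0x8A, 0x80, 0xF6):
            modrm, disp, width = code[i + 1], code[i + 2], 3
        else:
            i += 1
            continue
        if (modrm & 0xC7) != (0x40 | reg):        # not mod=01, rm=reg, i.e. not [reg+disp8]
            i += 1
            continue
        found.append(disp)
        if op in (0x80, 0xF6):                    # cmp/test leave the pointer register intact
            i += width + 1                        # skip the imm8 operand as well
        elif ((modrm >> 3) & 7) == reg:
            break                                 # destination overwrote the PEB pointer
        else:
            i += width
    return found

def scan_peb_checks(code: bytes) -> list:
    """One record per fs:[30h] load: which register got the PEB and which fields were read next."""
    hits = []
    for m in PEB_LOAD.finditer(code):
        reg = 0 if m.group(1) is None else (m.group(1)[0] >> 3) & 7
        fields = _field_reads(code, m.end(), reg)
        hits.append({"offset": m.start(), "reg": REGS[reg],
                     "fields": [PEB_FIELDS.get(d, f"+0x{d:02x}") for d in fields],
                     "anti_debug": any(d in ANTI_DEBUG_FIELDS for d in fields)})
    return hits

# Constructed fragments (not bytes from the sample), separated by int3 padding.
FRAGMENTS = [
    bytes.fromhex("64A130000000 0FB64002 85C0 7505"),           # mov eax,fs:[30h]; movzx eax,byte [eax+2]; test eax,eax; jnz
    bytes.fromhex("648B3530000000 8B4668 A870 7503"),           # mov esi,fs:[30h]; mov eax,[esi+68h]; test al,70h; jnz
    bytes.fromhex("64A130000000 8B400C 8B4014"),                # mov eax,fs:[30h]; mov eax,[eax+0Ch]; mov eax,[eax+14h]  (Ldr walk)
    bytes.fromhex("64A130000000 80780200 750A F6406870 750A"),  # cmp byte [eax+2],0; jnz; test byte [eax+68h],70h; jnz
]
DEMO_CODE = (b"\xCC" * 8).join(FRAGMENTS)

def demo() -> list:
    return scan_peb_checks(DEMO_CODE)

if __name__ == "__main__":
    for h in demo():
        print(f"+0x{h['offset']:04x} {h['reg']}: {', '.join(h['fields'])} -> anti-debug={h['anti_debug']}")
```

Point it at the code section of an unpacked image (`scan_peb_checks(section.data)`); hits whose `anti_debug` flag is false are usually import resolution and can be left out of a report, hits with BeingDebugged or NtGlobalFlag are the ones worth patching or bypassing before dynamic analysis.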

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\I7fn013KZY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\I7fn013KZY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 10BD008 Jump to behavior
Source: C:\Users\user\Desktop\I7fn013KZY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\I7fn013KZY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_3_00AD00BE CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread, 0_3_00AD00BE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_0040FF0E lstrcmpiA,LogonUserA,lstrlenA,LCMapStringA,LogonUserA,LogonUserA,LoadUserProfileA,ImpersonateLoggedOnUser,RevertToSelf,UnloadUserProfile,CloseHandle, 1_2_0040FF0E
Source: C:\Users\user\Desktop\I7fn013KZY.exe Code function: 0_2_00DC48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00DC48D7
Source: C:\Users\user\Desktop\I7fn013KZY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Jump to behavior
Source: C:\Users\user\Desktop\I7fn013KZY.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\user\Desktop\I7fn013KZY.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\3841921.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe TimeOut 1 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00404297 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 1_2_00404297
Source: I7fn013KZY.exe, 00000000.00000002.360730844.0000000000E74000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: I7fn013KZY.exe Binary or memory string: Shell_TrayWnd
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 1_2_004043C2
Source: C:\Users\user\Desktop\I7fn013KZY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_004043C2 GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 1_2_004043C2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_004100FF OleInitialize,GetUserNameA, 1_2_004100FF
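Added example, not part of the report or of the sample: a behavioural triage pass with rules for three things the report records, the RWX allocation, MZ-prefixed write at base 400000 and SetThreadContext/ResumeThread against a freshly created RegAsm.exe (process hollowing), the `cmd /c TimeOut 1 & Del /F <own path>` and %TEMP% .bat helper command lines (self-deletion), and the `Windows NT\CurrentVersion\Windows\Load` value from the Boot Survival section above. The event list is constructed to mirror those report lines; the PIDs, the parent links, what the Load value holds and the meaning of the second write at 10BD008 are assumptions made for the demo, not facts from the report.

```python
import re
from collections import defaultdict

# cmd.exe self-delete idiom: <cmd> /c ... timeout|ping ... & del [/f] [/q] "<path>"
SELF_DELETE = re.compile(r'/c\s+.*?\b(?:timeout|ping)\b.*?&\s*del\b\s+(?:/[fq]\s+)*"?(?P<path>[^"&]+?)"?\s*$', re.I)
BAT_IN_TEMP = re.compile(r'"?([^"\s]+\\Temp\\[^"\s]+\.bat)"?', re.I)
WINLOGON_KEY = r"\windows nt\currentversion\windows"   # ...\Windows NT\CurrentVersion\Windows (Load / Run values)
AUTOSTART_VALUES = {"load", "run"}

def triage(events):
    """Return (rule, source_pid, detail) findings for a list of event dicts."""
    procs = {e["pid"]: e for e in events if e["t"] == "process_create"}
    findings = []
    inj = defaultdict(lambda: {"rwx": set(), "mz": set(), "ctx": False, "resume": False})
    for e in events:
        if e["t"] == "process_create":
            parent = procs.get(e["ppid"], {}).get("image", "")
            m = SELF_DELETE.search(e["cmdline"])
            if m and m.group("path").strip().lower() == parent.lower():
                findings.append(("self_delete_cmd", e["pid"], parent))
            b = BAT_IN_TEMP.search(e["cmdline"])
            if b and parent and parent.lower() in e["cmdline"].lower():    # .bat in %TEMP% handed the parent's path
                findings.append(("self_delete_bat", e["pid"], b.group(1)))
        elif e["t"] == "reg_set":
            if e["key"].lower().rstrip("\\").endswith(WINLOGON_KEY) and e["value"].lower() in AUTOSTART_VALUES:
                findings.append(("autostart_winlogon_" + e["value"].lower(), e["pid"], e["data"]))
        elif e["t"] in ("mem_alloc", "mem_write", "thread_ctx_set", "thread_resume"):
            s = inj[(e["pid"], e["target"])]
            if e["t"] == "mem_alloc" and "EXECUTE" in e["protect"]:
                s["rwx"].add(e["base"])
            elif e["t"] == "mem_write" and e["head"][:2] == b"MZ":
                s["mz"].add(e["base"])
            elif e["t"] == "thread_ctx_set":
                s["ctx"] = True
            elif e["t"] == "thread_resume":
                s["resume"] = True
    # Hollowing: executable region allocated and a PE image written at the same base in another
    # process, then that process's thread context replaced and the thread resumed.
    for (src, dst), s in inj.items():
        bases = s["rwx"] & s["mz"]
        if bases and s["ctx"] and s["resume"]:
            target = procs.get(dst, {}).get("image", f"pid {dst}")
            findings.append(("process_hollowing", src, f"{target} @ 0x{min(bases):x}"))
    return findings

SELF = r"C:\Users\user\Desktop\I7fn013KZY.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
EVENTS = [  # constructed to mirror the report's lines; PIDs and parent links are assumed
    {"t": "process_create", "pid": 6080, "ppid": 1000, "image": SELF, "cmdline": '"' + SELF + '"'},
    {"t": "reg_set", "pid": 6080, "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "value": "Load", "data": r"C:\Users\user\AppData\Roaming\BitLockerWizardElev\CallHistoryClient.exe"},  # data assumed
    {"t": "process_create", "pid": 4528, "ppid": 6080, "image": REGASM, "cmdline": REGASM},
    {"t": "mem_alloc", "pid": 6080, "target": 4528, "base": 0x400000, "protect": "PAGE_EXECUTE_READWRITE"},
    {"t": "mem_write", "pid": 6080, "target": 4528, "base": 0x400000, "head": b"MZ\x90\x00"},
    {"t": "mem_write", "pid": 6080, "target": 4528, "base": 0x10BD008, "head": b"\x00\x00\x40\x00"},  # assumed: PEB ImageBaseAddress
    {"t": "thread_ctx_set", "pid": 6080, "target": 4528},
    {"t": "thread_resume", "pid": 6080, "target": 4528},
    {"t": "process_create", "pid": 7000, "ppid": 6080, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c TimeOut 1 & Del /F "' + SELF + '"'},
    {"t": "process_create", "pid": 7010, "ppid": 4528, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'C:\\Windows\\system32\\cmd.exe /c ""C:\\Users\\user\\AppData\\Local\\Temp\\3841921.bat" "' + REGASM + '" "'},
    {"t": "process_create", "pid": 8000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /f C:\Users\user\Downloads\old.zip"},  # benign: no delay, not the parent's own image
]

if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:24} pid {pid}: {detail}")
```

The hollowing rule deliberately requires all three stages against the same target before it fires; an RWX allocation plus a write alone also matches legitimate JIT and debugger behaviour, and the self-deletion rule only fires when the deleted path is the parent's own image, which keeps ordinary `cmd /c del` clean-up scripts out of the findings.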

Stealing of Sensitive Information

Source: Yara match File source: 0.3.I7fn013KZY.exe.d70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.d70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3d110a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3ce19e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: I7fn013KZY.exe PID: 6080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4528, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\CuteFTP\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\SharedSettings_1_0_5.ccs Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\wcx_ftp.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\RhinoSoft.com\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\SharedSettings.ccs Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\TurboFTP Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\LeapWare\LeapFTP\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\CuteFTP\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\TurboFTP\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\GPSoftware\Directory Opus\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\AceBIT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\BitKinex\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\FileZilla\filezilla.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\BitKinex\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files (x86)\CuteFTP\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\SharedSettings.ccs Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\GHISLER\wcx_ftp.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\FlashFXP\4\Sites.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\FTP Explorer\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\FTPGetter\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Frigate3\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files (x86)\CuteFTP\sm.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FTPRush\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Frigate3\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\CuteFTP\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\SmartFTP\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\BitKinex\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\FTPRush\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\FTP Explorer\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\Frigate3\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\FileZilla\sitemanager.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\TurboFTP\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\TurboFTP\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\FlashFXP\3\Quick.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\Estsoft\ALFTP\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\ExpanDrive\drives.js
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\FTPGetter\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\AceBIT\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FTP Explorer\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\CuteFTP\sm.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\FlashFXP\3\Sites.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\AceBIT\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\SmartFTP\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\SharedSettings.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\AceBIT\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\32BitFtp.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\FlashFXP\4\Quick.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\CuteFTP\sm.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\FTPRush\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\RhinoSoft.com\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\FlashFXP\3\History.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\FlashFXP\4\History.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\wcx_ftp.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword 1_2_0040E968
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword 1_2_0040E968
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal

Remote Access Functionality

Source: Yara match File source: 0.3.I7fn013KZY.exe.d70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.d70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3d110a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3ce19e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.I7fn013KZY.exe.3cf7fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: I7fn013KZY.exe PID: 6080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4528, type: MEMORYSTR
No contacted IP infos