
Analysis Report 24specifications-Contract project-2902344175.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 123515
Start date: 15.04.2019
Start time: 22:37:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 23s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 24specifications-Contract project-2902344175.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.troj.spyw.evad.winEXE@7/1@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 98.2% (good quality ratio 95.2%)
  • Quality average: 85%
  • Quality standard deviation: 24.1%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 96
  • Number of non-executed functions: 66
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: 24specifications-Contract project-2902344175.exe

Detection

Strategy: Threshold
Score: 68
Range: 0 - 100
Reporting: (empty)
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false
Confidence: (empty)


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.



Mitre Att&ck Matrix

Each line below is one tactic column of the matrix; a number in parentheses is the superscript count shown next to that technique.

Initial Access: Valid Accounts (1), Replication Through Removable Media, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link
Execution: Scripting (1), Service Execution, Windows Management Instrumentation, Scheduled Task, Command-Line Interface
Persistence: Valid Accounts (1), Port Monitors, Accessibility Features, System Firmware, Shortcut Modification
Privilege Escalation: Valid Accounts (1), Process Injection (12), Path Interception, DLL Search Order Hijacking, File System Permissions Weakness
Defense Evasion: Software Packing (1), Valid Accounts (1), Process Injection (12), Scripting (1), Obfuscated Files or Information (1)
Credential Access: Credentials in Registry (2), Network Sniffing, Input Capture, Credentials in Files, Account Manipulation
Discovery: Process Discovery (2), Account Discovery (1), Security Software Discovery (2), System Information Discovery (12), Remote System Discovery
Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot
Collection: Data from Local System (2), Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged
Exfiltration: Data Compressed, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer
Command and Control: Standard Cryptographic Protocol (2), Fallback Channels, Custom Cryptographic Protocol, Multiband Communication, Standard Cryptographic Protocol

Signature Overview



AV Detection:

Antivirus and Machine Learning detection for unpacked file
Source: 6.2.24specifications-Contract project-2902344175.exe.400000.0.unpack | Avira: Label: TR/PSW.Fareit.iloen
Source: 6.1.24specifications-Contract project-2902344175.exe.400000.0.unpack | Avira: Label: TR/PSW.Fareit.iloen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_0040A4D7 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_0040D183 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_0040CC02 lstrlenA,CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_0040A8E9 lstrlenA,CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_0040B9FB CryptUnprotectData,LocalFree,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_004041A1 CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_0040A31C WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_0040A732 CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_00404C38 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_004088AA FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_004095F7 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_00403F6B FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_00404FA8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_00408726 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_00404C38 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_004088AA FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_004095F7 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_00403F6B FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_00404FA8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_00408726 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose

Networking:

Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_004038AD recv
Found strings which match to known social media urls
Source: 24specifications-Contract project-2902344175.exe, 00000006.00000002.6422456596.0000000000400000.00000040.sdmp | String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 24specifications-Contract project-2902344175.exe, 00000006.00000001.6354681864.0000000000400000.00000040.sdmp | String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInet_*ftp://Software\Adobe\CommonSiteServersSiteServer %d\HostSiteServer %d\WebUrlSiteServer %d\Remote DirectorySiteServer %d-UserSiteServer %d-User PW%s\KeychainSiteServer %d\SFTPDeluxeFTPsites.xmlWeb DataLogin DataSQLite format 3table() CONSTRAINTPRIMARYUNIQUECHECKFOREIGNloginsorigin_urlpassword_valueusername_valueftp://http://https://\Google\Chrome\Chromium\ChromePlusSoftware\ChromePlusInstall_Dir\Bromium\Nichrome\Comodo\RockMeltK-Meleon\K-Meleon\ProfilesEpic\Epic\EpicStaff-FTPsites.ini\Sites\Visicom Media.ftpSettings\Global DownloaderSM.archFreshFTP.SMFBlazeFtpsite.datLastPasswordLastAddressLastUserLastPortSoftware\FlashPeak\BlazeFtp\Settings\BlazeFtp.fplFTP++.Link\shell\open\commandGoFTPConnections.txt3D-FTPsites.ini\3D-FTP\SiteDesignerSOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32EasyFTP\NetSarang.xfp.rdpTERMSRV/*password 51:b:username:s:full
Source: 24specifications-Contract project-2902344175.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Urls found in memory or binary data
Source: 24specifications-Contract project-2902344175.exe, 00000006.00000001.6354681864.0000000000400000.00000040.sdmp, 24specifications-Contract project-2902344175.exe, 00000006.00000002.6422456596.0000000000400000.00000040.sdmp | String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
Source: 24specifications-Contract project-2902344175.exe | String found in binary or memory: http://ectalec.com/gate.php
Source: 24specifications-Contract project-2902344175.exe, 00000006.00000001.6354681864.0000000000400000.00000040.sdmp, 24specifications-Contract project-2902344175.exe, 00000006.00000002.6422456596.0000000000400000.00000040.sdmp | String found in binary or memory: http://ectalec.com/gate.phpYUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
Source: 24specifications-Contract project-2902344175.exe, 00000006.00000001.6354681864.0000000000400000.00000040.sdmp, 24specifications-Contract project-2902344175.exe, 00000006.00000002.6422456596.0000000000400000.00000040.sdmp | String found in binary or memory: http://https://ftp://operawand.dat_Software
Source: 24specifications-Contract project-2902344175.exe, 24specifications-Contract project-2902344175.exe, 00000006.00000001.6354681864.0000000000400000.00000040.sdmp | String found in binary or memory: http://www.ibsensoftware.com/

System Summary:

Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4304:120:WilError_01
Detected potential crypto function
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_00411DA9
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_00402E7A
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_00411DA9
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_00402E7A
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: String function: 00404116 appears 102 times
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: String function: 00410234 appears 38 times
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: String function: 00401CEE appears 278 times
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: String function: 00401D75 appears 48 times
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: String function: 0040528D appears 32 times
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: String function: 004103CC appears 84 times
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: String function: 00401DC9 appears 60 times
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: String function: 00404161 appears 44 times
PE file contains strange resources
Source: 24specifications-Contract project-2902344175.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 24specifications-Contract project-2902344175.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 24specifications-Contract project-2902344175.exe, 00000006.00000002.6423924937.00000000022A0000.00000002.sdmp | Binary or memory string: System.OriginalFileName vs 24specifications-Contract project-2902344175.exe
Source: 24specifications-Contract project-2902344175.exe, 00000006.00000002.6427224715.00000000027F0000.00000002.sdmp | Binary or memory string: originalfilename vs 24specifications-Contract project-2902344175.exe
Source: 24specifications-Contract project-2902344175.exe, 00000006.00000002.6427224715.00000000027F0000.00000002.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 24specifications-Contract project-2902344175.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Section loaded: wow64log.dll
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: mal68.troj.spyw.evad.winEXE@7/1@0/0
Contains functionality to access the windows certificate store
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_0040D183 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_0040D183 CertOpenSystemStoreA,lstrcmpA,lstrcmpA
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_004028E5 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_004028E5 LookupPrivilegeValueA,GetCurrentProcess,AdjustTokenPrivileges,CloseHandle
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_00402C64 WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_0040A63A CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree
Creates temporary files
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File created: C:\Users\user~1\AppData\Local\Temp\641906.bat
Executes batch files
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user~1\AppData\Local\Temp\641906.bat' 'C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe' '
Parts of this application use Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Reads ini files
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File read: C:\Windows\win.ini
Reads software policies
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe 'C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe'
Source: unknown | Process created: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe 'C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user~1\AppData\Local\Temp\641906.bat' 'C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe' '
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Process created: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe 'C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe'
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user~1\AppData\Local\Temp\641906.bat' 'C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe' '
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_00402453 LoadLibraryA,GetProcAddress

Hooking and other Techniques for Hiding and Protection:

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File dump: 641906.bat.6.dr 3880EEB1C736D853EB13B44898B718AB
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_6-11321
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_00404C38 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_004088AA FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_004095F7 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_00403F6B FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_00404FA8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_00408726 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_00404C38 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_004088AA FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_004095F7 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_00403F6B FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_00404FA8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_00408726 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Contains functionality to query system information
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_004043C2 GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo
Program exit points
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | API call chain: ExitProcess graph end node graph_6-11164
Queries a list of all running processes
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Process queried: DebugFlags
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Process queried: DebugObjectHandle
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_00402453 LoadLibraryA,GetProcAddress
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_0040F749 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_0040F749 mov eax, dword ptr fs:[00000030h]
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_004101A5 SetUnhandledExceptionFilter,RevertToSelf
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_004101A5 SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Section loaded: unknown target pid: 5024 protection: execute and read and write
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_00402C64 CreateToolhelp32Snapshot,Process32First,StrStrIA,OpenProcess,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle, explorer.exe
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_00402DAC StrStrIA,OpenProcess,RegOpenCurrentUser,Process32Next,CloseHandle, explorer.exe
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_0040FEFC lstrcmpiA,LogonUserA,lstrlenA,LCMapStringA,LogonUserA,LogonUserA,LoadUserProfileA,ImpersonateLoggedOnUser,RevertToSelf,UnloadUserProfile,CloseHandle
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Process created: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe 'C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe'
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user~1\AppData\Local\Temp\641906.bat' 'C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe' '
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_00404297 AllocateAndInitializeSid,CheckTokenMembership,FreeSid

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_004043C2 GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_1_004043C2 GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_004100ED OleInitialize,GetUserNameA
Contains functionality to query windows version
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: 6_2_004043C2 GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Local\CuteFTP\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\ProgramData\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Local\RhinoSoft.com\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Roaming\NetDrive\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\ProgramData\RhinoSoft.com\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Roaming\AceBIT\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Roaming\BitKinex\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: HKEY_CURRENT_USER\Software\TurboFTP
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Roaming\FTP Explorer\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\ProgramData\LeapWare\LeapFTP\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\Users\user\AppData\Local\TurboFTP\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | File opened: C:\ProgramData\GPSoftware\Directory Opus\
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\FTPRush\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\wcx_ftp.iniJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: HKEY_CURRENT_USER\Software\AceBITJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\FileZilla\filezilla.xmlJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\Frigate3\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\BitKinex\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\TurboFTP\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\NetDrive\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\SharedSettings_1_0_5.sqliteJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Program Files (x86)\CuteFTP\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\SharedSettings.ccsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\SharedSettings.sqliteJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqliteJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\GHISLER\wcx_ftp.iniJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\FileZilla\recentservers.xmlJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\CuteFTP\sm.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xmlJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\FlashFXP\4\Sites.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\FTP Explorer\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Program Files (x86)\CuteFTP\sm.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccountsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\FlashFXP\3\History.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\CuteFTP\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\Frigate3\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTPJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\SmartFTP\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xmlJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\BitKinex\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: HKEY_CURRENT_USER\Software\FTP Explorer\ProfilesJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\FlashFXP\4\History.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\Frigate3\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\SmartFTP\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\SharedSettings.ccsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqliteJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\FileZilla\sitemanager.xmlJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqliteJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\TurboFTP\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\FlashFXP\3\Quick.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\ExpanDrive\drives.jsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\CuteFTP\sm.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqliteJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqliteJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\ExpanDrive\drives.jsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\FlashFXP\3\Sites.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\FTP Explorer\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\HostsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbarJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbarJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xmlJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\SharedSettings.sqliteJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\SharedSettings.sqliteJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\AceBIT\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\GlobalSCAPE\CuteFTP\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\CuteFTP\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqliteJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Windows\32BitFtp.iniJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\FlashFXP\4\Quick.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\FTPRush\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqliteJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\NetDrive\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbarJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.jsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\AceBIT\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\FTPRush\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbarJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\FlashFXP\3\History.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: HKEY_LOCAL_MACHINE\Software\TurboFTPJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\FlashFXP\4\History.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqliteJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\Jump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccsJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Windows\wcx_ftp.iniJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.datJump to behavior
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exeFile opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.iniJump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword | 6_2_0040E968
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword | 6_2_0040E968
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword | 6_1_0040E968
Source: C:\Users\user\Desktop\24specifications-Contract project-2902344175.exe | Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword | 6_1_0040E968

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 123515 | Sample: 24specifications-Contract project-2902344175.exe | Startdate: 15/04/2019 | Architecture: WINDOWS | Score: 68
Signatures on the sample: Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code; Tries to steal Mail credentials (via file registry); Antivirus and Machine Learning detection for unpacked file
Process chain: 24specifications-Contract project-2902344175.exe started (signature: Maps a DLL or memory area into another process) -> 24specifications-Contract project-2902344175.exe started (signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)) -> cmd.exe started -> conhost.exe started

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
6.2.24specifications-Contract project-2902344175.exe.400000.0.unpack | 100% | Avira | TR/PSW.Fareit.iloen
6.1.24specifications-Contract project-2902344175.exe.400000.0.unpack | 100% | Avira | TR/PSW.Fareit.iloen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://ectalec.com/gate.phpYUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 | 0% | Avira URL Cloud | safe
http://ectalec.com/gate.php | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.