Windows Analysis Report
820.exe

Overview

General Information

Sample name: 820.exe
(renamed file extension from none to exe)
Original sample name: 820
Analysis ID: 1428492
MD5: f318a9ad5a22eb8b1a0849d82b171cc6
SHA1: 4206d66d1279f24097aeec8184dc3dd22cc6513a
SHA256: 820b7ea29750ecab25b85ef56f24d42b51b332b404e594ee55cdff2bc63097df

Detection

Pony
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Pony
C2 URLs / IPs found in malware configuration
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Machine Learning detection for sample
Pony trojan / infostealer detected
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara signature match

Classification

Name: EvilPony, Ponyshe
Description: Privately modded version of the Pony stealer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony

AV Detection

Source: 820.exe Avira: detected
Source: 0.0.820.exe.400000.0.unpack Malware Configuration Extractor: Pony {"C2 list": ["http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php"]}
Source: assuredexpresscourierservice.com Virustotal: Detection: 7%
Source: 820.exe ReversingLabs: Detection: 100%
Source: 820.exe Virustotal: Detection: 87%
Source: Yara match File source: 820.exe, type: SAMPLE
Source: Yara match File source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR
Source: 820.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040A67C lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree, 0_2_0040A67C
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040D328 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore, 0_2_0040D328
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040A4C1 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,757283B0, 0_2_0040A4C1
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040A8D7 CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree, 0_2_0040A8D7
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040CDA7 lstrlen,CryptUnprotectData,LocalFree, 0_2_0040CDA7
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040AA8E lstrlen,CryptUnprotectData,LocalFree, 0_2_0040AA8E
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_00404346 CryptUnprotectData,LocalFree, 0_2_00404346
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040BBA0 CryptUnprotectData,LocalFree,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA, 0_2_0040BBA0
Source: 820.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040514D FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose, 0_2_0040514D
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_00404110 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 0_2_00404110
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_00404DDD FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 0_2_00404DDD
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_00408A4F FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 0_2_00408A4F
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_004088CB FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 0_2_004088CB
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040979C FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 0_2_0040979C
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Malware configuration extractor URLs: http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php
Source: unknown DNS traffic detected: query: assuredexpresscourierservice.com replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: 820.exe, 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 820.exe String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInet_*ftp://Software\Adobe\CommonSiteServersSiteServer %d\HostSiteServer %d\WebUrlSiteServer %d\Remote DirectorySiteServer %d-UserSiteServer %d-User PW%s\KeychainSiteServer %d\SFTPDeluxeFTPsites.xmlWeb DataLogin DataSQLite format 3table() CONSTRAINTPRIMARYUNIQUECHECKFOREIGNloginsorigin_urlpassword_valueusername_valueftp://http://https://\Google\Chrome\Chromium\ChromePlusSoftware\ChromePlusInstall_Dir\Bromium\Nichrome\Comodo\RockMeltK-Meleon\K-Meleon\ProfilesEpic\Epic\EpicStaff-FTPsites.ini\Sites\Visicom Media.ftpSettings\Global DownloaderSM.archFreshFTP.SMFBlazeFtpsite.datLastPasswordLastAddressLastUserLastPortSoftware\FlashPeak\BlazeFtp\Settings\BlazeFtp.fplFTP++.Link\shell\open\commandGoFTPConnections.txt3D-FTPsites.ini\3D-FTP\SiteDesignerSOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32EasyFTP\NetSarang.xfp.rdpTERMSRV/*password 51:b:username:s:full address:s:.TERMSRV/FTP NowFTPNowsites.xmlSOFTWARE\Robo-FTP 3.7\ScriptsSOFTWARE\Robo-FTP 3.7\FTPServersFTP CountFTP File%dPasswordServerNameUserIDInitialDirectoryPortNumberServerType equals www.facebook.com (Facebook)
Source: 820.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: assuredexpresscourierservice.com
Source: 820.exe String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
Source: 820.exe String found in binary or memory: http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php
Source: 820.exe String found in binary or memory: http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.phphttp://assuredexpresscourierservice.c
Source: 820.exe String found in binary or memory: http://https://ftp://operawand.dat_Software
Source: 820.exe String found in binary or memory: http://www.ibsensoftware.com/
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 820.exe, 00000000.00000002.1635331357.000000000068E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: 820.exe, 00000000.00000002.1635331357.000000000068E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Source: Yara match File source: 820.exe, type: SAMPLE
Source: Yara match File source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR

System Summary

Source: 820.exe, type: SAMPLE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 820.exe, type: SAMPLE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 820.exe, type: SAMPLE Matched rule: Fareit Payload Author: kevoreilly
Source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Fareit Payload Author: kevoreilly
Source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Fareit Payload Author: kevoreilly
Source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_00412009 0_2_00412009
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_00402E67 0_2_00402E67
Source: C:\Users\user\Desktop\820.exe Code function: String function: 00401CF9 appears 139 times
Source: C:\Users\user\Desktop\820.exe Code function: String function: 0041062E appears 42 times
Source: C:\Users\user\Desktop\820.exe Code function: String function: 004042BB appears 51 times
Source: 820.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 820.exe, type: SAMPLE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 820.exe, type: SAMPLE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 820.exe, type: SAMPLE Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/1@1/0
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040D328 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore, 0_2_0040D328
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_004028F0 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification, 0_2_004028F0
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_00402C5B WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle, 0_2_00402C5B
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: C:\Users\user\Desktop\820.exe File created: C:\Users\user\AppData\Local\Temp\6575781.bat
Source: C:\Users\user\Desktop\820.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6575781.bat" "C:\Users\user\Desktop\820.exe" "
Source: 820.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\820.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\820.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 820.exe, 00000000.00000003.1621410526.00000000006E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 820.exe ReversingLabs: Detection: 100%
Source: 820.exe Virustotal: Detection: 87%
Source: unknown Process created: C:\Users\user\Desktop\820.exe "C:\Users\user\Desktop\820.exe"
Source: C:\Users\user\Desktop\820.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6575781.bat" "C:\Users\user\Desktop\820.exe" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\820.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6575781.bat" "C:\Users\user\Desktop\820.exe" "
Source: C:\Users\user\Desktop\820.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: samlib.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\820.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\820.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Users\user\Desktop\820.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Data Obfuscation

Source: Yara match File source: 820.exe, type: SAMPLE
Source: Yara match File source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1616594000.0000000000413000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040245E LoadLibraryA,GetProcAddress, 0_2_0040245E

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\820.exe File dump: 6575781.bat.0.dr 3880EEB1C736D853EB13B44898B718AB
Source: C:\Users\user\Desktop\820.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\820.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\820.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040514D FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose, 0_2_0040514D
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_00404110 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 0_2_00404110
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_00404DDD FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 0_2_00404DDD
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_00408A4F FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 0_2_00408A4F
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_004088CB FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose, 0_2_004088CB
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040979C FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose, 0_2_0040979C
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_00404567 GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_00404567
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: 820.exe, 00000000.00000002.1635331357.000000000068E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk^[
Source: 820.exe, 00000000.00000002.1635331357.00000000006D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040245E LoadLibraryA,GetProcAddress, 0_2_0040245E
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_00410194 lstrcmpiA,LogonUserA,lstrlen,LCMapStringA,LogonUserA,LogonUserA,74781B10,ImpersonateLoggedOnUser,RevertToSelf,74775030,CloseHandle, 0_2_00410194
Source: C:\Users\user\Desktop\820.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6575781.bat" "C:\Users\user\Desktop\820.exe" "
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_0040443C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0040443C
Source: C:\Users\user\Desktop\820.exe Code function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_00404567
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_00410365 OleInitialize,GetUserNameA, 0_2_00410365
Source: C:\Users\user\Desktop\820.exe Code function: 0_2_00404567 GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_00404567

Stealing of Sensitive Information

Source: Yara match File source: 820.exe, type: SAMPLE
Source: Yara match File source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR
Source: C:\Users\user\Desktop\820.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\wcx_ftp.ini
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\SharedSettings.ccs
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\Frigate3\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\FTP Explorer\
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\SiteDesigner\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\TurboFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\BlazeFtp\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\RhinoSoft.com\
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\TurboFTP
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\CuteFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\FTPInfo\
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\NetSarang\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\BitKinex\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xml
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\LeapWare\LeapFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\GPSoftware\Directory Opus\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\BitKinex\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\AceBIT
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\FTPInfo\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\FileZilla\filezilla.xml
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\BitKinex\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\820.exe File opened: C:\Program Files (x86)\CuteFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\SharedSettings.ccs
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\SmartFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\GHISLER\wcx_ftp.ini
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\BlazeFtp\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\FlashFXP\4\Sites.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\INSoftware\NovaFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\FTP Explorer\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\FTPGetter\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite
Source: C:\Users\user\Desktop\820.exe File opened: C:\Program Files (x86)\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\NetSarang\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\CuteFTP\
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\CuteFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\SmartFTP\
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\TurboFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\Frigate3\
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\MAS-Soft\FTPInfo\Setup
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\AceBIT\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\FileZilla\sitemanager.xml
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\TurboFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\RhinoSoft.com\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\FTP Explorer\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\AceBIT\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\FlashFXP\3\Quick.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\FTPRush\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\Estsoft\ALFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\ExpanDrive\drives.js
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\820.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\FlashFXP\3\Sites.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\BlazeFtp\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\FTPGetter\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\SharedSettings.sqlite
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\AceBIT\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\FTPRush\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini
Source: C:\Users\user\Desktop\820.exe File opened: C:\Windows\32BitFtp.ini
Source: C:\Users\user\Desktop\820.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\INSoftware\NovaFTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\FlashFXP\4\Quick.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\3D-FTP\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\Frigate3\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\NetSarang\
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\FTPRush\
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\FlashFXP\3\History.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat
Source: C:\Users\user\Desktop\820.exe File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\FlashFXP\4\History.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs
Source: C:\Users\user\Desktop\820.exe File opened: C:\Windows\wcx_ftp.ini
Source: C:\Users\user\Desktop\820.exe File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\
Source: C:\Users\user\Desktop\820.exe File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat
Source: C:\Users\user\Desktop\820.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\820.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\820.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\820.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\Desktop\820.exe Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword 0_2_0040EB0D
Source: C:\Users\user\Desktop\820.exe Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword 0_2_0040EB0D

Remote Access Functionality

Source: Yara match File source: 820.exe, type: SAMPLE
Source: Yara match File source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR
No contacted IP infos