Windows Analysis Report 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe

Overview

General Information

Sample Name: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
Analysis ID: 499220
MD5: 3087b67577a90aa611436c94ed23ae5a
SHA1: 6a84f2dd65787b2f9041421357c9939c63dd796d
SHA256: 2cec15c8fef9435abd5c332486d8ad7083eeb9eb84de9077b5bf6bb42458dba5
Tags: exe, Pony

Detection

Fareit, Pony
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Antivirus / Scanner detection for submitted sample
Yara detected Fareit stealer
Detected unpacking (changes PE section rights)
Yara detected Pony
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Creates a start menu entry (Start Menu\Programs\Startup)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Sigma detected: PowerShell Script Run in AppData

Process Tree

  • System is w10x64
  • 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe (PID: 7012 cmdline: 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' MD5: 3087B67577A90AA611436C94ED23AE5A)
    • 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe (PID: 7060 cmdline: 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' MD5: 3087B67577A90AA611436C94ED23AE5A)
      • cmd.exe (PID: 5040 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12537875.bat' 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wscript.exe (PID: 3184 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adnexal8.vbe' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • Adnexal8.exe (PID: 5600 cmdline: 'C:\Users\user\AppData\Roaming\Adnexal8.exe' MD5: CEA30515CD73B348562CA2ABE1E4D47C)
      • Adnexal8.exe (PID: 6892 cmdline: 'C:\Users\user\AppData\Roaming\Adnexal8.exe' MD5: CEA30515CD73B348562CA2ABE1E4D47C)
        • cmd.exe (PID: 4540 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Pony

{"C2 list": ["http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp | JoeSecurity_Fareit | Yara detected Fareit stealer | Joe Security
0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp | pony | Identify Pony | Brian Wallace @botnet_hunter
  Strings:
  • 0x12ddb: $s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x14f5b: $s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x12610: $s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
  • 0x12cce: $s3: POST %s HTTP/1.0
  • 0x12cf7: $s4: Accept-Encoding: identity, *;q=0
00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Fareit | Yara detected Fareit stealer | Joe Security
00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
(33 matches in total; only the first entries are reproduced here)

Unpacked PEs

Source | Rule | Description | Author
1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack | JoeSecurity_Fareit | Yara detected Fareit stealer | Joe Security
1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack | pony | Identify Pony | Brian Wallace @botnet_hunter
  Strings:
  • 0x14819: $s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x16999: $s1: {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  • 0x1404e: $s2: YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
  • 0x1470c: $s3: POST %s HTTP/1.0
  • 0x14735: $s4: Accept-Encoding: identity, *;q=0
12.2.Adnexal8.exe.400000.0.raw.unpack | JoeSecurity_Fareit | Yara detected Fareit stealer | Joe Security
(33 matches in total; only the first entries are reproduced here)
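The aPLib rule hits above refer to Jørgen Ibsen's aPLib compression library (its homepage, http://www.ibsensoftware.com/, also appears as a string in Adnexal8.exe memory further down), which is flagged alongside the unpacked Fareit/Pony image at 0x400000. The decompressor below is an added example written for this page; it is not code from the Joe Sandbox report or from the sample. It implements the public aPLib decompression algorithm (the token and bit layout of the reference depack.c) in pure Python, plus a parser for the 24-byte "AP32" header that the library's safe API prepends. The test vectors are hand-assembled for this example and are not the sample's packed payload; the offset of the real stream inside a memory dump has to be located by the analyst, since raw aPLib streams carry no header.

```python
"""Pure-Python aPLib decompressor (added example, not from the report or the sample).

Follows the aPLib decompression algorithm of Joergen Ibsen's library (the
token/bit layout of the reference depack.c) so a buffer flagged by an
'aPLib compressed binary' rule can be unpacked offline.  The vectors in
SAMPLE_STREAMS are hand-assembled for this example, not the sample's payload.
"""
import struct


class _BitReader:
    """Tag bits are read MSB-first, one tag byte at a time, interleaved with the
    literal/offset bytes that the tokens pull from the same stream."""

    def __init__(self, data: bytes, pos: int) -> None:
        self.data, self.pos, self.tag, self.bitcount = data, pos, 0, 0

    def bit(self) -> int:
        if self.bitcount == 0:            # refill from the next source byte
            self.tag, self.pos, self.bitcount = self.data[self.pos], self.pos + 1, 8
        self.bitcount -= 1
        return (self.tag >> self.bitcount) & 1

    def byte(self) -> int:
        self.pos += 1
        return self.data[self.pos - 1]

    def gamma(self) -> int:
        # Elias-gamma variant: implicit leading 1, then (data bit, continue bit) pairs
        result = 1
        while True:
            result = (result << 1) | self.bit()
            if not self.bit():
                return result


def aplib_depack(src: bytes) -> bytes:
    """Decompress a raw aPLib stream (no 'AP32' header)."""
    out = bytearray([src[0]])          # the first byte is always a literal
    br = _BitReader(src, 1)
    r0, lwm = -1, 0                    # last match offset; 1 while previous token was a match

    def copy(offs: int, length: int) -> None:
        for _ in range(length):        # byte-wise so overlapping copies (offs < length) work
            out.append(out[-offs])

    while True:
        if not br.bit():                           # 0   : literal byte
            out.append(br.byte())
            lwm = 0
        elif not br.bit():                         # 10  : gamma offset (high part) + byte, gamma length
            offs = br.gamma()
            if lwm == 0 and offs == 2:             # special value: reuse the previous offset
                copy(r0, br.gamma())
            else:
                offs = ((offs - (3 if lwm == 0 else 2)) << 8) | br.byte()
                length = br.gamma()
                length += (offs >= 32000) + (offs >= 1280) + (2 if offs < 128 else 0)
                copy(offs, length)
                r0 = offs
            lwm = 1
        elif not br.bit():                         # 110 : 7-bit offset, length 2 or 3; offset 0 ends the stream
            b = br.byte()
            length, offs = 2 + (b & 1), b >> 1
            if offs == 0:
                return bytes(out)
            copy(offs, length)
            r0, lwm = offs, 1
        else:                                      # 111 : 4-bit offset, one byte; offset 0 emits 0x00
            offs = 0
            for _ in range(4):
                offs = (offs << 1) | br.bit()
            out.append(out[-offs] if offs else 0)
            lwm = 0


AP32_HEADER = "<4sIIIII"   # magic, header size, packed size, packed CRC, original size, original CRC


def build_ap32(packed: bytes, orig_size: int) -> bytes:
    """Wrap a raw stream in the 24-byte 'AP32' header of aPLib's safe API (CRC fields left 0)."""
    return struct.pack(AP32_HEADER, b"AP32", 24, len(packed), 0, orig_size, 0) + packed


def aplib_depack_safe(buf: bytes) -> bytes:
    """Decompress an 'AP32'-prefixed stream; the CRC fields are not verified here."""
    magic, hdr_len, packed_len, _, orig_len, _ = struct.unpack_from(AP32_HEADER, buf, 0)
    if magic != b"AP32" or hdr_len != 24:
        raise ValueError("not an AP32 stream")
    out = aplib_depack(buf[hdr_len:hdr_len + packed_len])
    if len(out) != orig_len:
        raise ValueError(f"header promises {orig_len} bytes, got {len(out)}")
    return out


# Hand-assembled vectors (constructed for this example): plaintext -> packed stream.
SAMPLE_STREAMS = {
    b"ABABABABAB":  bytes([0x41, 0x56, 0x42, 0x02, 0x60, 0x00]),              # literal, '10' match, end
    b"XYX\x00":     bytes([0x58, 0x72, 0x59, 0xE1, 0x80, 0x00]),              # '111' short match and zero byte
    b"ABABABCBCBC": bytes([0x41, 0x50, 0x42, 0x02, 0x43, 0x84, 0xC0, 0x00]),  # '10' reusing the last offset
}

if __name__ == "__main__":
    for plain, packed in SAMPLE_STREAMS.items():
        assert aplib_depack(packed) == plain
        assert aplib_depack_safe(build_ap32(packed, len(plain))) == plain
    print("all constructed streams decode")
```

On a real dump, feed `aplib_depack` the bytes starting at the first literal of the packed image and stop trusting the output once it no longer looks like a PE (MZ/PE headers, section table); a wrong start offset typically produces garbage or an IndexError rather than a clean failure, which is why the CRC-checked "AP32" form is preferable whenever the packer left it in place.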

Sigma Overview

System Summary:

Sigma detected: PowerShell Script Run in AppData
Source: Process started
Author: Florian Roth, Jonhnathan Ribeiro, oscd.community
Data:
  Command: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' '
  CommandLine: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' '
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\cmd.exe
  NewProcessName: C:\Windows\SysWOW64\cmd.exe
  OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: 'C:\Users\user\AppData\Roaming\Adnexal8.exe'
  ParentImage: C:\Users\user\AppData\Roaming\Adnexal8.exe
  ParentProcessId: 6892
  ProcessCommandLine: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' '
  ProcessId: 4540

Two points for triage. The matched event is cmd.exe executing a batch file from %LOCALAPPDATA%\Temp with the parent's own path as the argument (the Pony Loader self-deletion script from the signature list); nothing in the process tree invokes PowerShell, so the rule title should not be read as evidence of PowerShell use. The Image is C:\Windows\SysWOW64\cmd.exe although the command line names system32\cmd.exe: the parent is a 32-bit process (the report notes the sample uses 32-bit PE files), so its system32 path is redirected to SysWOW64 by WoW64 file-system redirection, and detections keyed on the literal system32 image path will miss it.
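A narrower host-side check for the chain shown in the process tree, as an added example that is not part of the Joe Sandbox report: it scores Sysmon-style process-creation events (Image, CommandLine, ParentImage fields) for the self-deletion launcher (cmd.exe /c running a numeric .bat from %LOCALAPPDATA%\Temp with the parent executable's path as its argument), for a script host started with a .vbe/.vbs from the Startup folder, and for a script host spawning an executable from %APPDATA%. The events are reconstructed from the tree above; the explorer.exe parent of the two top-level processes is an assumption, since the report does not show it. The report renders command-line quotes as single quotes, so the matcher accepts either quote character.

```python
"""Process-creation hunting rules for the Pony Loader chain in this report.

Added example, not part of the Joe Sandbox report.  Field names follow Sysmon
Event ID 1.  The EVENTS list is constructed from the report's process tree;
the explorer.exe parent (PID 1234) is assumed, the report does not show it.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 / Security 4688 record."""
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


Q = "[\"']"  # one quote character, either style (the report shows ' where Windows logs show ")
# cmd.exe /c "<...>\AppData\Local\Temp\<digits>.bat" "<exe>"
SELF_DELETE_RE = re.compile(
    r"cmd(?:\.exe)?" + Q + r"?\s+/c\s+" + Q + r"{1,2}"
    + r"(?P<bat>[^\"']+\\AppData\\Local\\Temp\\\d+\.bat)" + Q + r"\s+"
    + Q + r"(?P<target>[^\"']+\.exe)" + Q,
    re.IGNORECASE,
)
STARTUP_SCRIPT_RE = re.compile(
    r"(?P<script>[^\"']+\\Start Menu\\Programs\\Startup\\[^\"']+\.vb[es])\b",
    re.IGNORECASE,
)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def self_delete_launcher(ev: ProcEvent) -> bool:
    """cmd.exe runs a numeric .bat from Temp and hands it the path of its own parent."""
    m = SELF_DELETE_RE.search(ev.command_line)
    return bool(m) and m.group("target").lower() == ev.parent_image.lower()


def startup_script_launch(ev: ProcEvent) -> bool:
    """A script host started with a .vbe/.vbs that lives in the user's Startup folder."""
    return _basename(ev.image) in SCRIPT_HOSTS and STARTUP_SCRIPT_RE.search(ev.command_line) is not None


def script_spawned_appdata_exe(ev: ProcEvent) -> bool:
    """A script host spawned an .exe stored under AppData\\Roaming."""
    img = ev.image.lower()
    return _basename(ev.parent_image) in SCRIPT_HOSTS and "\\appdata\\roaming\\" in img and img.endswith(".exe")


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "pony_self_delete_launcher": self_delete_launcher,   # high confidence on its own
    "startup_script_launch": startup_script_launch,       # persistence; benign hits are possible
    "script_spawned_appdata_exe": script_spawned_appdata_exe,
}


def hunt(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every event that matches a rule."""
    return [(ev.pid, name) for ev in events for name, rule in RULES.items() if rule(ev)]


# Events reconstructed from the process tree (constructed data; explorer.exe parent assumed).
SAMPLE = r"C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\Adnexal8.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"
EVENTS = [
    ProcEvent(7012, SAMPLE, f"'{SAMPLE}'", 1234, EXPLORER),
    ProcEvent(7060, SAMPLE, f"'{SAMPLE}'", 7012, SAMPLE),
    ProcEvent(5040, CMD, rf"C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12537875.bat' '{SAMPLE}' '", 7060, SAMPLE),
    ProcEvent(1316, CONHOST, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", 5040, CMD),
    ProcEvent(3184, WSCRIPT, rf"'{WSCRIPT}' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adnexal8.vbe'", 1234, EXPLORER),
    ProcEvent(5600, DROPPED, f"'{DROPPED}'", 3184, WSCRIPT),
    ProcEvent(6892, DROPPED, f"'{DROPPED}'", 5600, DROPPED),
    ProcEvent(4540, CMD, rf"C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' '{DROPPED}' '", 6892, DROPPED),
    ProcEvent(4600, CONHOST, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", 4540, CMD),
]

if __name__ == "__main__":
    for pid, rule in hunt(EVENTS):
        print(f"PID {pid}: {rule}")
```

The self-deletion rule deliberately requires the .bat argument to equal the parent's image path rather than just matching "cmd.exe /c" plus "\AppData\": that equality is what distinguishes a loader cleaning up after itself from an installer or updater running a helper batch file, and it holds for both instances in the tree (PIDs 5040 and 4540).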

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.raw.unpack, Malware Configuration Extractor: Pony {"C2 list": ["http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php"]}
Multi AV Scanner detection for submitted file
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Virustotal: Detection: 73%
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Metadefender: Detection: 71%
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, ReversingLabs: Detection: 89%
Antivirus / Scanner detection for submitted sample
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Avira: detected
Yara detected Pony
Source: Yara match, File source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTR
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Avira: detection malicious, Label: HEUR/AGEN.1112794
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Metadefender: Detection: 72%
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, ReversingLabs: Detection: 89%
Machine Learning detection for sample
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Joe Sandbox ML: detected
Source: 10.2.Adnexal8.exe.4d141c2.1.unpack, Avira: Label: TR/Kryptik.avp.8
Source: 12.2.Adnexal8.exe.400000.0.unpack, Avira: Label: TR/Kryptik.avp.8
Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.unpack, Avira: Label: TR/Kryptik.avp.8
Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, Avira: Label: TR/Kryptik.avp.8
Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, Avira: Label: TR/Kryptik.avp.8
Source: 12.1.Adnexal8.exe.400000.0.unpack, Avira: Label: TR/Kryptik.avp.8
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_0040D423 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_0040A364 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_0040A1A9 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_004041BC CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_0040A5BD CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_0040BA2E CryptUnprotectData,LocalFree,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_0040CEA2 lstrlenA,CryptUnprotectData,LocalFree
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_0040A774 lstrlenA,CryptUnprotectData,LocalFree
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_2_0040D423 CertOpenSystemStoreA,CertEnumCertificatesInStore,lstrcmpA,lstrcmpA,CryptAcquireCertificatePrivateKey,CryptGetUserKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CertCloseStore
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_2_0040A364 lstrlenW,wsprintfA,wsprintfA,lstrlenW,CryptUnprotectData,LocalFree
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_2_0040A1A9 WideCharToMultiByte,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,CryptUnprotectData,LocalFree,CoTaskMemFree
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_2_004041BC CryptUnprotectData,LocalFree
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_2_0040A5BD CredEnumerateA,lstrlenW,CryptUnprotectData,LocalFree,CredFree
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_2_0040BA2E CryptUnprotectData,LocalFree,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA,lstrlenA,StrCmpNIA
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_2_0040CEA2 lstrlenA,CryptUnprotectData,LocalFree
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_2_0040A774 lstrlenA,CryptUnprotectData,LocalFree

Reading the call chains: the Cert*/CryptAcquireCertificatePrivateKey/CryptExportKey sequence at 0040D423 walks the user's certificate store and exports private keys; CredEnumerateA followed by CryptUnprotectData at 0040A5BD reads Windows Credential Manager entries; the remaining CryptUnprotectData call sites are DPAPI decryption of stored secrets such as the Internet Explorer IntelliForms\Storage2 entries and the Chrome Login Data passwords that appear in the string dump below. The same function addresses show up under process index 1 (the original sample) and process index 12 (Adnexal8.exe), consistent with the dropped copy unpacking the same Pony payload at 0x400000.

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Unpacked PE file: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Unpacked PE file: 12.2.Adnexal8.exe.400000.0.unpack
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_1_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_1_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_1_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_1_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_1_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_1_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_2_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_2_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_2_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_2_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_2_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_2_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_1_00404C68 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_1_0040890D FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_1_00404FD8 FindFirstFileA,lstrcmpiA,lstrcmpiA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_1_00403F86 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_1_00409484 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,StrStrIA,lstrlenA,StrStrIA,StrStrIA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe, Code function: 12_1_00408789 FindFirstFileA,lstrcmpiA,lstrcmpiA,StrStrIA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\

The FindFirstFileA/FindNextFileA loops, each paired with lstrcmpiA/StrStrIA name filters, are directory walks; together with the Chrome profile directory opens they are the file-based side of the credential harvesting listed in the signature overview (FTP client site files, browser profiles). The same addresses recur for process indices 1 and 12 because both are the unpacked Pony image at 0x400000.

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, Adnexal8.exe, 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, String found in binary or memory: ?%02XSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2http://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7Microsoft_WinInet_*ftp://Software\Adobe\CommonSiteServersSiteServer %d\HostSiteServer %d\WebUrlSiteServer %d\Remote DirectorySiteServer %d-UserSiteServer %d-User PW%s\KeychainSiteServer %d\SFTPDeluxeFTPsites.xmlSQLite format 3table() CONSTRAINTPRIMARYUNIQUECHECKFOREIGNWeb DataLogin Dataloginsorigin_urlpassword_valueusername_valueftp://http://https://moz_loginshostnameencryptedPasswordencryptedUsername\Google\Chrome\Chromium\ChromePlusSoftware\ChromePlusInstall_Dir\Bromium\Nichrome\Comodo\RockMeltK-Meleon\K-Meleon\ProfilesEpic\Epic\EpicStaff-FTPsites.ini\Sites\Visicom Media.ftpSettings\Global DownloaderSM.archFreshFTP.SMFBlazeFtpsite.datLastPasswordLastAddressLastUserLastPortSoftware\FlashPeak\BlazeFtp\Settings\BlazeFtp.fplFTP++.Link\shell\open\commandGoFTPConnections.txt3D-FTPsites.ini\3D-FTP\SiteDesignerSOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32EasyFTP\NetSarang.xfp.rdpTERMSRV/*password 51:b:username:s:full address:s:.TERMSRV/FTP NowFTPNowsites.xmlSOFTWARE\Robo-FTP 3.7\ScriptsSOFTWARE\Robo-FTP 3.7\FTPServersFTP CountFTP File%dPasswordServerNameUserIDInitialDirectoryPortNumberServerType equals www.facebook.com (Facebook)
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Adnexal8.exe, String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, String found in binary or memory: http://https://ftp://operawand.dat_Software
Source: Adnexal8.exe, String found in binary or memory: http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.php
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, Adnexal8.exe, 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, String found in binary or memory: http://n3systems.com.br/layouts/libraries/.trash/cphorde/rem.phpYUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI
Source: Adnexal8.exe, Adnexal8.exe, 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: http://www.ibsensoftware.com/

Notes on the string dump: the long string lists the products the stealer targets (Internet Explorer IntelliForms, Chrome/Chromium-family "Web Data" and "Login Data" SQLite files, Firefox/SeaMonkey moz_logins, Opera wand.dat, .rdp files and the TERMSRV/ credential prefix, and a long list of FTP clients and their site files). The GUID abe2869f-9b47-4cd9-a358-c22904dba7f7 next to Microsoft_WinInet_* is the fixed entropy value Internet Explorer uses when protecting HTTP authentication credentials stored in the Credential Manager, which is what the CredEnumerateA/CryptUnprotectData chain above reads. http://www.ibsensoftware.com/ is the homepage of the aPLib compression library (matching the aPLib Yara hits) and not malware infrastructure. The only C2 indicator is the rem.php URL; the search-engine, consent.google.com and msn.com URLs below come from heap regions and match default browser-profile content (search providers, new-tab and consent pages) that the stealer reads, so they should not be blocked or reported as indicators.

Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp, String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp, String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp, String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651859842.00000000006DF000.00000004.00000001.sdmp, String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp, String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp, String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp, String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651859842.00000000006DF000.00000004.00000001.sdmp, String found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651859842.00000000006DF000.00000004.00000001.sdmp, String found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652515440.00000000006B4000.00000004.00000001.sdmp, String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591=
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652515440.00000000006B4000.00000004.00000001.sdmp, String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591B
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652515440.00000000006B4000.00000004.00000001.sdmp, String found in binary or memory: https://consent.google.com/setpc=s&uxe=4421591W
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp, String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp, String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=168R
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp, String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp, String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp, String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp, String found in binary or memory: https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp, String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp, String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp, 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651859842.00000000006DF000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com/?gws_rd=ssl
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com/favicon.ico
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com/gws_rd=ssl
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.651943509.0000000000708000.00000004.00000001.sdmp, Adnexal8.exe, 0000000C.00000003.692004376.00000000006E3000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com/intl/en_uk/chrome/W9
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000001.00000003.652533561.00000000006CB000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com/searchLMEM
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, Code function: 1_2_00403879 recv
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000002.649420968.000000000072A000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Pony
Source: Yara match | File source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTR

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Malicious sample detected (through community Yara rule)
Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 12.2.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 10.2.Adnexal8.exe.4d141c2.1.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 12.1.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 12.1.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 10.2.Adnexal8.exe.4d141c2.1.raw.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 12.2.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTR | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTR | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTR | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTR | Matched rule: Identify Pony, Author: Brian Wallace @botnet_hunter
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 12.2.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.4c441c2.1.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 10.2.Adnexal8.exe.4d141c2.1.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 12.1.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 1.2.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 12.1.Adnexal8.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 1.1.2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 10.2.Adnexal8.exe.4d141c2.1.raw.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 12.2.Adnexal8.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0000000A.00000002.690187796.0000000004D14000.00000040.00000001.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000001.00000001.649108673.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.649932554.0000000004C44000.00000040.00000001.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000002.696443700.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 0000000C.00000001.689692906.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: 00000001.00000002.657098932.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7012, type: MEMORYSTR | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe PID: 7060, type: MEMORYSTR | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: Adnexal8.exe PID: 5600, type: MEMORYSTR | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: Process Memory Space: Adnexal8.exe PID: 6892, type: MEMORYSTR | Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 0_2_04B40D59
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_0041280A
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_2_00402E46
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_1_0041280A
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 1_1_00402E46
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 10_2_04B20D59
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_0041280A
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_2_00402E46
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_1_0041280A
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 12_1_00402E46
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 00401D69 appears 60 times
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 0040417C appears 118 times
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 00410D46 appears 36 times
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 00410C9E appears 38 times
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 00410E30 appears 84 times
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 00401D15 appears 48 times
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 00404131 appears 106 times
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 00401C8E appears 278 times
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: String function: 004052CA appears 32 times
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 00401D69 appears 60 times
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 0040417C appears 118 times
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 00410D46 appears 36 times
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 00410C9E appears 38 times
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 00410E30 appears 84 times
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 00401D15 appears 48 times
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 00404131 appears 106 times
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 00401C8E appears 278 times
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: String function: 004052CA appears 32 times
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 0_2_04B41491 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Code function: 0_2_04B40A06 NtSetContextThread
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 10_2_04B21491 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Code function: 10_2_04B20A06 NtSetContextThread
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe, 00000000.00000000.645443664.000000000042B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTohndiges5.exe vs 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Binary or memory string: OriginalFilenameTohndiges5.exe vs 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Adnexal8.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Adnexal8.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Virustotal: Detection: 73%
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Metadefender: Detection: 71%
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | File read: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe
Source: 2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe'
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Process created: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe'
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12537875.bat' 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adnexal8.vbe'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\Adnexal8.exe 'C:\Users\user\AppData\Roaming\Adnexal8.exe'
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Process created: C:\Users\user\AppData\Roaming\Adnexal8.exe 'C:\Users\user\AppData\Roaming\Adnexal8.exe'
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Process created: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe'
Source: C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12537875.bat' 'C:\Users\user\Desktop\2CEC15C8FEF9435ABD5C332486D8AD7083EEB9EB84DE9.exe' '
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\Adnexal8.exe 'C:\Users\user\AppData\Roaming\Adnexal8.exe'
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Process created: C:\Users\user\AppData\Roaming\Adnexal8.exe 'C:\Users\user\AppData\Roaming\Adnexal8.exe'
Source: C:\Users\user\AppData\Roaming\Adnexal8.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\12556453.bat' 'C:\Users\user\AppData\Roaming\Adnexal8.exe' '