Neonprimetime

2018-06-04 #pony sample #malware

Jun 4th, 2018
found by @neonprimetime security
#pony #opendir #malware
Subject FW: Bank Copy
Bank Copy Confirmation.ppt
fusionpoint[.]pk/wptheme/nel/hawk.exe
fusionpoint[.]pk/wptheme/nel/gate.php
https://www.hybrid-analysis.com/sample/1ed23307f87ab31507a473474343880f50f982409f659a6c5b9919713028d0b5?environmentId=100
https://app.any.run/tasks/e5bad6d9-4bf9-4041-8fc1-43ebe26762d3

Bank Copy Confirmation.ppt
17b52e5811b23b6e4ddab049e01b6e7a
Hxxp://fusionpoint[.]pk
Hawk.exe
9F19E28B9127692C96B12A9CF46A8A7F
PAYMENT CONFIRMATION.exe
BE1A3FF797187F1C5DF0508D4197E3C2
1351125.exe
9F19E28B9127692C96B12A9CF46A8A7F
1363343.bat

interesting in-memory strings

0x64fe58 (42): http://fusionpoint.pk/wptheme/nel/gate.php
0x64ff58 (42): http://fusionpoint.pk/wptheme/nel/hawk.exe
0x65067a (243): POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: %lu
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)


0x65076e (15): Content-Length:
0x650788 (155): GET %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)


0x650837 (50): {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
0x65086a (19): GetNativeSystemInfo
0x65087e (12): kernel32.dll
0x65088b (14): IsWow64Process
0x65089a (30): Software\Far\Plugins\FTP\Hosts
0x6508b9 (31): Software\Far2\Plugins\FTP\Hosts
0x6508d9 (38): Software\Far Manager\Plugins\FTP\Hosts
0x650900 (39): Software\Far\SavedDialogHistory\FTPHost
0x650928 (40): Software\Far2\SavedDialogHistory\FTPHost
0x650951 (47): Software\Far Manager\SavedDialogHistory\FTPHost
0x65099d (11): wcx_ftp.ini
0x6509b2 (10): InstallDir
0x6509bd (10): FtpIniName
0x6509c8 (34): Software\Ghisler\Windows Commander
0x6509eb (32): Software\Ghisler\Total Commander
0x650a1d (16): \Ipswitch\WS_FTP
0x650a60 (45): Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
0x650a8e (53): Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
0x650ac4 (45): Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
0x650af2 (53): Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
0x650b28 (45): Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
0x650b56 (53): Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
0x650b8c (20): \GlobalSCAPE\CuteFTP
0x650ba1 (24): \GlobalSCAPE\CuteFTP Pro
0x650bba (25): \GlobalSCAPE\CuteFTP Lite
0x650be5 (19): Software\FlashFXP\3
0x650bf9 (17): Software\FlashFXP
0x650c0b (19): Software\FlashFXP\4
0x650c1f (17): InstallerDathPath
0x650c36 (12): Install Path
0x650c43 (10): DataFolder
0x650c4e (10): \Sites.dat
0x650c59 (10): \Quick.dat
0x650c64 (12): \History.dat
0x650c71 (11): \FlashFXP\3
0x650c7d (11): \FlashFXP\4
0x650c89 (10): \FileZilla
0x650c94 (16): \sitemanager.xml
0x650ca5 (18): \recentservers.xml
0x650cb8 (14): \filezilla.xml
0x650cc7 (18): Software\FileZilla
0x650cda (25): Software\FileZilla Client
0x650cf4 (11): Install_Dir
0x650d14 (10): Remote Dir
0x650d1f (11): Server Type
0x650d2b (11): Server.Host
0x650d37 (11): Server.User
0x650d43 (11): Server.Pass
0x650d4f (11): Server.Port
0x650d60 (10): ServerType
0x650d6b (16): Last Server Host
0x650d7c (16): Last Server User
0x650d8d (16): Last Server Pass
0x650d9e (16): Last Server Port
0x650daf (16): Last Server Path
0x650dc0 (16): Last Server Type
0x650dd1 (13): FTP Navigator
0x650ddf (13): FTP Commander
0x650ded (11): ftplist.txt
0x650df9 (21): \BulletProof Software
0x650e19 (36): Software\BPFTP\Bullet Proof FTP\Main
0x650e3e (57): Software\BulletProof Software\BulletProof FTP Client\Main
0x650e78 (39): Software\BPFTP\Bullet Proof FTP\Options
0x650ea0 (60): Software\BulletProof Software\BulletProof FTP Client\Options
0x650edd (14): Software\BPFTP
0x650eec (15): LastSessionFile
0x650f05 (11): InstallDir1
0x650f20 (13): Favorites.dat
0x650f2e (11): History.dat
0x650f3a (10): addrbk.dat
0x650f59 (17): Software\TurboFTP
0x650f6b (11): installpath
0x650f77 (19): Software\Sota\FFFTP
0x650f8b (14): CredentialSalt
0x650f9a (15): CredentialCheck
0x650faa (27): Software\Sota\FFFTP\Options
0x651010 (11): HostDirName
0x65101c (45): Software\CoffeeCup Software\Internet\Profiles
0x65104a (30): Software\FTPWare\COREFTP\Sites
0x651084 (12): profiles.xml
0x651091 (13): \FTP Explorer
0x65109f (59): Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
0x6510e3 (30): Software\FTP Explorer\Profiles
0x65110b (12): PasswordType
0x651128 (11): InitialPath
0x651134 (11): FtpSite.xml
0x65114f (24): _VanDyke\Config\Sessions
0x651172 (25): Software\VanDyke\SecureFX
0x65118c (11): Config Path
0x6511a1 (10): \sites.xml
0x6511b5 (12): RushSite.xml
0x6511e3 (31): Software\Cryer\WebSitePublisher
0x65120d (11): bitkinex.ds
0x651239 (28): Software\ExpanDrive\Sessions
0x651256 (11): \ExpanDrive
0x651262 (10): \drives.js
0x65126d (14): "password" : "
0x65127f (19): Software\ExpanDrive
0x651293 (15): ExpanDrive_Home
0x6512d0 (44): Software\NCH Software\ClassicFTP\FTPAccounts
0x651307 (11): FtpUserName
0x651313 (11): FtpPassword
0x65131f (12): _FtpPassword
0x65132c (12): FtpDirectory
0x651339 (36): SOFTWARE\NCH Software\Fling\Accounts
0x65135e (24): Software\FTPClient\Sites
0x651377 (34): Software\SoftX.org\FTPClient\Sites
0x6513a4 (11): ftplast.osd
0x6513b0 (26): \GPSoftware\Directory Opus
0x6513cb (19): \SharedSettings.ccs
0x6513df (25): \SharedSettings_1_0_5.ccs
0x6513f9 (22): \SharedSettings.sqlite
0x651410 (28): \SharedSettings_1_0_5.sqlite
0x65142d (19): \CoffeeCup Software
0x651449 (10): unleap.exe
0x651468 (17): \LeapWare\LeapFTP
0x65147a (17): SOFTWARE\LeapWare
0x65148c (11): InstallPath
0x6514bb (15): RemoteDirectory
0x6514cb (10): PortNumber
0x6514d6 (10): FSProtocol
0x6514e1 (23): Software\Martin Prikryl
0x6514f9 (13): \32BitFtp.ini
0x651507 (11): NDSites.ini
0x651533 (13): RootDirectory
0x651546 (54): Software\South River Technologies\WebDrive\Connections
0x65157d (10): ServerType
0x651588 (11): FTP CONTROL
0x6515dc (24): _Software\Opera Software
0x6515f5 (15): Last Directory3
0x651605 (17): Last Install Path
0x651617 (29): Opera.HTML\shell\open\command
0x651635 (15): wiseftpsrvs.bin
0x65164d (15): Software\AceBIT
0x651661 (63): SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
0x6516a1 (63): SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
0x6516e1 (15): wiseftpsrvs.ini
0x6516f1 (11): wiseftp.ini
0x6516fd (14): FTPVoyager.ftp
0x65170c (13): FTPVoyager.qc
0x65171a (14): \RhinoSoft.com
0x65173b (12): NSS_Shutdown
0x651748 (22): NSSBase64_DecodeBuffer
0x65175f (16): SECITEM_FreeItem
0x651770 (23): PK11_GetInternalKeySlot
0x651788 (17): PK11_Authenticate
0x65179a (15): PK11SDR_Decrypt
0x6517aa (13): PK11_FreeSlot
0x6517d9 (11): sqlite3.dll
0x6517e5 (12): sqlite3_open
0x6517f2 (13): sqlite3_close
0x651800 (15): sqlite3_prepare
0x651810 (12): sqlite3_step
0x65181d (20): sqlite3_column_bytes
0x651832 (19): sqlite3_column_blob
0x651847 (14): mozsqlite3.dll
0x651856 (12): sqlite3_open
0x651863 (13): sqlite3_close
0x651871 (15): sqlite3_prepare
0x651881 (12): sqlite3_step
0x65188e (20): sqlite3_column_bytes
0x6518a3 (19): sqlite3_column_blob
0x6518d8 (12): profiles.ini
0x6518ed (10): IsRelative
0x651910 (14): signons.sqlite
0x65191f (11): signons.txt
0x65192b (12): signons2.txt
0x651938 (12): signons3.txt
0x651951 (69): SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
0x65199f (17): \Mozilla\Firefox\
0x6519b1 (16): Software\Mozilla
0x6519e3 (16): fireFTPsites.dat
0x6519fe (19): \Mozilla\SeaMonkey\
0x651a18 (15): \Flock\Browser\
0x651a30 (18): \Mozilla\Profiles\
0x651a43 (17): Software\LeechFTP
0x651a65 (12): bookmark.dat
0x651a72 (12): SiteInfo.QFP
0x651a84 (13): Favorites.dat
0x651aa2 (59): CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
0x651ade (11): servers.xml
0x651aea (10): \FTPGetter
0x651af5 (10): ESTdb2.dat
0x651b0a (14): \Estsoft\ALFTP
0x651b19 (17): Internet Explorer
0x651b2b (23): WininetCacheCredentials
0x651b43 (19): MS IE FTP Passwords
0x651b98 (58): Software\Microsoft\Internet Explorer\IntelliForms\Storage2
0x651bd3 (48): http://www.facebook.com/
0x651c09 (72): abe2869f-9b47-4cd9-a358-c22904dba7f7
0x651c53 (19): Microsoft_WinInet_*
0x651c6e (21): Software\Adobe\Common
0x651c84 (11): SiteServers
0x651c90 (18): SiteServer %d\Host
0x651ca3 (20): SiteServer %d\WebUrl
0x651cb8 (30): SiteServer %d\Remote Directory
0x651cd7 (18): SiteServer %d-User
0x651cea (21): SiteServer %d-User PW
0x651d00 (11): %s\Keychain
0x651d0c (18): SiteServer %d\SFTP
0x651d3c (10): Login Data
0x651d47 (15): SQLite format 3
0x651d63 (10): CONSTRAINT
0x651d93 (10): origin_url
0x651d9e (14): password_value
0x651dad (14): username_value
0x651dd4 (14): \Google\Chrome
0x651ded (11): \ChromePlus
0x651df9 (19): Software\ChromePlus
0x651e0d (11): Install_Dir
0x651e60 (10): \Epic\Epic
0x651e86 (14): \Visicom Media
0x651eac (18): \Global Downloader
0x651ee7 (12): LastPassword
0x651ef4 (11): LastAddress
0x651f12 (36): Software\FlashPeak\BlazeFtp\Settings
0x651f46 (29): FTP++.Link\shell\open\command
0x651f6a (15): Connections.txt
0x651f93 (13): \SiteDesigner
0x651fa1 (75): SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
0x651ff5 (10): \NetSarang
0x652014 (14): password 51:b:
0x652023 (11): username:s:
0x65202f (15): full address:s:
0x652063 (29): SOFTWARE\Robo-FTP 3.7\Scripts
0x652081 (32): SOFTWARE\Robo-FTP 3.7\FTPServers
0x6520ac (10): FTP File%d
0x6520c0 (10): ServerName
0x6520d2 (16): InitialDirectory
0x6520e3 (10): PortNumber
0x6520ee (10): ServerType
0x65212b (30): Software\LinasFTP\Site Manager
0x65215e (10): Remote Dir
0x652169 (10): \Cyberduck
0x65217a (11): user.config
0x652186 (15): <setting name="
0x6521a0 (35): Software\SimonTatham\PuTTY\Sessions
0x6521df (10): PortNumber
0x6521ea (12): TerminalType
0x6521f7 (10): NppFTP.xml
0x652202 (10): \Notepad++
0x65220d (27): Software\CoffeeCup Software
0x652229 (22): FTP destination server
0x652240 (20): FTP destination user
0x652255 (24): FTP destination password
0x65226e (20): FTP destination port
0x652283 (23): FTP destination catalog
0x65229b (12): FTP profiles
0x6522b1 (12): ftpshell.fsi
0x6522be (31): Software\MAS-Soft\FTPInfo\Setup
0x6522ef (14): ServerList.xml
0x652308 (11): ftpsite.ini
0x652314 (17): FastStone Browser
0x652326 (10): FTPList.db
0x652331 (23): \MapleStudio\ChromePlus
0x652349 (38): Software\Nico Mak Computing\WinZip\FTP
0x652370 (43): Software\Nico Mak Computing\WinZip\mru\jobs
0x6523db (11): project.ini
0x6523ec (38): {74FF1730-B1F2-4D88-926B-1568FAE61DB7}
0x652413 (10): NovaFTP.db
0x65241e (19): \INSoftware\NovaFTP
0x652432 (10): .oeaccount
0x65244f (15): <POP3_Password2
0x65245f (15): <SMTP_Password2
0x65246f (15): <IMAP_Password2
0x65247f (19): <HTTPMail_Password2
0x652494 (28): \Microsoft\Windows Live Mail
0x6524b1 (36): Software\Microsoft\Windows Live Mail
0x6524d6 (23): \Microsoft\Windows Mail
0x6524ee (31): Software\Microsoft\Windows Mail
0x65250e (28): Software\RimArts\B2\Settings
0x652533 (10): DataDirBak
0x65253e (11): Mailbox.ini
0x65254a (25): Software\Poco Systems Inc
0x652569 (15): \PocoSystem.ini
0x65258a (12): accounts.ini
0x6525a1 (20): Software\IncrediMail
0x6525b6 (12): EmailAddress
0x6525c3 (10): Technology
0x6525e0 (10): PopAccount
0x6525eb (11): PopPassword
0x6525f7 (10): SmtpServer
0x65260b (11): SmtpAccount
0x652617 (12): SmtpPassword
0x652624 (11): account.cfg
0x652630 (11): account.cfn
0x65264f (21): Software\RIT\The Bat!
0x652665 (33): Software\RIT\The Bat!\Users depot
0x652687 (17): Working Directory
0x652699 (10): ProgramDir
0x6526ba (18): SMTP Email Address
0x6526cd (11): SMTP Server
0x6526d9 (11): POP3 Server
0x6526e5 (14): POP3 User Name
0x6526f4 (14): SMTP User Name
0x652703 (18): NNTP Email Address
0x652716 (14): NNTP User Name
0x652725 (11): NNTP Server
0x652731 (11): IMAP Server
0x65273d (14): IMAP User Name
0x65275c (15): HTTP Server URL
0x652780 (18): HTTPMail User Name
0x652793 (15): HTTPMail Server
0x6527cd (14): POP3 Password2
0x6527dc (14): IMAP Password2
0x6527eb (14): NNTP Password2
0x6527fa (18): HTTPMail Password2
0x65280d (14): SMTP Password2
0x65281d (13): POP3 Password
0x65282b (13): IMAP Password
0x652839 (13): NNTP Password
0x652847 (13): HTTP Password
0x652855 (13): SMTP Password
0x652864 (52): Software\Microsoft\Internet Account Manager\Accounts
0x652899 (10): Identities
0x6528a4 (62): Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
0x6528e3 (117): Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
0x652959 (89): Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
0x6529b3 (43): Software\Microsoft\Internet Account Manager
0x6529f1 (14): identification
0x652a00 (11): identitymgr
0x652a0c (25): inetcomm server passwords
0x652a26 (33): outlook account manager passwords
0x652a48 (10): identities
0x652a53 (50): {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
0x652a86 (11): Thunderbird
0x652a92 (12): \Thunderbird
0x652aa9 (11): ftplist.txt
0x652c4d (11): Client Hash
0x652c59 (16): STATUS-IMPORT-OK
0x652c86 (13): "%s"
0x652c94 (13): ShellExecuteA
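The POST and GET templates in the strings above are the sample's hard-coded check-in and download requests. As an added detection example (not part of the paste), the Python below parses raw HTTP request heads and scores how many of those template features each one carries; the sample requests, hostnames and indicator names are constructed for illustration.

```python
# Added detection example (not from the paste): flag HTTP requests shaped like the
# hard-coded request template in the sample's in-memory strings. Sample requests at
# the bottom are CONSTRUCTED for illustration, not captured traffic.
import re

PONY_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"  # verbatim from the dump
PONY_ACCEPT_ENCODING = "identity, *;q=0"                     # verbatim from the dump
_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")

def parse_request(raw):
    """Method/path/version plus lower-cased headers, or None when malformed."""
    head, *lines = raw.strip().splitlines() or [""]
    m = _REQUEST_LINE.match(head.strip())
    if not m:
        return None
    req = {"method": m.group(1), "path": m.group(2), "version": m.group(3)}
    for line in lines:
        if ":" not in line:
            break  # blank line or body: the header block is over
        name, value = line.split(":", 1)
        req[name.strip().lower()] = value.strip()
    return req

def pony_indicators(req):
    """Template features present in a parsed request; more hits, stronger match."""
    hits = []
    if req.get("version") == "HTTP/1.0":
        hits.append("http/1.0")
    if req.get("user-agent") == PONY_UA:
        hits.append("msie5-win98-ua")
    if req.get("accept-encoding") == PONY_ACCEPT_ENCODING:
        hits.append("identity-only-encoding")
    if req.get("method") == "POST" and req.get("content-type") == "application/octet-stream":
        hits.append("octet-stream-post")
    if req.get("content-encoding") == "binary":
        hits.append("content-encoding-binary")
    if req.get("path", "").lower().endswith("/gate.php"):
        hits.append("gate.php")
    return hits

def is_pony_beacon(raw, min_hits=3):
    req = parse_request(raw)  # True when at least min_hits template features are present
    return req is not None and len(pony_indicators(req)) >= min_hits

# Constructed samples: a POST shaped like the check-in template, a GET shaped like the
# download template, and an ordinary browser request that must not match.
BEACON = ("POST /wptheme/nel/gate.php HTTP/1.0\nHost: c2.example.invalid\nAccept: */*\n"
          "Accept-Encoding: identity, *;q=0\nContent-Length: 512\nConnection: close\n"
          f"Content-Type: application/octet-stream\nContent-Encoding: binary\nUser-Agent: {PONY_UA}\n")
DOWNLOAD = ("GET /wptheme/nel/hawk.exe HTTP/1.0\nHost: c2.example.invalid\nAccept: */*\n"
            f"Accept-Encoding: identity, *;q=0\nConnection: close\nUser-Agent: {PONY_UA}\n")
BENIGN = ("GET /index.html HTTP/1.1\nHost: www.example.invalid\nAccept: */*\n"
          "Accept-Encoding: gzip, deflate\nUser-Agent: Mozilla/5.0 (Windows NT 10.0)\n")
```

The legacy HTTP/1.0 request line and the MSIE 5.0 / Windows 98 User-Agent are rare in modern traffic, so they are the cheapest proxy-log pivots; the octet-stream POST with Content-Encoding: binary narrows the match to the check-in itself.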