MalwareMustDie

Pony case - slurped credentials to send to Pony

Jun 21st, 2013
// Credential List Slurped by the Fareit in Pony Loader...
// (from decrypted sample)
// VT: https://www.virustotal.com/en/file/8aeb0f35588e8286d0bb4fe253dc6b76c6751392708d7bc2b43660b1d6bc9a76/analysis/
// Analysis:

My Documents
AppData
Local AppData
Cache
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
explorer.exe
SeImpersonatePrivilege
SeTcbPrivilege
SeChangeNotifyPrivilege
SeCreateTokenPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
GetNativeSystemInfo
kernel32.dll
IsWow64Process
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Password
HostName
User
Line
_cx_ftp.ini
\GHISLER
InstallDir
FtpIniName
Software\_hisler\Windows Commander
Software\_hisler\Total Commander
\Ipswitch
Sites\
\Ipswitch\WS_FTP
\win.ini
.ini
WS_FTP
DIR
DEFDIR
CUTEFTP
QCHistory
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 9\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
\sm.dat
_oftware\FlashFXP\3
_oftware\FlashFXP
_oftware\FlashFXP\4
InstallerDathPath
path
Install Path
DataFolder
\Sites.dat
\Quick.dat
\_istory.dat
\FlashFXP\3
\FlashFXP\4
\FileZilla
\sitemanager.xml
\recentservers.xml
\filezilla.xml
Software\FileZilla
Software\FileZilla Client
Install_Dir
Host
User
Pass
Port
Remote Dir
Server Type
Server.Host
Server.User
Server.Pass
Server.Port
Path
ServerType
Last Server Host
Last Server User
Last Server Pass
Last Server Port
Last Server Path
Last Server Type
FTP Navigator
FTP Commander
ftplist.txt
\BulletProof Software
.dat
.bps
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
LastSessionFile
SitesDir
InstallDir1
.xml
\SmartFTP
Favorites.dat
_istory.dat
_ddrbk.dat
quick.dat
\TurboFTP
Software\TurboFTP
installpath
Software\Sota\FFFTP
CredentialSalt
CredentialCheck
Software\Sota\FFFTP\Options
Password
UserName
HostAdrs
RemoteDir
Port
HostName
Port
Username
Password
HostDirName
Software\CoffeeCup Software\Internet\Profiles
Software\FTPWare\COREFTP\Sites
Host
User
Port
PthR
SSH
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Buttons
Software\FTP Explorer\Profiles
Password
PasswordType
Host
Login
Port
InitialPath
FtpSite.xml
\Frigate3
.ini
_VanDyke\Config\Sessions
\Sessions
Software\VanDyke\SecureFX
Config Path
UltraFXP
\sites.xml
\FTPRush
RushSite.xml
Server
Username
Password
FtpPort
Software\Cryer\WebSitePublisher
\BitKinex
bitkinex.ds
Hostname
Username
Password
Port
Software\ExpanDrive\Sessions
\ExpanDrive
\drives.js
"password" : "
Software\ExpanDrive
ExpanDrive_Home
Server
UserName
Password
_Password
Directory
Software\NCH Software\ClassicFTP\FTPAccounts
FtpServer
FtpUserName
FtpPassword
_FtpPassword
FtpDirectory
SOFTWARE\NCH Software\Fling\Accounts
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
.oxc
.oll
ftplast.osd
\GPSoftware\Directory Opus
\SharedSettings.ccs
\SharedSettings_1_0_5.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.sqlite
\CoffeeCup Software
leapftp
unleap.exe
sites.dat
sites.ini
\LeapWare\LeapFTP
SOFTWARE\LeapWare
InstallPath
DataDir
Password
HostName
UserName
RemoteDirectory
PortNumber
FSProtocol
Software\Martin Prikryl
\32BitFtp.ini
NDSites.ini
\NetDrive
PassWord
Url
UserName
RootDirectory
Port
Software\South River Technologies\WebDrive\Connections
ServerType
FTP CONTROL
FTPCON
.prf
\Profiles
http://
https://
ftp://
opera
wand.dat
_Software\Opera Software
Last Directory3
Last Install Path
Opera.HTML\shell\open\command
wiseftpsrvs.bin
\AceBIT
Software\AceBIT
MRU
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
wiseftpsrvs.ini
wiseftp.ini
FTPVoyager.ftp
FTPVoyager.qc
\RhinoSoft.com
nss3.dll
NSS_Init
NSS_Shutdown
NSSBase64_DecodeBuffer
SECITEM_FreeItem
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_FreeSlot
sqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
profiles.ini
Profile
IsRelative
Path
PathToExe
prefs.js
signons.sqlite
signons.txt
signons2.txt
signons3.txt
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
Firefox
\Mozilla\Firefox\
Software\Mozilla
ftp://
http://
https://
ftp.
fireFTPsites.dat
SeaMonkey
\Mozilla\SeaMonkey\
Flock
\Flock\Browser\
Mozilla
\Mozilla\Profiles\
Software\LeechFTP
AppDir
LocalDir
bookmark.dat
SiteInfo.QFP
Odin
Favorites.dat
WinFTP
sites.db
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
servers.xml
\FTPGetter
ESTdb2.dat
QData.dat
\Estsoft\ALFTP
Internet Explorer
WininetCacheCredentials
MS IE FTP Passwords
DPAPI:
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Microsoft_WinInet_*
ftp://
Software\Adobe\Common
SiteServers
SiteServer %d\Host
SiteServer %d\WebUrl
SiteServer %d\Remote Directory
SiteServer %d-User
SiteServer %d-User PW
%s\Keychain
SiteServer %d\SFTP
DeluxeFTP
sites.xml
Web Data
Login Data
SQLite format 3
table
CONSTRAINT
PRIMARY
UNIQUE
CHECK
FOREIGN
logins
origin_url
password_value
username_value
ftp://
http://
https://
\Google\Chrome
\Chromium
\ChromePlus
Software\ChromePlus
Install_Dir
\Bromium
\Nichrome
\Comodo
\RockMelt
K-Meleon
\K-Meleon
\Profiles
Epic
\Epic\Epic
Staff-FTP
sites.ini
\Sites
\Visicom Media
.ftp
\Global Downloader
SM.arch
FreshFTP
.SMF
BlazeFtp
site.dat
LastPassword
LastAddress
LastUser
LastPort
Software\FlashPeak\BlazeFtp\Settings
\BlazeFtp
.fpl
FTP++.Link\shell\open\command
GoFTP
Connections.txt
3D-FTP
sites.ini
\3D-FTP
\SiteDesigner
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
\NetSarang
.xfp
.rdp
TERMSRV/*
password 51:b:
username:s:
full address:s:
TERMSRV/
FTP Now
FTPNow
sites.xml
SOFTWARE\Robo-FTP 3.7\Scripts
SOFTWARE\Robo-FTP 3.7\FTPServers
FTP Count
FTP File%d
Password
ServerName
UserID
InitialDirectory
PortNumber
ServerType
fMY
Software\LinasFTP\Site Manager
Host
User
Pass
Port
Remote Dir
\Cyberduck
.duck
user.config
<setting name="
value="
Software\SimonTatham\PuTTY\Sessions
HostName
UserName
Password
PortNumber
TerminalType
NppFTP.xml
\Notepad++
Software\CoffeeCup Software
FTP destination server
FTP destination user
FTP destination password
FTP destination port
FTP destination catalog
FTP profiles
FTPShell
ftpshell.fsi
Software\MAS-Soft\FTPInfo\Setup
DataDir
\FTPInfo
ServerList.xml
NexusFile
ftpsite.ini
FastStone Browser
FTPList.db
\MapleStudio\ChromePlus
Software\Nico Mak Computing\WinZip\FTP
Software\Nico Mak Computing\WinZip\mru\jobs
Site
UserID
xflags
Port
Folder
.wjf
winex="
\Yandex
My FTP
project.ini
.xml
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
NovaFTP.db
\INSoftware\NovaFTP
.oeaccount
Salt
<_OP3_Password2
<_MTP_Password2
<IMAP_Password2
<HTTPMail_Password2
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Software\Microsoft\Windows Mail
Software\RimArts\B2\Settings
DataDir
DataDirBak
Mailbox.ini
Software\Poco Systems Inc
Path
\PocoSystem.ini
Program
DataPath
accounts.ini
\Pocomail
Software\IncrediMail
EmailAddress
Technology
PopServer
PopPort
PopAccount
PopPassword
_mtpServer
_mtpPort
_mtpAccount
_mtpPassword
account.cfg
account.cfn
\BatMail
\The Bat!
Software\RIT\The Bat!
Software\RIT\The Bat!\Users depot
Working Directory
ProgramDir
Count
Default
Software\Microsoft\Internet Account Manager\Accounts
Identities
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Internet Account Manager
Outlook
\Accounts
identification
identitymgr
inetcomm server passwords
outlook account manager passwords
identities
Thunderbird
\Thunderbird
FastTrack
ftplist.txt

#MalwareMustDie! @unixfreaxjp