Sample details: f9dc2a5cc0d303ded71a3f22c3bfa7f9

Hashes
MD5: f9dc2a5cc0d303ded71a3f22c3bfa7f9
SHA1: 30390cd262ea593290f92749a392a0b7f001dfa0
SHA256: 372ee63dcbe1849a5d52181ea295f6602f21c4c33edf5d20436eb0efdd5c900b
SSDEEP: 384:/vP7kzbCnMGYPObAIUxDNb24hJaNVaQTSCMu6z7WwH:P7kzbCnXjwb2yENVTH36v
Details
File Type: data
Yara Hits
CuckooSandbox/embedded_win_api | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Browsers | YRP/network_tcp_socket | YRP/network_dns | YRP/escalate_priv | YRP/cred_local | YRP/cred_ff | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation | YRP/CRC32_poly_Constant | YRP/CRC32_table | YRP/DES_sbox | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/with_sqlite | YRP/pony | BAMFDetect/pony
Strings
		7zjLyx4X57
http://legendlogs.net/buchi1/Server/gate.php
YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
UninstallString
DisplayName
Software\WinRAR
kernel32.dll
WTSGetActiveConsoleSessionId
ProcessIdToSessionId
netapi32.dll
NetApiBufferFree
NetUserEnum
ole32.dll
StgOpenStorage
advapi32.dll
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
CredEnumerateA
CredFree
CryptGetUserKey
CryptExportKey
CryptDestroyKey
CryptReleaseContext
RevertToSelf
OpenProcessToken
ImpersonateLoggedOnUser
GetTokenInformation
ConvertSidToStringSidA
LogonUserA
LookupPrivilegeValueA
AdjustTokenPrivileges
CreateProcessAsUserA
crypt32.dll
CryptUnprotectData
CertOpenSystemStoreA
CertEnumCertificatesInStore
CertCloseStore
CryptAcquireCertificatePrivateKey
msi.dll
MsiGetComponentPathA
pstorec.dll
PStoreCreateInstance
userenv.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
j@shell32.dll
SHGetFolderPathA
My Documents
AppData
Local AppData
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
explorer.exe
S-1-5-18
SeImpersonatePrivilege
SeTcbPrivilege
SeChangeNotifyPrivilege
SeCreateTokenPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
GetNativeSystemInfo
kernel32.dll
IsWow64Process
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Password
HostName
_cx_ftp.ini
\GHISLER
InstallDir
FtpIniName
Software\_hisler\Windows Commander
Software\_hisler\Total Commander
\Ipswitch
Sites\
\Ipswitch\WS_FTP
\win.ini
WS_FTP
DEFDIR
CUTEFTP
QCHistory
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 9\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
\sm.dat
_oftware\FlashFXP\3
_oftware\FlashFXP
_oftware\FlashFXP\4
InstallerDathPath
Install Path
DataFolder
\Sites.dat
\Quick.dat
\_istory.dat
\FlashFXP\3
\FlashFXP\4
\FileZilla
\sitemanager.xml
\recentservers.xml
\filezilla.xml
Software\FileZilla
Software\FileZilla Client
Install_Dir
Remote Dir
Server Type
Server.Host
Server.User
Server.Pass
Server.Port
ServerType
Last Server Host
Last Server User
Last Server Pass
Last Server Port
Last Server Path
Last Server Type
FTP Navigator
FTP Commander
ftplist.txt
\BulletProof Software
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
LastSessionFile
SitesDir
InstallDir1
\SmartFTP
Favorites.dat
_istory.dat
_ddrbk.dat
quick.dat
\TurboFTP
Software\TurboFTP
installpath
Software\Sota\FFFTP
CredentialSalt
CredentialCheck
Software\Sota\FFFTP\Options
Password
UserName
HostAdrs
RemoteDir
HostName
Username
Password
HostDirName
Software\CoffeeCup Software\Internet\Profiles
Software\FTPWare\COREFTP\Sites
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Buttons
Software\FTP Explorer\Profiles
Password
PasswordType
InitialPath
FtpSite.xml
\Frigate3
_VanDyke\Config\Sessions
\Sessions
Software\VanDyke\SecureFX
Config Path
UltraFXP
\sites.xml
\FTPRush
RushSite.xml
Server
Username
Password
FtpPort
Software\Cryer\WebSitePublisher
\BitKinex
bitkinex.ds
Hostname
Username
Password
Software\ExpanDrive\Sessions
\ExpanDrive
\drives.js
"password" : "
Software\ExpanDrive
ExpanDrive_Home
Server
UserName
Password
_Password
Directory
Software\NCH Software\ClassicFTP\FTPAccounts
FtpServer
FtpUserName
FtpPassword
_FtpPassword
FtpDirectory
SOFTWARE\NCH Software\Fling\Accounts
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
ftplast.osd
\GPSoftware\Directory Opus
\SharedSettings.ccs
\SharedSettings_1_0_5.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.sqlite
\CoffeeCup Software
leapftp
unleap.exe
sites.dat
sites.ini
\LeapWare\LeapFTP
SOFTWARE\LeapWare
InstallPath
DataDir
Password
HostName
UserName
RemoteDirectory
PortNumber
FSProtocol
Software\Martin Prikryl
\32BitFtp.ini
NDSites.ini
\NetDrive
PassWord
UserName
RootDirectory
Software\South River Technologies\WebDrive\Connections
ServerType
FTP CONTROL
FTPCON
\Profiles
http://
https://
ftp://
wand.dat
_Software\Opera Software
Last Directory3
Last Install Path
Opera.HTML\shell\open\command
\Opera Software
wiseftpsrvs.bin
\AceBIT
Software\AceBIT
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
wiseftpsrvs.ini
wiseftp.ini
FTPVoyager.ftp
FTPVoyager.ftp.backup
FTPVoyager.ftp.old.backup
FTPVoyager.qc
\RhinoSoft.com
nss3.dll
NSS_Init
NSS_Shutdown
NSSBase64_DecodeBuffer
SECITEM_FreeItem
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_FreeSlot
profiles.ini
Profile
IsRelative
PathToExe
prefs.js
signons.sqlite
signons.txt
signons2.txt
signons3.txt
Firefox
\Mozilla\Firefox\
Software\Mozilla
ftp://
http://
https://
fireFTPsites.dat
SeaMonkey
\Mozilla\SeaMonkey\
\Flock\Browser\
Mozilla
\Mozilla\Profiles\
Software\LeechFTP
AppDir
LocalDir
bookmark.dat
SiteInfo.QFP
Favorites.dat
WinFTP
sites.db
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
servers.xml
\FTPGetter
ESTdb2.dat
QData.dat
\Estsoft\ALFTP
Internet Explorer
WininetCacheCredentials
MS IE FTP Passwords
DPAPI: 
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Microsoft_WinInet_*
ftp://
Software\Adobe\Common
SiteServers
SiteServer %d\Host
SiteServer %d\WebUrl
SiteServer %d\Remote Directory
SiteServer %d-User
SiteServer %d-User PW
%s\Keychain
SiteServer %d\SFTP
DeluxeFTP
sites.xml
SQLite format 3
CONSTRAINT
PRIMARY
UNIQUE
FOREIGN
Web Data
Login Data
logins
origin_url
password_value
username_value
ftp://
http://
https://
moz_logins
hostname
encryptedPassword
encryptedUsername
\Google\Chrome
\Chromium
\ChromePlus
Software\ChromePlus
Install_Dir
\Bromium
\Nichrome
\Comodo
\RockMelt
K-Meleon
\K-Meleon
\Profiles
\Epic\Epic
Staff-FTP
sites.ini
\Sites
\Visicom Media
\Global Downloader
SM.arch
FreshFTP
BlazeFtp
site.dat
LastPassword
LastAddress
LastUser
LastPort
Software\FlashPeak\BlazeFtp\Settings
\BlazeFtp
FTP++.Link\shell\open\command
Connections.txt
3D-FTP
sites.ini
\3D-FTP
\SiteDesigner
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
\NetSarang
TERMSRV/*
password 51:b:
username:s:
full address:s:
TERMSRV/
FTP Now
FTPNow
sites.xml
SOFTWARE\Robo-FTP 3.7\Scripts
SOFTWARE\Robo-FTP 3.7\FTPServers
FTP Count
FTP File%d
Password
ServerName
UserID
InitialDirectory
PortNumber
ServerType
2.5.29.37
Software\LinasFTP\Site Manager
Remote Dir
\Cyberduck
user.config
<setting name="
value="
Software\SimonTatham\PuTTY\Sessions
HostName
UserName
Password
PortNumber
TerminalType
NppFTP.xml
\Notepad++
Software\CoffeeCup Software
FTP destination server
FTP destination user
FTP destination password
FTP destination port
FTP destination catalog
FTP profiles
FTPShell
ftpshell.fsi
Software\MAS-Soft\FTPInfo\Setup
DataDir
\FTPInfo
ServerList.xml
NexusFile
ftpsite.ini
FastStone Browser
FTPList.db
\MapleStudio\ChromePlus
Software\Nico Mak Computing\WinZip\FTP
Software\Nico Mak Computing\WinZip\mru\jobs
UserID
xflags
Folder
winex="
\Yandex
My FTP
project.ini
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
NovaFTP.db
\INSoftware\NovaFTP
.oeaccount
<_OP3_Password2
<_MTP_Password2
<IMAP_Password2
<HTTPMail_Password2
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Software\Microsoft\Windows Mail
Software\RimArts\B2\Settings
DataDir
DataDirBak
Mailbox.ini
Software\Poco Systems Inc
\PocoSystem.ini
Program
DataPath
accounts.ini
\Pocomail
Software\IncrediMail
EmailAddress
Technology
PopServer
PopPort
PopAccount
PopPassword
_mtpServer
_mtpPort
_mtpAccount
_mtpPassword
account.cfg
account.cfn
\BatMail
\The Bat!
Software\RIT\The Bat!
Software\RIT\The Bat!\Users depot
Working Directory
ProgramDir
Default
Dir #%d
RLUQ!Dl`hm!@eesdrr
RLUQ!Rdswds
QNQ2!Rdswds
QNQ2!Trds!O`ld
RLUQ!Trds!O`ld
OOUQ!Dl`hm!@eesdrr
OOUQ!Trds!O`ld
OOUQ!Rdswds
HL@Q!Rdswds
HL@Q!Trds!O`ld
IUUQ!Trds
IUUQ!Rdswds!TSM
QNQ2!Trds
HL@Q!Trds
IUUQL`hm!Trds!O`ld
IUUQL`hm!Rdswds
RLUQ!Trds
QNQ2!Qnsu
RLUQ!Qnsu
HL@Q!Qnsu
QNQ2!Q`rrvnse3
HL@Q!Q`rrvnse3
OOUQ!Q`rrvnse3
IUUQL`hm!Q`rrvnse3
RLUQ!Q`rrvnse3
QNQ2!Q`rrvnse
HL@Q!Q`rrvnse
OOUQ!Q`rrvnse
IUUQ!Q`rrvnse
RLUQ!Q`rrvnse
Software\Microsoft\Internet Account Manager\Accounts
Identities
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Internet Account Manager
Outlook
\Accounts
identification
identitymgr
inetcomm server passwords
outlook account manager passwords
identities
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Thunderbird
\Thunderbird
FastTrack
ftplist.txt
wallet.dat
\Bitcoin
electrum.dat
\Electrum
.wallet
\MultiBit
Accounts.ini
\Maxprog\FTP Disk
wallet.dat
\Litecoin
wallet.dat
\Namecoin
wallet.dat
\Terracoin
.wallet
\Armory
wallet.dat
\PPCoin
wallet.dat
\Primecoin
wallet.dat
\Feathercoin
wallet.dat
\NovaCoin
wallet.dat
\Freicoin
wallet.dat
\Devcoin
wallet.dat
\Franko
wallet.dat
\ProtoShares
wallet.dat
\Megacoin
wallet.dat
\Quarkcoin
wallet.dat
\Worldcoin
wallet.dat
\Infinitecoin
wallet.dat
\Ixcoin
wallet.dat
\Anoncoin
wallet.dat
\BBQcoin
wallet.dat
\Digitalcoin
wallet.dat
\Mincoin
wallet.dat
\GoldCoin (GLD)
wallet.dat
\Yacoin
wallet.dat
\Zetacoin
wallet.dat
\Fastcoin
wallet.dat
\I0coin
wallet.dat
\Tagcoin
wallet.dat
\Bytecoin
wallet.dat
\Florincoin
wallet.dat
\Phoenixcoin
wallet.dat
\Luckycoin
wallet.dat
\Craftcoin
wallet.dat
\Junkcoin
samantha
michelle
eminem
scooter
asdfasdf
diamond
maxwell
justin
chicken
danielle
iloveyou2
fuckoff
prince
junior
rainbow
112233
fuckyou1
nintendo
peanut
church
bubbles
robert
222222
destiny
loving
gfhjkm
mylove
jasper
123321
cocacola
helpme
nicole
guitar
billgates
looking
scooby
joseph
genesis
emmanuel
cassie
victory
passw0rd
foobar
ilovegod
nathan
blabla
digital
peaches
football1
11111111
thunder
gateway
iloveyou!
football
tigger
corvette
killer
creative
123456789
google
zxcvbnm
startrek
ashley
cheese
sunshine
christ
000000
soccer
qwerty1
friend
summer
1234567
merlin
12345678
jordan
dexter
winner
sparky
windows
123abc
anthony
ghbdtn
hotdog
baseball
password1
dragon
trustno1
internet
mustdie
letmein
knight
jordan23
abc123
red123
praise
freedom
jesus1
london
computer
microsoft
muffin
mother
master
111111
qazwsx
samuel
canada
slayer
rachel
onelove
qwerty
prayer
iloveyou1
whatever
password
blessing
snoopy
1q2w3e4r
cookie
chelsea
pokemon
hahaha
aaaaaa
hardcore
shadow
welcome
mustang
654321
bailey
blahblah
matrix
jessica
stella
benjamin
testing
secret
trinity
richard
shalom
monkey
iloveyou
thomas
blink182
jasmine
purple
angels
blessed
1234567890
heaven
hunter
pepper
john316
buster
andrew
ginger
7777777
hockey
hello1
angel1
superman
daniel
123123
forever
nothing
dakota
kitten
banana
flower
taylor
lovely
hannah
princess
compaq
jennifer
myspace1
smokey
matthew
harley
rotimi
fuckyou
soccer1
123456
single
joshua
123qwe
starwars
silver
austin
michael
amanda
charlie
bandit
maggie
maverick
online
spirit
george
friends
dallas
adidas
1q2w3e
orange
testtest
asshole
biteme
666666
william
mickey
asdfgh
wisdom
batman
Client Hash
STATUS-IMPORT-OK
%d.bat
      "%s"   
ShellExecuteA
	   :ktk   
     del    	 %1  
	if  		 exist 	   %1  	  goto 	
 del 	  %0 
shell32.dll
;3+#>6.&
'2, /+0&7!4-)1#
XrAoYr
j@o>j@
CreateFileA
ReadFile
CloseHandle
WriteFile
lstrlenA
GlobalLock
GlobalUnlock
LocalFree
LocalAlloc
GetTickCount
lstrcpyA
lstrcatA
GetFileAttributesA
ExpandEnvironmentStringsA
GetFileSize
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
LoadLibraryA
GetProcAddress
GetTempPathA
CreateDirectoryA
DeleteFileA
GetCurrentProcess
WideCharToMultiByte
GetLastError
lstrcmpA
CreateToolhelp32Snapshot
Process32First
OpenProcess
Process32Next
FindFirstFileA
lstrcmpiA
FindNextFileA
FindClose
GetModuleHandleA
GetVersionExA
GetLocaleInfoA
GetSystemInfo
GetWindowsDirectoryA
GetPrivateProfileStringA
SetCurrentDirectoryA
GetPrivateProfileSectionNamesA
GetPrivateProfileIntA
GetCurrentDirectoryA
lstrlenW
MultiByteToWideChar
GetModuleFileNameA
LCMapStringA
ExitProcess
SetUnhandledExceptionFilter
kernel32.dll
CreateStreamOnHGlobal
GetHGlobalFromStream
CoCreateGuid
CoTaskMemFree
CoCreateInstance
OleInitialize
ole32.dll
wsprintfA
user32.dll
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegOpenKeyA
RegEnumKeyExA
RegCreateKeyA
RegSetValueExA
IsTextUnicode
RegOpenCurrentUser
RegEnumValueA
GetUserNameA
advapi32.dll
InternetCrackUrlA
InternetCreateUrlA
wininet.dll
StrStrIA
StrRChrIA
StrToIntA
StrStrA
StrCmpNIA
StrStrIW
shlwapi.dll
ObtainUserAgentString
urlmon.dll
inet_addr
gethostbyname
socket
connect
closesocket
select
setsockopt
WSAStartup
wsock32.dll
LoadUserProfileA
UnloadUserProfile
userenv.dll
Qkkbal