General

  • Target

    BL Draft Copy-shipping DocumentsEXCEL.XLS.xlsx.gz.exe

  • Size

    170KB

  • Sample

    201109-l7tt9dhpbe

  • MD5

    a2bf53ed2269b816d8c28e469e8c2603

  • SHA1

    3f417fc14cf36208743e62309ec87e15ae9924c6

  • SHA256

    512614d4683ffe32c440266c41ca1a5b0cc9949b78850d3c131c1da388c6003d

  • SHA512

    d6e5ec3c655b2ee5b10c0d2779777f7ce1291cf5e0728e79524905453a4ac85bb6000ad8d1eaeb2caa774815ffa735d80624ae88d615a526a30ad34c52faf77a

Malware Config

Targets

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique               Count  ID
  Execution             Scheduled Task          1      T1053
  Persistence           Scheduled Task          1      T1053
  Privilege Escalation  Scheduled Task          1      T1053
  Credential Access     Credentials in Files    2      T1081
  Discovery             Query Registry          1      T1012
  Collection            Data from Local System  2      T1005

Tasks