Overview

overview

10

Static

static

ba0b2518a0...3d.exe

windows7_x64

10

ba0b2518a0...3d.exe

windows10_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    10-12-2020 12:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe

  • Size

    485KB

  • MD5

    7b3a0c8d0b05933156402de9a42490fc

  • SHA1

    49ea0ae6f2740dbbb7231423c16f8e88566bdb92

  • SHA256

    ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d

  • SHA512

    49e37363637fb91c2a8325c0a6f734f194d38a3aecdbf9f271a7dc2d22241a287467f7ad672a81e8b6fe6c5a642c45c3ceba05f762b18c7f5525f6c9c8988164

Score
10/10
ponydiscoveryratspywarestealer

Malware Config

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Deletes itself 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe
    "C:\Users\Admin\AppData\Local\Temp\ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:612
    • C:\Users\Admin\AppData\Local\Temp\ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe
      "{path}"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\259346467.bat" "C:\Users\Admin\AppData\Local\Temp\ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe" "
        3⤵
        • Deletes itself
        PID:396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259346467.bat
    MD5

    3880eeb1c736d853eb13b44898b718ab

    SHA1

    4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

    SHA256

    936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

    SHA512

    3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

    Download Submit
  • memory/396-27-0x0000000000000000-mapping.dmp
    Download
  • memory/612-2-0x00000000748C0000-0x0000000074FAE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/612-3-0x0000000000A50000-0x0000000000A51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/612-5-0x0000000000350000-0x000000000039D000-memory.dmp
    Filesize

    308KB

    Download
  • memory/612-20-0x0000000000480000-0x000000000048E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/612-21-0x0000000004EE0000-0x0000000004F31000-memory.dmp
    Filesize

    324KB

    Download
  • memory/1216-26-0x000007FEF7E30000-0x000007FEF80AA000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/1612-23-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1612-24-0x0000000000410621-mapping.dmp
    Download
  • memory/1612-25-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

    Download