Overview

overview

10

Static

static

3532dd3d0f...45.exe

windows7_x64

10

3532dd3d0f...45.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3532dd3d0f0ba1c2d0fe796ed4f26bfcd9cc62c2cc9c1199181591798d8d7145.zip

  • Size

    460KB

  • Sample

    201211-vjnpczgc1x

  • MD5

    5d53d873153840ac5318ec6ed35a132d

  • SHA1

    d480adfc8e1e023c58a23413ea8353e4a5bd00cb

  • SHA256

    9c859cf761688c7b16b1251c64d379b84b5cf54dfcd6c0e04eacdba2cf1451fc

  • SHA512

    533387f257eec779cfd4c640fe1abdb80c2942a16c2fe6753543857811ad28e980fe00895d58f93041ea82c51fb19c59ab025f45ae31db495022195b06ec75f2

Score
10/10
ponybootkitdiscoverypersistenceratspywarestealer

Malware Config

Targets

    • Target

      3532dd3d0f0ba1c2d0fe796ed4f26bfcd9cc62c2cc9c1199181591798d8d7145

    • Size

      789KB

    • MD5

      adeb3a88f0ffe993d94ddd6b9e8fdab3

    • SHA1

      e480d5519822b36493256cb9fd25915003f107e4

    • SHA256

      3532dd3d0f0ba1c2d0fe796ed4f26bfcd9cc62c2cc9c1199181591798d8d7145

    • SHA512

      4cb3ce0b939e3316ae3d26dba9c372177ec719302e9195c495670cac24c69985920715ba3dac1776c6ea3c453dcb031e550e8bd2528591cacf2e163da818647b

    Score
    10/10
    ponybootkitdiscoverypersistenceratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Deletes itself

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spyware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks