General
-
Target
Downloads2.rar
-
Size
1.3MB
-
Sample
210315-zkb44qmaq6
-
MD5
08169961944f78f83ec296816f4e1126
-
SHA1
cfe5e23b80d10b7b34a343b484939b9e9fde9895
-
SHA256
69fc2c605ffc41b7d121426cc8a48421aa0f04915331d491cef3ad48b78cc3fa
-
SHA512
51e54c4deb2114c6f781966a5de7ba03889246568eb7486f00eea0bb977efcddeacc168e3879d9ff75a2c7239a49bb8c676d726587dbcfd41b7e4adaa76fba40
Malware Config
Targets
-
-
Target
0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
-
Size
274B
-
MD5
dde72ae232dc63298465861482d7bb93
-
SHA1
557c5dbebc35bc82280e2a744a03ce5e78b3e6fb
-
SHA256
0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
-
SHA512
389eb8f7b18fcdd1a6f275ff8acad211a10445ff412221796cd645c9a6458719cced553561e2b4d438783459d02e494d5140c0d85f2b3df617b7b2e031d234b2
Score1/10 -
-
-
Target
09002c686e358799a9d732f4483a31a858bb140a3dfd59df54b1d449d2f8122b
-
Size
34KB
-
MD5
ca56f256dfb3ad7ee41179cf20ed9e3b
-
SHA1
b9aec780c86538f32bdfdaf39b4d2a77e4a4dced
-
SHA256
09002c686e358799a9d732f4483a31a858bb140a3dfd59df54b1d449d2f8122b
-
SHA512
b56cfcd0ffea6b96bdffeb5023365f6fc762cadfce6d7bb32f4d782fd47e03f744a5d98912f183505f20a8cb3bae54eb91930dfbf0e47fb65523653e6c95a91b
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Deletes itself
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
0b1551c0bef2ec2f87a7e3d84be6a388c7ce52ca9d2c4f791939e41a3ecffd16
-
Size
141KB
-
MD5
e5e56f9374a5a6dd331a0f57883bcbb5
-
SHA1
86ae05396644baef2ddc112c0485af1f170c5bfb
-
SHA256
0b1551c0bef2ec2f87a7e3d84be6a388c7ce52ca9d2c4f791939e41a3ecffd16
-
SHA512
3cd12ee34d28125fc82082c5b91dc82ff27069c9d21766f82fc26f1fb5487de8e63f10c751f9ae211c6ea08c47e23ed3fc2925525038ac5796a447395a248941
Score1/10 -
-
-
Target
1048caa70a44f59a621e209cc10308256e7495a427245260469812ca1b710629
-
Size
124KB
-
MD5
05e1bf4b590ce76c4bfef4d85cb6aacb
-
SHA1
dafdaf22044c3e132bed4266c192f0f5a089949e
-
SHA256
1048caa70a44f59a621e209cc10308256e7495a427245260469812ca1b710629
-
SHA512
3dd5e3eae645cc46ede187f55240cebba331398f510719e47c1a48c3671996ef34139bcb54ccf72871d8565319252505cf1fd6da439a25d21f91e5d39c2762bf
Score10/10-
Modifies visiblity of hidden/system files in Explorer
-
UAC bypass
-
Adds policy Run key to start application
-
Blocklisted process makes network request
-
Disables taskbar notifications via registry modification
-
Deletes itself
-
-
-
Target
1c3170b776327a73e95e554258be94a70d6861b37242fe48a5126d06e33de1b0
-
Size
36KB
-
MD5
9baa6c3392dc9c0ad1733882a3faf2ba
-
SHA1
827fb56941d9ee428804d6462bf418494c0bf8e8
-
SHA256
1c3170b776327a73e95e554258be94a70d6861b37242fe48a5126d06e33de1b0
-
SHA512
3d5ae55af680cca52a1434c259c6cfa5cb0855de9858d62283e58a2cb1fa2ccd97aac82c544248646d4c3811c9e63a0fad78437e251d569b6111a179fae0583f
Score3/10 -
-
-
Target
240387329dee4f03f98a89a2feff9bf30dcba61fcf614cdac24129da54442762
-
Size
402KB
-
MD5
0c4374d72e166f15acdfe44e9398d026
-
SHA1
f8ac123e604137654759f2fbc4c5957d5881d3d1
-
SHA256
240387329dee4f03f98a89a2feff9bf30dcba61fcf614cdac24129da54442762
-
SHA512
76cd020e4944cd3de7da34297b320e72108759e204a92f0952e0045a4dfeaeb3ec7ee3f96d7a2a1b0c580c6cee56f6abdd5d84eec4e2182baae2fb1924812235
Score1/10 -
-
-
Target
2573b356452dd5ee24c10537fa4848d882fa40a2a8fa5a181624ba460e1f769a
-
Size
90KB
-
MD5
6b645fbf570f4d09f059d8fed734fa3e
-
SHA1
83f12011bfaa99ac994fa5b9003ff4a7123d4f14
-
SHA256
2573b356452dd5ee24c10537fa4848d882fa40a2a8fa5a181624ba460e1f769a
-
SHA512
ec428673fa3c881de143689b679fcc190897068a7cbee509c8ff6eaa0792ec8951c5b6b620de2c116cccfc3954ed71c142eb19397dcca5a6198f1e7b5d7a45ac
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Deletes itself
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
2df6c36b4784f4934afabe081335830ee9c00520070582b5a381335b4350f951
-
Size
120KB
-
MD5
a487bae084bbd75ecbdc5d9fede362ba
-
SHA1
6342522e5fd28c6a40cb4443c0300ee16caaa504
-
SHA256
2df6c36b4784f4934afabe081335830ee9c00520070582b5a381335b4350f951
-
SHA512
bb6905072339b8c7f94b1a9edf825678f1a279b5968a68728d764c546f363d2059c3e819f15968c1c68aa4ab33ac36021e155443f785806050bfc71c65d68873
Score7/10-
Loads dropped DLL
-
-
-
Target
2df6c36b4784f4934afabe081335830ee9c00520070582b5a381335b4350f951(1)
-
Size
120KB
-
MD5
a487bae084bbd75ecbdc5d9fede362ba
-
SHA1
6342522e5fd28c6a40cb4443c0300ee16caaa504
-
SHA256
2df6c36b4784f4934afabe081335830ee9c00520070582b5a381335b4350f951
-
SHA512
bb6905072339b8c7f94b1a9edf825678f1a279b5968a68728d764c546f363d2059c3e819f15968c1c68aa4ab33ac36021e155443f785806050bfc71c65d68873
Score7/10-
Loads dropped DLL
-
-
-
Target
2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b
-
Size
181KB
-
MD5
0826df3aaa157edff9c0325f298850c2
-
SHA1
ed35b02fa029f1e724ed65c2de5de6e5c04f7042
-
SHA256
2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b
-
SHA512
af6c5734fd02b9ad3f202e95f9ff4368cf0dfdaffe0d9a88b781b196a0a3c44eef3d8f7c329ec6e3cbcd3e6ab7c49df7d715489539e631506ca1ae476007a6a6
Score3/10 -
-
-
Target
2fba2aba4b6d7ff3a8b262399a30c7f45ff15cfab932c25fc61477278171a107
-
Size
266KB
-
MD5
585a7796703434f21de2188a5e294aa8
-
SHA1
a3b2bcec4b9b9ce0e8cc65e95d24eaba1f71d157
-
SHA256
2fba2aba4b6d7ff3a8b262399a30c7f45ff15cfab932c25fc61477278171a107
-
SHA512
0fcd7e3d566b5168034dfcf4795306d56577492499b83fd35ac85cdc22b578d7cede3e689bb5b1d6c5f69bed7f14c58eaf679b4e3e2a262306ff7b6d6bf03f5a
Score1/10 -
-
-
Target
3ed5d687a46e865424395d3dd455f69c82ac0b22fa24f361db6e87e7aa5019bd
-
Size
294KB
-
MD5
5455364b437d431400267a9092d65442
-
SHA1
e34ddbf5ba33ffff8beca910cb17237553f4bfd1
-
SHA256
3ed5d687a46e865424395d3dd455f69c82ac0b22fa24f361db6e87e7aa5019bd
-
SHA512
a00fcf59f67062b112139b0ecdb9a65b9e80b63f90a0dcccc088100e65086e91d1cf704e1e48ef6093e5dcbcb996c00d242792fef7aafe220bacf453251f9f0a
Score3/10 -
-
-
Target
4fc17a5cf81946e26f1846986557801c0a802e56255c7d112cc3edc0d70255d5
-
Size
156KB
-
MD5
11c9115ed7a92a5496cec4e240cd5dda
-
SHA1
bfdc6d0e75ac80c8aaf3b6746e74feef158e1b63
-
SHA256
4fc17a5cf81946e26f1846986557801c0a802e56255c7d112cc3edc0d70255d5
-
SHA512
359c126066052fb3c21129dc22b105a6a29cfa9bd4c903da9a31cb5bdafab5f2cfdcdc6f1dac679e8333b82aaadcf0f5776a1979d0f2be277abbfaac06c87aaf
Score6/10-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
-
-
Target
5942a02bc0a0e32875bc71e9a678b065d5f0e144938467a3590ba884884153d3
-
Size
68KB
-
MD5
0e9a211f76500fcb3f47f4ea3c94b1c5
-
SHA1
f92f1d121642844b1dab7eee204aa83a5ee0a1e2
-
SHA256
5942a02bc0a0e32875bc71e9a678b065d5f0e144938467a3590ba884884153d3
-
SHA512
15ccb1a92f48bcbd5b9043b9dc275170030a73ad5ffc9e55550a32cf3f2ac3379dc65b95851ec9c5bd643093b28f37dbb41fe2319af374a725e83a7a1870d76f
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
-
-
Target
6e7785213d6af20f376a909c1ecb6c9bddec70049764f08e5054a52997241e3d
-
Size
117KB
-
MD5
31963075abec1ca51a7c8416baf097f2
-
SHA1
44b5e306c4b3af5c7819eaef7b13a3560ecaefac
-
SHA256
6e7785213d6af20f376a909c1ecb6c9bddec70049764f08e5054a52997241e3d
-
SHA512
44b0eea2e51040c3e93b8a8935ce95d277ba195543fa345e849c894ebff22bbc4eadbb0dee504c8d39e70441bf4a19ce9ecd87cdd6c2d7997ddc33bcc6f06f56
Score8/10-
Adds policy Run key to start application
-
Deletes itself
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
-
-
Target
83c64ed85d0245b22a7fb1e1f529ccd4db58b49fc6cf656c8d56712fa0b9fea0
-
Size
270KB
-
MD5
bcc1d244f31ebe1bd48e91671a902486
-
SHA1
7803926b6bbb704ed8f63809d6635ae811bdbdc2
-
SHA256
83c64ed85d0245b22a7fb1e1f529ccd4db58b49fc6cf656c8d56712fa0b9fea0
-
SHA512
654161503f7c3ead23dad8ba37ebd3e56a8c41826a2ed82d7247b350e11cb5749996daaeb69af200f32c8a27716db09d18818b126d5df992b5e44f5d541c8933
Score10/10-
Registers COM server for autorun
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Enterprise v6
Persistence
Bootkit
1Hidden Files and Directories
1Registry Run Keys / Startup Folder
3Defense Evasion
Bypass User Account Control
1Disabling Security Tools
1Hidden Files and Directories
1Install Root Certificate
1Modify Registry
5