Overview

Sample              Platform              Score
Static              -                     10
appconsole.exe      windows7_x64          10
appconsole.exe      windows10-2004_x64    10
azorult.exe         windows7_x64          10
azorult.exe         windows10-2004_x64    10
clipper.exe         windows7_x64          10
clipper.exe         windows10-2004_x64    1
jester_stealer.exe  windows7_x64          1
jester_stealer.exe  windows10-2004_x64    10
lokibot.exe         windows7_x64          10
lokibot.exe         windows10-2004_x64    10
pony.exe            windows7_x64          10
pony.exe            windows10-2004_x64    10
raccoon.exe         windows7_x64          10
raccoon.exe         windows10-2004_x64    10
redline.exe         windows7_x64          10
redline.exe         windows10-2004_x64    10
tesla.exe           windows7_x64          10
tesla.exe           windows10-2004_x64    10
vidar.xll           windows7_x64          10
vidar.xll           windows10-2004_x64    7
Analysis (score 10)
- max time kernel: 510s
- max time network: 513s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 28-04-2022 07:35
Static task
static1

Behavioral tasks
Task          Sample              Resource
behavioral1   appconsole.exe      win7-20220414-en
behavioral2   appconsole.exe      win10v2004-20220414-en
behavioral3   azorult.exe         win7-20220414-en
behavioral4   azorult.exe         win10v2004-20220414-en
behavioral5   clipper.exe         win7-20220414-en
behavioral6   clipper.exe         win10v2004-20220414-en
behavioral7   jester_stealer.exe  win7-20220414-en
behavioral8   jester_stealer.exe  win10v2004-20220414-en
behavioral9   lokibot.exe         win7-20220414-en
behavioral10  lokibot.exe         win10v2004-20220414-en
behavioral11  pony.exe            win7-20220414-en
behavioral12  pony.exe            win10v2004-20220414-en
behavioral13  raccoon.exe         win7-20220414-en
behavioral14  raccoon.exe         win10v2004-20220414-en
behavioral15  redline.exe         win7-20220414-en
behavioral16  redline.exe         win10v2004-20220414-en
behavioral17  tesla.exe           win7-20220414-en
behavioral18  tesla.exe           win10v2004-20220414-en
behavioral19  vidar.xll           win7-20220414-en
behavioral20  vidar.xll           win10v2004-20220414-en
General
- Target: pony.exe
- Size: 356KB
- MD5: 6303b080a150be26a260e9a349296b28
- SHA1: 692887c65908872c96f19ec81c28f221d5b87267
- SHA256: 8f696db90b2556c709e3dfd34fa977ca160939bb2cd2feb0d3718b33baa6cb0a
- SHA512: c04baedd9a00166ae6a56b16afc3693a25be491393ecabf5f9958c83b53d7d78256dba56c6b7345d466be20f3f073f1b06b241359a3ce0f9865eab537c4f04c1
Malware Config
Signatures

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Processes:
  description   ioc   process
  Key opened    \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts   pony.exe
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes:
  description   ioc   process
  Key opened    \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   pony.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes:
  The 48 IoCs are six identical passes by pony.exe (PID 4756) over the following eight privilege requests, in this order:
  description                           pid    process
  Token: SeImpersonatePrivilege         4756   pony.exe
  Token: SeTcbPrivilege                 4756   pony.exe
  Token: SeChangeNotifyPrivilege        4756   pony.exe
  Token: SeCreateTokenPrivilege         4756   pony.exe
  Token: SeBackupPrivilege              4756   pony.exe
  Token: SeRestorePrivilege             4756   pony.exe
  Token: SeIncreaseQuotaPrivilege       4756   pony.exe
  Token: SeAssignPrimaryTokenPrivilege  4756   pony.exe
- outlook_win_path (1 IoC)
  Processes:
  description   ioc   process
  Key opened    \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   pony.exe
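The registry and token IoCs above are the raw material a practitioner has to match at scale: `Key opened \REGISTRY\USER\<SID>\...` lines and `Token: <privilege> <pid> <process>` lines. The Python below is an added example, not part of this report or the sandbox's own code. It normalizes native registry paths to `HKU\<SID>` or `HKLM`, flags the two Outlook credential-store keys this report records plus the standard `Uninstall` key that the "Checks installed software" signature refers to, and summarizes the AdjustTokenPrivileges requests per PID (this report's 48 IoCs are six passes over eight privileges). The sample lines, the placeholder SID and the `HKLM` Uninstall entry for FileZilla are constructed for the example; the "high value" privilege set is a triage choice of the example's author, not something the sandbox reports.

```python
"""Triage helper for sandbox IoC lines in the format shown in the report above.
Added example; the sample lines at the bottom are constructed, not from a real run."""
import re
from collections import Counter, defaultdict

# Subkeys (lower-cased, relative to a user or machine hive) tied by the report's
# signatures to credential harvesting or software enumeration. The two Outlook
# keys are the ones the report records; the Uninstall key is the standard path
# behind the "Checks installed software" signature.
WATCHED_SUBKEYS = {
    r"software\microsoft\office\outlook\omi account manager\accounts":
        "Outlook accounts (OMI Account Manager)",
    r"software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles\outlook":
        "Outlook MAPI profiles",
    r"software\microsoft\windows\currentversion\uninstall":
        "installed-software enumeration (Uninstall key)",
}

# Triage choice (assumption, not from the report): privileges that a standard-user
# process cannot enable anyway, so merely requesting them is the signal.
HIGH_VALUE_PRIVILEGES = {
    "SeTcbPrivilege", "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeImpersonatePrivilege",
    "SeDebugPrivilege",
}

USER_HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21(?:-\d+){4})\\(.*)$", re.IGNORECASE)
MACHINE_HIVE_RE = re.compile(r"^\\REGISTRY\\MACHINE\\(.*)$", re.IGNORECASE)
# Key paths may contain spaces ("OMI Account Manager"), so the path is greedy
# and the process name is the last whitespace-free token.
KEY_LINE_RE = re.compile(r"^Key opened (?P<path>.+) (?P<proc>\S+)$")
TOKEN_LINE_RE = re.compile(r"^Token: (?P<priv>Se\w+Privilege) (?P<pid>\d+) (?P<proc>\S+)$")


def normalize_key(path):
    """Map a native \\REGISTRY\\... path to (hive, subkey_lower).
    hive is 'HKU\\<SID>' or 'HKLM'; the SID is kept so hits stay attributable to a user."""
    m = USER_HIVE_RE.match(path)
    if m:
        return "HKU\\" + m.group(1), m.group(2).lower()
    m = MACHINE_HIVE_RE.match(path)
    if m:
        return "HKLM", m.group(1).lower()
    return None, path.lower()


def parse_events(lines):
    """Parse 'Key opened ...' and 'Token: ...' lines; anything else is skipped."""
    events = []
    for line in lines:
        line = line.strip()
        m = KEY_LINE_RE.match(line)
        if m:
            hive, subkey = normalize_key(m.group("path"))
            events.append({"kind": "key", "hive": hive, "subkey": subkey, "proc": m.group("proc")})
            continue
        m = TOKEN_LINE_RE.match(line)
        if m:
            events.append({"kind": "token", "priv": m.group("priv"),
                           "pid": int(m.group("pid")), "proc": m.group("proc")})
    return events


def classify_registry(events):
    """Return (process, hive, label) for each key event that is a watched key or lives under one."""
    hits = []
    for ev in events:
        if ev["kind"] != "key":
            continue
        for watched, label in WATCHED_SUBKEYS.items():
            if ev["subkey"] == watched or ev["subkey"].startswith(watched + "\\"):
                hits.append((ev["proc"], ev["hive"], label))
                break
    return hits


def summarize_privileges(events):
    """Per (pid, process): Counter of requested privileges; repeats (as in the report) are counted."""
    per_pid = defaultdict(Counter)
    for ev in events:
        if ev["kind"] == "token":
            per_pid[(ev["pid"], ev["proc"])][ev["priv"]] += 1
    return dict(per_pid)


def triage(lines):
    events = parse_events(lines)
    hits = classify_registry(events)
    privs = summarize_privileges(events)
    high_value = {key: sorted(p for p in c if p in HIGH_VALUE_PRIVILEGES) for key, c in privs.items()}
    if hits and any(high_value.values()):
        verdict = "infostealer-like"
    elif hits or any(high_value.values()):
        verdict = "suspicious"
    else:
        verdict = "no hit"
    return {"hits": hits, "privileges": privs, "high_value": high_value, "verdict": verdict}


# Constructed sample lines in the report's own format; the SID is a placeholder.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1000"
SAMPLE_LINES = [
    f"Key opened \\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts pony.exe",
    f"Key opened \\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook pony.exe",
    "Key opened \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\FileZilla Client pony.exe",
    "Key opened \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion pony.exe",  # benign, not watched
    "Token: SeImpersonatePrivilege 4756 pony.exe",
    "Token: SeTcbPrivilege 4756 pony.exe",
    "Token: SeChangeNotifyPrivilege 4756 pony.exe",
    "Token: SeImpersonatePrivilege 4756 pony.exe",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print(result["verdict"])
    for proc, hive, label in result["hits"]:
        print(f"{proc}: {label} under {hive}")
    for (pid, proc), counter in result["privileges"].items():
        print(f"{proc} pid {pid}: {dict(counter)}")
```

Matching on the hive-relative subkey rather than the full path is deliberate: the `S-1-5-21-...` SID in the report is specific to the sandbox VM's user, so a rule that embeds it would never fire on a real host. Keeping the SID in the `hive` field still lets an analyst see which profile was read.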