Overview

overview

10

Static

static

e7c97423a3...f4.exe

windows7_x64

10

e7c97423a3...f4.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    43s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 19:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe

  • Size

    1.0MB

  • MD5

    90b551346b0b7a6a24960e7254c7d8c3

  • SHA1

    615383e32cdea90c89fc858f023c1b21078fe504

  • SHA256

    e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4

  • SHA512

    6ff55086a1fb9f5734d3831f50490edefea45827c3bcb7cae8b1d7761c7e3a1d4c81add1ab897c6e425cc667e14028a079b2246b4adc57da44a3478423dfaf80

Score
10/10
ponycollectiondiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://minhaslaw.co.uk/new/ladi/gate.php

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Drops startup file 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe
    "C:\Users\Admin\AppData\Local\Temp\e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe
      "C:\Users\Admin\AppData\Local\Temp\e7c97423a3df41c9ca79bf2800c1c68c6e9efa0da200f609abbeb045520a08f4.exe"
      2⤵
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_win_path
      PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1096-56-0x0000000000270000-0x0000000000277000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1096-57-0x0000000075B71000-0x0000000075B73000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1252-59-0x0000000000410CF2-mapping.dmp
    Download
  • memory/1252-58-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1252-61-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1252-63-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download