Overview

overview

10

Static

static

119a655f81...5d.exe

windows7_x64

10

119a655f81...5d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    101s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    04-06-2022 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    119a655f8180863569b3104863d1373102a06f936ebd9a69297c6fc3dabab55d.exe

  • Size

    93KB

  • MD5

    9d84403a1d3483348e691803d1f35fda

  • SHA1

    eeaec022550b0e7603af26e0fa02492cd4b48c45

  • SHA256

    119a655f8180863569b3104863d1373102a06f936ebd9a69297c6fc3dabab55d

  • SHA512

    157c89abdbc803c923c0c7e6669a6585f73004f011394078d530a35beeaa3664e89334db170d5be2efed2fec09afdc0e8689e590f8c29b9421491c5060bfc795

Score
10/10
ponydiscoveryratspywarestealersuricata

Malware Config

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    suricata
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    suricata
  • suricata: ET MALWARE Win32.Fareit.A/Pony Downloader Checkin

    suricata: ET MALWARE Win32.Fareit.A/Pony Downloader Checkin

    suricata
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\119a655f8180863569b3104863d1373102a06f936ebd9a69297c6fc3dabab55d.exe
    "C:\Users\Admin\AppData\Local\Temp\119a655f8180863569b3104863d1373102a06f936ebd9a69297c6fc3dabab55d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3848
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytk.bat" "C:\Users\Admin\AppData\Local\Temp\119a655f8180863569b3104863d1373102a06f936ebd9a69297c6fc3dabab55d.exe" "
      2⤵
        PID:4108

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ytk.bat
      Filesize

      71B

      MD5

      e6b031b9b7d40fa332ebc6f38b2f9f64

      SHA1

      d6dbffcfcc6a26188fd8d2e5b6257af4821fb48f

      SHA256

      66a04ff993916bce61351e4c3b94ea079c806efb1723c7cd79bd32aaf6847e0b

      SHA512

      7d17655334fcda4c3326110d340fd91cd23ee284dec99c3a8bbc8408342fda5f51e27aaba75fba4cccd513c342c22f07ad2cf6e2326ba575e3cc0eba4ea91948

      Download Submit

    • memory/3848-130-0x0000000002250000-0x000000000226A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3848-131-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3848-132-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download