Overview

overview

10

Static

static

c5a48a8322...10.exe

windows7-x64

10

c5a48a8322...10.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910

  • Size

    235KB

  • Sample

    221001-16j3gababn

  • MD5

    782bf83934e23b701fe82e2758bd3270

  • SHA1

    a12f64aef769958101bda0370a8fb7065ee46a06

  • SHA256

    c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910

  • SHA512

    3524622fe8e7ee606d7638efdfc6b8d9ffce3c56d16fafb84586fe710a52f2ed99b06d8e360d1bd1222489a18e991f0528fb5e6409a1bb5c9d279f15604d76d0

  • SSDEEP

    3072:CeNVOhiPoML3O07vuzaeVYPQaXhQB07Uxri+4/7u5BChYiABdVLZrWMXDDu5ofKj:nOhWLluOeweBxW+4/7uyhYpXp3hK

Score
10/10
ponycollectiondiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://www.retetethermomix.ro/wp-includes/fonts/fonts.php

http://www.sumterswebdesign.com/wp-content/themes/throttle.php

http://www.schenkdirgesundheit.com/wp-content/plugins/plugins.php

http://youngswanky.com/wp-includes/pomo/com_jumi.php

http://www.savingmummy.com.au/wp-content/upgrade/upgrade.php

http://alejandropawliszyn.com//apweb/wp-adminshortcut.php

http://ankaraotodoseme.org/wp-includes/fonts/fonts.php

http://arabicgermany.com/wp-includes/certificates/88nicholasroberts.php

http://artemis.isolutiontank.com/wp-includes/pomo/i.php

http://beatcancerinms.com//yahoo_site_admin/credentialspierwsza-pomoc.php

http://canyonsdelmaresme.cat/wp-content/languages/languages.php

http://campoflor.com/wp-includes/pomo/Circolari.php

http://cekharga.ariefew.com/wp-includes/certificates/boredbreak.php

http://cekharga.ariefew.com/wp-admin/js/arealsoft2.0.php

http://castleconifer.com/wp-admin/includes/payment.php

http://christcommunitycogic.org/pwksfmaw/klsjdvbss/th-TH.php

http://cinema175.com/ecupidthemovie/contact/contact.php

Targets

    • Target

      c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910

    • Size

      235KB

    • MD5

      782bf83934e23b701fe82e2758bd3270

    • SHA1

      a12f64aef769958101bda0370a8fb7065ee46a06

    • SHA256

      c5a48a8322d05e088c6f64872d87a02108e739497dd70176ab2fc4e894842910

    • SHA512

      3524622fe8e7ee606d7638efdfc6b8d9ffce3c56d16fafb84586fe710a52f2ed99b06d8e360d1bd1222489a18e991f0528fb5e6409a1bb5c9d279f15604d76d0

    • SSDEEP

      3072:CeNVOhiPoML3O07vuzaeVYPQaXhQB07Uxri+4/7u5BChYiABdVLZrWMXDDu5ofKj:nOhWLluOeweBxW+4/7uyhYpXp3hK

    Score
    10/10
    ponycollectiondiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks