General

  • Target

    accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad

  • Size

    98KB

  • Sample

    221003-a6ws6abagn

  • MD5

    6e45317a01df8ec402c4f7d7567d0882

  • SHA1

    2a0128427684e525847c9a34722811382cddbb21

  • SHA256

    accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad

  • SHA512

    8e3eaa4b3645263a8610dec8e410f20cdcb01401f7b421976329237c117e6c9154bd85ac2cb8a2f02b4c6e8ac547215aa999c275617e190b410c289964aae821

  • SSDEEP

    1536:U8DteyFl41q1dlor984L5028c/GYJ+n6pQjqMgliW92d9veKxjUWoy3JBX7:xDUyF5lor984Lv/XmdgoWsvX13L

Malware Config

Extracted

Family

pony

C2

http://laketys.pw:719/way/open.php

http://voleddak.pw:719/way/open.php

http://vopedala.pw:719/way/upd

Targets

    • Target

      accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad

    • Size

      98KB

    • MD5

      6e45317a01df8ec402c4f7d7567d0882

    • SHA1

      2a0128427684e525847c9a34722811382cddbb21

    • SHA256

      accc8baa3c71a966f8b597ab43b7968ca8ed85976d963fe6f4cb9bff4e583bad

    • SHA512

      8e3eaa4b3645263a8610dec8e410f20cdcb01401f7b421976329237c117e6c9154bd85ac2cb8a2f02b4c6e8ac547215aa999c275617e190b410c289964aae821

    • SSDEEP

      1536:U8DteyFl41q1dlor984L5028c/GYJ+n6pQjqMgliW92d9veKxjUWoy3JBX7:xDUyF5lor984Lv/XmdgoWsvX13L

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Drops file in Drivers directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Hidden Files and Directories: T1158 (1)

Defense Evasion

  • Hidden Files and Directories: T1158 (1)

Credential Access

  • Credentials in Files: T1081 (2)

Discovery

  • Query Registry: T1012 (2)

  • System Information Discovery: T1082 (2)

  • Remote System Discovery: T1018 (1)

Collection

  • Data from Local System: T1005 (2)

  • Email Collection: T1114 (2)

Tasks