Overview

overview

10

Static

static

96fe74112c...49.exe

windows7-x64

10

96fe74112c...49.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    96fe74112cdd458553cbda099294bc76408005bc1e8442f875580413c9057649

  • Size

    101KB

  • Sample

    221003-cnv51sbhb9

  • MD5

    7b9448a86723aa3c3b23570ae51db699

  • SHA1

    cde86b5b31433a3ad647ef1e95766ff785573227

  • SHA256

    96fe74112cdd458553cbda099294bc76408005bc1e8442f875580413c9057649

  • SHA512

    b3b4ba144c714f39cc0fdf02a741b3bf7e3ed79f7c7ae3fbf91c7270183efb241d8559fc75ffd9aa9a1b2e66435fc45f0611173e508893598d08487989609ea9

  • SSDEEP

    1536:1WNY3a7DkmbPz32kQeVuL2mSqx3Ho7Nzr/QUuhRhfHdIEF31f:YN0r0z3PQ0qHo7dQnRhfn

Score
10/10
ponycollectiondiscoveryratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://ebecbaltic.org/wp-content/languages/gate.php

http://comedyzone.in/templates/mail/gate.php

http://hokulele.us/gallery/images/gate.php

http://crcm.ca/wp-content/gallery/accueil-pro/gate.php

http://champigny2.ca/includes/domit/gate.php

http://astrosophia.ca/language/en-GB/gate.php

http://niinadilorenzodesigns.ca/wp-includes/js/gate.php
Attributes
  • payload_url

    http://hokulele.us/gallery/images/svchost.exe

    http://crcm.ca/wp-content/gallery/accueil-pro/svchost.exe

    http://champigny2.ca/includes/domit/svchost.exe

    http://astrosophia.ca/language/en-GB/svchost.exe

    http://niinadilorenzodesigns.ca/wp-includes/js/svchost.exe

    http://menupro.com.au/images/products/geo/svchost.exe

    http://amcrs.jp/svchost.exe

    http://bpcn.jp/svchost.exe

Targets

    • Target

      96fe74112cdd458553cbda099294bc76408005bc1e8442f875580413c9057649

    • Size

      101KB

    • MD5

      7b9448a86723aa3c3b23570ae51db699

    • SHA1

      cde86b5b31433a3ad647ef1e95766ff785573227

    • SHA256

      96fe74112cdd458553cbda099294bc76408005bc1e8442f875580413c9057649

    • SHA512

      b3b4ba144c714f39cc0fdf02a741b3bf7e3ed79f7c7ae3fbf91c7270183efb241d8559fc75ffd9aa9a1b2e66435fc45f0611173e508893598d08487989609ea9

    • SSDEEP

      1536:1WNY3a7DkmbPz32kQeVuL2mSqx3Ho7Nzr/QUuhRhfHdIEF31f:YN0r0z3PQ0qHo7dQnRhfn

    Score
    10/10
    ponycollectiondiscoveryratspywarestealerupx

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks