Overview

overview

10

Static

static

521c1b5c39...7b.exe

windows7-x64

10

521c1b5c39...7b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    521c1b5c39bb8860f2b65a432774afa5f28b25a58346f9a7a78689c1394b3a7b

  • Size

    164KB

  • Sample

    221003-cxe56acca8

  • MD5

    0ef6ea056a8a3dbba9114e622a05a7eb

  • SHA1

    e30e6f1502d82eae64b0e3080221759fed74707b

  • SHA256

    521c1b5c39bb8860f2b65a432774afa5f28b25a58346f9a7a78689c1394b3a7b

  • SHA512

    e0699bde9c5f9fb9c6be3e56e5a1c4ea70f1271f1bd93bc46b3032f0619091e1aa120e5b3112be29c42fb832b92546bb9126fbd8f7baa07cf8e3385da492837d

  • SSDEEP

    3072:uki8B7MWh6SNSpHswjSQ5X+YOroJW/4jZ4VEMGgj0R:m8B7uDM6SQikW/Ojgw

Score
10/10
ponycollectionratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://www.youngworldplc.com/img/gate.php

Attributes
  • payload_url

    http://www.youngworldplc.com/img/file.exe

Targets

    • Target

      521c1b5c39bb8860f2b65a432774afa5f28b25a58346f9a7a78689c1394b3a7b

    • Size

      164KB

    • MD5

      0ef6ea056a8a3dbba9114e622a05a7eb

    • SHA1

      e30e6f1502d82eae64b0e3080221759fed74707b

    • SHA256

      521c1b5c39bb8860f2b65a432774afa5f28b25a58346f9a7a78689c1394b3a7b

    • SHA512

      e0699bde9c5f9fb9c6be3e56e5a1c4ea70f1271f1bd93bc46b3032f0619091e1aa120e5b3112be29c42fb832b92546bb9126fbd8f7baa07cf8e3385da492837d

    • SSDEEP

      3072:uki8B7MWh6SNSpHswjSQ5X+YOroJW/4jZ4VEMGgj0R:m8B7uDM6SQikW/Ojgw

    Score
    10/10
    ponycollectionratspywarestealerupx

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Email Collection

2
T1114

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks