Overview

overview

10

Static

static

ec82fb31b8...11.exe

windows7-x64

10

ec82fb31b8...11.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    102s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2022, 13:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec82fb31b8872c55a0ee6dca3c897cda6151793609d80a61f3129d70a2d59d11.exe

  • Size

    122KB

  • MD5

    646bf00bee15a54e780b8513fe8cabc0

  • SHA1

    0a82a43ba5ebf9c44068616d0ffc3212a14d05a2

  • SHA256

    ec82fb31b8872c55a0ee6dca3c897cda6151793609d80a61f3129d70a2d59d11

  • SHA512

    fb266f5ec9bba0dd67ca226d25bda09ef0bcac4a703c11f56676363080cb7b0c02819c2d307ef0c2d8c23a6c663e494164ebac094d5c04dc46a101d9ade09aac

  • SSDEEP

    3072:6Ipj3bcgZz+0Qut+Lou7uLkjkb+c8DJDPZBcI8Q6MxMFt1:tjYbcuuLKBZiI8Q1xML1

Score
10/10
ponycollectiondiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://talentos.clicken1.com:81/ponyz/gate.php

http://panama.clicken1.com:81/ponyz/gate.php

http://monteazul.clicken1.com:81/ponyz/gate.php

http://199.168.184.198:81/ponyz/gate.php
Attributes
  • payload_url

    http://1494ccc706155932.lolipop.jp/fA1nv43e.exe

    http://dreamworldhospitality.com/eVTUs0.exe

    http://preventchildabuse.childrensociety.org.sg/yA9ipF.exe

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec82fb31b8872c55a0ee6dca3c897cda6151793609d80a61f3129d70a2d59d11.exe
    "C:\Users\Admin\AppData\Local\Temp\ec82fb31b8872c55a0ee6dca3c897cda6151793609d80a61f3129d70a2d59d11.exe"
    1⤵
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious use of AdjustPrivilegeToken
    • outlook_win_path
    PID:1660

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1660-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1660-56-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1660-55-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download