General
-
Target
551d998878f975d5076d699415c567422671a4183540a5efe1c6d0226fc59320
-
Size
956KB
-
Sample
221106-ktap9scfc7
-
MD5
23917db901c6f4fe26b881f826c795ae
-
SHA1
77685090030ccf8f6b1a507efa4b44b9a96aee41
-
SHA256
551d998878f975d5076d699415c567422671a4183540a5efe1c6d0226fc59320
-
SHA512
66d13cbf5f051c824323d03471fe1d965b844d549cf836782af71587016ea2133e3a6bc083eb77b81b9ada5eb7ef19aa6392b7444b7eb15a84124b03c4c28523
-
SSDEEP
24576:ZZN1jV7yjsjHkEPnJG09PwuecT8atiCtiXl1ryyW:Z3JV70sbm09PwyiaiXex
Malware Config
Targets
-
-
Target
551d998878f975d5076d699415c567422671a4183540a5efe1c6d0226fc59320
-
Size
956KB
-
MD5
23917db901c6f4fe26b881f826c795ae
-
SHA1
77685090030ccf8f6b1a507efa4b44b9a96aee41
-
SHA256
551d998878f975d5076d699415c567422671a4183540a5efe1c6d0226fc59320
-
SHA512
66d13cbf5f051c824323d03471fe1d965b844d549cf836782af71587016ea2133e3a6bc083eb77b81b9ada5eb7ef19aa6392b7444b7eb15a84124b03c4c28523
-
SSDEEP
24576:ZZN1jV7yjsjHkEPnJG09PwuecT8atiCtiXl1ryyW:Z3JV70sbm09PwyiaiXex
Score10/10-
Modifies security service
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-