Analysis Overview
SHA256
fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb
Threat Level: Known bad
The file fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb was found to be: Known bad.
Malicious Activity Summary
Pony,Fareit
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks installed software on the system
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-20 05:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-20 05:43
Reported
2022-11-20 05:46
Platform
win7-20221111-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Pony,Fareit
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks installed software on the system
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb.exe
"C:\Users\Admin\AppData\Local\Temp\fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 91.121.84.204:8080 | | tcp |
| N/A | 91.121.84.204:8080 | | tcp |
| N/A | 91.121.84.204:8080 | | tcp |
| N/A | 91.121.84.204:8080 | | tcp |
| N/A | 91.121.84.204:8080 | | tcp |
| N/A | 91.121.84.204:8080 | | tcp |
Files
memory/1284-54-0x0000000075F01000-0x0000000075F03000-memory.dmp
memory/1284-55-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1284-56-0x00000000003E0000-0x00000000003F7000-memory.dmp
memory/1284-57-0x00000000005B0000-0x00000000005CE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-20 05:43
Reported
2022-11-20 05:47
Platform
win10v2004-20221111-en
Max time kernel
193s
Max time network
203s
Command Line
Signatures
Pony,Fareit
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks installed software on the system
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb.exe
"C:\Users\Admin\AppData\Local\Temp\fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 20.189.173.12:443 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 91.121.84.204:8080 | | tcp |
| N/A | 91.121.84.204:8080 | | tcp |
| N/A | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| N/A | 91.121.84.204:8080 | | tcp |
| N/A | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| N/A | 91.121.84.204:8080 | | tcp |
| N/A | 91.121.84.204:8080 | | tcp |
| N/A | 91.121.84.204:8080 | | tcp |
Files
memory/3544-133-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3544-134-0x0000000002040000-0x0000000002057000-memory.dmp
memory/3544-135-0x0000000002060000-0x000000000207E000-memory.dmp
memory/3544-136-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3544-137-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3544-138-0x0000000000400000-0x000000000041E000-memory.dmp