Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    20/11/2022, 07:03

General

  • Target

    f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec.exe

  • Size

    114KB

  • MD5

    5ffcfd97b9ec7376434768edb2914a69

  • SHA1

    47aa9e31ee3d94aff9416fedadd39c895fd61ffa

  • SHA256

    f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec

  • SHA512

    b6915fdac708f4dd69e437b174afb0d78008c71f01abb2f51647fb813572f7a504425a930e3a72bcb2dd6066b7480f6fefeb553158124332e00f526229859fb7

  • SSDEEP

    3072:oLg0wcuDOLBfD9T5O2c0PWVz+y/Z4F+X:IuDCZI2cAWDZ4o

Malware Config

Extracted

Family

pony

C2

http://checkpointluggage.com/ponyb/gate.php

http://clotheswalla.com/ponyb/gate.php

http://consumerluggage.com/ponyb/gate.php

http://coolstowage.com/ponyb/gate.php

Attributes
  • payload_url

    http://ebaa.daa.jp/A8HFWqy.exe

    http://www.ekko-snakker.de/n9m.exe

    http://fanpageserver.info/PhFJ.exe

    http://hakata-ekimae.biz/YyJYqg.exe

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec.exe
    "C:\Users\Admin\AppData\Local\Temp\f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec.exe"
    1⤵
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious use of AdjustPrivilegeToken
    • outlook_win_path
    PID:2032

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

          Filesize

          8KB

        • memory/2032-56-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

        • memory/2032-55-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB