General

  • Target

    866d920b3267ebb22bcc149e05c00c67e69a2ccb38322a2cda6f5cf1e558ac69

  • Size

    479KB

  • Sample

    221122-w5hqssch46

  • MD5

    2836a201c24981c9de8bc9d67d6d1f61

  • SHA1

    84f1c4e316268a13b1afe7fa57b36dde30693a97

  • SHA256

    866d920b3267ebb22bcc149e05c00c67e69a2ccb38322a2cda6f5cf1e558ac69

  • SHA512

    4ca2263aff3e8caf34f3535c69842acc37067b61404f847c368b0ebd2c3290cd6c95f4b0c32860eb5f04a287b5c8ef5127a4097e7b8fc7317abd11487dcf6101

  • SSDEEP

    12288:T+zpYmo4xGcwEwcBX9TV021wRjB1whm8U:T+zpy+GcBwUX9TwrSm8U

Malware Config

Extracted

Family

pony

C2

http://eileen.3eeweb.com/1/1/gate.php

Targets

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks