Overview

overview

10

Static

static

e0dbbce3b9...a5.exe

windows7-x64

10

e0dbbce3b9...a5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e0dbbce3b993e5d2ba90ab13bbe2607e531a424bebba9b6cadcd840efb9c62a5

  • Size

    194KB

  • Sample

    221124-wmmxssag86

  • MD5

    3488f48b13ce7dfb429dc985783ec432

  • SHA1

    a9d2426102ab7264cdf22e0a22b453e979196919

  • SHA256

    e0dbbce3b993e5d2ba90ab13bbe2607e531a424bebba9b6cadcd840efb9c62a5

  • SHA512

    a58aa9be539c16e64dbd26db4fddc8f2411707a4c19ebc3c1e11619ff52e9310d3bea5cf01e0377e1c9ea3de2062f6b5612e8b61781ecc586c6dd7808dc9f41b

  • SSDEEP

    3072:uAFrJ+2f9rAQj16WKkDxyndO62xLtc7AfOGC1K5RB2tHsT:uYd+AAQj0WKkDknwPLJmGCs5HqsT

Score
10/10
ponycollectiondiscoverypersistenceratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://saraconnor4you.com/gate.php

Attributes
  • payload_url

    http://www.gt-moebel.de/administrator/templates/system/images/png.exe

    http://fenster-metallbau-lahntal.de/um-formmailer/templates/png.exe

Targets

    • Target

      e0dbbce3b993e5d2ba90ab13bbe2607e531a424bebba9b6cadcd840efb9c62a5

    • Size

      194KB

    • MD5

      3488f48b13ce7dfb429dc985783ec432

    • SHA1

      a9d2426102ab7264cdf22e0a22b453e979196919

    • SHA256

      e0dbbce3b993e5d2ba90ab13bbe2607e531a424bebba9b6cadcd840efb9c62a5

    • SHA512

      a58aa9be539c16e64dbd26db4fddc8f2411707a4c19ebc3c1e11619ff52e9310d3bea5cf01e0377e1c9ea3de2062f6b5612e8b61781ecc586c6dd7808dc9f41b

    • SSDEEP

      3072:uAFrJ+2f9rAQj16WKkDxyndO62xLtc7AfOGC1K5RB2tHsT:uYd+AAQj0WKkDknwPLJmGCs5HqsT

    Score
    10/10
    ponycollectiondiscoverypersistenceratspywarestealerupx

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks