General

  • Target

    653af810e58a75f899673f51607fa6e3377a34cf677ab48a13a54762bbd5f8c4

  • Size

    142KB

  • Sample

    221125-awfzysdb6v

  • MD5

    0031adbe0dfd249e6045deb72c4ba61d

  • SHA1

    db951fa45e6334cd2e0b5f10f784c42a4c3e4036

  • SHA256

    653af810e58a75f899673f51607fa6e3377a34cf677ab48a13a54762bbd5f8c4

  • SHA512

    1277b460e1098ed5eb695b160dc30aced52c67dd5c6d292ae3851384d5a7776a8d2e67148c0def5c22b4aa54ee8571c29ce1c3b4df875e4973399a4a4af48701

  • SSDEEP

    3072:pdAy2JBMnKIhSd84iUtlK2fGueaCyZ+uIuXFORdA1Sko0:cy2nMnKIYC4iUS2OueeZ+u51wiSY

Malware Config

  • Extracted

    Family: pony

    C2: http://comixalex.freeiz.com/alx/gate.php

Targets

    • Target

      0.9.4/scripts/client/CameraNode.pyc

    • Size

      1KB

    • MD5

      9abd6201841976af945d1a8b329b40ee

    • SHA1

      90b66fa4226f8656d27c26043d6889a68477edd1

    • SHA256

      9ce052a6de9ad7acc6a5769610fcf168b667773d9298421ea152ad1600157387

    • SHA512

      08b22e1b308637e55ca40347ab3ea188a7094df62756be1e8ce81207c2c4a0fd385addaefa1513e9e2515d74a581563fee58685f2fe21049e811793a9c30f588

    Score
    3/10
    • Target

      0.9.4/scripts/client/mods/Zaraza_LsdMax.pyc

    • Size

      4KB

    • MD5

      07d08375ed5b7c9d8a9de8a48f69c1c5

    • SHA1

      3e1a2b334839b85fd3705d021ca25ae1644dda33

    • SHA256

      92a586628ab952be3c4d72873f2f28c751710cb9513905ec111e55729b5d3baf

    • SHA512

      99822bae6ed98e6f42487a8b3d71512b19d27742da3eb55bfe2a123c6b08b98185102d9c4dc2516322720432111e4f97c7258f3dbee878f3a3c34476c2fd942d

    • SSDEEP

      96:w/OIL4xgXLUayRAiCsYflhpRFku9ukAM4hz7IjjLsgp7bU:oO44xgUTb7iFkSArhOLnVg

    Score
    3/10
    • Target

      0.9.4/scripts/client/mods/__init__.pyc

    • Size

      98B

    • MD5

      f3641bc6bf6b632f3dba37ac0a4c0dca

    • SHA1

      9fa03902e41a4b1ae3365b36a68cc82252a4d2ac

    • SHA256

      71163b357e3ba8a8ca48888bb2b4ad70c475538f8bd7daa121cdcafe754ad15a

    • SHA512

      8fa3fe27fca3e0e10129a4feb08d5d116cd85cf6a4682ff7e74c3c0b2ca3012b6b4d065bb6036f906867f9a53547b8eedf45d8ab7f7ea07f87f7dd7c3ebd7daf

    Score
    3/10
    • Target

      0.9.4/scripts/client/mods/lsdmax/lsdmaxEngine.pyc

    • Size

      20KB

    • MD5

      5e980c6f1e78cee396a3a0536c9000a9

    • SHA1

      548f5943b8b7ea67c4b6563bdc4190e4bdd94557

    • SHA256

      f9d91637ac93c1e10c5b7a7278c6512e51d8876ccf44a9bf603a127d3c089298

    • SHA512

      c5a16dbabb6b78acb92b999b1f1c59bd2d5c82d08849f616bc02dd0bed3846d4ae96c1ae34ce44db74981b72cef7b16a29d3b6a04bc1387c7fe264a83d897e72

    • SSDEEP

      384:TEZk1NvJorGM1YoA2gkwjyXI80lM86NG47S5CSxzdGNEq2I:TO5rG1ouVjyXIZS8mG470xIEPI

    Score
    3/10
    • Target

      0.9.4/scripts/client/mods/lsdmax/mods/lsdmax_Aimbot.pyc

    • Size

      24KB

    • MD5

      6686d052f11dc00412c1fe246eab4f53

    • SHA1

      23930063dfe7778fd5d8e7c3288e546f9d90066d

    • SHA256

      6bf90f98ca272bb1f7b52b7a42a9eea12fd6a1b7e366ee0b0e99d140e41bede5

    • SHA512

      623ad10c1499453d66fb534c07f96149faf245284e62aef052e972d452d28eadb3a2e5bbc86f353eff3890efd6a7aae8f36afdb1433d8aeb07ca42ebdee39cb4

    • SSDEEP

      384:osAubsmF74P4Fk52+utVQeIekK6Ke2kEn8Hj5ZcC9PsPHnaf4nnwqV7Bl1q2D0+W:Z0ak52jSxeL6Ke2kEiPCnafGFl1nD0j

    Score
    3/10
    • Target

      StartVanga.exe

    • Size

      128KB

    • MD5

      bf3bed02c44f045d89f6cf081d621788

    • SHA1

      b787ae94ee14d72feee21638c88cc400a69b9887

    • SHA256

      f79ee7729c1390ad330d23112d7bebafa1241d966d23d1bf935c0967ab94301d

    • SHA512

      adbec4b8addfff66d0d045aace090b4533bfff38ddf8b3883b5acca35763487a000c866dca19b779a639d7b66d347e7ee26ed96f34e8ab26420651e6a84e4812

    • SSDEEP

      1536:mY46WcKMhgGpsQvGM1BkeLUpDl9oisgi1NQ40Qqh2r24YeYVGsmmyxAnLlUz:D4hahgGpsQ/tLUFtsgiUtlK2TezhJ2+

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081): 2

  • Discovery

    System Information Discovery (T1082): 5

    Query Registry (T1012): 1

  • Collection

    Data from Local System (T1005): 2

    Email Collection (T1114): 2

Tasks