Overview

overview

10

Static

static

Dhl-Inform...df.exe

windows7-x64

10

Dhl-Inform...df.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6a321dac6eb773781972ed74aaaa680cfa3f006934098e3b66cd435c64adc266

  • Size

    130KB

  • Sample

    221126-bfe86abc28

  • MD5

    67ca63eaf4a0cd52e0ba98de94b28020

  • SHA1

    f2a361ad1b4c73dd442e16814768fd0dab3cd198

  • SHA256

    6a321dac6eb773781972ed74aaaa680cfa3f006934098e3b66cd435c64adc266

  • SHA512

    7f8336ec3f3d024b38d3b101f3bdc91ee208558489707d37f33373ed888d5cdc8de65905200a322534b413d93f3f5073b46c8c7fa5fd414b94763f24a31f0c79

  • SSDEEP

    3072:Ph2UmLJ0/31Ny/Uud9T7PxMvk4C21sr7S85GKdMkTtFx0iuFRQnj:Ph2lt0/1Nd69evXCei78TViuaj

Score
10/10
ponycollectionratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://185.7.35.9/~peakedca/home/gate.php

Targets

    • Target

      Dhl-Information.pdf.exe

    • Size

      146KB

    • MD5

      0596c354d3bc4a70f76e86ac44e5179e

    • SHA1

      de5db12f41c299116aeaf27d1d6b66c1649d3890

    • SHA256

      b152f74631608d6c84e7b406121c19d0b4e75993e11ee8e2bddbacfa7942f639

    • SHA512

      424ce957cb7631d632ce5f1cb806f9a67a78f8e43f856b321c1f08270148fc92edf921f59fd58e6c3ee999619fef46c2612e8768ace0dbd422abc804fd15626d

    • SSDEEP

      3072:Ws7dFzS0qcFuKAfCw7ntjPGy/gud9T7Pxgvk4C21sr7c85GKdMkvtFx0iuFRQWHK:Ws7dFzS0I9Kej+r69GvXCei7qTTiuaW

    Score
    10/10
    ponycollectionratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks