Overview

overview

10

Static

static

a894c9771d...9f.exe

windows7-x64

10

a894c9771d...9f.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f

  • Size

    624KB

  • Sample

    221126-cqa8maec43

  • MD5

    fff4955ffce3b5e5260408e7fef6872d

  • SHA1

    78b85c6cb35cb007882ecce9602b60cd6c5bae97

  • SHA256

    a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f

  • SHA512

    e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75

  • SSDEEP

    12288:mcER/WFqpOCIYqv2/eso4QDiWVpDiKiS9BYM1efta7iXS6GnEv0CNisXoNBW9x:mcER/WFqpOCIYqv2/eso4QDiW3DiKiSM

Score
10/10
ponycollectiondiscoveryratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://190.14.37.80/akpos/Panel/Panelz/gate.php

Targets

    • Target

      a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f

    • Size

      624KB

    • MD5

      fff4955ffce3b5e5260408e7fef6872d

    • SHA1

      78b85c6cb35cb007882ecce9602b60cd6c5bae97

    • SHA256

      a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f

    • SHA512

      e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75

    • SSDEEP

      12288:mcER/WFqpOCIYqv2/eso4QDiWVpDiKiS9BYM1efta7iXS6GnEv0CNisXoNBW9x:mcER/WFqpOCIYqv2/eso4QDiW3DiKiSM

    Score
    10/10
    ponycollectiondiscoveryratspywarestealerupx

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks