Overview

overview

10

Static

static

d428d885c0...98.exe

windows7-x64

10

d428d885c0...98.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98

  • Size

    124KB

  • Sample

    221126-f6xckshf8w

  • MD5

    c9069b4eaed3b8e321f6b1ff19938e44

  • SHA1

    5564bf3fe5eee93db82852f8a1c04bf8938d6bc6

  • SHA256

    d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98

  • SHA512

    5e933b19c94efb7fc6caf9c46f78f7a332debe1cfb3bc95d2c5bc1a390fcd0f074f95cb2efd38b6d8c6b896346327d32d6a78161510017659571076530999505

  • SSDEEP

    1536:XeqRQxvfZvIQ1/beoDTEeno0x5mgHAiBG3nCiCQVeYuWdvBz2umSohogDrIqsL:XkXF/c0nmggiBGSife1W5l23FfIJL

Score
10/10
ponycollectiondiscoveryratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://194.1.184.65/internet_gas.php

http://194.1.184.77/internet_gas.php

http://94.23.26.38/jvoie898a/vijasopew83279

http://94.23.26.38/jvoie898a/2ay798faovaaeq

http://94.23.26.38/jvoie898a/ivmtuc432iwqer

http://91.220.35.48/fb/internet.php

Targets

    • Target

      d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98

    • Size

      124KB

    • MD5

      c9069b4eaed3b8e321f6b1ff19938e44

    • SHA1

      5564bf3fe5eee93db82852f8a1c04bf8938d6bc6

    • SHA256

      d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98

    • SHA512

      5e933b19c94efb7fc6caf9c46f78f7a332debe1cfb3bc95d2c5bc1a390fcd0f074f95cb2efd38b6d8c6b896346327d32d6a78161510017659571076530999505

    • SSDEEP

      1536:XeqRQxvfZvIQ1/beoDTEeno0x5mgHAiBG3nCiCQVeYuWdvBz2umSohogDrIqsL:XkXF/c0nmggiBGSife1W5l23FfIJL

    Score
    10/10
    ponycollectiondiscoveryratspywarestealerupx

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks