Overview

overview

10

Static

static

42f87570f9...90.exe

windows7-x64

10

42f87570f9...90.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

  • Size

    1.9MB

  • Sample

    221126-kj3y3afa65

  • MD5

    15a9103d4b99fcd908c1048b02aeb8f8

  • SHA1

    f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0

  • SHA256

    42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

  • SHA512

    b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a

  • SSDEEP

    49152:2rzKZmTHjNLbRAGWe4cqPLylFyaJcrRUQ:UKZmTDNLbRAGocqPLylFyaJcrRUQ

Score
10/10
ponycollectiondiscoverypersistenceratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://usgroupe.ma/wp-admin/reet/gate.php

Targets

    • Target

      42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

    • Size

      1.9MB

    • MD5

      15a9103d4b99fcd908c1048b02aeb8f8

    • SHA1

      f7df8f1f0e1c5a2183f4e2d705e25588e63f67e0

    • SHA256

      42f87570f9be56966cef8d3aca72509d14125d3ecb5504b2f7ec7bdf54118a90

    • SHA512

      b50e6237942aee5f40dc27dc69361ad468c689ce48e4703f0386f001da767794c29ba35fadf0bcb899c42778906021bb17b12f93ec218acfff9ee0d3de48c55a

    • SSDEEP

      49152:2rzKZmTHjNLbRAGWe4cqPLylFyaJcrRUQ:UKZmTDNLbRAGocqPLylFyaJcrRUQ

    Score
    10/10
    ponycollectiondiscoverypersistenceratspywarestealerupx

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks