Overview

overview

10

Static

static

21f55203cd...ab.exe

windows7-x64

10

21f55203cd...ab.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab

  • Size

    1.5MB

  • Sample

    221126-kkanxafa68

  • MD5

    40570856df7efebd7ebda05408224e1b

  • SHA1

    47cc7a0b90c6b79c4416476e5b5ced7422ea6247

  • SHA256

    21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab

  • SHA512

    449fcab507e352bcb736bf03292b269afdc3ae3b8382bfbf19d82f7167951e9bf66fdf2997dc7b625d47162a9fff1a4996a4b2dd380a170f06767e61455cc417

  • SSDEEP

    24576:wGd3O+nY5gC8WlgzkjD2oSOH+nqUmM31ShHT4TSEoSo/6Z6fgVXmCwIhr:w2LYghcgIvbZ+pj04OEto/s6fYmGh

Score
10/10
hawkeyeimminentponycollectiondiscoverykeyloggerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

pony

C2

http://newwork.hostoi.com/Panel/gate.php

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    123owerri

Targets

    • Target

      21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab

    • Size

      1.5MB

    • MD5

      40570856df7efebd7ebda05408224e1b

    • SHA1

      47cc7a0b90c6b79c4416476e5b5ced7422ea6247

    • SHA256

      21f55203cdbb98339c575f81328b00bd8397306995a2abd89c8f2c4f195786ab

    • SHA512

      449fcab507e352bcb736bf03292b269afdc3ae3b8382bfbf19d82f7167951e9bf66fdf2997dc7b625d47162a9fff1a4996a4b2dd380a170f06767e61455cc417

    • SSDEEP

      24576:wGd3O+nY5gC8WlgzkjD2oSOH+nqUmM31ShHT4TSEoSo/6Z6fgVXmCwIhr:w2LYghcgIvbZ+pj04OEto/s6fYmGh

    Score
    10/10
    hawkeyeimminentponycollectiondiscoverykeyloggerpersistenceratspywarestealertrojanupx

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Imminent RAT

      Remote-access trojan based on Imminent Monitor remote admin software.

      trojanspywareimminent

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks