Overview

overview

10

Static

static

6965f10e12...8f.exe

windows7-x64

10

6965f10e12...8f.exe

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6965f10e12ad7779847e9aa75faa2f9b967e9ff71709a7c3c0733ef3d299bd8f

  • Size

    305KB

  • Sample

    221126-rw1sssdh6t

  • MD5

    2c62199a2ae1feeaf3a2142f907e48d6

  • SHA1

    fb80ff63ca73ed7cbc88bccbcda782e4e7f7cef1

  • SHA256

    6965f10e12ad7779847e9aa75faa2f9b967e9ff71709a7c3c0733ef3d299bd8f

  • SHA512

    4e34fb4d4495cc3eba646fb10fb49911f1b0b6893de6033e1ae9b7e2ffcfd0b530afaf09228b886d028f753c41418813a23b5250bbf9dfc5e57a2f5a38f7f90e

  • SSDEEP

    6144:Li9xBUhInhV8dI9oibf+beynQpFhfx3+D4I1ncrsUD+cCWyM/TnxeVUv:LmsKnhV8u35yncxuD4I1ncrsUD+cCWXt

Score
10/10
ponysalitybackdoorcollectionevasionpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

pony

C2

http://kalakwaoo.in/moto/Panel/gate.php

Attributes
  • payload_url

    http://www.celitel-rf.ru/moto.exe

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      6965f10e12ad7779847e9aa75faa2f9b967e9ff71709a7c3c0733ef3d299bd8f

    • Size

      305KB

    • MD5

      2c62199a2ae1feeaf3a2142f907e48d6

    • SHA1

      fb80ff63ca73ed7cbc88bccbcda782e4e7f7cef1

    • SHA256

      6965f10e12ad7779847e9aa75faa2f9b967e9ff71709a7c3c0733ef3d299bd8f

    • SHA512

      4e34fb4d4495cc3eba646fb10fb49911f1b0b6893de6033e1ae9b7e2ffcfd0b530afaf09228b886d028f753c41418813a23b5250bbf9dfc5e57a2f5a38f7f90e

    • SSDEEP

      6144:Li9xBUhInhV8dI9oibf+beynQpFhfx3+D4I1ncrsUD+cCWyM/TnxeVUv:LmsKnhV8u35yncxuD4I1ncrsUD+cCWXt

    Score
    10/10
    ponysalitybackdoorcollectionevasionpersistenceratspywarestealertrojanupx

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Deletes itself

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks