General

  • Target

    1c011c2bdd55b37606417469f394c476e9564ae39517a712bdd36bebffffefff

  • Size

    107KB

  • Sample

    221127-jqqfwaba27

  • MD5

    49b40f453419bdac5b94b40588d9956a

  • SHA1

    76cc3c5c549ebbcc99de2127e8f37e53376b3c4b

  • SHA256

    1c011c2bdd55b37606417469f394c476e9564ae39517a712bdd36bebffffefff

  • SHA512

    0e6c3ea8f7e5366a1948318c3d54dfb02ed1ef136e41cbcd8ccb97a463ee2ae07897aff9a28d001c839d97a4a192dafa08b007a1e79282a88b73dbb8e4372297

  • SSDEEP

    3072:JAsj8MBX8s0oXJ245zC6tTp/ibKQzAA0ijJub6Od:JAsBZAcptg/IijJK6c

Malware Config

Extracted

Family

pony

C2

http://gdfsgvcx342234fdsf.com/dffgbDFGvf465/YYf.php

http://gbvfdewquyt432.com/dffgbDFGvf465/YYf.php

http://pooikjlmfsdf.com/dffgbDFGvf465/YYf.php

http://qwesaddgdf456ret34.com/dffgbDFGvf465/YYf.php

http://xcvgfduytasdewr.com/dffgbDFGvf465/YYf.php

http://po34234jjjjj.com/dffgbDFGvf465/YYf.php

http://234rwrtret5345534.com/dffgbDFGvf465/YYf.php
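All seven gateways share the same path, which is the more durable indicator once the throwaway domains rotate. The following is an added example (not part of this report or the sandbox's tooling) that turns the extracted C2 list into host and path indicators and sweeps them over proxy log lines; the log format and the log lines themselves are constructed for the example.

```python
"""Hunt proxy logs for the Pony C2 gateways listed in this report.

The seven URLs are copied from the Malware Config section above; the
log lines below are constructed samples, not traffic from the sandbox run.
"""
from urllib.parse import urlsplit

# C2 gateways extracted from the sample (taken from the report's config).
PONY_C2_URLS = [
    "http://gdfsgvcx342234fdsf.com/dffgbDFGvf465/YYf.php",
    "http://gbvfdewquyt432.com/dffgbDFGvf465/YYf.php",
    "http://pooikjlmfsdf.com/dffgbDFGvf465/YYf.php",
    "http://qwesaddgdf456ret34.com/dffgbDFGvf465/YYf.php",
    "http://xcvgfduytasdewr.com/dffgbDFGvf465/YYf.php",
    "http://po34234jjjjj.com/dffgbDFGvf465/YYf.php",
    "http://234rwrtret5345534.com/dffgbDFGvf465/YYf.php",
]


def c2_indicators(urls):
    """Split gateway URLs into a set of hostnames and a set of paths.

    Pony operators register many disposable domains but tend to reuse the
    gateway path, so matching on the path catches rotated domains too.
    """
    hosts = set()
    paths = set()
    for url in urls:
        parts = urlsplit(url)
        hosts.add(parts.hostname.lower())
        paths.add(parts.path)
    return hosts, paths


# Constructed proxy log lines in an assumed
# "timestamp client method host path status" format.
SAMPLE_LOG = """\
2022-11-27T10:01:02Z 10.0.0.12 POST gdfsgvcx342234fdsf.com /dffgbDFGvf465/YYf.php 200
2022-11-27T10:01:05Z 10.0.0.12 GET www.example.com /index.html 200
2022-11-27T10:02:11Z 10.0.0.31 POST newdomain-not-in-list.com /dffgbDFGvf465/YYf.php 404
2022-11-27T10:03:00Z 10.0.0.44 GET cdn.example.net /dffgbDFGvf465/ 200
"""


def scan_log(log_text, urls=PONY_C2_URLS):
    """Return (timestamp, client, host, reason) for each suspicious line."""
    hosts, paths = c2_indicators(urls)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; skip rather than crash the sweep
        ts, client, _method, host, path, _status = fields[:6]
        host = host.lower()
        if host in hosts:
            hits.append((ts, client, host, "known Pony C2 host"))
        elif path in paths:
            # Same gateway path on a host not in the list: likely a rotated domain.
            hits.append((ts, client, host, "Pony gateway path on unlisted host"))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The path match is deliberately exact: a prefix match on `/dffgbDFGvf465/` alone would also flag the harmless fourth line, so widen it only after checking what else in your environment shares that prefix.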

Targets

    • Pony, Fareit

      Pony (also tracked as Fareit) is a credential-stealing trojan with a downloader component: it harvests saved passwords from browsers, FTP and e-mail clients and cryptocurrency wallets and posts them to one of its configured C2 gateways.

    • UPX packed file

      The executable is packed with UPX or a modified build of the open-source UPX packer; modified headers often defeat `upx -d`, so unpack from a memory dump if the stock tool fails.

    • Checks computer location settings

      Reads the country/locale code configured in the registry, most likely to geofence execution by region.

    • Deletes itself

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers target stored browser profile data such as saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6
