Overview

overview

10

Static

static

115f9bbe6e...04.exe

windows7-x64

10

115f9bbe6e...04.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304

  • Size

    136KB

  • Sample

    221127-ry9tgshh5w

  • MD5

    3276ed4c930c7f3f20e6492199139ea9

  • SHA1

    d0837fc9960823be07f44439aa439018d974454f

  • SHA256

    115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304

  • SHA512

    10018be30db6cacf6584eadcb8d0822a36b70356fc64a52c9243245ae7a15149dd9f7c65aac7c83d22a1102a62f8ae847d051966c31c85c2bf81c4af95109703

  • SSDEEP

    3072:zstGUIKGNj4y6tgdYCVmRL4sjDfdTs3oRlqhdd:zstGyYsyTv8+s/fdTq

Score
10/10
ponycollectiondiscoveryratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://www.bigdaddygroup.in/wp-admin/images/panel/gate.php

Targets

    • Target

      115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304

    • Size

      136KB

    • MD5

      3276ed4c930c7f3f20e6492199139ea9

    • SHA1

      d0837fc9960823be07f44439aa439018d974454f

    • SHA256

      115f9bbe6e9a20136607c220737194e7ded5be49b56a0f279e0082c8977a9304

    • SHA512

      10018be30db6cacf6584eadcb8d0822a36b70356fc64a52c9243245ae7a15149dd9f7c65aac7c83d22a1102a62f8ae847d051966c31c85c2bf81c4af95109703

    • SSDEEP

      3072:zstGUIKGNj4y6tgdYCVmRL4sjDfdTs3oRlqhdd:zstGyYsyTv8+s/fdTq

    Score
    10/10
    ponycollectiondiscoveryratspywarestealerupx

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks