Overview

overview

10

Static

static

2bbb6cf389...e6.exe

windows7-x64

10

2bbb6cf389...e6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2bbb6cf3893979eb0975a77435deae8c284daf889648a3cee78b086535f67ce6

  • Size

    96KB

  • Sample

    221128-g64bkagc7t

  • MD5

    349f4acb47e9ab81a7ebf2bfdd0f4554

  • SHA1

    91c44f795a16d5c736b157e2e1708f4629fa036b

  • SHA256

    2bbb6cf3893979eb0975a77435deae8c284daf889648a3cee78b086535f67ce6

  • SHA512

    ece211dc7adfbabc45637f890ff8b4f68d7dee045c76caf4343332089cdcfd9f8f0d6248ac1b1cc474857058d2c2804d5b7c5b08c3d7d7a9dca37be2361b82bb

  • SSDEEP

    1536:fFkpW/MdanFqrE85DnHY8omqIujEQxlqFoqJf0BqV2vppkbayS87IezU:f2wn4/D4nI4251nV2vhypzU

Score
10/10
ponycollectiondiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://ocvitcamap.com/administrator/lib/cheapoakley.php

http://spark-leds.com/upload/images/images.php

http://sapacmold.com/img/t/t.php

http://www.ubikate.mx/wp-includes/images/images.php

http://www.ebouw.nl/wp-includes/pomo/pomo.php

http://www.getserved.nl/wp-content/themes/themes.php

http://www.multiposting.nl/wp-includes/theme-compat/ips_kernel.php

Targets

    • Target

      2bbb6cf3893979eb0975a77435deae8c284daf889648a3cee78b086535f67ce6

    • Size

      96KB

    • MD5

      349f4acb47e9ab81a7ebf2bfdd0f4554

    • SHA1

      91c44f795a16d5c736b157e2e1708f4629fa036b

    • SHA256

      2bbb6cf3893979eb0975a77435deae8c284daf889648a3cee78b086535f67ce6

    • SHA512

      ece211dc7adfbabc45637f890ff8b4f68d7dee045c76caf4343332089cdcfd9f8f0d6248ac1b1cc474857058d2c2804d5b7c5b08c3d7d7a9dca37be2361b82bb

    • SSDEEP

      1536:fFkpW/MdanFqrE85DnHY8omqIujEQxlqFoqJf0BqV2vppkbayS87IezU:f2wn4/D4nI4251nV2vhypzU

    Score
    10/10
    ponycollectiondiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks