Overview

overview

10

Static

static

8c69803f7d...a2.exe

windows7-x64

10

8c69803f7d...a2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8c69803f7d5df4739b070900820265a0251713c6733c3a7979e33b4d424352a2

  • Size

    83KB

  • Sample

    221128-lcz49sgf9w

  • MD5

    8c19e61ff1711a1d7cd1e7a1588fb620

  • SHA1

    ba69f8469d42aff6f392c9684ced29431b7b5309

  • SHA256

    8c69803f7d5df4739b070900820265a0251713c6733c3a7979e33b4d424352a2

  • SHA512

    ddd4904f5e02b125cf5f4467ad3a7e5a2a4ccb05bef553f891916265320f1dbac0d8df181eb669ea541eb9a3248bcf5a875b3a7ac5a1c2c92cf2f38b59a54196

  • SSDEEP

    1536:kYlivyAUtutS9ffp1TERcQdlJh0Ptfk3b4fOgMNo2BdM:kYlivyASvffpCR/qk3b4Gggo2Bd

Score
10/10
ponycollectiondiscoverypersistenceratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://sellocalidadtdf.com.ar/psd/gate.php

Targets

    • Target

      8c69803f7d5df4739b070900820265a0251713c6733c3a7979e33b4d424352a2

    • Size

      83KB

    • MD5

      8c19e61ff1711a1d7cd1e7a1588fb620

    • SHA1

      ba69f8469d42aff6f392c9684ced29431b7b5309

    • SHA256

      8c69803f7d5df4739b070900820265a0251713c6733c3a7979e33b4d424352a2

    • SHA512

      ddd4904f5e02b125cf5f4467ad3a7e5a2a4ccb05bef553f891916265320f1dbac0d8df181eb669ea541eb9a3248bcf5a875b3a7ac5a1c2c92cf2f38b59a54196

    • SSDEEP

      1536:kYlivyAUtutS9ffp1TERcQdlJh0Ptfk3b4fOgMNo2BdM:kYlivyASvffpCR/qk3b4Gggo2Bd

    Score
    10/10
    ponycollectiondiscoverypersistenceratspywarestealerupx

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks