Overview

overview

10

Static

static

f7ea603361...ec.exe

windows7-x64

10

f7ea603361...ec.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec

  • Size

    251KB

  • Sample

    221128-m2wntadc7s

  • MD5

    002b4e3fc895582b5efed565ca1ffd2f

  • SHA1

    dc4c15eea157364faa550d10696f2e9c7d475ebc

  • SHA256

    f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec

  • SHA512

    30f59b4d31166cd94e7d841f60fb090315aa9926d4bbf57b7f0f2383ef78d3fe6affd6240b6177963a4a124bfc502c16a5d673e79f1b5bc6fabec16eda79c3e5

  • SSDEEP

    3072:WqAHdiwrVn0+uyoWthZWNwhjKf1CIIjlWmyZa1ZOWTFS4xj3u4NGIkdJ4dDmSt0:WtdY9EWNAjHZxZZOWDxje4E0e

Score
10/10
ponycollectiondiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://moskalskiybodun.com/gate.php

http://funnyinvoiceorg.com/gate.php

http://formaterdocstras.com/gate.php
Attributes
  • payload_url

    http://dkpconsulting.com/wp-content/plugins/cached_data/bb.exe

    http://doc.giovanniborsi.it/wp-content/plugins/cached_data/bb.exe

    http://dom660000.ru/wp-content/plugins/cached_data/bb.exe

    http://domdobleska.ru/wp-content/plugins/cached_data/bb.exe

Targets

    • Target

      f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec

    • Size

      251KB

    • MD5

      002b4e3fc895582b5efed565ca1ffd2f

    • SHA1

      dc4c15eea157364faa550d10696f2e9c7d475ebc

    • SHA256

      f7ea603361599bed0b24f771da5b1b01126423d438dab2a1bfc7c7e4f6a1abec

    • SHA512

      30f59b4d31166cd94e7d841f60fb090315aa9926d4bbf57b7f0f2383ef78d3fe6affd6240b6177963a4a124bfc502c16a5d673e79f1b5bc6fabec16eda79c3e5

    • SSDEEP

      3072:WqAHdiwrVn0+uyoWthZWNwhjKf1CIIjlWmyZa1ZOWTFS4xj3u4NGIkdJ4dDmSt0:WtdY9EWNAjHZxZZOWDxje4E0e

    Score
    10/10
    ponycollectiondiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks