Overview

overview

10

Static

static

ea4d6b0692...a3.exe

windows7-x64

10

ea4d6b0692...a3.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3

  • Size

    269KB

  • Sample

    221128-mvlv2acg7s

  • MD5

    ee53bca111c76cfff04f9427b235abf9

  • SHA1

    af4bb468413a569297dcc4aedba6c123b07ce804

  • SHA256

    ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3

  • SHA512

    9f903eb4dcf83321ccd38430da5b8fa59c9b30a69ced72c94aacb2509244f0676d912d7f8325a9414defa05da4aa38d517eeaafe9169e1e6a4cb96f9c7d96fef

  • SSDEEP

    3072:8bmQz/jd0wQ02CfzKvXfB34zQZ7VPmHYfvJ47zxVJCqNC0zRCP:bcVzOBIzyJuHYfvJ4fH3cP

Score
10/10
ponycollectiondiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://fastssamplestrash.com/gate.php

http://funnyinvoiceorg.com/gate.php

http://formaterdocstras.com/gate.php
Attributes
  • payload_url

    http://manusanz.com/wp-content/plugins/cached_data/b1.exe

    http://www.marad.it/wp-content/plugins/cached_data/b1.exe

    http://marciapimentelbuffet.com.br/wp-content/plugins/cached_data/b1.exe

    http://marketplaceaa.com/wp-content/plugins/cached_data/b1.exe

    http://martinapeit.com.ar/wp-content/plugins/cached_data/b1.exe

    http://matchstickstudios.co.uk/wp-content/plugins/cached_data/b1.exe

Targets

    • Target

      ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3

    • Size

      269KB

    • MD5

      ee53bca111c76cfff04f9427b235abf9

    • SHA1

      af4bb468413a569297dcc4aedba6c123b07ce804

    • SHA256

      ea4d6b06920a2b27ec6817065154cc8df386ced2f86cea8e2abc249dc543f9a3

    • SHA512

      9f903eb4dcf83321ccd38430da5b8fa59c9b30a69ced72c94aacb2509244f0676d912d7f8325a9414defa05da4aa38d517eeaafe9169e1e6a4cb96f9c7d96fef

    • SSDEEP

      3072:8bmQz/jd0wQ02CfzKvXfB34zQZ7VPmHYfvJ47zxVJCqNC0zRCP:bcVzOBIzyJuHYfvJ4fH3cP

    Score
    10/10
    ponycollectiondiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks