General
-
Target
a32d22f89504c7f9a3cc2f430224c960a5aa0c753b489cee5fcd8c154fc5ae15
-
Size
1.2MB
-
Sample
221128-mwb28agf22
-
MD5
b0b79d5e2dd2ce09c9f2655bd71d83ad
-
SHA1
2a774db55ec01dc5ce45ef4aec52866e7f343bd2
-
SHA256
a32d22f89504c7f9a3cc2f430224c960a5aa0c753b489cee5fcd8c154fc5ae15
-
SHA512
ce813cbf7c52c283e49c929c43cb4becf6713f8f0bdd3901aa942d64aca5f9229fc59e6065fade5a6be7a7febf4e4d5ab15d7a6a634f254f76788fdf28dcdde2
-
SSDEEP
12288:XER+26GtTK9bc8XgFCO8h4uG0hMcnfxIQZ+4Ka6x5rh3HU0H:w6q+J/XgFCt4uG0eAWQZ+4h+00H
Static task
static1
Behavioral task
behavioral1
Sample
a32d22f89504c7f9a3cc2f430224c960a5aa0c753b489cee5fcd8c154fc5ae15.exe
Resource
win7-20220812-en
Malware Config
Extracted
pony
http://kalunta.esy.es/pony/gate.php
-
payload_url
http://kalunta.esy.es/pony/kalu.exe
Targets
-
-
Target
a32d22f89504c7f9a3cc2f430224c960a5aa0c753b489cee5fcd8c154fc5ae15
-
Size
1.2MB
-
MD5
b0b79d5e2dd2ce09c9f2655bd71d83ad
-
SHA1
2a774db55ec01dc5ce45ef4aec52866e7f343bd2
-
SHA256
a32d22f89504c7f9a3cc2f430224c960a5aa0c753b489cee5fcd8c154fc5ae15
-
SHA512
ce813cbf7c52c283e49c929c43cb4becf6713f8f0bdd3901aa942d64aca5f9229fc59e6065fade5a6be7a7febf4e4d5ab15d7a6a634f254f76788fdf28dcdde2
-
SSDEEP
12288:XER+26GtTK9bc8XgFCO8h4uG0hMcnfxIQZ+4Ka6x5rh3HU0H:w6q+J/XgFCt4uG0eAWQZ+4h+00H
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
-
ISR Stealer payload
-
NetWire RAT payload
-
NirSoft MailPassView
Password recovery tool for various email clients
-
Nirsoft
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-