Overview

overview

10

Static

static

a1f12c346b...de.jar

windows7-x64

10

a1f12c346b...de.jar

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde

  • Size

    147KB

  • Sample

    221128-pcgjpscb79

  • MD5

    84fb7ae55623298b8e648ff5c7dc2115

  • SHA1

    1af05edd024bf064f1d03c640ab6a09b3a3f0d7c

  • SHA256

    a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde

  • SHA512

    401f0e31489404d494a1a7068866a43fd981a5bbc5698c816d970596d05a8c032c773db8103b63178797dab121b166797e8ca2502bdc72c3e7afcc5a74e9d00e

  • SSDEEP

    3072:ASXpIshi44JexXmSKpPULrtYnqAOUkiQKjh4YmTmLbb58Kdz+CmmCrUk:PIEiPhSUPUqqA9jtSCLbqKRrm94k

Score
10/10
ponycollectionpersistenceratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://sweet0rium.com/dd/Panel/gate.php

http://www.sweet0rium.com/dd/Panel/gate.php

Targets

    • Target

      a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde

    • Size

      147KB

    • MD5

      84fb7ae55623298b8e648ff5c7dc2115

    • SHA1

      1af05edd024bf064f1d03c640ab6a09b3a3f0d7c

    • SHA256

      a1f12c346b487f5054ca918323fbada1aad97bd46dedb5ff5ff75d7bb34b0fde

    • SHA512

      401f0e31489404d494a1a7068866a43fd981a5bbc5698c816d970596d05a8c032c773db8103b63178797dab121b166797e8ca2502bdc72c3e7afcc5a74e9d00e

    • SSDEEP

      3072:ASXpIshi44JexXmSKpPULrtYnqAOUkiQKjh4YmTmLbb58Kdz+CmmCrUk:PIEiPhSUPUqqA9jtSCLbqKRrm94k

    Score
    10/10
    ponycollectionpersistenceratspywarestealerupx

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks