cobaltstrike | e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75

Analysis

max time kernel
256s
max time network
372s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 02:47

Target

e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe
Size

146KB
MD5

99f5b94c1d1d31a82134b49237e5a92c
SHA1

9bdfc09ce414e8c266424621b3e9c264addecdab
SHA256

e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75
SHA512

138fe77c17f25249c2a326c99f5756ade3218466ebe30cca0df496e4b51b8f5dd60a7760e11580aab750ea1e2d358dd0c7d63486ba9b3e1afcd42b509a6255c7
SSDEEP

3072:xDDyMnV59baBA5ZjjYrx0Z01FAbZ3eAIplpaJgnGPeg9guc:ByWABAvjjY9JbAb0naePyguc

Score

10^/10

Family

pony

http://66.55.89.150:8080/forum/viewtopic.php

http://66.55.89.151:8080/forum/viewtopic.php

Attributes

payload_url
http://boletin.puntoimpresion.com/Qnrnh53B.exe
http://www.vivaidiportanova.it/55V7.exe
http://www.urbyagri.es/s56k5.exe
http://etradi.webgenshop.nl/xWP.exe

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe

description	pid	process	target process
PID 2132 wrote to memory of 3672	2132	e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe	e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe
PID 2132 wrote to memory of 3672	2132	e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe	e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe
PID 2132 wrote to memory of 3672	2132	e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe	e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe

C:\Users\Admin\AppData\Local\Temp\e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe
"C:\Users\Admin\AppData\Local\Temp\e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe
"C:\Users\Admin\AppData\Local\Temp\e8c74307732c397fe2ea5c4dd32637a574457e7c79c73a653d3b187f0159cf75.exe"
2⤵
PID:3672

memory/2132-132-0x00000000004E0000-0x0000000000510000-memory.dmp

Filesize
192KB

Download
memory/2132-133-0x00000000004E0000-0x0000000000510000-memory.dmp

Filesize
192KB

Download
memory/2132-135-0x00000000004E0000-0x0000000000510000-memory.dmp

Filesize
192KB

Download
memory/3672-134-0x0000000000000000-mapping.dmp

Download