General
-
Target
b9816e5fc0f9c5b014545e2c2e5acaa39b1d1097c05336f87d251abf0e212eaf
-
Size
143KB
-
Sample
221203-epvxrada67
-
MD5
5134ac2a3c49756e99fb381919dbe191
-
SHA1
279ccf520fb1384b45c10c72f2b4f6b039f860aa
-
SHA256
b9816e5fc0f9c5b014545e2c2e5acaa39b1d1097c05336f87d251abf0e212eaf
-
SHA512
35cc5313b1daf427ef14b6c99acf146f1a4d0f483a64400251f60d2ca5fbd97efdc9537ef3f99251737b154436d98b3171ce4e5cb6f378df4da43cbf4d5cc40e
-
SSDEEP
3072:XjlKZelTDRbaBA5ZjjYrx0Z01FAbZ3eAIplpaJgnGPeg9:Jwel8BAvjjY9JbAb0naePy
Malware Config
Extracted
pony
http://66.55.89.150:8080/forum/viewtopic.php
http://66.55.89.151:8080/forum/viewtopic.php
-
payload_url
http://boletin.puntoimpresion.com/Qnrnh53B.exe
http://www.vivaidiportanova.it/55V7.exe
http://www.urbyagri.es/s56k5.exe
http://etradi.webgenshop.nl/xWP.exe
Targets
-
-
Target
b9816e5fc0f9c5b014545e2c2e5acaa39b1d1097c05336f87d251abf0e212eaf
-
Size
143KB
-
MD5
5134ac2a3c49756e99fb381919dbe191
-
SHA1
279ccf520fb1384b45c10c72f2b4f6b039f860aa
-
SHA256
b9816e5fc0f9c5b014545e2c2e5acaa39b1d1097c05336f87d251abf0e212eaf
-
SHA512
35cc5313b1daf427ef14b6c99acf146f1a4d0f483a64400251f60d2ca5fbd97efdc9537ef3f99251737b154436d98b3171ce4e5cb6f378df4da43cbf4d5cc40e
-
SSDEEP
3072:XjlKZelTDRbaBA5ZjjYrx0Z01FAbZ3eAIplpaJgnGPeg9:Jwel8BAvjjY9JbAb0naePy
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-