General
-
Target
794ff495e4754c70b71182011fefffc67c8bc25694f46d3912444127d1870155
-
Size
143KB
-
Sample
221203-epxrcagd41
-
MD5
e5394b52e97873cac4c9df8cc543ef57
-
SHA1
424dc323639f1fd6ba798f6f16dbe46261b9c041
-
SHA256
794ff495e4754c70b71182011fefffc67c8bc25694f46d3912444127d1870155
-
SHA512
ef4c77ca4f7235d0e28d9fbe8b5101f89ff76fef7b11e757ebc46ec45e25f3e7c0991b92be528b6ac592f8a583e4652549c8c9c44089a8fbc795478943777020
-
SSDEEP
3072:XjlKZelTDxfra36ZbYNgLV3XJBbKuMHiJOpaJtK0rvox2qUQ:Jwelxa3UbYuFPbUPatrE
Malware Config
Extracted
pony
http://66.55.89.150:8080/forum/viewtopic.php
http://66.55.89.151:8080/forum/viewtopic.php
-
payload_url
http://www.impresabonincontro.it/5vEv8Q.exe
http://ftp.groar.com.br/KUTS0Kc.exe
http://www.astrologiamilano.it/R8sY.exe
Targets
-
-
Target
794ff495e4754c70b71182011fefffc67c8bc25694f46d3912444127d1870155
-
Size
143KB
-
MD5
e5394b52e97873cac4c9df8cc543ef57
-
SHA1
424dc323639f1fd6ba798f6f16dbe46261b9c041
-
SHA256
794ff495e4754c70b71182011fefffc67c8bc25694f46d3912444127d1870155
-
SHA512
ef4c77ca4f7235d0e28d9fbe8b5101f89ff76fef7b11e757ebc46ec45e25f3e7c0991b92be528b6ac592f8a583e4652549c8c9c44089a8fbc795478943777020
-
SSDEEP
3072:XjlKZelTDxfra36ZbYNgLV3XJBbKuMHiJOpaJtK0rvox2qUQ:Jwelxa3UbYuFPbUPatrE
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-