Overview

overview

10

Static

static

c4638f5a0e...a5.exe

windows7-x64

10

c4638f5a0e...a5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    218s
  • max time network
    302s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c4638f5a0ebc021bd45d2b102db634605d0ef9781f4fa5de66ab5b599a9357a5.exe

  • Size

    125KB

  • MD5

    ba55da4d42d38a8b7b3057b700174f1b

  • SHA1

    364fbdaeb18e50e20bf2dd0f57f8e55103318151

  • SHA256

    c4638f5a0ebc021bd45d2b102db634605d0ef9781f4fa5de66ab5b599a9357a5

  • SHA512

    db1566e0c01ccf1c2eff9a179b28b84c23d6061fa12c3ee952ddfacacfcd589437573a2df1cfd30345786a1fd00e7a2d7cfaed7e608e8c033feab4aa7a3d773c

  • SSDEEP

    1536:mTEUFCorvLpdNGrh6xeiekYI2Q7QwXBNI94LM14xqJxx/BppmwU3w:mT9d4VZifYIRzBNI94LZxo/BppmwU3

Score
10/10
ponycollectiondiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://175.118.124.53:8080/ponyb/gate.php

http://midwdermatology.com:8080/ponyb/gate.php

http://www.bobadamsinc.com:8080/ponyb/gate.php

http://www.richadamsinc.com:8080/ponyb/gate.php
Attributes
  • payload_url

    http://1729046.sites.myregisteredsite.com/j6H3dZc.exe

    http://kuramochikaikei.net/GPM28H.exe

    http://rapidrebar.com/ATLrRYRx.exe

Signatures

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4638f5a0ebc021bd45d2b102db634605d0ef9781f4fa5de66ab5b599a9357a5.exe
    "C:\Users\Admin\AppData\Local\Temp\c4638f5a0ebc021bd45d2b102db634605d0ef9781f4fa5de66ab5b599a9357a5.exe"
    1⤵
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious use of AdjustPrivilegeToken
    • outlook_win_path
    PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1224-55-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1224-54-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1224-56-0x00000000759F1000-0x00000000759F3000-memory.dmp
    Filesize

    8KB

    Download