Analysis

  • max time kernel
    191s
  • max time network
    224s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03-12-2022 06:06

General

  • Target

    be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe

  • Size

    113KB

  • MD5

    2ac2446db59c30a05b32f0677e487ab0

  • SHA1

    5d34a14c6b72fa7c580311b13a9dc5f5f595ee47

  • SHA256

    be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3

  • SHA512

    4f6e57e0f9a22362b965d9311bfb9cac89eade6cfb2ef02a5cced42c0edabcf69f4d8c541a63e305f1c96937991228f0fbe8f2d216910b2357ec2bf8acc34b49

  • SSDEEP

    3072:BbWxwy3FDk3F3g4MOaQFRVfx8p/TmeOjyL:y1Ig4MOR9S/DOjy

Malware Config

Extracted

  • Family

    pony

  • C2

    http://journeyacrossthesky.org/forum/viewtopic.php
    http://luckyemily.com/forum/viewtopic.php
    http://oshaughnessyfam.com/forum/viewtopic.php
    http://actorbell.com/forum/viewtopic.php

  • Attributes

    payload_url

    http://imagesuperspot.com/6ptP.exe
    http://1954f7e942e67bc1.lolipop.jp/d2z.exe
    http://ropapublicitaria.es/5VWumA1.exe
    http://colombiantravelservices.com/ucUMruv.exe

Signatures

  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Accesses Microsoft Outlook accounts 1 TTP 1 IoC
  • Accesses Microsoft Outlook profiles 1 TTP 1 IoC
  • Checks installed software on the system 1 TTP

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • outlook_win_path 1 IoC

Processes

  • C:\Users\Admin\AppData\Local\Temp\be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\be347717ae013115cdc31c2418580a5c614e96ac490cd120e580f44daf1c00e3.exe"
    PID: 3196
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Suspicious use of AdjustPrivilegeToken
    • outlook_win_path

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (T1081): 2

  • Discovery
    Query Registry (T1012): 1

  • Collection
    Data from Local System (T1005): 2
    Email Collection (T1114): 2


Downloads

  • memory/3196-132-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB

  • memory/3196-133-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize: 124KB