Analysis
-
max time kernel
136s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
03-05-2023 14:46
General
-
Target
25269F8A930097146C10BD17098A465D07FD0A24277B2.exe
-
Size
132KB
-
MD5
10b93eca8e72ae642e47c944e4a8df01
-
SHA1
d7f1f1525a06f39fb167ee489572d0b6a6defd8a
-
SHA256
25269f8a930097146c10bd17098a465d07fd0a24277b2be13ad1bb2359927e5b
-
SHA512
85f2ccb470cd78c04b41dd35c8e8fc99ed6f348baeef6ba35e8d6d80e42656b66b695e8e1e677b09a347d41dc85553214dad55aac1757c63d6621e9c6b782501
-
SSDEEP
3072:DfbmUkNmOJ0H7NAhB8xYOcwEbLneglIsBP:jb/k7NH8WKEXn/lIsJ
Score
10/10
Malware Config
Extracted
Family
pony
C2
http://67.215.225.205:8080/ponyd/gate.php
http://74.91.117.190/ponyd/gate.php
Attributes
-
payload_url
http://res.streetammo.com/SwoBrJYg/oEbZ.exe
http://abo.gnumerica.org/oSZx1Nko/eZPX.exe
Signatures
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\25269F8A930097146C10BD17098A465D07FD0A24277B2.exe"C:\Users\Admin\AppData\Local\Temp\25269F8A930097146C10BD17098A465D07FD0A24277B2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\25269F8A930097146C10BD17098A465D07FD0A24277B2.exe"C:\Users\Admin\AppData\Local\Temp\25269F8A930097146C10BD17098A465D07FD0A24277B2.exe"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4908-133-0x0000000000F80000-0x0000000000FA5000-memory.dmpFilesize
148KB
-
memory/4908-134-0x0000000000F80000-0x0000000000FA5000-memory.dmpFilesize
148KB