Overview

overview

10

Static

static

7

c109062985...52.exe

windows7-x64

10

c109062985...52.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c1090629855ae54545498aaa7738e352.exe

  • Size

    702KB

  • Sample

    230531-284qbsbh8w

  • MD5

    c1090629855ae54545498aaa7738e352

  • SHA1

    b768286921741aa0ce47c6485a922dc76f4d732f

  • SHA256

    71e95791dbf20e5b43bb75b1d40de9fe8cc56db5c08f8933f8bc7033765bcb33

  • SHA512

    39817b1283b86f8435da7c2f633d130ae2046a45c21360bff803f4130a1f035a601f25bd65acedc84aa6b46adf4b0a09713195de648cbcfe79047dd2a86c7f59

  • SSDEEP

    12288:RquErHF6xC9D6DmR1J98w4oknqOKw59XxYRcjnn+ClOq60XDv8OOTHiBHl:Url6kD68JmloO5TYI1lOq6sb8hTHAl

Score
10/10
ponycollectiondiscoveryratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://185.79.156.18/bit/03/gate.php

Targets

    • Target

      c1090629855ae54545498aaa7738e352.exe

    • Size

      702KB

    • MD5

      c1090629855ae54545498aaa7738e352

    • SHA1

      b768286921741aa0ce47c6485a922dc76f4d732f

    • SHA256

      71e95791dbf20e5b43bb75b1d40de9fe8cc56db5c08f8933f8bc7033765bcb33

    • SHA512

      39817b1283b86f8435da7c2f633d130ae2046a45c21360bff803f4130a1f035a601f25bd65acedc84aa6b46adf4b0a09713195de648cbcfe79047dd2a86c7f59

    • SSDEEP

      12288:RquErHF6xC9D6DmR1J98w4oknqOKw59XxYRcjnn+ClOq60XDv8OOTHiBHl:Url6kD68JmloO5TYI1lOq6sb8hTHAl

    Score
    10/10
    ponycollectiondiscoveryratspywarestealerupx

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks