Overview

overview

10

Static

static

7

f0e1f5564e...JC.exe

windows7-x64

10

f0e1f5564e...JC.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f0e1f5564e137ae9948a3d0eba3f1881_JC.exe

  • Size

    698KB

  • Sample

    230917-xbvnyacc6v

  • MD5

    f0e1f5564e137ae9948a3d0eba3f1881

  • SHA1

    dfad3247c1a04b5c7ebc76786e44b52748a4d683

  • SHA256

    7c8f2fbbb8634201f8fe4a7591e6057f741303674a0a18440c0a359709396f5e

  • SHA512

    784c962775da59b9bfebeb591c0b13a067b60588b7b3c38539046cffe83174f102961007937ac0c851e343dd8b6954f69330ec35afb10d89e0d492f4fc5eda99

  • SSDEEP

    12288:UquErHF6xC9D6DmR1J98w4oknqOKwiitHj/6s38WIkyb7DuRLEDu9l:1rl6kD68JmloOZphTyXDIKu9l

Score
10/10
ponycollectiondiscoveryratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://185.79.156.18/40t/4/gate.php

Targets

    • Target

      f0e1f5564e137ae9948a3d0eba3f1881_JC.exe

    • Size

      698KB

    • MD5

      f0e1f5564e137ae9948a3d0eba3f1881

    • SHA1

      dfad3247c1a04b5c7ebc76786e44b52748a4d683

    • SHA256

      7c8f2fbbb8634201f8fe4a7591e6057f741303674a0a18440c0a359709396f5e

    • SHA512

      784c962775da59b9bfebeb591c0b13a067b60588b7b3c38539046cffe83174f102961007937ac0c851e343dd8b6954f69330ec35afb10d89e0d492f4fc5eda99

    • SSDEEP

      12288:UquErHF6xC9D6DmR1J98w4oknqOKwiitHj/6s38WIkyb7DuRLEDu9l:1rl6kD68JmloOZphTyXDIKu9l

    Score
    10/10
    ponycollectiondiscoveryratspywarestealerupx

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks