Overview

overview

10

Static

static

3

d992052bc0...35.exe

windows7-x64

10

d992052bc0...35.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d992052bc0a17cdc11548f5e9a3cac35

  • Size

    148KB

  • Sample

    240320-xpbszsgb62

  • MD5

    d992052bc0a17cdc11548f5e9a3cac35

  • SHA1

    aba1c8dd6b8b779181877e425dc0e1c0521164ad

  • SHA256

    40e16c956395384ab16a69cfb3301b1243e74296ce7fc470452b638237f84c79

  • SHA512

    1edcc4279e7e45730f4e0ec621fd3fc54f124e8d5ece5d7380cb2daf910aa4ce64d29fbb55d191ffb36468a1a1617644f25647f46c866680bb79039913cbb5a4

  • SSDEEP

    3072:TRGhteI4uTJNGeGbsh5a03zwn9XqSnNZ/8mL2FbMM:TRGhyuDGe33zU9XqSNeG2IM

Score
10/10
ponycollectiondiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://199.71.212.114/forum/viewtopic.php

http://198.74.51.164/forum/viewtopic.php
Attributes
  • payload_url

    http://3073.a.hostable.me/Z2U.exe

    http://85.18.21.252/PNV3Hbi.exe

Targets

    • Target

      d992052bc0a17cdc11548f5e9a3cac35

    • Size

      148KB

    • MD5

      d992052bc0a17cdc11548f5e9a3cac35

    • SHA1

      aba1c8dd6b8b779181877e425dc0e1c0521164ad

    • SHA256

      40e16c956395384ab16a69cfb3301b1243e74296ce7fc470452b638237f84c79

    • SHA512

      1edcc4279e7e45730f4e0ec621fd3fc54f124e8d5ece5d7380cb2daf910aa4ce64d29fbb55d191ffb36468a1a1617644f25647f46c866680bb79039913cbb5a4

    • SSDEEP

      3072:TRGhteI4uTJNGeGbsh5a03zwn9XqSnNZ/8mL2FbMM:TRGhyuDGe33zU9XqSNeG2IM

    Score
    10/10
    ponycollectiondiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks