Overview

overview

10

Static

static

10

14c5e39cdf...4b.exe

windows7-x64

10

14c5e39cdf...4b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    14c5e39cdfe5fe3f294ee3be73360d57f79df4df1a438a941f716c106942884b.exe

  • Size

    88KB

  • Sample

    240903-bmgesssgjp

  • MD5

    ca79dce34a00690503571881438882d0

  • SHA1

    6b2a573b5a3e6d9c8d84cd76f3bb734133675f71

  • SHA256

    14c5e39cdfe5fe3f294ee3be73360d57f79df4df1a438a941f716c106942884b

  • SHA512

    29c4fe53efe2e9359bdd7d09f77b29a7013d09abbcceafd9bad4d91fb9a0352102ea2f23ae691259971019f3855182e3b30dd48f48e9f31e5666d333eee944e4

  • SSDEEP

    1536:x3V3e8KytqTZkYu5SCvaDBzgM+5zu9kS24zxAkOg8WTvMEIekzZ3:9dOy+ubiDBzv+1H4OgYEIR3

Score
10/10
ponycollectioncredential_accessdiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://gw-sinzheim.de/default.php?fgzCouc8tZywYucMWBLpLEImFjOkL7IkWOXRp

http://poppahomes.com/default.php?SEzwHAuBSfwXW26KYDDuoglCrwM37cK27LrdE

http://illinoisrates.com/default.php?AqRWt74mlAiZ3q97bitMRAXqT6iWPzF4LR

http://sriroyalfoundation.com/default.php?Hc3ZZJrTY4b6hJZWa68n5BmiWdLNN

http://museconcrete.com/default.php?4Y7O916LouI3Sznnsoszz5mSKp8SNaIYOkk

Targets

    • Target

      14c5e39cdfe5fe3f294ee3be73360d57f79df4df1a438a941f716c106942884b.exe

    • Size

      88KB

    • MD5

      ca79dce34a00690503571881438882d0

    • SHA1

      6b2a573b5a3e6d9c8d84cd76f3bb734133675f71

    • SHA256

      14c5e39cdfe5fe3f294ee3be73360d57f79df4df1a438a941f716c106942884b

    • SHA512

      29c4fe53efe2e9359bdd7d09f77b29a7013d09abbcceafd9bad4d91fb9a0352102ea2f23ae691259971019f3855182e3b30dd48f48e9f31e5666d333eee944e4

    • SSDEEP

      1536:x3V3e8KytqTZkYu5SCvaDBzgM+5zu9kS24zxAkOg8WTvMEIekzZ3:9dOy+ubiDBzv+1H4OgYEIR3

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks