Overview

overview

10

Static

static

8

pfZVX.doc

windows7-x64

10

pfZVX.doc

windows10-2004-x64

4

Sharing

Copy URL
Twitter E-mail

General

  • Target

    pfZVX

  • Size

    221KB

  • Sample

    240915-15a36svele

  • MD5

    28e855032f83adbd2d8499af6d2d0e22

  • SHA1

    6b590325e2e465d9762fa5d1877846667268558a

  • SHA256

    b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e

  • SHA512

    e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34

  • SSDEEP

    3072:zVIfFuR6AqFMa2fL3NtkWL90y7K4mlQCww7zDTW6HNRn0nPmaw:zVIf8RsOtZclptz78Pk

Score
10/10
ponycollectioncredential_accessdefense_evasiondiscoverymacromacro_on_actionratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://fouseevenghedt.ru/gate.php

http://biledroben.ru/gate.php

http://rohironrof.ru/gate.php
Attributes
  • payload_url

    http://eloraestate.com/wp-content/plugins/prism-highlight/opera1.exe

    http://edmontonlimo247.com/wp-content/plugins/prism-highlight/opera1.exe

    http://dgfcomercial.com.br/wp-content/plugins/prism-highlight/opera1.exe

Targets

    • Target

      pfZVX

    • Size

      221KB

    • MD5

      28e855032f83adbd2d8499af6d2d0e22

    • SHA1

      6b590325e2e465d9762fa5d1877846667268558a

    • SHA256

      b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e

    • SHA512

      e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34

    • SSDEEP

      3072:zVIfFuR6AqFMa2fL3NtkWL90y7K4mlQCww7zDTW6HNRn0nPmaw:zVIf8RsOtZclptz78Pk

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealerupxdefense_evasion

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks