General

  • Target

    64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a

  • Size

    684KB

  • Sample

    240919-xzw7nswaqc

  • MD5

    f30b5469b217401922b630a70c0d6b25

  • SHA1

    8c3f8b0dd9f522265ddebe063a0f03d8ffbd5c06

  • SHA256

    64caa8b2692a21bb3a737ac89ff4eab15588e29836a7fd04cf503f01c72d139a

  • SHA512

    608c86e693c6ec756f3224eba7667fb66b2f78f116c4574647d3a490ee1c95b4fa23e1bf7529a5a8471bc966c909bb43d943cc32da61ce875899300cccf703c5

  • SSDEEP

    12288:+rem0ZUDEB8K1GFvzGJ5AB53hzwGCa4IE7CEB8K1GFvzGJ5AB53hzwGCa4IE7H:0+UYebzGLABTzwDx7RebzGLABTzwDx7H

Malware Config

Extracted

Family

pony

C2

http://godhelpusthisyear.biz/wordpress/wp-admin/blacker/php/gate.php

Targets

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks