General

  • Target

    3d02fee45b089180e51b34c82dc26120_JaffaCakes118

  • Size

    72KB

  • Sample

    241013-blmv7awbmq

  • MD5

    3d02fee45b089180e51b34c82dc26120

  • SHA1

    0263651370a5a7599bea407e090d441f9b57c7ba

  • SHA256

    15813d39e10506909d3bfeeec404f78c8b646c6febdb78abf35c4a7ef733c1b1

  • SHA512

    1f46314bd44e6b48e67453b7ca12f58e343ea0bde969a132451b95f240dc59e7c4f3319dc1bd8e08f8799fb1fbb4228c0b0cc33fa2f087f4f06883a9e0c3acd9

  • SSDEEP

    1536:+f+j3UWPzHEFuPfs3mn29S4sBpTn98+DCMC0oFOyauBKPTaD:+YbHZnQ62996zmMCXOyaMKLaD

Malware Config

Extracted

Family

pony

C2

http://2.sardiniaexport.com/forum/viewtopic.php

http://2.enzofavata.com/forum/viewtopic.php

Attributes

  • payload_url

Targets

    • Target

      Chase_Paymentech_Billing_Statement_ID000000000004473943654792369639465234597263453457864935678326456394234652363271564353495151784651682348235486521368452134521345796314561439561349765974365763485.pdf.exe

    • Size

      128KB

    • MD5

      ea6f4a915330e4509c244b0c794882aa

    • SHA1

      11bf6c9f31fb08efd56d82c8cd8c9330b10c16a1

    • SHA256

      0cf273e746816f28e655132d85dd3e0abb7d767a570166161b33cb9ff890ee5c

    • SHA512

      d1c839178dc6b050c7bd2c7b979dfc0f3ad9e33eed4c4517c50f59649dad1b4a30279796c284b4117e03f9f3b10016bafc23dc08fc34e1481333cb48cbc0cfa2

    • SSDEEP

      1536:5Q3eUyeDzzaZtx8521zewKQ/ewQMN160EAGpQP8pJt/K5sEt1:RzICxptRKQ/ewQM60EA7PCtcsEt1

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks