Overview

overview

10

Static

static

3

36f6c6a5d1...dN.exe

windows7-x64

10

36f6c6a5d1...dN.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    36f6c6a5d1facba9fa583d0b847bc64b5e2b1e73dac6f07a80e3da693f078dddN.exe

  • Size

    102KB

  • Sample

    241201-spfpqavkax

  • MD5

    b03fbcc0d0fd744bad0fa82724924300

  • SHA1

    ea6cae33e7fdf0eb74b88046065f47e9dedb171c

  • SHA256

    36f6c6a5d1facba9fa583d0b847bc64b5e2b1e73dac6f07a80e3da693f078ddd

  • SHA512

    a16e2cd594d0b4dc2efbca597a9717fa42ffb41b43c81da2dc203f56bfaee94838fb0adb5b78717ef9be5ed834bdc8c1be69b02bc1077c012eb47c7ffdfd9b65

  • SSDEEP

    1536:zLKgcGTGv3jidXitUkFQIILQODrAppGXQN60GtOA4VxGfoypvcF+fOvka/:XK+lSHFQIIcsA3MOA2GlvN5a/

Score
10/10
ponycollectioncredential_accessdefense_evasiondiscoveryratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://xhfdrtu.pw:4915/doc/black.php

http://xhfdrtu.pw:888/doc/black.php
Attributes
  • payload_url

    http://mimedyf.pw:888/pic/Flash.exe

Targets

    • Target

      36f6c6a5d1facba9fa583d0b847bc64b5e2b1e73dac6f07a80e3da693f078dddN.exe

    • Size

      102KB

    • MD5

      b03fbcc0d0fd744bad0fa82724924300

    • SHA1

      ea6cae33e7fdf0eb74b88046065f47e9dedb171c

    • SHA256

      36f6c6a5d1facba9fa583d0b847bc64b5e2b1e73dac6f07a80e3da693f078ddd

    • SHA512

      a16e2cd594d0b4dc2efbca597a9717fa42ffb41b43c81da2dc203f56bfaee94838fb0adb5b78717ef9be5ed834bdc8c1be69b02bc1077c012eb47c7ffdfd9b65

    • SSDEEP

      1536:zLKgcGTGv3jidXitUkFQIILQODrAppGXQN60GtOA4VxGfoypvcF+fOvka/:XK+lSHFQIIcsA3MOA2GlvN5a/

    Score
    10/10
    ponycollectioncredential_accessdefense_evasiondiscoveryratspywarestealer

    • Pony family

      pony

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks