General

  • Target

    ec68305257d5f90029f22321db4a5939_JaffaCakes118

  • Size

    69KB

  • Sample

    241213-t338lstrgt

  • MD5

    ec68305257d5f90029f22321db4a5939

  • SHA1

    0d0c9ce689a04c8e43aadd32d7117c99f37b8fb5

  • SHA256

    ad4c557e8d3d8b26349d397c92a1f3c4d05761dfff7af9b8dcc9aa9d85d9bdf8

  • SHA512

    95dd0e78a7ea5e0211203ff0336170549d16a341dfcc632fb301e53a280fdd2bf6ff60a908bc495dea12c51a403ce5909c71a44c27faa09c0d727246b9bd727a

  • SSDEEP

    1536:3rDrusZHRoowd9YPANRk4LtDF+ENB2HPMdy7Tq2RbOQfJ2+UGhOLY5B:bD/H/P6k4LVhoM4TbB2ZGl7

Malware Config

Extracted

Family

pony

C2

http://2.marcomeloni.biz/forum/viewtopic.php

http://2.porti.com/forum/viewtopic.php

Attributes
  • payload_url

Targets

    • Target

      IRS_Payment_Details_Id_857603874028370283740827587376208472836586286208347230847203470293480273457248578236084623846263479623974697325423974613048638462304638406230560826350823605862308562805.doc.exe

    • Size

      94KB

    • MD5

      855e878c3dffea7fcac37eea6b640885

    • SHA1

      66d497b603bcdf188147aca6a079f6a9f6b7e468

    • SHA256

      3980f1a8cfa87ce74dba899328635fc655bdc4efbe734b99a693537b650d47ff

    • SHA512

      5d46da46ca85d4466a5a3a842b4fc79aa48de2780157a90ba43b833c5e6dac86fd5bae7fcecaf19fe7be03f62991b693a8f418ecf80b79842f016217b57fdf6c

    • SSDEEP

      1536:3/9K4dfmVJT7rE2gdFGZHP0dPXyYA+2HIRu/re+zx+gKo:3Sd3E2eAJ8xygRu/rh0gK

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks