Overview

overview

10

Static

static

8

182d2592a4...66.doc

windows7-x64

10

182d2592a4...66.doc

windows10-2004-x64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    182d2592a4494ed0a0f74e970f525ffc6787178e272501f3fee5446fe614ba66

  • Size

    504KB

  • Sample

    241214-zxgqbawlgn

  • MD5

    c06e0e42743427499e9805b2ec87874e

  • SHA1

    72d687cc1d7d290d2a274144265e103bff26ee51

  • SHA256

    182d2592a4494ed0a0f74e970f525ffc6787178e272501f3fee5446fe614ba66

  • SHA512

    f66295438ecf3adb9776a062d65ab9a509820c58c97e644ba74a93a6bf5bc2a25b32d8f96bbdd189adbe5655c6052c5f6ece287b2028798db9208974bdfaee49

  • SSDEEP

    6144:l6Y22x6WkRP/Pgi8tds1dQm/EOLBQWhCVzVxbLueU8oCLDpKh:92rWuYiQdsEm8+hh2/bKUo9

Score
10/10
ponycollectioncredential_accessdiscoverymacroratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://tittertte.ru/sliva/gate.php

http://tythetru.ru/sliva/gate.php

http://rulahat.ru/sliva/gate.php
Attributes
  • payload_url

    http://awc.asia/wp-content/themes/twentytwelve/hsg.exe

    http://teatromanzonicassino.it/wp-content/themes/twentythirteen/hsg.exe

    http://www.bisaim.com/wp-content/themes/twentythirteen/hsg.exe

Targets

    • Target

      182d2592a4494ed0a0f74e970f525ffc6787178e272501f3fee5446fe614ba66

    • Size

      504KB

    • MD5

      c06e0e42743427499e9805b2ec87874e

    • SHA1

      72d687cc1d7d290d2a274144265e103bff26ee51

    • SHA256

      182d2592a4494ed0a0f74e970f525ffc6787178e272501f3fee5446fe614ba66

    • SHA512

      f66295438ecf3adb9776a062d65ab9a509820c58c97e644ba74a93a6bf5bc2a25b32d8f96bbdd189adbe5655c6052c5f6ece287b2028798db9208974bdfaee49

    • SSDEEP

      6144:l6Y22x6WkRP/Pgi8tds1dQm/EOLBQWhCVzVxbLueU8oCLDpKh:92rWuYiQdsEm8+hh2/bKUo9

    Score
    10/10
    ponycollectioncredential_accessdiscoveryratspywarestealer

    • Pony family

      pony

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks