General

  • Target

    JaffaCakes118_77503c891fec014651eb783d30a111f0

  • Size

    64KB

  • Sample

    250104-dv86wsylhw

  • MD5

    77503c891fec014651eb783d30a111f0

  • SHA1

    76f5d5d7f35d6db4f39765c52c31ecd98eda5223

  • SHA256

    11ab6bda2e9c86e6c65853b689c92c90b93c50b3c7f2849943df379d31714041

  • SHA512

    0dd54083b3031e52e762f0b7b284f96847e7b7559ccd039a185cfa1af4448ee254e9aff5be418ae2c6dc6adf74995d81462c70cce511be20264da486cb7e1de3

  • SSDEEP

    1536:8N2DNkl91Imw+EvoRKcWFCED0L61d57ZjU2h4GJ:QKmix+EvAKTRDZd5R8A

Malware Config

Extracted

Family

pony

C2

http://5.eventiduepuntozero.com/forum/viewtopic.php

http://5.finesettimana.com/forum/viewtopic.php

Attributes
  • payload_url

    http://sivascom.de/PRLDhH.exe

    http://dynamotouren.de/4XM2f.exe

    http://app.bi.com.tr/fPFa.exe

    http://72.32.185.12/rd7nr.exe

    http://208.116.13.164/b6dK7rwV.exe

    http://romans.com.vn/BN42.exe

    http://www.jagatoko.com/W14C.exe

    http://www.seigner-art.at/fPsx8i.exe

    http://www.aboessen24.de/WWkULwkq.exe

Targets

    • Target

      WU_changes_ID_56508578723485690902345926345796290236767936592352345-345324523452436546756845432567667678476-4356657867864574357568458674-786775645673657.pdf.exe

    • Size

      100KB

    • MD5

      5e62fb48183df3890767c6b2f5d51059

    • SHA1

      3e4e525ae1ad8370283bdebb5b472abb69fae309

    • SHA256

      a188fe002d443c561621f4fec72a4a1916da007bc8717040d61076b86807ca58

    • SHA512

      69777b604c50038a6ebc3563e88ae245a6ee97258b91d5c2fbfe215229f81b43c9b290d616272ebf7f8ef154ee75f89fa0f4f90bb85c7153d26c1a8ec92f6510

    • SSDEEP

      3072:Onocf7MAGFvTIqX0pYqzLfPR3vfdHldhwP3:Onocf7MdL0dk

    • Pony family (Pony, Fareit)

      Pony, also tracked as Fareit, is a credential-stealing trojan and downloader rather than a remote-access tool: it harvests saved credentials from FTP clients, browsers and mail clients, posts them to its C2 gate (the viewtopic.php URLs above), and can fetch and run further executables (the payload_url attributes above).

    • Reads data files stored by FTP clients

      Tries to access configuration files of FTP clients such as FileZilla (for example sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla), which hold saved site credentials.

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved logins, cookies and autofill entries; access to these files by an unknown, freshly downloaded executable is a strong indicator.

    • Unsecured Credentials: Credentials In Files (ATT&CK T1552.001)

      Steals credentials from files that store them without adequate protection, such as the FTP client and browser data files above.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

      Reads Outlook account and profile settings from the registry (the Windows Messaging Subsystem profile store), where saved mail-account settings and credentials are kept.

    • Checks installed software on the system

      Looks up entries under the registry Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate software on the system. On its own this is common benign behaviour; it is significant here only alongside the credential-store reads.
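
The signatures above and the C2/payload indicators in the Malware Config section translate directly into hunting logic. The following is an added example written for this report, not code from the sandbox vendor: it encodes the report's IOCs, the well-known credential-store paths behind each signature and the double-extension lure pattern of the target filename, then runs them over constructed Sysmon/EDR-style events (the pid/image/type/target dict format, the file paths and the shortened lure name are all made up for the demo) to produce a per-process verdict.

```python
"""Triage Pony/Fareit-style behaviour against the report's signatures and IOCs.

Added example for this report (not vendor code). The event dicts below are a
constructed stand-in for Sysmon/EDR telemetry; the sample events are made up.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators copied from the report above.
C2_URLS = {
    "http://5.eventiduepuntozero.com/forum/viewtopic.php",
    "http://5.finesettimana.com/forum/viewtopic.php",
}
PAYLOAD_URLS = {
    "http://sivascom.de/PRLDhH.exe", "http://dynamotouren.de/4XM2f.exe",
    "http://app.bi.com.tr/fPFa.exe", "http://72.32.185.12/rd7nr.exe",
    "http://208.116.13.164/b6dK7rwV.exe", "http://romans.com.vn/BN42.exe",
    "http://www.jagatoko.com/W14C.exe", "http://www.seigner-art.at/fPsx8i.exe",
    "http://www.aboessen24.de/WWkULwkq.exe",
}
IOC_HOSTS = {urlparse(u).hostname for u in C2_URLS | PAYLOAD_URLS}
SAMPLE_SHA256 = {
    "11ab6bda2e9c86e6c65853b689c92c90b93c50b3c7f2849943df379d31714041",
    "a188fe002d443c561621f4fec72a4a1916da007bc8717040d61076b86807ca58",
}

# (signature name from the report, event type, lowercase substrings of the
# well-known credential/profile locations that trigger it)
RULES = [
    ("Reads data files stored by FTP clients", "file_read",
     (r"\filezilla\sitemanager.xml", r"\filezilla\recentservers.xml")),
    ("Reads user/profile data of web browsers", "file_read",
     (r"\user data\default\login data", r"\mozilla\firefox\profiles")),
    ("Accesses Microsoft Outlook profiles", "reg_query",
     (r"\windows messaging subsystem\profiles", r"\outlook\profiles")),
    ("Checks installed software on the system", "reg_query",
     (r"\microsoft\windows\currentversion\uninstall",)),
]
INVENTORY_ONLY = {"Checks installed software on the system"}  # benign alone

# 'document.pdf.exe'-style double extensions, as in the report's target name.
LURE_RE = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png|txt)\.(exe|scr|com)$", re.I)


def is_double_extension(filename):
    """True for names that hide an executable behind a document extension."""
    return bool(LURE_RE.search(filename))


def ioc_reason(event):
    """Return why an event matches a report IOC, or None if it does not."""
    if event["type"] == "process_create" and event.get("sha256") in SAMPLE_SHA256:
        return "known sample hash"
    if event["type"] == "http_request":
        if event["target"] in C2_URLS:
            return "Pony C2 gate"
        if urlparse(event["target"]).hostname in IOC_HOSTS:
            return "payload/C2 host"
    return None


def triage(events):
    """Group events by pid; return signatures, IOC hits and a verdict per process."""
    procs = defaultdict(lambda: {"image": None, "signatures": set(),
                                 "ioc_hits": [], "lure_name": False})
    for ev in events:
        rec = procs[ev["pid"]]
        rec["image"] = rec["image"] or ev["image"]
        target = ev["target"].lower()
        for name, etype, needles in RULES:
            if ev["type"] == etype and any(n in target for n in needles):
                rec["signatures"].add(name)
        reason = ioc_reason(ev)
        if reason:
            rec["ioc_hits"].append((ev["target"], reason))
        if ev["type"] == "process_create" and is_double_extension(ev["image"]):
            rec["lure_name"] = True
    for rec in procs.values():
        rec["signatures"] = sorted(rec["signatures"])
        cred_reads = len(set(rec["signatures"]) - INVENTORY_ONLY)
        if rec["ioc_hits"] or cred_reads >= 2:
            rec["verdict"] = "likely Pony/Fareit"
        elif cred_reads or rec["lure_name"]:
            rec["verdict"] = "suspicious"
        else:
            rec["verdict"] = "clean"   # software inventory alone is not enough
    return dict(procs)


# Constructed telemetry: pid 4120 is the lure executable (name shortened from
# the report's target), pid 2200 is a benign shell doing a software inventory.
_IMG = r"C:\Users\u\Downloads\WU_changes.pdf.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": _IMG, "type": "process_create", "target": _IMG,
     "sha256": "a188fe002d443c561621f4fec72a4a1916da007bc8717040d61076b86807ca58"},
    {"pid": 4120, "image": _IMG, "type": "file_read",
     "target": r"C:\Users\u\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 4120, "image": _IMG, "type": "file_read",
     "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4120, "image": _IMG, "type": "reg_query",
     "target": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"},
    {"pid": 4120, "image": _IMG, "type": "reg_query",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"pid": 4120, "image": _IMG, "type": "http_request",
     "target": "http://5.finesettimana.com/forum/viewtopic.php"},
    {"pid": 4120, "image": _IMG, "type": "http_request",
     "target": "http://sivascom.de/PRLDhH.exe"},
    {"pid": 2200, "image": r"C:\Windows\explorer.exe", "type": "reg_query",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
]

if __name__ == "__main__":
    for pid, rec in triage(SAMPLE_EVENTS).items():
        print(pid, rec["image"], rec["verdict"], rec["signatures"], rec["ioc_hits"])
```

The verdict deliberately does not fire on the Uninstall-key enumeration by itself, since installers and inventory agents do the same thing; it is the combination of two or more credential-store reads, or any contact with the listed C2 gate or payload hosts, that reproduces this report's classification.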

MITRE ATT&CK Enterprise v15

Tasks