ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool pngdowner

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: pngdowner

Namespngdowner
CategoryMalware
TypeBackdoor, Credential stealer
Description(CrowdStrike) he pngdowner malware is a simple tool constructed using Microsoft Visual studio and implemented via single C++ source code file.

Initially, the malware will perform a connectivity check to a hard-coded URL (http://www.microsoft.com), using a constant user agent Mozilla/4.0 (Compatible; MsIE 6.0;). If this request fails, the malware will attempt to extract proxy details and credentials from Windows Protected storage, and from the IE Credentials store using publicly known methods, using the proxy credentials for subsequent requests if they enable outbound HTTP access. An initial request is then made to the hard-coded C2 server and initial URI – forming a URL of the form (in this sample) http://login.stream-media.net/files/xx11/index.asp?95027775, where the numerical parameter represents a random integer. A hard-coded user agent of myagent is used for this request, and subsequent communication with the C2 server.
Information<https://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf>
<https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31>
MITRE ATT&CK<https://attack.mitre.org/software/S0067/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner>

Last change to this tool card: 13 May 2020

Download this tool card in JSON format

All groups using tool pngdowner

ChangedNameCountryObserved

APT groups

 Putter Panda, APT 2China2007 

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key