General

  • Target

    512.dll

  • Size

    367KB

  • Sample

    200715-wrfqa4r2zx

  • MD5

    56921bed6e4dd3ba4064557d453e403e

  • SHA1

    9a2ec0abbde02b61d56990882ea6c43d833114b3

  • SHA256

    a1ea6e27f13d729c388d0cf8a22f07407bf52290d0b68f4d4da1637d3a2b8eea

  • SHA512

    d27da6d2386185d1ea76a195bee2d72e1ac229b841f4b60eafe0e4055cbaaaeecd99e1d9f0693eab660fa480baa74a00ad9a0ca43b392a83d285ddea4bf8911c

Malware Config

Targets

    • Target

      512.dll

    • Size

      367KB

    • MD5

      56921bed6e4dd3ba4064557d453e403e

    • SHA1

      9a2ec0abbde02b61d56990882ea6c43d833114b3

    • SHA256

      a1ea6e27f13d729c388d0cf8a22f07407bf52290d0b68f4d4da1637d3a2b8eea

    • SHA512

      d27da6d2386185d1ea76a195bee2d72e1ac229b841f4b60eafe0e4055cbaaaeecd99e1d9f0693eab660fa480baa74a00ad9a0ca43b392a83d285ddea4bf8911c

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks