General

  • Target

    f7354cf388d41e31f397e2aa0f40546ddd0b929a8aaf5ced7af3288aec34f236.exe

  • Size

    706KB

  • Sample

    210712-wec17evy26

  • MD5

    3a990e8b280a4398f8f34c2bc06220a0

  • SHA1

    5eb88cd730a0c2c69a3ff7e7876817b9d57aa0ab

  • SHA256

    f7354cf388d41e31f397e2aa0f40546ddd0b929a8aaf5ced7af3288aec34f236

  • SHA512

    31841a48301b63486e9cb1e4b2c649a462772545f0c9f821d2ac28aed5e240d5ce65a51db43a8ef452201db5563e0acea799e8753d4998407de41032c2e2e5fd

Malware Config

Extracted

Family

pony

C2

https://gulshanti.com/hybrid/panel/gate.php

Attributes
  • payload_url

    https://gulshanti.com/shit.exe

Targets

    • Target

      f7354cf388d41e31f397e2aa0f40546ddd0b929a8aaf5ced7af3288aec34f236.exe

    • Size

      706KB

    • MD5

      3a990e8b280a4398f8f34c2bc06220a0

    • SHA1

      5eb88cd730a0c2c69a3ff7e7876817b9d57aa0ab

    • SHA256

      f7354cf388d41e31f397e2aa0f40546ddd0b929a8aaf5ced7af3288aec34f236

    • SHA512

      31841a48301b63486e9cb1e4b2c649a462772545f0c9f821d2ac28aed5e240d5ce65a51db43a8ef452201db5563e0acea799e8753d4998407de41032c2e2e5fd

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

2
T1005

Tasks