pony | b9abb9034a6e25c416c3031b9dbfd566b3d7b39dfb1fc9229095f22ee8c6a9bf

General

Target

b9abb9034a6e25c416c3031b9dbfd566b3d7b39dfb1fc9229095f22ee8c6a9bf.exe
Size

790KB
Sample

220521-jl51rseagr
MD5

c767466a3e546cf4c3f4c7d06674f649
SHA1

86fd75f689e1cdae1ebe04e75cb8c41007d58f8a
SHA256

b9abb9034a6e25c416c3031b9dbfd566b3d7b39dfb1fc9229095f22ee8c6a9bf
SHA512

455df92cf93a0d78022275230f095c8ff502bfb046b407262c0043159d198294c95c32821b284f72e868983d62077e9a8a99ded02f5c4d18ef40ee2e97c9ea06

Score

10^/10

Malware Config

Extracted

Family

pony

C2

http://serniorduncan30.host56.com/html/gate.php

Targets

- Target
  
  b9abb9034a6e25c416c3031b9dbfd566b3d7b39dfb1fc9229095f22ee8c6a9bf.exe
- Size
  
  790KB
- MD5
  
  c767466a3e546cf4c3f4c7d06674f649
- SHA1
  
  86fd75f689e1cdae1ebe04e75cb8c41007d58f8a
- SHA256
  
  b9abb9034a6e25c416c3031b9dbfd566b3d7b39dfb1fc9229095f22ee8c6a9bf
- SHA512
  
  455df92cf93a0d78022275230f095c8ff502bfb046b407262c0043159d198294c95c32821b284f72e868983d62077e9a8a99ded02f5c4d18ef40ee2e97c9ea06
Score

10^/10

pony collection discovery evasion persistence rat spyware stealer suricata
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
  suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
  suricata
- suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
  suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
  suricata
- suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
  suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
  suricata
- suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  suricata
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2