General

  • Target

    bc2f593e8245d9295aa8fc8329e2e740709f517ecce2647869b110f272de28bb

  • Size

    744KB

  • Sample

    220701-htwlmaafc5

  • MD5

    a3fc29c6698ca5989e265daec8747bcb

  • SHA1

    dfa0fa264b796d564406f21af73cb77e2f5fe22d

  • SHA256

    bc2f593e8245d9295aa8fc8329e2e740709f517ecce2647869b110f272de28bb

  • SHA512

    3e0e79fa91b7a3b8fffd59763ce39203c8e88bceed64cb4964592738546fc2050210cf76df591cfe4badbf76bba9c781518102cc53836e6df09a77497d7e246e

Malware Config

Extracted

  • Family

    pony

  • C2

    http://kahramanlarotolastik.com/w/terry/panel/gate.php

  • Attributes

    payload_url: http://myp0nysite.ru/shit.exe

Targets

    • Target

      bc2f593e8245d9295aa8fc8329e2e740709f517ecce2647869b110f272de28bb

    • Size

      744KB

    • MD5

      a3fc29c6698ca5989e265daec8747bcb

    • SHA1

      dfa0fa264b796d564406f21af73cb77e2f5fe22d

    • SHA256

      bc2f593e8245d9295aa8fc8329e2e740709f517ecce2647869b110f272de28bb

    • SHA512

      3e0e79fa91b7a3b8fffd59763ce39203c8e88bceed64cb4964592738546fc2050210cf76df591cfe4badbf76bba9c781518102cc53836e6df09a77497d7e246e

    • Detect Neshta Payload

    • Modifies system executable filetype association

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar data.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic              Technique                         Count  ID
  Persistence         Change Default File Association   1      T1042
  Defense Evasion     Modify Registry                   1      T1112
  Credential Access   Credentials in Files              1      T1081
  Discovery           Query Registry                    1      T1012
  Discovery           System Information Discovery      2      T1082
  Collection          Data from Local System            1      T1005
