pony | 17cc77df1334f8f0df21f79c7aa35bec1e5aaaa7ffa1d5ce84710ec46246c64d

General

Target

MMSSystemVoiceWAV8574589347509823645928634956.exe
Size

91KB
Sample

220927-k3cwzsdag4
MD5

829e0cd608f0fdbf6b8e068dc135f481
SHA1

eb11bd09ae2d0589dbd6e6196c937a911da461ac
SHA256

17cc77df1334f8f0df21f79c7aa35bec1e5aaaa7ffa1d5ce84710ec46246c64d
SHA512

b11895e0e28fb8a8b4bf09d8cf040fa21364e13aa3f8d4841da57e76f64450f07af03a783408baad0fce5c1e3f095f41324a276001eb4f4a81573154b474d4f6
SSDEEP

1536:fES45i5a8pnoVMmSY1OQo/F/SJDhZ2P7cS8YBidxFxB1:MKLnoVMwOQo/F/TgYBoxFxB1

Score

10^/10

Malware Config

Extracted

Family

pony

C2

http://62.76.47.5/pnn/ga.php

http://62.76.185.233/pnn/ga.php

Attributes

payload_url
http://62.76.178.192/our1/1.exe

http://62.76.188.38/our1/2.exe

Targets

- Target
  
  MMSSystemVoiceWAV8574589347509823645928634956.exe
- Size
  
  91KB
- MD5
  
  829e0cd608f0fdbf6b8e068dc135f481
- SHA1
  
  eb11bd09ae2d0589dbd6e6196c937a911da461ac
- SHA256
  
  17cc77df1334f8f0df21f79c7aa35bec1e5aaaa7ffa1d5ce84710ec46246c64d
- SHA512
  
  b11895e0e28fb8a8b4bf09d8cf040fa21364e13aa3f8d4841da57e76f64450f07af03a783408baad0fce5c1e3f095f41324a276001eb4f4a81573154b474d4f6
- SSDEEP
  
  1536:fES45i5a8pnoVMmSY1OQo/F/SJDhZ2P7cS8YBidxFxB1:MKLnoVMwOQo/F/TgYBoxFxB1
Score

10^/10

pony discovery rat spyware stealer upx
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Pony,Fareit

UPX packed file

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2