General
-
Target
2ffacefb2dec0f3bb11d9626c5ea375421b7e433118a5172b799e0a07e5adb4b
-
Size
175KB
-
Sample
221002-2xa9msece3
-
MD5
0768790d110d3d495036e1e900a3bc66
-
SHA1
61164ea1ee7e11f09989ba374558317b67d71ca6
-
SHA256
2ffacefb2dec0f3bb11d9626c5ea375421b7e433118a5172b799e0a07e5adb4b
-
SHA512
770e250fd18c0287d3fd179dba5ad63c90551ef8f1f125f70c1616b9e16bc59cd54c99a47a6346472f603bd49319a33cfb69c7eea0b41106710c0bed1951d46f
-
SSDEEP
3072:vQwoNnidcKdSJWZAUz6r5blAUFsq7eJRWTPoszTkXKWe:IwoNQBd6Wyvr5b/Fb7uWTw5Xbe
Malware Config
Extracted
pony
http://94.102.50.60/fuck.php
-
payload_url
http://curlfairbanks.org/betzi.exe
http://curlfairbanks.org/ppi.exe
http://curlfairbanks.org/ppi2.exe
http://curlfairbanks.org/ppi3.exe
http://curlfairbanks.org/boom.exe
Targets
-
-
Target
2ffacefb2dec0f3bb11d9626c5ea375421b7e433118a5172b799e0a07e5adb4b
-
Size
175KB
-
MD5
0768790d110d3d495036e1e900a3bc66
-
SHA1
61164ea1ee7e11f09989ba374558317b67d71ca6
-
SHA256
2ffacefb2dec0f3bb11d9626c5ea375421b7e433118a5172b799e0a07e5adb4b
-
SHA512
770e250fd18c0287d3fd179dba5ad63c90551ef8f1f125f70c1616b9e16bc59cd54c99a47a6346472f603bd49319a33cfb69c7eea0b41106710c0bed1951d46f
-
SSDEEP
3072:vQwoNnidcKdSJWZAUz6r5blAUFsq7eJRWTPoszTkXKWe:IwoNQBd6Wyvr5b/Fb7uWTw5Xbe
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-