pony | 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170 | Triage

Submit
Reports

Overview

overview

Static

static

2587f394c4...70.exe

windows7-x64

2587f394c4...70.exe

windows10-2004-x64

Sharing

General

Target

2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170
Size

88KB
Sample

221002-lrg71ahgh9
MD5

65cac1988793cbffda3ad67b065cade0
SHA1

b5711cad13bd7d22444a74e78ff5d05d363d2d97
SHA256

2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170
SHA512

7172495113c311a55cae793de701baa345d627705db9a797fbb576b05cbb519d368413d65a8220aea6fc536a7f3315c48b39b746e707f97d69339f812d9f3797
SSDEEP

1536:29aTff+Vt58Nir18lhGm8BuMyZTPjvcVuL1AzrSMVx55ZS+G8USRlE4O3zzmOEC1:2gf+8iZCGWMejLcVmYrSexTjr1RK3nmy

Score

10^/10

pony collection persistence rat spyware stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe

Resource

win7-20220812-en

pony collection persistence rat spyware stealer upx

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe

Resource

win10v2004-20220812-en

pony collection persistence rat spyware stealer upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

pony

C2

http://podaro-vk.esy.es/gate.php

Targets

- Target
  
  2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170
- Size
  
  88KB
- MD5
  
  65cac1988793cbffda3ad67b065cade0
- SHA1
  
  b5711cad13bd7d22444a74e78ff5d05d363d2d97
- SHA256
  
  2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170
- SHA512
  
  7172495113c311a55cae793de701baa345d627705db9a797fbb576b05cbb519d368413d65a8220aea6fc536a7f3315c48b39b746e707f97d69339f812d9f3797
- SSDEEP
  
  1536:29aTff+Vt58Nir18lhGm8BuMyZTPjvcVuL1AzrSMVx55ZS+G8USRlE4O3zzmOEC1:2gf+8iZCGWMejLcVmYrSexTjr1RK3nmy
Score

10^/10

pony collection persistence rat spyware stealer upx
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

ponycollectionpersistenceratspywarestealerupx

behavioral2

ponycollectionpersistenceratspywarestealerupx

© 2018-2024

Terms | Privacy