General
-
Target
b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e
-
Size
106KB
-
Sample
221003-a5m5mahec2
-
MD5
34edb846d0d38edd94dfc20caad8bdb6
-
SHA1
09d3e2adc6d084bccad6471e5f31d619f1b1f364
-
SHA256
b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e
-
SHA512
40f54840015434dde4a8e74294871de80f293b78dfcfff06bc821224f6f3a8fc76fc3934813890b6ce2fd8351f51e1efdd7892d46c0686a9a99ffe86adba52db
-
SSDEEP
1536:nHNyobUKPbS8tEMdZqC4L8zCSI97QUDq4ldsVpSzCzGwt57VJnb:nH0obUkS8tEMdZqCU+Cf97/zsjS+trnb
Malware Config
Extracted
pony
http://ledosadik.pw:719/way/open.php
http://virmataje.pw:719/way/open.php
Targets
-
-
Target
b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e
-
Size
106KB
-
MD5
34edb846d0d38edd94dfc20caad8bdb6
-
SHA1
09d3e2adc6d084bccad6471e5f31d619f1b1f364
-
SHA256
b350e381f7e0f41b2d941a9d59096b769ff1a46067fcfa5fcc3577026a0a8c9e
-
SHA512
40f54840015434dde4a8e74294871de80f293b78dfcfff06bc821224f6f3a8fc76fc3934813890b6ce2fd8351f51e1efdd7892d46c0686a9a99ffe86adba52db
-
SSDEEP
1536:nHNyobUKPbS8tEMdZqC4L8zCSI97QUDq4ldsVpSzCzGwt57VJnb:nH0obUkS8tEMdZqCU+Cf97/zsjS+trnb
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Drops file in Drivers directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-