General

  • Target

    f88f088215b87dfe96013d8bce800c70d698b4050e2eff4b8033103bc1b6f2d6

  • Size

    283KB

  • Sample

    221003-aqpd5sghc8

  • MD5

    0676d0466ee5cc5d937a7704830c7401

  • SHA1

    18bae5cf5c40e53e1fd71a899047110d641616eb

  • SHA256

    f88f088215b87dfe96013d8bce800c70d698b4050e2eff4b8033103bc1b6f2d6

  • SHA512

    b0883ec39b9e4494d4042ed08619aae6e0806a63f26f810f0075ab765b3f6b9e1aa5c11bd1d6ee5a1f91346cc9e385e679537b8898d4cfe1e35f5a62fe9ed800

  • SSDEEP

    3072:VNJAOXTBxdiKcnAiABApAHY1A6AlA7AUGn/Xmona8eAnuTCt2xbzmyoaq6rcYsck:VN3RnjxyB8EBUQ2a8Ldx

Malware Config

Extracted

Family

pony

C2

http://saharaspamx.favcc1.com/gate.php

Targets

    • Target

      f88f088215b87dfe96013d8bce800c70d698b4050e2eff4b8033103bc1b6f2d6

    • Size

      283KB

    • MD5

      0676d0466ee5cc5d937a7704830c7401

    • SHA1

      18bae5cf5c40e53e1fd71a899047110d641616eb

    • SHA256

      f88f088215b87dfe96013d8bce800c70d698b4050e2eff4b8033103bc1b6f2d6

    • SHA512

      b0883ec39b9e4494d4042ed08619aae6e0806a63f26f810f0075ab765b3f6b9e1aa5c11bd1d6ee5a1f91346cc9e385e679537b8898d4cfe1e35f5a62fe9ed800

    • SSDEEP

      3072:VNJAOXTBxdiKcnAiABApAHY1A6AlA7AUGn/Xmona8eAnuTCt2xbzmyoaq6rcYsck:VN3RnjxyB8EBUQ2a8Ldx

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Email Collection

2
T1114

Tasks