General
-
Target
204cefcd26564660bf062326f6debc037d6a328089f60b3f06dee088eff67e17
-
Size
131KB
-
Sample
221003-cwgmladgfp
-
MD5
3c729f0528c8fc8a4c5c5b0def04bade
-
SHA1
7ea0389ca1d892fb0ec0c2b6c3e94c3893b25f31
-
SHA256
204cefcd26564660bf062326f6debc037d6a328089f60b3f06dee088eff67e17
-
SHA512
b3f5038ade2ba22dba5b862be0678982574578ff1ee4ff481cb04cd1f08639d54f2ad59bd10c76dcf26d6a1fc69d6dbc4c3421e7f4756ae5146649a993aefc8b
-
SSDEEP
3072:LAsj8MBX8s0oXJcRe3Yvi25TpVAHBb8rUhdiXYv2MOenN:LAsBZyReoRTpcgr6diKlOeN
Malware Config
Extracted
pony
http://shared-30.ccihosting.com/~streamkn/panel/gate.php
Targets
-
-
Target
204cefcd26564660bf062326f6debc037d6a328089f60b3f06dee088eff67e17
-
Size
131KB
-
MD5
3c729f0528c8fc8a4c5c5b0def04bade
-
SHA1
7ea0389ca1d892fb0ec0c2b6c3e94c3893b25f31
-
SHA256
204cefcd26564660bf062326f6debc037d6a328089f60b3f06dee088eff67e17
-
SHA512
b3f5038ade2ba22dba5b862be0678982574578ff1ee4ff481cb04cd1f08639d54f2ad59bd10c76dcf26d6a1fc69d6dbc4c3421e7f4756ae5146649a993aefc8b
-
SSDEEP
3072:LAsj8MBX8s0oXJcRe3Yvi25TpVAHBb8rUhdiXYv2MOenN:LAsBZyReoRTpcgr6diKlOeN
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-