General

  • Target

    a88909603282ae6a89cc2fd892877d376e7e5bf68a803bf72c04737cfbc59639

  • Size

    132KB

  • Sample

    221108-142vhabbb7

  • MD5

    0998545bc90bde52893d12dffe7dd424

  • SHA1

    db0fc7f49a33cbc550372cc6b37c418bbfe3f9c4

  • SHA256

    a88909603282ae6a89cc2fd892877d376e7e5bf68a803bf72c04737cfbc59639

  • SHA512

    3ad86dc29b222f3f92fe5d4b411422e83c176f5b1935022e8342800cb3a31f8fd703189580e0173eb6c5a1e589c50f2cc7cfb1477e8490c872364f5ce6a8499d

  • SSDEEP

    3072:DfbmUkNmOJ5Qygjdjop3QQf/WbLnEwVSim0AfBP:jb/k7a5jo17/WXnDSimRJ

Malware Config

Extracted

Family

pony

C2

http://67.215.225.205:8080/ponyd/gate.php

http://74.207.232.161/ponyd/gate.php

Attributes
  • payload_url

    http://res.streetammo.com/SwoBrJYg/oEbZ.exe

    http://abo.gnumerica.org/oSZx1Nko/eZPX.exe

Targets

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks