General

  • Target

    b304455ccacad4311f34136a3a2534ee5f26c0ba147e840cea01d6b4f8dfee92

  • Size

    290KB

  • Sample

    221108-1wx7cacddn

  • MD5

    03216ac79bcf1b2827c264068c1bea40

  • SHA1

    bdf45919077f4173725f07c7505ea682ff68e4e2

  • SHA256

    b304455ccacad4311f34136a3a2534ee5f26c0ba147e840cea01d6b4f8dfee92

  • SHA512

    78518aa12ce37d626fa3937346f926f19782b4c274b0d0d3762e9932a9bbc76ab4e7acee1fe83f6ca688de5827ac9b9b69e888b071fbf0431b3775b4167dcaac

  • SSDEEP

    6144:tufBlxbZtkW7Oktr9Q6skojoHgQBSFccvmtk5LZjsHFY:UfBlxbFOkPQP2HqccO0aY

Malware Config

Extracted

Family

pony

C2

http://www.retetethermomix.ro/wp-includes/fonts/fonts.php

http://www.sumterswebdesign.com/wp-content/themes/throttle.php

http://www.schenkdirgesundheit.com/wp-content/plugins/plugins.php

http://youngswanky.com/wp-includes/pomo/com_jumi.php

http://www.savingmummy.com.au/wp-content/upgrade/upgrade.php

http://alejandropawliszyn.com//apweb/wp-adminshortcut.php

http://ankaraotodoseme.org/wp-includes/fonts/fonts.php

http://arabicgermany.com/wp-includes/certificates/88nicholasroberts.php

http://artemis.isolutiontank.com/wp-includes/pomo/i.php

http://beatcancerinms.com//yahoo_site_admin/credentialspierwsza-pomoc.php

http://canyonsdelmaresme.cat/wp-content/languages/languages.php

http://campoflor.com/wp-includes/pomo/Circolari.php

http://cekharga.ariefew.com/wp-includes/certificates/boredbreak.php

http://cekharga.ariefew.com/wp-admin/js/arealsoft2.0.php

http://castleconifer.com/wp-admin/includes/payment.php

http://christcommunitycogic.org/pwksfmaw/klsjdvbss/th-TH.php

http://cinema175.com/ecupidthemovie/contact/contact.php

Targets

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile information.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks