General

  • Target

    d87eb569d15328e9ebc48109ed9ce0956b7e6dceaa963c964647213ee9826d2e

  • Size

    231KB

  • Sample

    221119-g6d2nsgf68

  • MD5

    2a6999c8be836daa0fcc52937dcc7330

  • SHA1

    e04829653c3670017c52db367cb696598381a0ab

  • SHA256

    d87eb569d15328e9ebc48109ed9ce0956b7e6dceaa963c964647213ee9826d2e

  • SHA512

    0676fd15619af1e0e9b8c3982f383455558c6fedb03291c8966916c094a2e7e7a2a24aec1f439cef26cc541cb97bdf892ecce2fad94b88170e47f6a58cb6e090

  • SSDEEP

    6144:YC3l1rxIxl+cE5x6+4ElQMkJeR4fkJFqcZ5KKLGO:YCXrxICcG6ZRKQirgs

Malware Config

Extracted

Family

pony

C2

http://prestigecarstorage.com.au/wp-includes/Text/Text.php

http://mcmamina.cz/media/plg_quickicon_joomlaupdate/plg_quickicon_joomlaupdate.php

http://buyseoplan.com/wp-admin/includes/includes.php

http://letssaidiana.com/wp-admin/user/user.php

http://kenyadivas.com/media/editors/editors.php

http://keithgerchak.com/wp-admin/css/css.php

http://binarycashbackdaily.com/wp-admin/maint/maint.php

http://apexsitesolutions.com/main/wp-admin/mod_html.php

http://employerservice.net/wp-includes/theme-compat/theme-compat.php

http://hmb.com.au/wp-admin/images/images.php

http://denver-computer-repairs.com/wordpress2/wp-includes/fckeditor.php

http://hatmandoo.co.uk/cache/mod_menu/mod_menu.php

http://wizjafotografii.pl/wp-content/languages/languages.php

http://steve1der.com/wp-includes/css/css.php

http://elicense.studio98test.com/wp-content/themes/Action.php

http://resiteing.com/wp-content/ID3.php

http://mimembership.com/plugins/authentication/authentication.php

http://stephenvrichardson.com/wp-includes/css/css.php

http://mycasablancaflowers.com/wp-includes/js/js.php

http://staciriordan.com/wp-includes/images/images.php
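The C2 list above is the most directly usable part of this report: Pony's panel gates are almost always PHP files planted in compromised WordPress or Joomla installs, and 16 of the 20 URLs here are a file named after its parent directory (css/css.php, editors/editors.php, mod_menu/mod_menu.php). The following script is an added example, not part of the sandbox report or the Pony sample: it indexes the extracted gates, then scans constructed proxy log lines (the "ts client method url status" format is assumed, and example.org / example.com are placeholder hosts) for exact gate hits, other traffic to the same compromised hosts, and unknown URLs that have the gate shape.

```python
import re
from urllib.parse import urlsplit

# C2 gate URLs copied from the extracted Pony config above.
PONY_C2 = [
    "http://prestigecarstorage.com.au/wp-includes/Text/Text.php",
    "http://mcmamina.cz/media/plg_quickicon_joomlaupdate/plg_quickicon_joomlaupdate.php",
    "http://buyseoplan.com/wp-admin/includes/includes.php",
    "http://letssaidiana.com/wp-admin/user/user.php",
    "http://kenyadivas.com/media/editors/editors.php",
    "http://keithgerchak.com/wp-admin/css/css.php",
    "http://binarycashbackdaily.com/wp-admin/maint/maint.php",
    "http://apexsitesolutions.com/main/wp-admin/mod_html.php",
    "http://employerservice.net/wp-includes/theme-compat/theme-compat.php",
    "http://hmb.com.au/wp-admin/images/images.php",
    "http://denver-computer-repairs.com/wordpress2/wp-includes/fckeditor.php",
    "http://hatmandoo.co.uk/cache/mod_menu/mod_menu.php",
    "http://wizjafotografii.pl/wp-content/languages/languages.php",
    "http://steve1der.com/wp-includes/css/css.php",
    "http://elicense.studio98test.com/wp-content/themes/Action.php",
    "http://resiteing.com/wp-content/ID3.php",
    "http://mimembership.com/plugins/authentication/authentication.php",
    "http://stephenvrichardson.com/wp-includes/css/css.php",
    "http://mycasablancaflowers.com/wp-includes/js/js.php",
    "http://staciriordan.com/wp-includes/images/images.php",
]

# Gate shape seen in this config: a PHP file named after its parent directory,
# somewhere under a WordPress/Joomla directory. Used to flag hosts that are not
# (yet) in the extracted list.
GATE_SHAPE = re.compile(
    r"/(?:wp-(?:admin|content|includes)|media|plugins|cache)/(?:[^/]+/)*([^/]+)/\1\.php$"
)


def index_c2(urls):
    """Return (set of hosts, set of (host, path)) with host names lower-cased."""
    hosts, exact = set(), set()
    for u in urls:
        p = urlsplit(u)
        host = p.hostname.lower()
        hosts.add(host)
        exact.add((host, p.path))
    return hosts, exact


def gate_shaped(urls):
    """Subset of urls whose path has the dir/dir.php gate shape."""
    return [u for u in urls if GATE_SHAPE.search(urlsplit(u).path)]


def classify(url, hosts, exact):
    """Strongest reason a requested URL is suspicious, or None.

    Query strings are ignored on purpose: the gate is identified by host+path.
    """
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if (host, p.path) in exact:
        return "exact_c2"       # a known gate from this sample's config
    if host in hosts:
        return "c2_host"        # same compromised site, different path
    if GATE_SHAPE.search(p.path):
        return "gate_shape"     # unknown host, but looks like a Pony gate
    return None


def scan_log(lines, urls=PONY_C2):
    """Scan 'ts client method url status' proxy lines and return hits in order."""
    hosts, exact = index_c2(urls)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, method, url, status = parts
        reason = classify(url, hosts, exact)
        if reason:
            hits.append({"ts": ts, "client": client, "method": method,
                         "url": url, "status": status, "reason": reason})
    return hits


# Constructed proxy log lines for the demo; not real traffic. Pony reports to
# its gate with an HTTP POST, so POSTs to these paths are the strongest signal.
SAMPLE_LOG = [
    "2022-11-19T10:00:01Z 10.0.0.5 POST http://kenyadivas.com/media/editors/editors.php 200",
    "2022-11-19T10:00:02Z 10.0.0.5 GET http://kenyadivas.com/ 200",
    "2022-11-19T10:00:03Z 10.0.0.7 POST http://example.org/wp-includes/widgets/widgets.php 200",
    "2022-11-19T10:00:04Z 10.0.0.8 GET http://example.com/wp-content/themes/twentytwenty/style.css 200",
    "2022-11-19T10:00:05Z 10.0.0.9 POST http://apexsitesolutions.com/main/wp-admin/mod_html.php 404",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} {h['method']:4} {h['reason']:10} {h['url']}")
```

Two caveats when turning this into a production rule: every host in the list is a legitimate site that was compromised to host the gate, so block the exact path (or alert on the POST) rather than sinkholing the whole domain, and the list reflects this sample's embedded config at analysis time; the sites may have been cleaned since, and other Pony builds carry different gates.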

Targets

    • Target

      d87eb569d15328e9ebc48109ed9ce0956b7e6dceaa963c964647213ee9826d2e

    • Size

      231KB

    • MD5

      2a6999c8be836daa0fcc52937dcc7330

    • SHA1

      e04829653c3670017c52db367cb696598381a0ab

    • SHA256

      d87eb569d15328e9ebc48109ed9ce0956b7e6dceaa963c964647213ee9826d2e

    • SHA512

      0676fd15619af1e0e9b8c3982f383455558c6fedb03291c8966916c094a2e7e7a2a24aec1f439cef26cc541cb97bdf892ecce2fad94b88170e47f6a58cb6e090

    • SSDEEP

      6144:YC3l1rxIxl+cE5x6+4ElQMkJeR4fkJFqcZ5KKLGO:YCXrxICcG6ZRKQirgs

    • Pony,Fareit

      Pony (also tracked as Fareit) is a credential-stealing trojan: it harvests saved passwords from FTP clients, browsers, e-mail clients and cryptocurrency wallets, posts them to a PHP gate on a compromised web server, and can also download and run additional payloads.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers target the browser profile directory, which holds saved logins, cookies and autofill data.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

      Outlook account settings, including stored mail-server credentials, live under the user's profile keys in the registry; reading them is how Pony recovers e-mail passwords.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects another thread's execution; outside debuggers it is typically the final step of process hollowing or code injection, where the entry point of a suspended process is pointed at injected code.

MITRE ATT&CK Enterprise v6

Tasks