General

  • Target

    d7fc0dddf324798e8a41466c6518b3d82acff8a72ee3b0a83cd893a19bf74bae

  • Size

    130KB

  • Sample

    221119-g6hd4acg7y

  • MD5

    0015330391a97cc20659ef5c82f2f6e1

  • SHA1

    862b678b4b6076e66db04875832e138f0f505727

  • SHA256

    d7fc0dddf324798e8a41466c6518b3d82acff8a72ee3b0a83cd893a19bf74bae

  • SHA512

    45e0af42da640a55d201a61ce13d565699271b296e72cbcc7aee35cc936f82dff2c83612137653554f205d888cd1aa8f461845da2167a846288b7f592d7305b7

  • SSDEEP

    3072:xKNDp1vsRM6VVIvSEYu2Zalh8PRzGTCZowbF9Jtr:ENF1Zq4j2Aj8ZaCZowZX

Malware Config

Extracted

Family

pony

C2

http://stareanatiunii.com:8080/pony/gate.php

http://173.83.251.73:8080/pony/gate.php

Attributes

  • payload_url

    http://umitayna.com/U3iKpN.exe

Targets

    • Target

      d7fc0dddf324798e8a41466c6518b3d82acff8a72ee3b0a83cd893a19bf74bae

    • Size

      130KB

    • MD5

      0015330391a97cc20659ef5c82f2f6e1

    • SHA1

      862b678b4b6076e66db04875832e138f0f505727

    • SHA256

      d7fc0dddf324798e8a41466c6518b3d82acff8a72ee3b0a83cd893a19bf74bae

    • SHA512

      45e0af42da640a55d201a61ce13d565699271b296e72cbcc7aee35cc936f82dff2c83612137653554f205d888cd1aa8f461845da2167a846288b7f592d7305b7

    • SSDEEP

      3072:xKNDp1vsRM6VVIvSEYu2Zalh8PRzGTCZowbF9Jtr:ENF1Zq4j2Aj8ZaCZowZX

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive material.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks