General

  • Target

    bb43be925a1ec51a3bdf5d092e708b363ab115cc3154c6dde3d1680b189d1194

  • Size

    295KB

  • Sample

    221120-e3pynaba5w

  • MD5

    3613a871fcf5487c4e5ff61f36428df0

  • SHA1

    f01fa5ad2522379f175e2d1ee85a5720ba9daf63

  • SHA256

    bb43be925a1ec51a3bdf5d092e708b363ab115cc3154c6dde3d1680b189d1194

  • SHA512

    2b2b30121cb33a3b544553421896095eebb6b0c07a9640ffedc69020b7d2c84feba59aa6bc41639d6b0015645a367e92b0453435a7ca3d9871e722e2e1b58a00

  • SSDEEP

    3072:JM7Avbd58YOtl6S+JwszGd6NSq1/JAQ1+vuMlyruMHSVlp9jlCgptKgPz2x2AoUv:sqzvz7UmvrRsj95CYPz2xPfAOwbZGA

Malware Config

Extracted

Family

pony

C2

http://cyberial-team.xyz/pharell/gate.php

Targets

    • Target

      bb43be925a1ec51a3bdf5d092e708b363ab115cc3154c6dde3d1680b189d1194

    • Size

      295KB

    • MD5

      3613a871fcf5487c4e5ff61f36428df0

    • SHA1

      f01fa5ad2522379f175e2d1ee85a5720ba9daf63

    • SHA256

      bb43be925a1ec51a3bdf5d092e708b363ab115cc3154c6dde3d1680b189d1194

    • SHA512

      2b2b30121cb33a3b544553421896095eebb6b0c07a9640ffedc69020b7d2c84feba59aa6bc41639d6b0015645a367e92b0453435a7ca3d9871e722e2e1b58a00

    • SSDEEP

      3072:JM7Avbd58YOtl6S+JwszGd6NSq1/JAQ1+vuMlyruMHSVlp9jlCgptKgPz2x2AoUv:sqzvz7UmvrRsj95CYPz2xPfAOwbZGA

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks