General

  • Target

    6eda4ea2aa80583fee205dd4fbe964b44799c018ded9013770dddae5f6793482

  • Size

    91KB

  • Sample

    221120-e3vtxafg28

  • MD5

    2e9c5e9d5c339eed7c7b3dcd29355f10

  • SHA1

    e6ca4658d49e22d783b3c03b1d17b636eea8f1d8

  • SHA256

    6eda4ea2aa80583fee205dd4fbe964b44799c018ded9013770dddae5f6793482

  • SHA512

    49166ca40d0f60ae642725d3c73551c5231c785c4fda0e4fb177333c4222728eb2741b127b4d5dad4a3f2955e3e03d2bf9580eee0263230f156e0995c4bab318

  • SSDEEP

    1536:D/2wfYp5g1ich3s4c7S7XnHUcd19kTZ6rWYZm5fKylYeeeeeeMeeeeeeH/C:D/0g1iijcQkc39k96rRZUnf

Malware Config

Extracted

Family

pony

C2

http://leksto.info:1757/pic/fly.php

http://yoples.info:1757/pic/fly.php

Targets

    • Target

      6eda4ea2aa80583fee205dd4fbe964b44799c018ded9013770dddae5f6793482

    • Size

      91KB

    • MD5

      2e9c5e9d5c339eed7c7b3dcd29355f10

    • SHA1

      e6ca4658d49e22d783b3c03b1d17b636eea8f1d8

    • SHA256

      6eda4ea2aa80583fee205dd4fbe964b44799c018ded9013770dddae5f6793482

    • SHA512

      49166ca40d0f60ae642725d3c73551c5231c785c4fda0e4fb177333c4222728eb2741b127b4d5dad4a3f2955e3e03d2bf9580eee0263230f156e0995c4bab318

    • SSDEEP

      1536:D/2wfYp5g1ich3s4c7S7XnHUcd19kTZ6rWYZm5fKylYeeeeeeMeeeeeeH/C:D/0g1iijcQkc39k96rRZUnf

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Drops file in Drivers directory

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks