General

  • Target

    2a1bf6841df23bce75019f018e98defcaed6b2a3ccd9bcf02ddf789d07bdcb84

  • Size

    908KB

  • Sample

    221120-e9mrwabc9t

  • MD5

    14f9fa25b71804de4dfaf92bcadb43a0

  • SHA1

    396f14d8cc047fd197e7bc295f692d6f3367129a

  • SHA256

    2a1bf6841df23bce75019f018e98defcaed6b2a3ccd9bcf02ddf789d07bdcb84

  • SHA512

    0f19058f736e2f049f4e3aefe5f5b76021a294c90c29aed8988307a6ce70049b9f21cf42e4d02af741c1c351d192da3335d867e1c1ee88a7852ff6bac72f589b

  • SSDEEP

    12288:ghkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aLspi8jmZGR6AnSk:oRmJkcoQricOIQxiZY1iaii86m6Xk

Malware Config

Extracted

Family

pony

C2

http://bubzie404.coolpage.biz/gate.php

Targets

    • Target

      2a1bf6841df23bce75019f018e98defcaed6b2a3ccd9bcf02ddf789d07bdcb84

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • UPX packed file

      Detects executables packed with the UPX open source packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks