General

  • Target

    94d4a6254deb2682a900f05d6fe81284750882bd3e68a1ca09f346ad86d994ce

  • Size

    241KB

  • Sample

    221120-enjhbsad3t

  • MD5

    02af096d6c0cba4819acca17991657c0

  • SHA1

    e1c5b90e0343ba9ef514ff87b18cc4e4a17d95ad

  • SHA256

    94d4a6254deb2682a900f05d6fe81284750882bd3e68a1ca09f346ad86d994ce

  • SHA512

    73ca6ad8d0585327cab2ae8d8f6d35157fe7f00b6db8b81f1d67dffb54048f584ff8622cbd6c7e38419e8a6e8af653b3b03fee04ba8a47792c3eeaccc2b1269d

  • SSDEEP

    3072:Ey1ic1SdQkWGuZSpsMJF0DqdNRLjYb7Zq87vXu3apAfZ9FVkMnVSRNCmxJCd/OuD:bidN73IZDDUaYIZ3kbr3mp

Malware Config

Extracted

Family

pony

C2

http://westuae.com/csc/update/kudi/gate.php

Attributes

  • payload_url

    http://westuae.com/csc/update/kudi/micro.exe

Targets

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks