General

  • Target

    e7af4fdafe5f10b873d62f4dda8e59897eed1c4aa7cd8e892a07263b497ebf00

  • Size

    140KB

  • Sample

    221120-h2tf8scc48

  • MD5

    23e665295ad093def96352d1588c685e

  • SHA1

    c3f5ff02d708279a535f5d3182fdd9955a416b4b

  • SHA256

    e7af4fdafe5f10b873d62f4dda8e59897eed1c4aa7cd8e892a07263b497ebf00

  • SHA512

    43f079dddd5302e5b4c8bb0b54cb84a973645825fbdbfb976d60d03576f166b8c96a822bba06452ec47dbcdfd6cfa93a69b5063475e50ef4ace693649c7ec823

  • SSDEEP

    3072:Amy36rmOiyMO+3hKRY2fbU2SEi/neBZBp4DaSd49hO:APKrmJywhKy2fb8EknFTO

Malware Config

Extracted

Family

pony

C2

http://thesavvyplayer.com/images/view.php

http://trueyogateacherblog.com/resp.php

Targets

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks