General

  • Target

    fe6151600f1a12d2d48ed26e24ebd704bf42902eb9dbcda8a39f2ffd2ba72e1e

  • Size

    66KB

  • Sample

    221120-hraalsfb5t

  • MD5

    2fcc0c2c0e104475700580e913133a48

  • SHA1

    930bae36f572962604386b9a08a97e6f1fd89af9

  • SHA256

    fe6151600f1a12d2d48ed26e24ebd704bf42902eb9dbcda8a39f2ffd2ba72e1e

  • SHA512

    afb3327dd2676bd1b945b9f7955c27d5b6d6739c3dafd5388a7314cbc124b93c5799e6b8a2dd7b43edb4d8592469393e1ed42ffb40c8a39b6fe0a30831cb28d2

  • SSDEEP

    768:ZP60Z4VLiWjC9Iot1c5nZfHMY5/scnpWoDhTab0AC1qh+6Zvtid6U:YVL/Bote5dP3hTVA95tmd

Malware Config

Extracted

Family

pony

C2

http://fzqan.ru/

http://omkaa.su/

Targets

    • Target

      fe6151600f1a12d2d48ed26e24ebd704bf42902eb9dbcda8a39f2ffd2ba72e1e

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks