General

  • Target: f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02
  • Size: 43KB
  • Sample: 221120-hw1ncsca78
  • MD5: 463c1c8d7a6cb35dfc809528baab94a6
  • SHA1: 428f4a7974215b2f3a1459789f18b6299e7fb5c5
  • SHA256: f33ca29027d6921293a118cab8eec15ba9bad918e568f7f1b01a256036472b02
  • SHA512: c6e883acb1094480b68296d4d8a5764519c1edf126d0a25fc4784275b965a92098c5ad2f73a41cb5847a7e15a71c518ef989bbdcf1e6ad597b7112c062e4a55d
  • SSDEEP: 768:dX/hVXegqr9jqmDfTPbRdn1PgUrXSobAL8qPP0KOIITYvGwItYdgmDqTCyN:zVXegqr9jqgfTPbR/PgUbSUAZ3LvI0vC

Malware Config

Extracted

  • Family: pony
  • C2:
    http://149.255.99.32:8080/forum/viewtopic.php
    http://69.163.40.128/forum/viewtopic.php
  • Attributes
    • payload_url:
      http://atualizacoes.issqn.net/FhPD.exe
      http://rampazzo.com.br/mbhyAkQ.exe
      http://homeringer.com/tWEkgm.exe

Targets

    • Pony, Fareit
      Pony is a Remote Access Trojan application that steals information.
    • UPX packed file
      Detects executables packed with UPX or a modified UPX open source packer.
    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs like FileZilla.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Suspicious use of SetThreadContext
