General

  • Target

    8ece18d9b60d85a02aadadcaa170ad92457fcd735cd69059ef685c3de8c387d0

  • Size

    129KB

  • Sample

    221120-j16wlsha6z

  • MD5

    334bbeb43873d5464982389df3821094

  • SHA1

    61a8696cd2d12fe9f7e2eebb9726a168523fcf60

  • SHA256

    8ece18d9b60d85a02aadadcaa170ad92457fcd735cd69059ef685c3de8c387d0

  • SHA512

    fba22afcfc3cae551c883746ba7a507c909d4d4a3a99c0267470bb5ba9638b61bf40129944e6463bdb996d7e89d0868c692ac55820d3fe9c53aaadb9f8522d83

  • SSDEEP

    3072:Klgw177mTmSMyyhOYOfSh2wnebvS8wTyoaii:KdwknZq82+/hyH

Malware Config

Extracted

Family

pony

C2

http://62.173.139.212/forum/gate.php

Targets

    • Pony, Fareit

      Pony (also known as Fareit) is a Remote Access Trojan that steals information.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks