General

  • Target

    bcd6d9b065433060c49e75cb9d44665a96274fa16cc91e864a9a635174fe69d4

  • Size

    127KB

  • Sample

    221120-jjdthagc6y

  • MD5

    239dfcb51df859ce1427e24eb20587a0

  • SHA1

    2c6b9210ba7ba0b0087ff5169ef093d9970f7556

  • SHA256

    bcd6d9b065433060c49e75cb9d44665a96274fa16cc91e864a9a635174fe69d4

  • SHA512

    840d18958fded2849ab81456b23add95fd90f317f48673dd00bfce0704a77b90add964e72896f9748fec5d3a747dfe04ce3635f24bacf571f646307d1510f287

  • SSDEEP

    1536:QawJYA/uaIF+ujgHgD2VDkkIFlgwFT5III5F8m3N3Plfxu:mJYwuBXjgIUjsl7FT6VFJ3xu

Malware Config

Extracted

Family

pony

C2

http://rolex211.8s.nl/po/gate.php

http://rolex212.8s.nl/po/gate.php

http://rolex213.8s.nl/po/gate.php

Targets

    • Target

      bcd6d9b065433060c49e75cb9d44665a96274fa16cc91e864a9a635174fe69d4

    • Size

      127KB

    • MD5

      239dfcb51df859ce1427e24eb20587a0

    • SHA1

      2c6b9210ba7ba0b0087ff5169ef093d9970f7556

    • SHA256

      bcd6d9b065433060c49e75cb9d44665a96274fa16cc91e864a9a635174fe69d4

    • SHA512

      840d18958fded2849ab81456b23add95fd90f317f48673dd00bfce0704a77b90add964e72896f9748fec5d3a747dfe04ce3635f24bacf571f646307d1510f287

    • SSDEEP

      1536:QawJYA/uaIF+ujgHgD2VDkkIFlgwFT5III5F8m3N3Plfxu:mJYwuBXjgIUjsl7FT6VFJ3xu

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6

Tasks