General

  • Target

    a95f0d60655dafec873557ff84f211eebea9c0a79db61db3e83e50bb24e6e244

  • Size

    128KB

  • Sample

    221120-jq7p6adc72

  • MD5

    3241ea69df9807a5962a3947ee29bffc

  • SHA1

    ac7d9428bbacaca3c15bdadfb6277e652438f14a

  • SHA256

    a95f0d60655dafec873557ff84f211eebea9c0a79db61db3e83e50bb24e6e244

  • SHA512

    2b48fbac80bc36bb56a5e778cb679102dfdf9ddc2ac6006e1ea49758ddab165e1fe278ba80ff924b869bb34b444e0b29a8b9ebb0f3a8faac9637f3855be8ed34

  • SSDEEP

    3072:g+BPUmdGEuel/LoAewkPG03L9ez2KkLD:aWG8MyC1Bg0

Malware Config

Extracted

Family

pony

C2

http://forum-voip.net:8080/ponyb/gate.php

http://paralysiesfaciale.com:8080/ponyb/gate.php

http://paralysiesfaciales.com:8080/ponyb/gate.php

http://shop.smsmpi.com:8080/ponyb/gate.php

Attributes
  • payload_url

    http://www.institutoargentinoliverpool.com/0kUrUUfS.exe

    http://www.absolution.hu/bLnstUD.exe

    http://labs-srl.it/enTyvkm0.exe

    http://treslok.com/ixq.exe

    http://develop.itarhelp.com/jv5e5.exe

    http://betulerisgen.com/i5tAJk.exe

    http://komalwedsjayesh.com/ny0yYH39.exe

    http://mygamingwear.com/TKuJj.exe

    http://aduro.si/x8ak.exe

    http://maxtron-servicecenter.com/XJ0R.exe

Targets

    • Target

      a95f0d60655dafec873557ff84f211eebea9c0a79db61db3e83e50bb24e6e244

    • Size

      128KB

    • MD5

      3241ea69df9807a5962a3947ee29bffc

    • SHA1

      ac7d9428bbacaca3c15bdadfb6277e652438f14a

    • SHA256

      a95f0d60655dafec873557ff84f211eebea9c0a79db61db3e83e50bb24e6e244

    • SHA512

      2b48fbac80bc36bb56a5e778cb679102dfdf9ddc2ac6006e1ea49758ddab165e1fe278ba80ff924b869bb34b444e0b29a8b9ebb0f3a8faac9637f3855be8ed34

    • SSDEEP

      3072:g+BPUmdGEuel/LoAewkPG03L9ez2KkLD:aWG8MyC1Bg0

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks