General

  • Target

    1cece2cb2a8b05a561c5a5f4d032892f6cc82317a769b84a48a98930ecc2703b

  • Size

    88KB

  • Sample

    221120-k98l8sah2s

  • MD5

    13d89810cfb3010ce0af42aac50a8350

  • SHA1

    df28bc2634335b22fb1f82a9f09af5da8e930c7b

  • SHA256

    1cece2cb2a8b05a561c5a5f4d032892f6cc82317a769b84a48a98930ecc2703b

  • SHA512

    ed566cb116fb6e823bba684f443ba37de0c6e3db69108bcbe6544479152fcf986e821da92f3ebee553e712e2ea7ea018dfa9b4e55faca2fc8e4fa9ffdf8487ec

  • SSDEEP

    1536:eyjkpv27h+gFDAxJssDw4M7/U2UyGg6y4lHNzDYFmyG07xOkI6aN6/S:exZYDAxJXsdU2ZG/tLgFmKNo6K

Malware Config

Extracted

Family

pony

C2

http://voladex.pw:36/fix/mark.php

http://bolakes.pw:36/fix/refer.php

http://camtest33.pw:36/fix/symbols.php

Attributes

  • payload_url

    http://camtest3.pw:36/fix/Sonar.exe

Targets

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6