General

  • Target

    66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c

  • Size

    81KB

  • Sample

    221120-kgjseahf8x

  • MD5

    1535bd3f07b9163e3f8c1105318e4fa0

  • SHA1

    bd6a3c48c57af869ab047d677b2e12623da2b2cf

  • SHA256

    66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c

  • SHA512

    d7388ec2678bc18ba54b580611898d7d7f433c7396d6bd81f51aeabfc53e530b1826593554204def38f1242c301badc5d064d9e61451d1b52fffe48572b7c5d5

  • SSDEEP

    1536:BpAe/akMDYbcHmCPEY1Bh6OGYtl2ajXLB0M/3kIhG496yUBx7Vx1Q:BpAe/akMlmXYfgXYtxDmk3dhp2x7zy

Malware Config

Extracted

Family

pony

C2

http://voladex.pw:36/fix/mark.php

http://bolakes.pw:36/fix/refer.php

http://camtest33.pw:36/fix/symbols.php

Attributes
  • payload_url

    http://camtest3.pw:36/fix/Sonar.exe
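
The config above gives three HTTP gates on a non-standard port (36) plus a second-stage download URL. The script below is an added example, not part of this report or of any sandbox tooling: it turns the extracted config into blockable indicators (domains, host:port pairs, paths, full URLs) and runs them over a few constructed proxy log lines, grading each hit by how much of the indicator matched. Note that the payload host (camtest3.pw) differs from the third gate (camtest33.pw) as extracted, so both are kept as indicators rather than "corrected".

```python
from urllib.parse import urlsplit

# Pony config exactly as extracted on this page: three C2 gates plus the second-stage payload URL.
PONY_CONFIG = {
    "family": "pony",
    "c2": [
        "http://voladex.pw:36/fix/mark.php",
        "http://bolakes.pw:36/fix/refer.php",
        "http://camtest33.pw:36/fix/symbols.php",
    ],
    "payload_url": "http://camtest3.pw:36/fix/Sonar.exe",
}


def config_to_iocs(cfg):
    """Turn the extracted config into blockable indicators.

    The payload host is included even though it is not a C2 gate: the
    downloader fetches its second stage from it, so it must be blocked too.
    """
    iocs = {"domains": set(), "hostports": set(), "paths": set(), "urls": set()}
    for url in cfg["c2"] + [cfg["payload_url"]]:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        iocs["domains"].add(parts.hostname)
        iocs["hostports"].add(f"{parts.hostname}:{port}")
        iocs["paths"].add(parts.path)
        iocs["urls"].add(url)
    return iocs


# Constructed proxy log lines (not from the report): client method host port path status
PROXY_LOG = [
    "10.0.0.7 POST voladex.pw 36 /fix/mark.php 200",
    "10.0.0.7 GET camtest3.pw 36 /fix/Sonar.exe 200",
    "10.0.0.9 GET www.example.com 443 /index.html 200",
    "10.0.0.12 POST bolakes.pw 80 /fix/refer.php 404",
    "10.0.0.15 GET cdn.example.net 80 /fix/mark.php 200",
]


def scan_proxy_log(lines, iocs):
    """Return (client, host:port+path, confidence) for every line touching an indicator."""
    hits = []
    for line in lines:
        client, method, host, port, path, status = line.split()
        hostport = f"{host}:{port}"
        if hostport in iocs["hostports"] and path in iocs["paths"]:
            confidence = "high"    # exact gate or payload endpoint
        elif host in iocs["domains"]:
            confidence = "medium"  # known-bad host on another port/path (rotated config?)
        elif path in iocs["paths"]:
            confidence = "low"     # path alone is weak evidence; /fix/mark.php is not unique
        else:
            continue
        hits.append((client, hostport + path, confidence))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG, config_to_iocs(PONY_CONFIG)):
        print(*hit)
```

Blocking on host:port rather than on full URL is deliberate: Pony operators rotate the gate script name far more often than the hosting domain, so a domain-level block on the same port survives a config rebuild that a URL match would miss.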

Targets

    • Target

      66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c

    • Size

      81KB

    • MD5

      1535bd3f07b9163e3f8c1105318e4fa0

    • SHA1

      bd6a3c48c57af869ab047d677b2e12623da2b2cf

    • SHA256

      66bbb2e124048686d43b228b95f972bb760eb04c44bde9f43234f47152673d4c

    • SHA512

      d7388ec2678bc18ba54b580611898d7d7f433c7396d6bd81f51aeabfc53e530b1826593554204def38f1242c301badc5d064d9e61451d1b52fffe48572b7c5d5

    • SSDEEP

      1536:BpAe/akMDYbcHmCPEY1Bh6OGYtl2ajXLB0M/3kIhG496yUBx7Vx1Q:BpAe/akMlmXYfgXYtxDmk3dhp2x7zy

    • Pony,Fareit

      Pony (also tracked as Fareit) is a credential-stealing trojan with a built-in downloader rather than a true remote-access tool: it harvests saved credentials from web browsers, FTP/SFTP clients, e-mail clients and cryptocurrency wallets, posts them to the gate URLs in its config, and can then fetch and execute a second-stage payload such as the payload_url listed above.

    • Checks computer location settings

      Reads the locale/country code configured in the registry, a check commonly used to geofence execution (for example, to bail out on systems in particular countries).

    • Deletes itself

      Removes its own executable from disk after running, which hinders recovery of the original sample from the infected host.

    • Reads data files stored by FTP clients

      Tries to access configuration files of FTP clients such as FileZilla (sitemanager.xml and recentservers.xml, which hold saved server logins).

    • Reads user/profile data of web browsers

      Browser profile directories hold saved logins, cookies and autofill data, all of which infostealers harvest.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      Looks for wallet files (for example Bitcoin Core's wallet.dat) that can be exfiltrated and attacked offline.

    • Checks installed software on the system

      Enumerates the Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to list installed software, which for a stealer doubles as a map of which credential stores are present.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is the step in process hollowing where the entry point of a suspended child process is redirected to injected code before the thread is resumed; legitimate software rarely does this to a foreign process.
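
The signatures above describe a behaviour chain: a locale check, software enumeration, reads of FTP, browser and wallet credential stores, a SetThreadContext-based injection, and self-deletion. The script below is an added example, not the sandbox's own signature engine: it scores constructed endpoint telemetry (the event names, the pid|event|target line format and the paths are assumptions modelled on Sysmon-style logging) against that chain, and flags the CreateProcess-suspended, WriteProcessMemory, SetThreadContext, ResumeThread sequence as process hollowing only when it arrives in order against the same child process.

```python
from collections import defaultdict

# Path fragments for the credential stores named in the signatures above.
# Matching is case-insensitive on the full path; the lists are illustrative, not exhaustive.
CREDENTIAL_STORES = {
    "ftp": ("\\filezilla\\sitemanager.xml", "\\filezilla\\recentservers.xml", "\\winscp.ini"),
    "browser": ("\\login data", "\\logins.json", "\\signons.sqlite", "\\key4.db"),
    "wallet": ("\\wallet.dat", "\\electrum\\wallets\\"),
}
GEOFENCE_KEYS = ("\\control panel\\international",)
SOFTWARE_ENUM_KEYS = ("\\currentversion\\uninstall",)
# Injection APIs in the order process hollowing uses them against one child process.
HOLLOWING_SEQUENCE = ("CreateProcessSuspended", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

# Constructed telemetry (assumed format, not from the report): pid|event|target per line.
SAMPLE_EVENTS = r"""
4012|RegQueryValue|HKCU\Control Panel\International\Locale
4012|RegEnumKey|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
4012|FileRead|C:\Users\u\AppData\Roaming\FileZilla\sitemanager.xml
4012|FileRead|C:\Users\u\AppData\Roaming\FileZilla\recentservers.xml
4012|FileRead|C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data
4012|FileRead|C:\Users\u\AppData\Roaming\Bitcoin\wallet.dat
4012|CreateProcessSuspended|4220
4012|WriteProcessMemory|4220
4012|SetThreadContext|4220
4012|ResumeThread|4220
4012|FileDeleteSelf|C:\Users\u\AppData\Local\Temp\sample.exe
5100|FileRead|C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data
5100|SetThreadContext|5100
"""


def parse_events(text):
    """Parse 'pid|event|target' lines into (pid, event, target) tuples."""
    events = []
    for line in text.strip().splitlines():
        pid, event, target = line.split("|", 2)
        events.append((int(pid), event, target))
    return events


def triage(events):
    """Score each process against the Pony behaviour chain and detect hollowing."""
    state = defaultdict(lambda: {
        "stores": set(), "geofence": False, "sw_enum": False,
        "self_delete": False, "hollowed": set(), "seq": defaultdict(list),
    })
    for pid, event, target in events:
        rec = state[pid]
        low = target.lower()
        if event == "FileRead":
            for store, needles in CREDENTIAL_STORES.items():
                if any(n in low for n in needles):
                    rec["stores"].add(store)
        elif event in ("RegQueryValue", "RegEnumKey"):
            rec["geofence"] |= any(k in low for k in GEOFENCE_KEYS)
            rec["sw_enum"] |= any(k in low for k in SOFTWARE_ENUM_KEYS)
        elif event == "FileDeleteSelf":
            rec["self_delete"] = True
        elif event in HOLLOWING_SEQUENCE:
            # Advance the per-child sequence only when the API arrives in the expected order;
            # a lone SetThreadContext (a debugger, or a process touching itself) does not count.
            seq = rec["seq"][target]
            if len(seq) < len(HOLLOWING_SEQUENCE) and event == HOLLOWING_SEQUENCE[len(seq)]:
                seq.append(event)
                if len(seq) == len(HOLLOWING_SEQUENCE):
                    rec["hollowed"].add(int(target))

    results = {}
    for pid, rec in state.items():
        score = (len(rec["stores"]) + rec["geofence"] + rec["sw_enum"]
                 + rec["self_delete"] + 2 * bool(rec["hollowed"]))
        if len(rec["stores"]) >= 2:
            verdict = "infostealer"   # reads more than one unrelated credential store
        elif score >= 2:
            verdict = "suspicious"
        else:
            verdict = "unremarkable"
        results[pid] = {
            "stores": sorted(rec["stores"]), "geofence": rec["geofence"],
            "sw_enum": rec["sw_enum"], "self_delete": rec["self_delete"],
            "hollowed": sorted(rec["hollowed"]), "score": score, "verdict": verdict,
        }
    return results


if __name__ == "__main__":
    for pid, r in triage(parse_events(SAMPLE_EVENTS)).items():
        print(pid, r["verdict"], r)
```

The point of the ordered-sequence check is precision: a single SetThreadContext call is not proof of injection, but the full create-suspended, write, set-context, resume chain against one child is hard to explain any other way, which is why the sandbox flags the API as "suspicious" rather than as a verdict on its own.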
