General

  • Target

    5e6207cf1bf0fbe1fc7e9ce929a87be740998704539a3450dc5da76298bac2b2

  • Size

    134KB

  • Sample

    221120-kkr8yshh2t

  • MD5

    03d80087b2482eeddcca6d6500e70663

  • SHA1

    e83e0d5482c80fcac66f2fb0f5fb7f84132456e3

  • SHA256

    5e6207cf1bf0fbe1fc7e9ce929a87be740998704539a3450dc5da76298bac2b2

  • SHA512

    1a7ab05e7129c0245f508aead14b2f1bfc537d896ce2b4b9a2426986a0ff98c2911b13e3ed7243bea176c2adad1f9e6a79c7630b5c8190a1b4f6fa573ecf8e9a

  • SSDEEP

    3072:RPY1lfhVh2eewf2CaY1qPR9k5c5Jdd/jCi:GCebaRhjn

Malware Config

Extracted

Family

pony

C2

http://212.58.20.11:8080/pony/gate.php

http://66.175.220.109/pony/gate.php

Attributes

  • payload_url

    http://fatihfiliz.com.tr/HjcqX.exe

    http://www.admirals.ae/j3fwjN.exe

Targets

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks