General

  • Target

    466f4fc20529fe44f51712ab3e240fb6eea8364f9681b9401fe1a2a6143a3670

  • Size

    96KB

  • Sample

    221120-kvyhqaab9z

  • MD5

    1a815033c5585d52ceba699e97322091

  • SHA1

    9baa5ed9cc804c11ebc75149bba4f26470a1f9d6

  • SHA256

    466f4fc20529fe44f51712ab3e240fb6eea8364f9681b9401fe1a2a6143a3670

  • SHA512

    42616111974ff5eddd2c91b0c75ab76ef69a709053d8c8d03b9d0132f0d177e1374cadd32ef237bd11313d8f572a335111f05b5315a98a7cae9898dd8a9b4251

  • SSDEEP

    1536:DiyeavfWjVejG2BRGgfG4iKBNJzmcgnPKlok7QQEeV1nnXw4EQktN+2TQNt3kO5k:DxXaVsPfvuBImXKdpEeV1XwNjxO55+sY

Malware Config

Extracted

Family

pony

C2

http://sidoshka.pw:571/fix/update.php

http://noopparty.pw:571/fix/update.php

http://aa.shell.la/rapid/poh/689
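The three gate URLs above are the most actionable indicators in this report. The following is an added example, not code from the sandbox or from the report, that turns them into (host, port, path) indicators and sweeps constructed proxy log lines for them, rating an exact hit on a gate URL higher than a contact with just the host. The log layout ("ts client method url status") and the log lines are constructed for the example; the URLs and SHA256 are the report's own.

```python
"""Added example: sweep constructed proxy log lines for the C2 indicators
extracted from this sample. Not code from the sandbox or the report."""
import hashlib
from urllib.parse import urlparse

# The three gate URLs from the extracted Pony config (from the report).
C2_URLS = [
    "http://sidoshka.pw:571/fix/update.php",
    "http://noopparty.pw:571/fix/update.php",
    "http://aa.shell.la/rapid/poh/689",
]
SAMPLE_SHA256 = "466f4fc20529fe44f51712ab3e240fb6eea8364f9681b9401fe1a2a6143a3670"


def c2_indicators(urls):
    """Break each gate URL into (host, port, path) so a contact with the
    exact gate and a contact with just the host can be rated separately."""
    indicators = []
    for u in urls:
        p = urlparse(u)
        indicators.append((p.hostname.lower(), p.port or 80, p.path))
    return indicators


def classify(line, indicators):
    """Rate one proxy log line against the indicators.

    Returns (severity, reason, client, url) or None. Matching is on the
    parsed hostname, never on substrings, so 'notsidoshka.pw' is not a hit.
    """
    fields = line.split()
    if len(fields) < 5:
        return None
    _ts, client, method, url, _status = fields[:5]
    p = urlparse(url)
    host, port, path = (p.hostname or "").lower(), p.port or 80, p.path
    for ihost, iport, ipath in indicators:
        if host != ihost:
            continue
        if port == iport and path == ipath:
            # Pony reports harvested credentials with an HTTP POST to its
            # gate, so a request to the full gate URL is the strongest signal.
            return ("high", f"{method} to C2 gate URL", client, url)
        return ("medium", "contact with C2 host", client, url)
    return None


def scan_proxy_log(lines, indicators):
    """All lines that match any indicator, in log order."""
    return [hit for hit in (classify(l, indicators) for l in lines) if hit]


def is_known_sample(data: bytes) -> bool:
    """True if a file's bytes hash to the SHA256 listed in the report."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


# Constructed log lines (not real traffic) in a simplified
# "ts client method url status" layout.
LOG_LINES = [
    "2022-11-20T10:00:01Z 10.0.0.15 POST http://sidoshka.pw:571/fix/update.php 200",
    "2022-11-20T10:00:02Z 10.0.0.15 GET http://aa.shell.la/rapid/poh/689 200",
    "2022-11-20T10:00:03Z 10.0.0.22 GET http://example.com/index.html 200",
    "2022-11-20T10:00:04Z 10.0.0.31 GET http://noopparty.pw:571/ 404",
    "2022-11-20T10:00:05Z 10.0.0.40 GET http://notsidoshka.pw/fix/update.php 200",
]

if __name__ == "__main__":
    for sev, reason, client, url in scan_proxy_log(LOG_LINES, c2_indicators(C2_URLS)):
        print(f"[{sev}] {client} {reason}: {url}")
```

Match on the parsed hostname rather than with a substring search: the fourth constructed line shows why, since a look-alike domain carrying the same /fix/update.php path must not produce a hit, while a bare request to a gate host on port 571 is still worth a medium-severity alert.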

Targets

    • Pony, Fareit

      Pony (also tracked as Fareit) is an information stealer rather than a remote-access tool: it harvests stored credentials from FTP clients, browsers and other applications and submits them to its C2 gate.

    • UPX packed file

      The executable is packed with UPX or a modified build of the open-source UPX packer; strings and imports are only visible after unpacking.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely to geofence execution.

    • Deletes itself

    • Reads data files stored by FTP clients

      Accesses configuration files of FTP clients such as FileZilla, which hold saved server credentials.

    • Reads user/profile data of web browsers

      Reads stored browser profile data, which can include saved credentials and similar sensitive data that infostealers target.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Enumerates installed software by reading the Uninstall key entries in the registry.

    • Suspicious use of SetThreadContext
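The behaviours listed above are individually common (explorer.exe reads the Uninstall key too), so a host-side detection should score their combination per process. The following is an added example, not part of the sandbox report, that does this over constructed EDR-style events. The event schema, the process images, and the exact registry keys and file paths used for each behaviour are this example's assumptions; the report itself names only FileZilla and the Uninstall key.

```python
"""Added example: score constructed host telemetry against the behaviours the
report lists for this sample. Event schema and paths are assumptions."""
import re
from collections import defaultdict

# (behaviour name from the report, event type, pattern over the event target).
# The registry keys and file paths are assumptions about what each sandbox
# signature checks, not something the report states.
BEHAVIOURS = [
    ("checks_computer_location", "reg_read",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("checks_installed_software", "reg_read",
     re.compile(r"\\Windows\\CurrentVersion\\Uninstall\\", re.I)),
    ("reads_ftp_client_data", "file_read",
     re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)),
    ("reads_browser_profile_data", "file_read",
     re.compile(r"\\(Login Data|logins\.json|key4\.db)$", re.I)),
    ("accesses_cryptocurrency_wallets", "file_read",
     re.compile(r"\\wallet\.dat$", re.I)),
    ("suspicious_SetThreadContext", "api_call",
     re.compile(r"^SetThreadContext$")),
]


def behaviours_for(event):
    """Return the set of report behaviours a single event matches."""
    hits = set()
    for name, etype, pattern in BEHAVIOURS:
        if event["type"] == etype and pattern.search(event["target"]):
            hits.add(name)
    # "Deletes itself": a delete whose target is the process's own image.
    if event["type"] == "file_delete" and event["target"].lower() == event["image"].lower():
        hits.add("deletes_itself")
    return hits


def score_processes(events):
    """Aggregate the distinct matched behaviours per (pid, image)."""
    per_proc = defaultdict(set)
    for ev in events:
        per_proc[(ev["pid"], ev["image"])] |= behaviours_for(ev)
    return per_proc


def flag(events, min_behaviours=3):
    """Processes showing at least min_behaviours distinct stealer behaviours."""
    return {k: sorted(v) for k, v in score_processes(events).items()
            if len(v) >= min_behaviours}


# Constructed telemetry (not from the sandbox run): one stealer-like process
# and one benign process that happens to read the Uninstall key.
STEALER = r"C:\Users\alice\AppData\Local\Temp\invoice.exe"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    {"pid": 4120, "image": STEALER, "type": "reg_read",
     "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"pid": 4120, "image": STEALER, "type": "reg_read",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 4120, "image": STEALER, "type": "file_read",
     "target": r"C:\Users\alice\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 4120, "image": STEALER, "type": "file_read",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4120, "image": STEALER, "type": "api_call", "target": "SetThreadContext"},
    {"pid": 4120, "image": STEALER, "type": "file_delete", "target": STEALER},
    {"pid": 900, "image": EXPLORER, "type": "reg_read",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"pid": 900, "image": EXPLORER, "type": "file_delete",
     "target": r"C:\Users\alice\Desktop\old.txt"},
]

if __name__ == "__main__":
    for (pid, image), names in flag(EVENTS).items():
        print(pid, image, ", ".join(names))
```

The threshold is the tuning knob: a single Uninstall-key read or a single SetThreadContext call is routine, but one process that reads locale settings, enumerates software, touches FileZilla and browser credential stores, and then deletes its own image matches the profile this report describes closely enough to alert on.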
