General

  • Target

    1a3b3b2ea3e752d852af77d6fc00a8a240d90b2c4c1ca5cb1311c9cfdd828a19

  • Size

    136KB

  • Sample

    221120-l4pslsgg29

  • MD5

    5f4db3efdbf4fca163d0dcb122ef3fb0

  • SHA1

    79e5bf12126762e6085108ede2a9fd62b53e5a03

  • SHA256

    1a3b3b2ea3e752d852af77d6fc00a8a240d90b2c4c1ca5cb1311c9cfdd828a19

  • SHA512

    89803a5cdb38c7bf5724d1041b356f91e6c22eded0c41289343c5ecbb651aef5a963e3e88fedbc7ef40d5993c7bf1e4eaf94846a840e7f70b01c480d36b9e2cf

  • SSDEEP

    3072:akNkEdAf2o0ro8jOTxeujezYyLaPeUVGZU:1lAf2oWox9eAgYy2WU

Malware Config

Extracted

  • Family

    pony

  • C2

    http://pokontaktu.ru/plugins/system/legacy/id.php

    http://www.mosjurkollegia.com/js/update.bin

Targets

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v6