General
-
Target
d3034beda76933b176e26591b73c55eb6b982bbaa2ca10a0a55b403256f1e95a
-
Size
223KB
-
Sample
221123-p9ndhsgd7w
-
MD5
ae7b4777e8306d40e52dfcee7bce7173
-
SHA1
b366701a42238b38a1374dbedae1880653ec94d6
-
SHA256
d3034beda76933b176e26591b73c55eb6b982bbaa2ca10a0a55b403256f1e95a
-
SHA512
30f10da0fa90929ad9d6ec8817aa94d3925e50b4b6de7e03bc23ec362eba060d0f93529a2b90d2428f76ebce91dff46f80719896caa2236a652e172b0aa3e869
-
SSDEEP
3072:mqI/6p3N6hbyhcuJlb4+FTLlF+mFXvsNoMVSUxUGVJZaGCt7+N7:mqR3NxP4+FTLWAfs1+VTFo
Malware Config
Extracted
pony
http://109.120.177.164/p/gate.php
Targets
-
-
Target
d3034beda76933b176e26591b73c55eb6b982bbaa2ca10a0a55b403256f1e95a
-
Size
223KB
-
MD5
ae7b4777e8306d40e52dfcee7bce7173
-
SHA1
b366701a42238b38a1374dbedae1880653ec94d6
-
SHA256
d3034beda76933b176e26591b73c55eb6b982bbaa2ca10a0a55b403256f1e95a
-
SHA512
30f10da0fa90929ad9d6ec8817aa94d3925e50b4b6de7e03bc23ec362eba060d0f93529a2b90d2428f76ebce91dff46f80719896caa2236a652e172b0aa3e869
-
SSDEEP
3072:mqI/6p3N6hbyhcuJlb4+FTLlF+mFXvsNoMVSUxUGVJZaGCt7+N7:mqR3NxP4+FTLWAfs1+VTFo
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-