General
-
Target
63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98
-
Size
1.7MB
-
Sample
221125-31qdeagc32
-
MD5
fd860b8c9003b60b1e1d4cf5a81171a2
-
SHA1
0d96bf07de613c46920d99282408421024472d11
-
SHA256
63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98
-
SHA512
cc4fda0f5fd20a07e101e179c10f2ba3bfef2574abc73784c918f5eb319f8a7d5a799f737e6de7b3128630b0b59b8cf0b4eb41500e910d7fab970b48ee1604c9
-
SSDEEP
24576:h1TGH/LFxCGGmZu5P9dZd+R30w43EsNHM2GpZNqfTY0TDjm0jRbm:hUH/nCG52PDZd+iw43Emz2ZNiYqiu1
Malware Config
Extracted
pony
http://www.estateboulv.com/html/nza/html/gate.php
Targets
-
-
Target
63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98
-
Size
1.7MB
-
MD5
fd860b8c9003b60b1e1d4cf5a81171a2
-
SHA1
0d96bf07de613c46920d99282408421024472d11
-
SHA256
63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98
-
SHA512
cc4fda0f5fd20a07e101e179c10f2ba3bfef2574abc73784c918f5eb319f8a7d5a799f737e6de7b3128630b0b59b8cf0b4eb41500e910d7fab970b48ee1604c9
-
SSDEEP
24576:h1TGH/LFxCGGmZu5P9dZd+R30w43EsNHM2GpZNqfTY0TDjm0jRbm:hUH/nCG52PDZd+iw43Emz2ZNiYqiu1
Score10/10-
Modifies WinLogon for persistence
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Suspicious use of SetThreadContext
-