General
-
Target
060020c74b852fed7ba3a081e281afcc9a7fa3a5b5ff62f412f40c70bc05549d
-
Size
114KB
-
Sample
221125-z4sq6aae9t
-
MD5
9b394662bddadd2bce1fb38551f541ce
-
SHA1
e3722135e737d3e3d9ad41c967f63ab87e6dfcc8
-
SHA256
060020c74b852fed7ba3a081e281afcc9a7fa3a5b5ff62f412f40c70bc05549d
-
SHA512
5a800c19f0002c430c5b25d8512e6df5573457c23fcdb856921894d38d247c68a673bb5c0d89f76f52f26450ecc9b08e6e3bf85e0c3e18719930a075beb91807
-
SSDEEP
1536:Ibi4bOn/DeP6Hi7qPKuZAOSoDhFaLOzBjnYAZOnoFxfqU32e5T1Lp7YN0Wd:tDeiHwkKuOOSoDhFdFYAUnoffoUfYN
Malware Config
Extracted
pony
http://golklopro.com/bitrix/modules.php
http://cosjesgame.su/bitrix/modules.php
http://mlsellier.com/333
http://famdebaere.eu/333
http://originalceylontea.co.uk/333
http://www.101club.org/333
http://help4pcs.com/333
Targets
-
-
Target
060020c74b852fed7ba3a081e281afcc9a7fa3a5b5ff62f412f40c70bc05549d
-
Size
114KB
-
MD5
9b394662bddadd2bce1fb38551f541ce
-
SHA1
e3722135e737d3e3d9ad41c967f63ab87e6dfcc8
-
SHA256
060020c74b852fed7ba3a081e281afcc9a7fa3a5b5ff62f412f40c70bc05549d
-
SHA512
5a800c19f0002c430c5b25d8512e6df5573457c23fcdb856921894d38d247c68a673bb5c0d89f76f52f26450ecc9b08e6e3bf85e0c3e18719930a075beb91807
-
SSDEEP
1536:Ibi4bOn/DeP6Hi7qPKuZAOSoDhFaLOzBjnYAZOnoFxfqU32e5T1Lp7YN0Wd:tDeiHwkKuOOSoDhFdFYAUnoffoUfYN
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-