General
-
Target
172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f
-
Size
564KB
-
Sample
221125-z5d96aff78
-
MD5
a1d3624a30411262cfe25674dbd05051
-
SHA1
3d2c681609f5213a680955573e26f4e3a52025a9
-
SHA256
172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f
-
SHA512
59bc2190ff355409ac2d9d3fd197c6c6cddb89f25990b4cb2614a3cb6b8ca5a6cde931807290366cd203fdadb48e5a0977606f06231233d6a7be62d88af033d5
-
SSDEEP
6144:6pX2i9HjHIDeRzKPCqIlKqX6ehf1gOGqHCibZwSDqMPoyoMGGGGGGGGGGbGGGGG4:Q20zyeRWtI9qGu6HCWZwMqoKHjl
Malware Config
Extracted
pony
http://www.powerturk.rocks/web/gate.php
http://www.powerturk.rocks/webd/gate.php
Targets
-
-
Target
172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f
-
Size
564KB
-
MD5
a1d3624a30411262cfe25674dbd05051
-
SHA1
3d2c681609f5213a680955573e26f4e3a52025a9
-
SHA256
172316f80cc2a5ce9e4bcd5e53a99682440a8954a79b27636a7d82295e99495f
-
SHA512
59bc2190ff355409ac2d9d3fd197c6c6cddb89f25990b4cb2614a3cb6b8ca5a6cde931807290366cd203fdadb48e5a0977606f06231233d6a7be62d88af033d5
-
SSDEEP
6144:6pX2i9HjHIDeRzKPCqIlKqX6ehf1gOGqHCibZwSDqMPoyoMGGGGGGGGGGbGGGGG4:Q20zyeRWtI9qGu6HCWZwMqoKHjl
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-