General
-
Target
4aceb5a4dc7a4826f6167ba548de47a2bf1c2869edde551f53ceef13649ea02c
-
Size
536KB
-
Sample
221126-k4j2pafh47
-
MD5
943b7d1f31a9c27e6373e882540d5679
-
SHA1
253b16ffeac084841944403e9ca3e6d9ab59dce3
-
SHA256
4aceb5a4dc7a4826f6167ba548de47a2bf1c2869edde551f53ceef13649ea02c
-
SHA512
9dba418e98e5931913c4609a3b28a1e96f1c0fe5ffd298ae5a73646eb08bdf5088f289bec9037a927207d429800b05e65f2c9142fcc22990bb31ece5590cfcbf
-
SSDEEP
12288:Orr2iNZJymklR+um4cXwxHr7ypW4eSs1k2s5YqK7:W1dERbdcXg7aeSsQY9
Malware Config
Extracted
pony
http://shuaacapitalae.com/js/gate.php
Targets
-
-
Target
4aceb5a4dc7a4826f6167ba548de47a2bf1c2869edde551f53ceef13649ea02c
-
Size
536KB
-
MD5
943b7d1f31a9c27e6373e882540d5679
-
SHA1
253b16ffeac084841944403e9ca3e6d9ab59dce3
-
SHA256
4aceb5a4dc7a4826f6167ba548de47a2bf1c2869edde551f53ceef13649ea02c
-
SHA512
9dba418e98e5931913c4609a3b28a1e96f1c0fe5ffd298ae5a73646eb08bdf5088f289bec9037a927207d429800b05e65f2c9142fcc22990bb31ece5590cfcbf
-
SSDEEP
12288:Orr2iNZJymklR+um4cXwxHr7ypW4eSs1k2s5YqK7:W1dERbdcXg7aeSsQY9
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-