General
-
Target
26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5
-
Size
168KB
-
Sample
221126-kk4a8aaa9w
-
MD5
81d77c62cc4f4d3e5891fe39d4748935
-
SHA1
6544ee27b7a2618504f0a8521462dc5eb5a7baa6
-
SHA256
26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5
-
SHA512
700a1d2bbbeedd20a867de7ef5c316383f502e657aeb9b2a3fcf0624d3d42e466836672501de604ac17f51e562452de88a44dcf1f6ffae7d892c0429d9f60739
-
SSDEEP
3072:XFHNDtQwr6iCkVBfx/+dAbTUvQyoqdvvuA7NhswmX7bWljZK:XBXr6rkzAd4U5vvuAUwmeO
Malware Config
Extracted
pony
http://www.skshospitality.in/js/admin/Panel/gate.php
-
payload_url
http://www.skshospitality.in/js/admin/Panel/invoice.exe
Targets
-
-
Target
26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5
-
Size
168KB
-
MD5
81d77c62cc4f4d3e5891fe39d4748935
-
SHA1
6544ee27b7a2618504f0a8521462dc5eb5a7baa6
-
SHA256
26eabc0421a96de6cce085fa771d4f419876664f1e14978bb6f5b01bd9c3bcb5
-
SHA512
700a1d2bbbeedd20a867de7ef5c316383f502e657aeb9b2a3fcf0624d3d42e466836672501de604ac17f51e562452de88a44dcf1f6ffae7d892c0429d9f60739
-
SSDEEP
3072:XFHNDtQwr6iCkVBfx/+dAbTUvQyoqdvvuA7NhswmX7bWljZK:XBXr6rkzAd4U5vvuAUwmeO
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-