General
-
Target
584729a4abb31ff932a0428f909219590db3d0b3a530eeb52f9e5bb02196e542
-
Size
497KB
-
Sample
221127-tgblgaac42
-
MD5
e2ebde92d32ed6611d773db867964671
-
SHA1
e75d1ea17bafef47b5bbbcb983dfbe3ca0bd95f1
-
SHA256
584729a4abb31ff932a0428f909219590db3d0b3a530eeb52f9e5bb02196e542
-
SHA512
3f02696ca793efd1aca61ae6f6c910fc60b1b517f8123aadf4a71f9a0c64efa9a4ff524a09813be2aedb25991d5a46099075c4b499dc3b62b8f2dd1f9cad2b02
-
SSDEEP
12288:QYpCwVA5URb0Hmah3QgKbOmCZJUZboYvwgiRBd6:QOC1+Rb0Hmah6/sUZsYdwS
Malware Config
Extracted
pony
http://johnbrown.hol.es/xmas/gate.php
Targets
-
-
Target
584729a4abb31ff932a0428f909219590db3d0b3a530eeb52f9e5bb02196e542
-
Size
497KB
-
MD5
e2ebde92d32ed6611d773db867964671
-
SHA1
e75d1ea17bafef47b5bbbcb983dfbe3ca0bd95f1
-
SHA256
584729a4abb31ff932a0428f909219590db3d0b3a530eeb52f9e5bb02196e542
-
SHA512
3f02696ca793efd1aca61ae6f6c910fc60b1b517f8123aadf4a71f9a0c64efa9a4ff524a09813be2aedb25991d5a46099075c4b499dc3b62b8f2dd1f9cad2b02
-
SSDEEP
12288:QYpCwVA5URb0Hmah3QgKbOmCZJUZboYvwgiRBd6:QOC1+Rb0Hmah6/sUZsYdwS
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-