General
-
Target
6614a8bfc14cc73b930dfaaa3ad6515357d907ef4be5183b0abdcb291a64989d
-
Size
416KB
-
Sample
221128-e53mjaeg93
-
MD5
a3073d66ce1b0dc498a56387ac3c1620
-
SHA1
b7508f3e4cbd5d15ef9c839839e7cf0641aab29d
-
SHA256
6614a8bfc14cc73b930dfaaa3ad6515357d907ef4be5183b0abdcb291a64989d
-
SHA512
baf8abf5a6ec4603e7445aef19ef16b67d68548b2f21445e69949e6076b519f6694474e9ed2e65aab66a28825cd1f72d4ba192ef6946ece5b9027989c8f43162
-
SSDEEP
3072:uUQhNEwptv72GwXRtemS1K7X7iwWOl8vfTXkXoAc5w8ISg9qC9eUIp:uUYNEwpZ7218mWY4bsWU9qV
Malware Config
Extracted
pony
http://gogod.no-ip.biz/loaded/gate.php
Targets
-
-
Target
6614a8bfc14cc73b930dfaaa3ad6515357d907ef4be5183b0abdcb291a64989d
-
Size
416KB
-
MD5
a3073d66ce1b0dc498a56387ac3c1620
-
SHA1
b7508f3e4cbd5d15ef9c839839e7cf0641aab29d
-
SHA256
6614a8bfc14cc73b930dfaaa3ad6515357d907ef4be5183b0abdcb291a64989d
-
SHA512
baf8abf5a6ec4603e7445aef19ef16b67d68548b2f21445e69949e6076b519f6694474e9ed2e65aab66a28825cd1f72d4ba192ef6946ece5b9027989c8f43162
-
SSDEEP
3072:uUQhNEwptv72GwXRtemS1K7X7iwWOl8vfTXkXoAc5w8ISg9qC9eUIp:uUYNEwpZ7218mWY4bsWU9qV
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-