Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    1aebbb422db0bd827c25bef6d426ae748c69b421d91a914f90be48b39c01c660

  • Size

    149KB

  • Sample

    221128-g8s9dagd9t

  • MD5

    13e1538d403a3618db92ad0700f08b5f

  • SHA1

    1587263acf5a662d8f2f202c36bedec0cbf02b2e

  • SHA256

    1aebbb422db0bd827c25bef6d426ae748c69b421d91a914f90be48b39c01c660

  • SHA512

    5b895dbcba1a1fc98e849b1dbb5f9b0842577fe1e1fa827c61d428d75e5c03f039479be77ffc5eee83e520ff9f7d6843aa5020cae902e4e84c1c505c67ce9014

  • SSDEEP

    3072:3VhJZAxYQRZEPtEhdny8G3j28ffU1xZfVZFcmIdkbsuPXMbGNonigN:3VhJ+O8YtEhAw8XU1DPVQu02Ui

Malware Config

Extracted

Family

pony

C2

http://ocvitcamap.com/administrator/lib/cheapoakley.php

http://spark-leds.com/upload/images/images.php

http://sapacmold.com/img/t/t.php

http://www.ubikate.mx/wp-includes/images/images.php

http://www.ebouw.nl/wp-includes/pomo/pomo.php

http://www.getserved.nl/wp-content/themes/themes.php

http://www.multiposting.nl/wp-includes/theme-compat/ips_kernel.php

Targets

    • Target

      1aebbb422db0bd827c25bef6d426ae748c69b421d91a914f90be48b39c01c660

    • Size

      149KB

    • MD5

      13e1538d403a3618db92ad0700f08b5f

    • SHA1

      1587263acf5a662d8f2f202c36bedec0cbf02b2e

    • SHA256

      1aebbb422db0bd827c25bef6d426ae748c69b421d91a914f90be48b39c01c660

    • SHA512

      5b895dbcba1a1fc98e849b1dbb5f9b0842577fe1e1fa827c61d428d75e5c03f039479be77ffc5eee83e520ff9f7d6843aa5020cae902e4e84c1c505c67ce9014

    • SSDEEP

      3072:3VhJZAxYQRZEPtEhdny8G3j28ffU1xZfVZFcmIdkbsuPXMbGNonigN:3VhJ+O8YtEhAw8XU1DPVQu02Ui

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks