pony | fb63754ccae114c1f56a9fcf6190cba0b7d7eca93c7124129194252976426581 | Triage

Submit
Reports

Overview

overview

Static

static

fb63754cca...81.jar

windows7-x64

fb63754cca...81.jar

windows10-2004-x64

Sharing

General

Target

fb63754ccae114c1f56a9fcf6190cba0b7d7eca93c7124129194252976426581
Size

104KB
Sample

221128-k7xf7agc3w
MD5

ff0d8ad4cd0d46e890e4a5d6486b617f
SHA1

4dd9e804409df66e5f2e46804635387663e7b711
SHA256

fb63754ccae114c1f56a9fcf6190cba0b7d7eca93c7124129194252976426581
SHA512

67089d7f139a37cf41702f05170517580dcf9ea1b272b7f4f4ea9c50bd1c87c83a207aca26e7d5e8d29c9e09015ee283049910510ff8f845baf97990c55d34f9
SSDEEP

3072:HzcyPlJWHMCt+EW2WMFVjSuqRhupfh4urRxeCrUH:H44Jgb4GVjSu1p7p4H

Score

10^/10

pony collection rat spyware stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

fb63754ccae114c1f56a9fcf6190cba0b7d7eca93c7124129194252976426581.jar

Resource

win7-20221111-en

pony collection rat spyware stealer upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

fb63754ccae114c1f56a9fcf6190cba0b7d7eca93c7124129194252976426581.jar

Resource

win10v2004-20221111-en

pony collection rat spyware stealer upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

pony

C2

http://sweet0rium.com/dd/Panel/gate.php

http://www.sweet0rium.com/dd/Panel/gate.php

Targets

- Target
  
  fb63754ccae114c1f56a9fcf6190cba0b7d7eca93c7124129194252976426581
- Size
  
  104KB
- MD5
  
  ff0d8ad4cd0d46e890e4a5d6486b617f
- SHA1
  
  4dd9e804409df66e5f2e46804635387663e7b711
- SHA256
  
  fb63754ccae114c1f56a9fcf6190cba0b7d7eca93c7124129194252976426581
- SHA512
  
  67089d7f139a37cf41702f05170517580dcf9ea1b272b7f4f4ea9c50bd1c87c83a207aca26e7d5e8d29c9e09015ee283049910510ff8f845baf97990c55d34f9
- SSDEEP
  
  3072:HzcyPlJWHMCt+EW2WMFVjSuqRhupfh4urRxeCrUH:H44Jgb4GVjSu1p7p4H
Score

10^/10

pony collection rat spyware stealer upx
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

ponycollectionratspywarestealerupx

behavioral2

ponycollectionratspywarestealerupx

© 2018-2024

Terms | Privacy