General
-
Target
04d13378d882a455b608c24e8cd39b2cb012067028d3be9a686bd1d9ca026193
-
Size
236KB
-
Sample
221128-mrm9pace6v
-
MD5
b02e9f04340c4859ae94cbe4ad593a36
-
SHA1
05d65b274877fad4ac3a2e794f5dd121397db336
-
SHA256
04d13378d882a455b608c24e8cd39b2cb012067028d3be9a686bd1d9ca026193
-
SHA512
6c3a8acf4f9f240d09e1ea5c40e760383b3540e3a0ec761b04e3c378f6aeaba87c1c9c1f58f55cbd571fed344f5ca5872090062ca87a77aa63d0ccd173d5067a
-
SSDEEP
3072:m+Rj6SlhkgQqkP3A/01fluSC0/0IvmULf3df6lEJGz/JnnAO/4:m+bhEqCBm20Yb2w
Malware Config
Extracted
pony
http://192.254.67.81/~mentor/endy/contact.php
Targets
-
-
Target
04d13378d882a455b608c24e8cd39b2cb012067028d3be9a686bd1d9ca026193
-
Size
236KB
-
MD5
b02e9f04340c4859ae94cbe4ad593a36
-
SHA1
05d65b274877fad4ac3a2e794f5dd121397db336
-
SHA256
04d13378d882a455b608c24e8cd39b2cb012067028d3be9a686bd1d9ca026193
-
SHA512
6c3a8acf4f9f240d09e1ea5c40e760383b3540e3a0ec761b04e3c378f6aeaba87c1c9c1f58f55cbd571fed344f5ca5872090062ca87a77aa63d0ccd173d5067a
-
SSDEEP
3072:m+Rj6SlhkgQqkP3A/01fluSC0/0IvmULf3df6lEJGz/JnnAO/4:m+bhEqCBm20Yb2w
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-