pony | 3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98 | Triage

Submit
Reports

Overview

overview

Static

static

3b21c9b770...98.exe

windows7-x64

3b21c9b770...98.exe

windows10-2004-x64

Sharing

General

Target

3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98
Size

468KB
Sample

221128-mvndvscg7t
MD5

b6843f93ba472e9a18bacead1573596f
SHA1

cbe1a3ce097bdb4b25f647ccccb891ffb3c6e529
SHA256

3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98
SHA512

b6657df6478e1e4b607e15a1b5f6aa93a2a08caa6c1ea70fa13529a02c60fed3406433c91c475c512de7d19ff1586c96d2d3a311562ed6f8ba400da6100b040c
SSDEEP

3072:ENZGGl2ccmCiL35QksWmZ/Dkw1itSqEKRVDOcgiFg72xaWF:ENZG5ccm9HmxDNW3Kcba

Score

10^/10

pony collection discovery rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe

Resource

win7-20220812-en

pony collection discovery rat spyware stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98.exe

Resource

win10v2004-20220812-en

pony collection discovery rat spyware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

pony

C2

http://hytlfe.com/me/mf/shit.php

Attributes

payload_url
http://hytlfe.com/me/mf/zcong.exe

Targets

- Target
  
  3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98
- Size
  
  468KB
- MD5
  
  b6843f93ba472e9a18bacead1573596f
- SHA1
  
  cbe1a3ce097bdb4b25f647ccccb891ffb3c6e529
- SHA256
  
  3b21c9b770bdfe16ab50c88a4d0daf10cbc90efc9d0a4e4e7bd6cf07104c6c98
- SHA512
  
  b6657df6478e1e4b607e15a1b5f6aa93a2a08caa6c1ea70fa13529a02c60fed3406433c91c475c512de7d19ff1586c96d2d3a311562ed6f8ba400da6100b040c
- SSDEEP
  
  3072:ENZGGl2ccmCiL35QksWmZ/Dkw1itSqEKRVDOcgiFg72xaWF:ENZG5ccm9HmxDNW3Kcba
Score

10^/10

pony collection discovery rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

ponycollectiondiscoveryratspywarestealer

behavioral2

ponycollectiondiscoveryratspywarestealer

© 2018-2024

Terms | Privacy