General
-
Target
a4a91717ba29abd06e177a2ee56cecb9de3a829a679dee5603f74255581a093e
-
Size
424KB
-
Sample
221128-txsjxsce8y
-
MD5
66c36414d91954561ffa71d653e6c824
-
SHA1
54c63816ee6354513774b19e8fd98304ed286284
-
SHA256
a4a91717ba29abd06e177a2ee56cecb9de3a829a679dee5603f74255581a093e
-
SHA512
8a715cc92bffc2fad8e2e5f93169195cd8fdd2f304dc6a6efc4a645c9d03a1a66b34e5f88b5862da6fcce16323cdc912ddec1a03fa56bea98f1d22a14a7f934d
-
SSDEEP
3072:XENUmdLGYcwYcYOxVTvm+sdtIzNIcNKQVBdSTOAPl6sOB3Chqhyg53iC4lgmofTh:rwLpcivm6zNIABd9APADC3pEsWU9qV
Malware Config
Extracted
pony
http://updat101up.ddns.net/pony/gate.php
Targets
-
-
Target
a4a91717ba29abd06e177a2ee56cecb9de3a829a679dee5603f74255581a093e
-
Size
424KB
-
MD5
66c36414d91954561ffa71d653e6c824
-
SHA1
54c63816ee6354513774b19e8fd98304ed286284
-
SHA256
a4a91717ba29abd06e177a2ee56cecb9de3a829a679dee5603f74255581a093e
-
SHA512
8a715cc92bffc2fad8e2e5f93169195cd8fdd2f304dc6a6efc4a645c9d03a1a66b34e5f88b5862da6fcce16323cdc912ddec1a03fa56bea98f1d22a14a7f934d
-
SSDEEP
3072:XENUmdLGYcwYcYOxVTvm+sdtIzNIcNKQVBdSTOAPl6sOB3Chqhyg53iC4lgmofTh:rwLpcivm6zNIABd9APADC3pEsWU9qV
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-