pony | 8503d3958b3fea8458d56767d345676bf139b58e6e06465116a174a5ae4c3600

General

Target

8503d3958b3fea8458d56767d345676bf139b58e6e06465116a174a5ae4c3600
Size

128KB
Sample

221129-hb3bfsdh65
MD5

e7ffeedc0165d078b6310a9fdac71b4b
SHA1

f238e508da117ab21f1b9d41d029275d6ea313d5
SHA256

8503d3958b3fea8458d56767d345676bf139b58e6e06465116a174a5ae4c3600
SHA512

2ae8c603ededdd0824fcd9b761c184a6b8b054cb76a3cf6f0b72ea555d6cf2d4ae660326d49767f9cbdcad7a6e149d630d65e2879a374ae11d1626bbbd21bfb1
SSDEEP

3072:fLv7mogmPz1VZWIU0iuRlB0qKaxbo5FzMlpaJ9OiNOis52I:jvHz1bWB8RrKsbmiamiNI

Score

10^/10

Malware Config

Extracted

Family

pony

C2

http://67.215.225.205:8080/forum/viewtopic.php

http://122.201.102.69:8080/forum/viewtopic.php

Attributes

payload_url
http://birdofparadisepub.com/poQYPP.exe

http://www.kenji-calypso.com/ehKxq9y.exe

Targets

- Target
  
  8503d3958b3fea8458d56767d345676bf139b58e6e06465116a174a5ae4c3600
- Size
  
  128KB
- MD5
  
  e7ffeedc0165d078b6310a9fdac71b4b
- SHA1
  
  f238e508da117ab21f1b9d41d029275d6ea313d5
- SHA256
  
  8503d3958b3fea8458d56767d345676bf139b58e6e06465116a174a5ae4c3600
- SHA512
  
  2ae8c603ededdd0824fcd9b761c184a6b8b054cb76a3cf6f0b72ea555d6cf2d4ae660326d49767f9cbdcad7a6e149d630d65e2879a374ae11d1626bbbd21bfb1
- SSDEEP
  
  3072:fLv7mogmPz1VZWIU0iuRlB0qKaxbo5FzMlpaJ9OiNOis52I:jvHz1bWB8RrKsbmiamiNI
Score

10^/10

pony collection discovery rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Pony,Fareit

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks installed software on the system

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2