
General

  • Target: ff84eb53e135cfab83b5ed2354f30f26b7d8f31c3160d7e01b7bb3050820d109
  • Size: 656KB
  • Sample: 221205-kfr3dsga5s
  • MD5: 2af9f1c1d68514c377a324c19861bcc8
  • SHA1: 225741ab919153238a03a6b4daa42fe29709b6b5
  • SHA256: ff84eb53e135cfab83b5ed2354f30f26b7d8f31c3160d7e01b7bb3050820d109
  • SHA512: 28b0a0ec3dac69a5c87180b169d2f5109d9ea6c4c80158158e7e841f85c61254e0da90f132e38b54771eb0ce6cf24b51daeb5622a55f702835ec757067edb0df
  • SSDEEP: 6144:NUEjebs98Z4NBBGDWMKvS8GYFBSAjT1TkmltGGGhC2:uPQ6QvS8TKyr

Malware Config

Extracted

  • Family: pony
  • C2: http://204.188.238.141/~paulcomp/js/paul2.php

Targets


    • Pony, Fareit: Pony is a Remote Access Trojan that steals information.
    • UPX packed file: Detects executables packed with the UPX or a modified UPX open-source packer.
    • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
    • Reads data files stored by FTP clients: Tries to access configuration files associated with programs such as FileZilla.
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials.
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Suspicious use of SetThreadContext
