General
-
Target
2164e2c2bb01cb3904b15be48f250941546db82186725b5fb11c6c40b2ca927f
-
Size
560KB
-
Sample
221206-sav6vsgf26
-
MD5
9ec81fb8d72e879b7514cd64242ab627
-
SHA1
04f52bab94da5b821c7cc32cd5becbb05434b60c
-
SHA256
2164e2c2bb01cb3904b15be48f250941546db82186725b5fb11c6c40b2ca927f
-
SHA512
3f7071be8ae9388f9093fcb299a3afa2c5b006c71c7b68b0aa902c8527a4f3261bf5da836ee52d1bcc4dda5bfbfd84edc8b8a8f9a67253308b869cafc7e5baf0
-
SSDEEP
12288:D1c454DlLBfWba90SQ5OQn2MlC6AvwX1cJ:D1c454BLobq0nOQn2Ml3Avo1cJ
Malware Config
Extracted
pony
http://82.145.57.116/~sample/beconek/contact.php
Targets
-
-
Target
2164e2c2bb01cb3904b15be48f250941546db82186725b5fb11c6c40b2ca927f
-
Size
560KB
-
MD5
9ec81fb8d72e879b7514cd64242ab627
-
SHA1
04f52bab94da5b821c7cc32cd5becbb05434b60c
-
SHA256
2164e2c2bb01cb3904b15be48f250941546db82186725b5fb11c6c40b2ca927f
-
SHA512
3f7071be8ae9388f9093fcb299a3afa2c5b006c71c7b68b0aa902c8527a4f3261bf5da836ee52d1bcc4dda5bfbfd84edc8b8a8f9a67253308b869cafc7e5baf0
-
SSDEEP
12288:D1c454DlLBfWba90SQ5OQn2MlC6AvwX1cJ:D1c454BLobq0nOQn2Ml3Avo1cJ
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-