Overview

overview

10

Static

static

5

493239f65d...e8.exe

windows7-x64

8

493239f65d...e8.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    pony.zip

  • Size

    606KB

  • Sample

    230202-k8fj3ahe9w

  • MD5

    fc262c4f2c7e3c97ea54499377950a05

  • SHA1

    89b1504fe77c09e56e9d8388123e94bc6b1bc500

  • SHA256

    4855a2496144db71904b47ce43318455a1748e7d68826796b93c0bc08b80d67f

  • SHA512

    95fd7c026af9e8ed3f2e8c8d567576e552f5ae1a2814612560db5fc49ba3db45fc852abc55843f1d5bcbd6d96b3fe010f90f9ee93ff5a42e78e6e460ff45ebc7

  • SSDEEP

    12288:b689+1mfP1w4RyDTaFZ7d5jyI37cN+2lFald+neTOERB8IKlbPi9s:b689+ww4wXoVH77cjaueTr/HGriC

Score
10/10
ponycollectiondiscoveryratspywarestealerupx

Malware Config

Extracted

Family

pony

C2

http://ibeji.freeiz.com/ibeji/gate.php

Targets

    • Target

      493239f65d67f05cfa86644937ace5a0ba83fb316babf3d1d66d21674eae78e8.exe

    • Size

      1.0MB

    • MD5

      b337aef2e21d2113969f421d307a0bfc

    • SHA1

      7df37e41ac16b47449ebf8a978616781dfc53445

    • SHA256

      493239f65d67f05cfa86644937ace5a0ba83fb316babf3d1d66d21674eae78e8

    • SHA512

      1fd001c0a47fd9de65582e561e89397c755c5c60088131b35b6c8b3cb21f25dab25ebdfccbdeb98f28c366efc0b1aa90b308f004024ec6ea6b62e495c589b908

    • SSDEEP

      24576:btb20pkaCqT5TBWgNjVYMerbvM3wbOG16A:YVg5tjVYMerbvewv5

    Score
    10/10
    upxponycollectiondiscoveryratspywarestealer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks