General
-
Target
c88aaf1a164ace5cb1df81ae00029703.exe
-
Size
702KB
-
Sample
230601-gjpjwscg94
-
MD5
c88aaf1a164ace5cb1df81ae00029703
-
SHA1
448bb044a37ac53d7f2a7c8b278748fa8cfac908
-
SHA256
399ff9fc9b00cd465bf4ebe51c05b2252efd5631afa01d90543aa3ee68e48832
-
SHA512
6348db010ddd2bf135ef9831f8803564454c734abdb39b4d9fa2e4606d32e325d411369bd3632ef14ae871e2eb5fc09ead3b7f97ef36519b8b26e3d36c7b88fb
-
SSDEEP
12288:RquErHF6xC9D6DmR1J98w4oknqOKw59XxYRcjnn+ClOq60XDv8OOTHiBHv:Url6kD68JmloO5TYI1lOq6sb8hTHAv
Malware Config
Extracted
pony
http://185.79.156.18/bit/03/gate.php
Targets
-
-
Target
c88aaf1a164ace5cb1df81ae00029703.exe
-
Size
702KB
-
MD5
c88aaf1a164ace5cb1df81ae00029703
-
SHA1
448bb044a37ac53d7f2a7c8b278748fa8cfac908
-
SHA256
399ff9fc9b00cd465bf4ebe51c05b2252efd5631afa01d90543aa3ee68e48832
-
SHA512
6348db010ddd2bf135ef9831f8803564454c734abdb39b4d9fa2e4606d32e325d411369bd3632ef14ae871e2eb5fc09ead3b7f97ef36519b8b26e3d36c7b88fb
-
SSDEEP
12288:RquErHF6xC9D6DmR1J98w4oknqOKw59XxYRcjnn+ClOq60XDv8OOTHiBHv:Url6kD68JmloO5TYI1lOq6sb8hTHAv
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-