General
-
Target
395c6151624f73b39fdfd282534279878b433efb964bcc15cad2e4f818d89eb8.exe
-
Size
702KB
-
Sample
230707-m7y15ahe6x
-
MD5
eff961cad9e82ec0bc3766e45e6df319
-
SHA1
c3f1c5ec3f7c0c9060f2b15f274fcdb0c7c2d918
-
SHA256
395c6151624f73b39fdfd282534279878b433efb964bcc15cad2e4f818d89eb8
-
SHA512
aafd6ce975e6a90f173392d25dc859e61d32676d20835eac77569c360ee63474b90b66c5054803866080bb97ad8e3d2c238ea6e1af645bdb3786f88b28c2042e
-
SSDEEP
12288:RquErHF6xC9D6DmR1J98w4oknqOKw59XxYRcjnn+ClOq60XDv8OOTHiBHM:Url6kD68JmloO5TYI1lOq6sb8hTHAM
Malware Config
Extracted
pony
http://185.79.156.18/bit/03/gate.php
Targets
-
-
Target
395c6151624f73b39fdfd282534279878b433efb964bcc15cad2e4f818d89eb8.exe
-
Size
702KB
-
MD5
eff961cad9e82ec0bc3766e45e6df319
-
SHA1
c3f1c5ec3f7c0c9060f2b15f274fcdb0c7c2d918
-
SHA256
395c6151624f73b39fdfd282534279878b433efb964bcc15cad2e4f818d89eb8
-
SHA512
aafd6ce975e6a90f173392d25dc859e61d32676d20835eac77569c360ee63474b90b66c5054803866080bb97ad8e3d2c238ea6e1af645bdb3786f88b28c2042e
-
SSDEEP
12288:RquErHF6xC9D6DmR1J98w4oknqOKw59XxYRcjnn+ClOq60XDv8OOTHiBHM:Url6kD68JmloO5TYI1lOq6sb8hTHAM
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-