Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    b5d4330129d989156cb6df8fc.exe

  • Size

    702KB

  • Sample

    230709-t3nsxsfc7v

  • MD5

    b85a427b9c8d95d8d7387ca53abc45f0

  • SHA1

    f2653fe0c33d2704647c30e1ffe285c67ecd6e66

  • SHA256

    b5d4330129d989156cb6df8fc9a95e1a45c4d57b8852cf5f720c80a0a6a4935f

  • SHA512

    da053213da2b5e19788ee7a46cb3256482d965dc8523e3ffd757ea182482e57390a9922cb78f5a05defd2b1e3e0e7fb90a465818763351a7898f1a50ec3a45ff

  • SSDEEP

    12288:RquErHF6xC9D6DmR1J98w4oknqOKw59XxYRcjnn+ClOq60XDv8OOTHiBHi:Url6kD68JmloO5TYI1lOq6sb8hTHAi

Malware Config

Extracted

Family

pony

C2

http://185.79.156.18/bit/03/gate.php

Targets

    • Target

      b5d4330129d989156cb6df8fc.exe

    • Size

      702KB

    • MD5

      b85a427b9c8d95d8d7387ca53abc45f0

    • SHA1

      f2653fe0c33d2704647c30e1ffe285c67ecd6e66

    • SHA256

      b5d4330129d989156cb6df8fc9a95e1a45c4d57b8852cf5f720c80a0a6a4935f

    • SHA512

      da053213da2b5e19788ee7a46cb3256482d965dc8523e3ffd757ea182482e57390a9922cb78f5a05defd2b1e3e0e7fb90a465818763351a7898f1a50ec3a45ff

    • SSDEEP

      12288:RquErHF6xC9D6DmR1J98w4oknqOKw59XxYRcjnn+ClOq60XDv8OOTHiBHi:Url6kD68JmloO5TYI1lOq6sb8hTHAi

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks