General

  • Target

    5d283f48cda7d39c9c1e82dd9b07945c6422accb618ea6c9a3c0ea7c7403f328

  • Size

    220KB

  • Sample

    240417-r74zlach77

  • MD5

    e34a39adbc6e14570228240a5d189306

  • SHA1

    ee2bceae0235e958cc8e6fc7c19d24c544fb9f6a

  • SHA256

    5d283f48cda7d39c9c1e82dd9b07945c6422accb618ea6c9a3c0ea7c7403f328

  • SHA512

    ab16cdc34f60758aaa95236735c7d7ec9971c398e1dbc22e121d1bbb670146d28704f0aa7ffa34a2ff5e5b809070dfdc35b34d49b01579a864d18ab0db889ac3

  • SSDEEP

    6144:xmlCy+WiekNk0xDVccKcVncGoTDGubfBzFL4gqegFv:Uldieek0xDV5cGAzrAFFv

Malware Config

Extracted

Family

pony

C2

http://212.192.241.203/sor/gate.php

Attributes
  • payload_url

    http://212.192.241.203/sor/shit.exe

Targets

    • Target

      e89ac7128c7460388550f814595e09ab596db0f6f6c0588eb6efdac0e3302637.exe

    • Size

      307KB

    • MD5

      9634a80228a6d385b70c74db6f22118e

    • SHA1

      9efdd367643baa158e5d51ca26553313bc6dcd27

    • SHA256

      e89ac7128c7460388550f814595e09ab596db0f6f6c0588eb6efdac0e3302637

    • SHA512

      ff30e23851da20b2e410db540a975c667beea73320e9465cf29c3ba2726eabe0d3a6aa6ff07e5388f44741eebee5dea2e6ee9fc81055c6c332ed7619b45499ba

    • SSDEEP

      6144:HuNt3ej7WrLJ0z3j5KnUxtVYg9Gl6EYKjL8DPP:Hu3evWLJ6jYnM9GE9KjL8DP

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks