General

  • Target

    702e6b398def88f7e473b2d1fc10bc1529f6186a53a40c3a9ee0cba8b422372a

  • Size

    172KB

  • Sample

    240420-28m3ksce37

  • MD5

    022735f30eca92db0eb6af97093a148b

  • SHA1

    3708b43536fc0cfaa5e9970909fa2b9d2367beb5

  • SHA256

    702e6b398def88f7e473b2d1fc10bc1529f6186a53a40c3a9ee0cba8b422372a

  • SHA512

    841192dde7a9dd9898d2b983d39a0248a2e504a5a89ef9a0493f69d8abd94daaae6ce25a837ad60f9f7536788c234cba626f0cded78aa763eb61810d211fbacb

  • SSDEEP

    3072:ylRWMa328PS8P7zi+I0dtpFBFa6pB0Kca00CKBPlYmja:ylRWMaVPhP7O+ZDpFq6pB0Kcl

Malware Config

Extracted

Family

pony

C2

http://45.58.116.102/~admin/maindomainkid009_net/ajuk/fire/gate.php

Attributes

  • payload_url

    http://45.58.116.102/~admin/maindomainkid009_net/ajuk/fire/micro.exe

Targets

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables referencing many file transfer clients. Observed in information stealers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks