General
-
Target
59493695d80f5530ed1c197ea836d3dbJaffaCakes118
-
Size
161KB
-
Sample
240529-2wfsqsda2z
-
MD5
59493695d80f5530ed1c197ea836d3db
-
SHA1
60efde08501ff3cbeb8f3ac8914d7a1e9502a8bc
-
SHA256
1d7bc20321433b66baaa9e8ad78ff3e11a9e8814775dbcaec89fcac1f253035a
-
SHA512
5057645e78c70dfcbc6b8872a51f7e0323255bc6c000b56d9d51fded746387dd6dd134bd18f4d1c30d3595fa146d251b40185db76f4a1b16a3b65e300207c24f
-
SSDEEP
3072:cTLZhs0uDI0rAfOXl+y+uql/GOtsrVrqhTqndtndhndKndI:cTLFuD6fOXlql/GLJrqqndtndhndKndI
Malware Config
Extracted
pony
http://butterchoco.net/admin/bull/gate.php
Targets
-
-
Target
59493695d80f5530ed1c197ea836d3dbJaffaCakes118
-
Size
161KB
-
MD5
59493695d80f5530ed1c197ea836d3db
-
SHA1
60efde08501ff3cbeb8f3ac8914d7a1e9502a8bc
-
SHA256
1d7bc20321433b66baaa9e8ad78ff3e11a9e8814775dbcaec89fcac1f253035a
-
SHA512
5057645e78c70dfcbc6b8872a51f7e0323255bc6c000b56d9d51fded746387dd6dd134bd18f4d1c30d3595fa146d251b40185db76f4a1b16a3b65e300207c24f
-
SSDEEP
3072:cTLZhs0uDI0rAfOXl+y+uql/GOtsrVrqhTqndtndhndKndI:cTLFuD6fOXlql/GLJrqqndtndhndKndI
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-