pony | 87e1073b2784387112b20462c966c352a67dccab9b16cad4b3b9f792f565f87d | Triage

Sharing

General

Target

2626edb77950ab6d0a9ec0c2eb584946_JaffaCakes118
Size

128KB
Sample

240704-zj95pszgka
MD5

2626edb77950ab6d0a9ec0c2eb584946
SHA1

8d53bc051b9569c15d6682a6c20b71953bd36306
SHA256

87e1073b2784387112b20462c966c352a67dccab9b16cad4b3b9f792f565f87d
SHA512

8d2bebfff27060b6b0f98045d07ff9c53325a6de4a8cded870a4da109edbd979eecc3a0f35f9dc75786f4614c8ab1237461577dc728f6912dc6056241f913fd3
SSDEEP

3072:uGHi6mwNZwZeqj1z5bMRTUXk9mFfVb28pi1p0Sg:+6ZRqj1z5CmkE328pi7

Score

10^/10

pony collection discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://67.215.225.205:8080/forum/viewtopic.php

http://50.116.13.230/forum/viewtopic.php

Attributes

payload_url
http://mega105fm.com/bb7tBrft.exe

http://cpps.or.id/KwV8AXN.exe

http://citleg.org/UptP.exe

Targets

- Target
  
  2626edb77950ab6d0a9ec0c2eb584946_JaffaCakes118
- Size
  
  128KB
- MD5
  
  2626edb77950ab6d0a9ec0c2eb584946
- SHA1
  
  8d53bc051b9569c15d6682a6c20b71953bd36306
- SHA256
  
  87e1073b2784387112b20462c966c352a67dccab9b16cad4b3b9f792f565f87d
- SHA512
  
  8d2bebfff27060b6b0f98045d07ff9c53325a6de4a8cded870a4da109edbd979eecc3a0f35f9dc75786f4614c8ab1237461577dc728f6912dc6056241f913fd3
- SSDEEP
  
  3072:uGHi6mwNZwZeqj1z5bMRTUXk9mFfVb28pi1p0Sg:+6ZRqj1z5CmkE328pi7
Score

10^/10

pony collection discovery rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ponycollectiondiscoveryratspywarestealer

behavioral2

ponyratspywarestealer