pony | acdc87381a6782f5c23afc0eb76ece013baa0b10357e5d003af3468fdd3af3c3

General

Target

5e4ade4705a4d9740ab401dd57a2481a_JaffaCakes118
Size

164KB
Sample

240729-y992ystcnc
MD5

5e4ade4705a4d9740ab401dd57a2481a
SHA1

b45dd4f3c4a93b7bccf0662e471326fc93012fc9
SHA256

acdc87381a6782f5c23afc0eb76ece013baa0b10357e5d003af3468fdd3af3c3
SHA512

d97ed5c221913310b0bb9f19b62e8eca22ca854c0ef7f05fab6312b76bab61b103abea0434ec4db5851fc71ab37f794e63a588278e24997fa393ed8cd27593ea
SSDEEP

3072:QfaTgpRM+TqOsz+a98A+c1cbaIB8gJfdMNvsbRTg+n:Wvwts/JFi0bRTg+n

Score

10^/10

Malware Config

Extracted

Family

pony

C2

http://travisok.mcdir.ru/images/redirect.php

http://www.sm-tecnology.com/style/images/redirect.php

http://asgardtattoo.eu/css/redirect.php

http://vanhoye.com/flash/com/greensock/redirect.php

http://alzamilco.com/ar/style/redirect.php

http://e-harel.info/images/style/redirect.php

http://posaliege.be/message/images/redirect.php

http://billfinnell.com/inc/redirect.php

http://www.loisirsetculture.com/sites/default/1213.dat

http://e-harel.info/images/style/1213.dat

http://posaliege.be/message/images/1213.dat

http://www.tdgd.eu/test/php/1213.dat

http://billfinnell.com/inc/1213.dat

Attributes

payload_url
http://asgardtattoo.eu/css/1213.exe

http://vanhoye.com/flash/com/greensock/1213.exe

Targets

- Target
  
  0day warez.url
- Size
  
  117B
- MD5
  
  8cbd314b2ad010d3d98b491bf43e17e5
- SHA1
  
  a2c325f51fbca539ba4257aeb28c7a3f5b7c2c55
- SHA256
  
  74487459b955a2a5c2139979109005bd2fb1a4c5ba00c6b66e8b09788a32c404
- SHA512
  
  d3544903e08be65288e6ee057bf98df9646d93381136d8c34df74c99d7c28933f1321bc3575d3a70878cbcb0bfc72f0a0fdc6eea8f4972e4a5af61afee3dae1c
Score

1^/10
behavioral1 behavioral2
- Target
  
  CPLApp.cpl
- Size
  
  71KB
- MD5
  
  6e6ff1275216a0c31bbb792b53f47083
- SHA1
  
  5da5d675ab6873993bdfcc871e2cb08701453fc3
- SHA256
  
  700573ca11f25afd36f7efaf8309d0eed89dd687e966563ef8faab715666506d
- SHA512
  
  5856a28b0dd3f3fceeaaba852aef0ccbed1bb8595249fdc83d4b76e9d83aa7bb9c7fd557346b5302ee5ffec979aa8561afa71bae126bf46e3dc16425d51e089a
- SSDEEP
  
  768:uoeZZay22YPfYl+hZYhTjRFcK9601g6vuoMRhil2rQAbTfSOsMY9cmIILX:5eQ/PfEhTjTgpRMSbTqOsz9c6b
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  patch.exe
- Size
  
  189KB
- MD5
  
  b9f4a8d7ed01fc2b82f54625ff1b7e07
- SHA1
  
  0c5fb471eb643d61560cb9d3ba747e12d40fff4b
- SHA256
  
  7697d25b5b0795bd209223971c51a65b89843837c90341d5842e70178a36fa85
- SHA512
  
  c71fa8ffcb7e89386c59293b629acb382458c22e34b54d9d084bd5b9dddac23c8d141cacd945c72c73e99783449a3ab6952f0b8b30853fe45bf6d27deab71587
- SSDEEP
  
  3072:QJIRo4OilJA4hOfEo8mSkqu3HSWaxXpX0wWd2QDyIlBnU:QJ8ol8AGOXSkpXdY0ld2odU
Score

10^/10

pony collection credential_access discovery rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral5 behavioral6