pony | 3f0d1a3f474f03f5334e1800b308830eaa302b37d08fd5390176204f49ceae93

Sharing

Copy URL

Twitter E-mail

General

Target

3f0d1a3f474f03f5334e1800b308830eaa302b37d08fd5390176204f49ceae93
Size

1.1MB
Sample

240828-zf5qtavdqb
MD5

c79b33f2c6d15af48a485350904f02dd
SHA1

a2ed08e7648642ab7b4e0ae88438c87259023a55
SHA256

3f0d1a3f474f03f5334e1800b308830eaa302b37d08fd5390176204f49ceae93
SHA512

5dd4b95511cecb473dc5badd6f094241e43ea269596f0c5fda67c7a971e36a4de4c3bbb46effd53087f2031211bae171e6f7fbf82c41329cf14e1f020023d211
SSDEEP

24576:OrSfsyCVp2xfwfOBT4T35Zl66PAaEbV3iCJXgoPchq4K4TIIcz:Jfs/cw2BT8rl3AagFaIIcz

Score

10^/10

Malware Config

Targets

- Target
  
  15540D149889539308135FA12BEDBCBF
- Size
  
  49KB
- MD5
  
  15540d149889539308135fa12bedbcbf
- SHA1
  
  4253b23f8d48dd033f9b614d55dae9f7e68a9716
- SHA256
  
  a8ab526718cc2767ca5f29612a76dc0bc36a9b11542aa3de92e35e41b98d346c
- SHA512
  
  31d23897f54a8120e211b8ff0c7fd38fdb7324c21e5bb50800d9a4055bed4ab72be9e38cb9bc8de8732d5e859291f873fe99e28bf1592eb20c91dc0db5bdf233
- SSDEEP
  
  1536:QpgpHzb9dZVX9fHMvG0D3XJB4Romu/IDf:mgXdZt9P6D3XJB45hDf
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  1D34D800AA3320DC17A5786F8EEC16EE
- Size
  
  69KB
- MD5
  
  1d34d800aa3320dc17a5786f8eec16ee
- SHA1
  
  4bcbded0cb8a68dc6d8141a31e0582e9641fa91e
- SHA256
  
  852a2c4d2bb5e27d75ff76aee3e9d091e1aa67fa372cb2876e690ee32a351442
- SHA512
  
  d28903222a0523ff56d7c63696fd49e5765c9f35cde7d225476a6d6b3e43859aaf15eea2eb0805d019d423282a8ee22e44456e50a6e6a0972b498ec07c7d2976
- SSDEEP
  
  768:WNay907/9WUx4W1X2FB95msu9YW7rSLedQV19a7xMzVoWkV0iQ3Yg5hSqSr:WNZY/b92rnmfHfSLed41EeizV2uFr
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  301210D5557D9BA34F401D3EF7A7276F
- Size
  
  93KB
- MD5
  
  301210d5557d9ba34f401d3ef7a7276f
- SHA1
  
  30ade72660852a21352c61fe18697324c5b53b20
- SHA256
  
  fae44240687fbf163872f27f8a5e1ff5f1f25c0029bc4c02d14581897bd40aec
- SHA512
  
  bee107199e2ed60af274d9a368e3c611e953f51546fc3115a6b0dd21dec6bc66d2e89cfbe5c654a8e660632423adc3193dd379cbcf1c965e195b33b56f7cb0c2
- SSDEEP
  
  1536:rv+bubDjXoVwBdYsCw7/bBtvdTTPUuO0mFMBL7j9Ae4JJbiScul0Qpe:rv7njXoV8dYfardTLUuJmFMdn9AvxL0O
Score

10^/10

pony credential_access discovery rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral5 behavioral6
- Target
  
  60C01A897DD8D60D3FEA002ED3A4B764
- Size
  
  94KB
- MD5
  
  60c01a897dd8d60d3fea002ed3a4b764
- SHA1
  
  d10bfa7cacb52828e26420f83fe1c4f9f6ce3f75
- SHA256
  
  40446dc76753b060a97497cad804f717682f2a88c3e10d3ae2995c099dbcd5f1
- SHA512
  
  54fbc6aea6963fa67a8b093a31afe272dcec7aa44dd4e2857851bdc3b0058d6a499fd5c6ad82ed1b00550e8b2698fc6c619dde9cdae58dbf38cb11642c354e05
- SSDEEP
  
  1536:6+yzIOvHPUcwxKuCx2YLSEVia1h5pGP+Cf2eeRh8mWe5irvjaiGkft9ab5Vpq:6+UMhxI2YLS07h5ps+Cf2/5WemvjaiEs
Score

10^/10

pony credential_access discovery rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral7 behavioral8
- Target
  
  67E4F5301851646B10A95F65A0B3BACB
- Size
  
  93KB
- MD5
  
  67e4f5301851646b10a95f65a0b3bacb
- SHA1
  
  952e2240ea0b8e8ed03836d6db351f7688c1f5bf
- SHA256
  
  9867fe9f912b9dcefe36a84b62087e0b7aedc60b769d64ac6b13272f26daa8c5
- SHA512
  
  19dd33da8a0d1aec4e6ca15907c29d56720461956482d3f8e9844c4e863c959be20cbfcc344aed87e3f7ed39a2ea602bfc215fff45b4fc77e40699852bda8dfa
- SSDEEP
  
  1536:jjnDNEQztriSJScSJLyYywG/LwgywD6RpW/9355MfBDqIbtKGp5vVIeDbj/UOKZK:yQzFZJrSJL9G9ARpW/93eNqIbRdDbj/e
Score

10^/10

pony credential_access discovery rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral10 behavioral9
- Target
  
  8953398DE47344E9C2727565AF8D6F31
- Size
  
  93KB
- MD5
  
  8953398de47344e9c2727565af8d6f31
- SHA1
  
  6e2ebfdb6a4d98545faee070f5ba4f825fb774ce
- SHA256
  
  ff3b094d2a71d6e738efaacfde92889c3ba508943a94d0bbad2c99cb932129b3
- SHA512
  
  504ace0acbd420dae6745669da9d385d4555fa53d2d9f42498a2a4a42be785abf28149bad1cec7ad7174becfcd5af94bf01ead759307a578920fa00fa07e9573
- SSDEEP
  
  1536:y0tH1qr9104HEy3MU1vFgA9+xzGnQzDozmHtt/9W/IALa8:y01K91j15t39+9GnQUWth9GLa8
Score

10^/10

pony credential_access discovery rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral11 behavioral12
- Target
  
  D883DC7ACC192019F220409EE2CADD64
- Size
  
  68KB
- MD5
  
  d883dc7acc192019f220409ee2cadd64
- SHA1
  
  2a2cdcb07e97876eef59b03615dbf9b306916b10
- SHA256
  
  e59928937538f6595b0cbf5f76c3a0eec838a0e65c3a82354fb8f92fd75bfa08
- SHA512
  
  538a642250d0bcab886b2528be614f457f8a650aec37083929a79d21d88a04a366054ac2ec186de4a27e64dc226eb587c40ce218f40822e6daf0f1af7b009390
- SSDEEP
  
  768:m8+wYnzswDTVI5bjT7aiFBvqsvvZMvyWWQ6cRkZhR+NRgs6XeBoA3yU1cPXGeSvg:DwDZoNnov7RuRCg1uBj3aebs
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  DF5A394AD60512767D375647DBB82994
- Size
  
  94KB
- MD5
  
  df5a394ad60512767d375647dbb82994
- SHA1
  
  32d3074fdd2b6745c4e03335c49a4ac7c5e072cb
- SHA256
  
  70c2ea2751b524f296bc91d394ee85cbc9bdcea03af6abfecec52f65790227d6
- SHA512
  
  27733d2717dd42e45c2b3029f64f2c971f6ce86c9852f478619afb1cff0115d2f7b20cb1382b0a1dcd206b18b6948bae488e847ea571be268a9ab13ceda06233
- SSDEEP
  
  1536:joRBVXkOMn6+EB+SwWaIdHdG60vLRVysjbgHmTbMTdPuvJgIjyKDhlGswtL:jcDa7Y+SwfIdHsvPymsJPGgIjtlx8
Score

10^/10

pony credential_access discovery rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral15 behavioral16
- Target
  
  F1E546FE9D51DC96EB766EC61269EDFB
- Size
  
  572KB
- MD5
  
  f1e546fe9d51dc96eb766ec61269edfb
- SHA1
  
  4edea5d41c6c5888f95f77a048982eae57612818
- SHA256
  
  a474534bf4185fc604b66396b69fb3a032c9f47b38bcf5ab4e9104d25cfe1054
- SHA512
  
  e9a9fbd99ef9f8463c4c3da914c0b77f5112ad0b97d51862a29cfb65848e7fd3e21f48603fe41c31e3a28bde013c4263244a3363806ead86b9b8931038825555
- SSDEEP
  
  12288:X81Ed0hYcVhrGFTlZaVXVYr92FFilE5AUJHPx6hhsH4u0Q7w:X81EdVcVhGNDyYr9Wi4NJccHM
Score

7^/10

discovery upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral17 behavioral18
- Target
  
  F77DB63CBED98391027F2525C14E161F
- Size
  
  93KB
- MD5
  
  f77db63cbed98391027f2525c14e161f
- SHA1
  
  632d9707e0cf70d2fe99b1529ad637ab50718664
- SHA256
  
  17deee35f00935d1f2d931dcd0f5b51743ae7505d1f52123f2a3b1f89c8bbc61
- SHA512
  
  5ab30f96a0122fdb72dfc744358906840cf7d2afe6d7ad6d058de783cd5d449ff7db35c063466497110031e88d4b189bc71f4b38a86176ee5c98df5d21f27573
- SSDEEP
  
  1536:oMwpusTKobR1xeHIRd1olaGeNaV9vUDpy0hGj6nlZtPWmVALInel9vY4:w1KovoHIREwaVFUlyk5lZtT6ll9vY4
Score

10^/10

pony credential_access discovery rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral19 behavioral20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Pony,Fareit

Credentials from Password Stores: Credentials from Web Browsers

Checks computer location settings

Deletes itself

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Checks installed software on the system

Pony,Fareit

Credentials from Password Stores: Credentials from Web Browsers

Checks computer location settings

Deletes itself

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Checks installed software on the system

Pony,Fareit

Credentials from Password Stores: Credentials from Web Browsers

Checks computer location settings

Deletes itself

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Checks installed software on the system

Pony,Fareit

Credentials from Password Stores: Credentials from Web Browsers

Checks computer location settings

Deletes itself

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Checks installed software on the system

Pony,Fareit

Credentials from Password Stores: Credentials from Web Browsers

Checks computer location settings

Deletes itself

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Checks installed software on the system

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

AutoIT Executable

Pony,Fareit

Credentials from Password Stores: Credentials from Web Browsers

Checks computer location settings

Deletes itself

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Checks installed software on the system

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20