pony | 78da25e1780ea1efc42205ff601cd73dee0075ab4f3c58c59387cce8719c46dd | Triage

Sharing

General

Target

e3172834b20898b8a25184c3bd0948ed_JaffaCakes118
Size

93KB
Sample

240915-wqsmfswbnf
MD5

e3172834b20898b8a25184c3bd0948ed
SHA1

a86227c1630d54dfe059e9a71df1299c1566a146
SHA256

78da25e1780ea1efc42205ff601cd73dee0075ab4f3c58c59387cce8719c46dd
SHA512

f31077dde00e8924aa3f53125eb0a884a5c35251b41c5c38d1b27ba64bc4b99cc41d953eacf62db11cac8950273698538d4ac570633a784ebc2a17cbbacf9a82
SSDEEP

1536:luZQ4OaD0uIwaq7M4KoQuURcKc2sXTc3+yA7TNeNQ5BAkdlFKT17s:Q967wf7M4KoQukcRXTaH8TNv0kZKTBs

Score

10^/10

pony credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://88.85.99.44:8080/pony/gate.php

http://91.121.140.103:8080/pony/gate.php

http://91.121.178.156:8080/pony/gate.php

Attributes

payload_url
http://www.stablerkraemer.at/15Psv3zJ/4ah6NuS.exe

http://www.grupozear.es/5PYpsVTJ/mPt0Zx.exe

http://cairngorm.basestationdev.co.uk/tv9TcPVk/rXExfz.exe

Targets

- Target
  
  e3172834b20898b8a25184c3bd0948ed_JaffaCakes118
- Size
  
  93KB
- MD5
  
  e3172834b20898b8a25184c3bd0948ed
- SHA1
  
  a86227c1630d54dfe059e9a71df1299c1566a146
- SHA256
  
  78da25e1780ea1efc42205ff601cd73dee0075ab4f3c58c59387cce8719c46dd
- SHA512
  
  f31077dde00e8924aa3f53125eb0a884a5c35251b41c5c38d1b27ba64bc4b99cc41d953eacf62db11cac8950273698538d4ac570633a784ebc2a17cbbacf9a82
- SSDEEP
  
  1536:luZQ4OaD0uIwaq7M4KoQuURcKc2sXTc3+yA7TNeNQ5BAkdlFKT17s:Q967wf7M4KoQukcRXTaH8TNv0kZKTBs
Score

10^/10

pony credential_access discovery rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ponycredential_accessdiscoveryratspywarestealer

behavioral2

ponycredential_accessdiscoveryratspywarestealer