General

  • Target

    88fcd1756aacde0d6172d00ad3b483f04e7258813fa09455e6c61e658b397154N

  • Size

    143KB

  • Sample

    240919-na2w7avfra

  • MD5

    e4e5db158333e997ec1db475fc838120

  • SHA1

    46eb9a9f8e92b42fc98a9f5ebf1015b2e7b13df9

  • SHA256

    88fcd1756aacde0d6172d00ad3b483f04e7258813fa09455e6c61e658b397154

  • SHA512

    19207fe43a1baed3d7ccc5c05d182ccbb5a77a829603cff0b753195a05fc2f8b37801df99a80c077e3ec523c687bc39bb736ac1673ece0b99a9d4329e66315aa

  • SSDEEP

    3072:0e6EY/P8vyLqcE7Rvu0+y3ewjdwk8oj9zV1/JPAi:oR/Ue6vR0gz//j

Malware Config

Extracted

Family

pony

C2

http://64.111.24.123/pony/gate.php

http://66.175.216.111/pony/gate.php

Attributes
  • payload_url

    http://millanta.com/kYwJSdk7/KAnx.exe

    http://www.constructorajuvelca.com.ve/7TNWKmPr/RHB7.exe

    http://lifemissionchiropractic.com/b47hxj06/ttwi1.exe

    http://ftp.meridional.tur.br/eHbgtz5y/n9moPYU.exe

    http://heenamkim.com/Jq6aoUkD/kE4P.exe

    http://smarty.smsplay.cz/7wd5zYew/Ut6GBX.exe

Targets

    • Target

      88fcd1756aacde0d6172d00ad3b483f04e7258813fa09455e6c61e658b397154N

    • Size

      143KB

    • MD5

      e4e5db158333e997ec1db475fc838120

    • SHA1

      46eb9a9f8e92b42fc98a9f5ebf1015b2e7b13df9

    • SHA256

      88fcd1756aacde0d6172d00ad3b483f04e7258813fa09455e6c61e658b397154

    • SHA512

      19207fe43a1baed3d7ccc5c05d182ccbb5a77a829603cff0b753195a05fc2f8b37801df99a80c077e3ec523c687bc39bb736ac1673ece0b99a9d4329e66315aa

    • SSDEEP

      3072:0e6EY/P8vyLqcE7Rvu0+y3ewjdwk8oj9zV1/JPAi:oR/Ue6vR0gz//j

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks