pony | 5fe463955e90ecafbe55da40620d633668f02fb1ec64fc0e7cdc9a779088479a | Triage

Sharing

General

Target

f6e5a0da6deb3dd844365912b59a2126_JaffaCakes118
Size

145KB
Sample

240925-1cvbcasane
MD5

f6e5a0da6deb3dd844365912b59a2126
SHA1

8e2015e82cb74cf39f82813dd5abf0b1f4a8fbca
SHA256

5fe463955e90ecafbe55da40620d633668f02fb1ec64fc0e7cdc9a779088479a
SHA512

87b4a68bc6ac1af4a3c15b5be0d45eb3b75dbe37d6451a50dc041440dc29eb0e96042de9d44c1b64e2103a804fbdc368921ea25b8ee34bb3afda9e3288650962
SSDEEP

3072:J9PkQIQY2jhkRarEdTVTeX347V6u+NZo/rkAq32Be417gfovR9:HLP2o8TeX3a/zq32Be41EfovR

Score

10^/10

pony collection credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://209.59.219.1/forum/viewtopic.php

http://212.58.20.11/forum/viewtopic.php

Attributes

payload_url
http://110.50.201.178/gnqc1X.exe

http://automazioneindustriale.co/KK63dqpH.exe

http://ptu65.brest.by/XfF65k.exe

Targets

- Target
  
  f6e5a0da6deb3dd844365912b59a2126_JaffaCakes118
- Size
  
  145KB
- MD5
  
  f6e5a0da6deb3dd844365912b59a2126
- SHA1
  
  8e2015e82cb74cf39f82813dd5abf0b1f4a8fbca
- SHA256
  
  5fe463955e90ecafbe55da40620d633668f02fb1ec64fc0e7cdc9a779088479a
- SHA512
  
  87b4a68bc6ac1af4a3c15b5be0d45eb3b75dbe37d6451a50dc041440dc29eb0e96042de9d44c1b64e2103a804fbdc368921ea25b8ee34bb3afda9e3288650962
- SSDEEP
  
  3072:J9PkQIQY2jhkRarEdTVTeX347V6u+NZo/rkAq32Be417gfovR9:HLP2o8TeX3a/zq32Be41EfovR
Score

10^/10

pony collection credential_access discovery rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ponycollectioncredential_accessdiscoveryratspywarestealer

behavioral2

ponycollectioncredential_accessdiscoveryratspywarestealer