pony | d99870981586e21d1bff1ada990a126c854674d9fc2baef87441a5e94a9b73de | Triage

Sharing

General

Target

ff0452c618fb5ff3b2acf804d56e499f_JaffaCakes118
Size

1.3MB
Sample

240929-v1nwkstamr
MD5

ff0452c618fb5ff3b2acf804d56e499f
SHA1

140cc35c62afb08f46c4942003083e89e6bc21e4
SHA256

d99870981586e21d1bff1ada990a126c854674d9fc2baef87441a5e94a9b73de
SHA512

42a6cd4e5a91c5976b58a7076b824c4728e5bbd3c988c9ed1e6ac099c5d597f75fba87fc2d0f06d22a6dcd21edd9eebe6fd9d7d737b3d5fb2167db8ea08e4bb5
SSDEEP

12288:dE5vhW6Rzx/LA/A8RNwlAiP6CEhH1IfkGdl8o6h69n02e2ZP:dE3Rzx/L2A8R6lAiP62f6c9n0GZP

Score

10^/10

pony collection credential_access discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://onlygoodm.com/ac9/gate.php

Attributes

payload_url
http://onlygoodm.com/ac9/ac9.exe

Targets

- Target
  
  ff0452c618fb5ff3b2acf804d56e499f_JaffaCakes118
- Size
  
  1.3MB
- MD5
  
  ff0452c618fb5ff3b2acf804d56e499f
- SHA1
  
  140cc35c62afb08f46c4942003083e89e6bc21e4
- SHA256
  
  d99870981586e21d1bff1ada990a126c854674d9fc2baef87441a5e94a9b73de
- SHA512
  
  42a6cd4e5a91c5976b58a7076b824c4728e5bbd3c988c9ed1e6ac099c5d597f75fba87fc2d0f06d22a6dcd21edd9eebe6fd9d7d737b3d5fb2167db8ea08e4bb5
- SSDEEP
  
  12288:dE5vhW6Rzx/LA/A8RNwlAiP6CEhH1IfkGdl8o6h69n02e2ZP:dE3Rzx/L2A8R6lAiP62f6c9n0GZP
Score

10^/10

pony collection credential_access discovery persistence privilege_escalation rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Installer Packages

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Installer Packages

Defense Evasion

Modify Registry

System Binary Proxy Execution

Msiexec

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ponycollectioncredential_accessdiscoverypersistenceprivilege_escalationratspywarestealer

behavioral2

ponycollectioncredential_accessdiscoverypersistenceprivilege_escalationratspywarestealer