pony | 6fbf5abab7dbd2ed8c5b626b4b06162cce1831efe2103ebe96043db72dd61269

General

Target

6bc5ab7a2b6bfc1746e93b12813c942f_JaffaCakes118
Size

156KB
Sample

241022-y1lm1athlm
MD5

6bc5ab7a2b6bfc1746e93b12813c942f
SHA1

6acd4c29e04cc6b3294b4d74d03d210bba906772
SHA256

6fbf5abab7dbd2ed8c5b626b4b06162cce1831efe2103ebe96043db72dd61269
SHA512

5e1b4bc58900cf55ebac3e1568e7023cf150fd7a447b6fcf3408064071aa828eb266f83632991e274035fd36243864ed2f3670a0ad84db39a0e735297a17cb54
SSDEEP

3072:ul89tSKkKRayiGcgAsr6TdNQYlE4DpCY45wpK2nqILOZfw4BMB/y5vGgXqv1rEIm:SmtSaRayiAAy6nQ8lCe3l6ZI0MB/SbXr

Score

10^/10

Malware Config

Extracted

Family

pony

C2

http://ser.foryourcatonly.com/forum/viewtopic.php

http://ser.luckypetspetsitting.com/forum/viewtopic.php

Attributes

payload_url
http://dechotheband.gr/5Wjm3iV2.exe

http://barisdogalurunler.com/9BMu2.exe

http://alpertarimurunleri.com/rRq.exe

http://oneglobalexchange.com/19J.exe

http://rumanas.org/1vAWoxz3.exe

http://www.10130138.wavelearn.de/4pxp.exe

http://visiosofttechnologies.com/iDm9vs.exe

http://sgisolution.com.br/jq5.exe

http://plusloinart.be/Ue7cHNm.exe

http://marengoit.pl/ZBrBpBh2.exe

Targets

- Target
  
  6bc5ab7a2b6bfc1746e93b12813c942f_JaffaCakes118
- Size
  
  160KB
- MD5
  
  97f7ee0017ff15f182af0724499f7a2e
- SHA1
  
  e9ca48cd0d624e9443bbb0f6fb48537f5f65eb5a
- SHA256
  
  7abe00638fafb697900111330f5d3c4512cbf7fc4f83345139ebc4c4d57f684b
- SHA512
  
  74c976edb7d1293b8ff58c0e4127a06645208aeb15bd9cc1b6454cdc493895e9426478efddc91332f1250b627b1e3e6ad2e7a3f05f5e4a13bf0612fdf679fa93
- SSDEEP
  
  3072:KM+Ru0P/V1+KRrH1E4DpCY45wpK2nqILOZfw4BxHdnkv9QQl95mR7d:KM+FP+E1lCe3l6ZI0xHdk1X/Q7d
Score

1^/10
behavioral1 behavioral2
- Target
  
  eFAX.CORPORATE.personal.ID2EFR120091FRe1TT0932223545AEG32123434IP.new.pdf.exe
- Size
  
  80KB
- MD5
  
  16625f5ee30ba33945b807fb0b8b2f9e
- SHA1
  
  a9759e9000a04fe090b4f7cfa9dde9b2c0947c54
- SHA256
  
  755d3ccd26b99ae2ccae8483847a2e42f8756884e1f11eb05d637d383d90362f
- SHA512
  
  ca0e2000e00843555c7917ee08f8910ffd1f319e4c206fb8dac28663186b02b0113e435b9e03e4e4e8ac64966d71130a922abcec16c224f0841196fa1be059c7
- SSDEEP
  
  1536:7MCEZ7wJSFfiaUflrb55qm4M5NUFdKMMM06LJyTHGvRkaoV/H7JAbh9Cuo3ZI:787w8jMt5qm4M5NUHM16ayRg/H1AtBoq
Score

10^/10

pony collection credential_access discovery rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral3 behavioral4
- Target
  
  vv/vv.pdf
- Size
  
  109KB
- MD5
  
  fe8882290d7fa1c4dc489075d16f4f93
- SHA1
  
  47bede05a2c78125b45890887acc28e2fc3f3d0e
- SHA256
  
  04266bd9cbc224c4f1ca78dccf0ec7c48ba81346ab55303fb9d49d3b55c3cc61
- SHA512
  
  a209c1ab3d6fbdaa4d8ae944cc53fab21ef1c7ccd744feb8bf81a4e7f72067ca5af90c23de3084d5f7e6748e4b78850c8930793645ad7aa92eb36e8af3a6e36b
- SSDEEP
  
  3072:hvo+TSa0iwPaCwxxZtiJeZxUa7i3aIbWm:hvo2LjwPpwzVpu3km
Score

3^/10

discovery
behavioral5 behavioral6