Extracted

• • Target

    14d212f9979c9d43b6bcf4ff61650ec10f2f1b61254337a84996923d5aae37e9N

  • Size

    2.6MB

  • MD5

    be3e0eeac1e56582a4270ec7a60ca110

  • SHA1

    6e5dc583dc5a889282c4db982a634f61529c7011

  • SHA256

    14d212f9979c9d43b6bcf4ff61650ec10f2f1b61254337a84996923d5aae37e9

  • SHA512

    b671f77912a26a562f34a79adb86844c3f779442efab0e24aae894e9171da640f30c51017fed129a33861ffa314a96f05dbd8f5f9c01692cf4fd0ec9453b813a

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl9:86SIROiFJiwp0xlrl9

  Score

  10^/10

  ponydiscoveryevasionpersistenceratspywarestealer

  • Modifies WinLogon for persistence

    persistence

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • Pony family

    pony

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2