Extracted

• • Target

    3cec8aba4c0c34ec0c222689d040b0e58f806a2b6a13eaa3a5fb0c6535365024N

  • Size

    2.6MB

  • MD5

    c8bb6e096436eca4e86cad395f58c500

  • SHA1

    a81c30766323dfe9003b7d233e92f04b8d0a49de

  • SHA256

    3cec8aba4c0c34ec0c222689d040b0e58f806a2b6a13eaa3a5fb0c6535365024

  • SHA512

    00d9169b3453a9e058ef17a05e044b0336b219ea0a3253aacdef3f5cde318561361bcc53e9d0b768dc048ca8c3f219316eca79d495024efc34ebf7b21f447807

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlh:86SIROiFJiwp0xlrlh

  Score

  10^/10

  ponydiscoveryevasionpersistenceratspywarestealer

  • Modifies WinLogon for persistence

    persistence

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • Pony family

    pony

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2