General

  • Target

    6b8881aa3392c9b22e24eb51f65359d4967a6a0ed3f0abb1ea9fc916a2494980N

  • Size

    2.6MB

  • Sample

    241103-bnanmszpdz

  • MD5

    0ed4337bad4fbd2080142238cb7a7020

  • SHA1

    3cfb1d2123bf0f18d3dcfec1b36e53b34179c21a

  • SHA256

    6b8881aa3392c9b22e24eb51f65359d4967a6a0ed3f0abb1ea9fc916a2494980

  • SHA512

    2c317926942c8e9180846b08b1be987878209ed94a7fb59fe9ae68033ff2d0de065d869cbb3eded8f044e287ce940bb02d97046a669023ac953032d9cebbf7f3

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlM:86SIROiFJiwp0xlrlM

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Targets

    • Target

      6b8881aa3392c9b22e24eb51f65359d4967a6a0ed3f0abb1ea9fc916a2494980N
    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks