General
-
Target
3f1036008dc10f205be9ee1d9391148905aa99d44b29ee1e9d20f47a1199e375
-
Size
2.6MB
-
Sample
241117-e2b1eazqfx
-
MD5
74ebca588f28d3de9149635f1d3740f8
-
SHA1
5ad7f0fa82fabbc5597512eafc4bba3cb4b17f00
-
SHA256
3f1036008dc10f205be9ee1d9391148905aa99d44b29ee1e9d20f47a1199e375
-
SHA512
60c5c8095c8926ff6b2e706170c14dd2f413e13edaff75a6490fd191b375c27a4ae6dcbb93187fe6151d7b23326bdacb0c6ccded1bae70a137fd5dcd77a9a7c7
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlK:86SIROiFJiwp0xlrlK
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Targets
-
-
Target
3f1036008dc10f205be9ee1d9391148905aa99d44b29ee1e9d20f47a1199e375
-
Size
2.6MB
-
MD5
74ebca588f28d3de9149635f1d3740f8
-
SHA1
5ad7f0fa82fabbc5597512eafc4bba3cb4b17f00
-
SHA256
3f1036008dc10f205be9ee1d9391148905aa99d44b29ee1e9d20f47a1199e375
-
SHA512
60c5c8095c8926ff6b2e706170c14dd2f413e13edaff75a6490fd191b375c27a4ae6dcbb93187fe6151d7b23326bdacb0c6ccded1bae70a137fd5dcd77a9a7c7
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlK:86SIROiFJiwp0xlrlK
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4