pony | 55997bf8cf06b952a5a7d00c51a5c50af7ea6c2e65c8a907502b0008de4262da | Triage

Sharing

General

Target

a94d3f96113d43a0e6f1c8cd39885329_JaffaCakes118
Size

153KB
Sample

241127-x47h7swqew
MD5

a94d3f96113d43a0e6f1c8cd39885329
SHA1

6d7fa8ceea1cf7dce516c4240659e138bf9435ed
SHA256

55997bf8cf06b952a5a7d00c51a5c50af7ea6c2e65c8a907502b0008de4262da
SHA512

4d94b87959ae684d9b6c9f83ab92d92e9f4137e7d68639134ef6c8bced8bb01717f307debfb2e2fd0d5212df74b77501415a76a55c65a186b209fd3ad512ce83
SSDEEP

3072:d2jpmyvLmkrZOWpjNtd/barDx/J/ukrXzb/2UGvKrUiN3Y0wUJ:Y5d55dqJJ/ukvbuUGv8Br

Score

10^/10

pony collection credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://66.55.89.149:8080/forum/viewtopic.php

http://66.55.89.150:8080/forum/viewtopic.php

Attributes

payload_url
http://nintendorevolutionfan.com/pb7fh3.exe

http://www.imprentavalenciaofertas.es/R3SfreR.exe

http://air-location-voiture.com/unbQ.exe

Targets

- Target
  
  a94d3f96113d43a0e6f1c8cd39885329_JaffaCakes118
- Size
  
  153KB
- MD5
  
  a94d3f96113d43a0e6f1c8cd39885329
- SHA1
  
  6d7fa8ceea1cf7dce516c4240659e138bf9435ed
- SHA256
  
  55997bf8cf06b952a5a7d00c51a5c50af7ea6c2e65c8a907502b0008de4262da
- SHA512
  
  4d94b87959ae684d9b6c9f83ab92d92e9f4137e7d68639134ef6c8bced8bb01717f307debfb2e2fd0d5212df74b77501415a76a55c65a186b209fd3ad512ce83
- SSDEEP
  
  3072:d2jpmyvLmkrZOWpjNtd/barDx/J/ukrXzb/2UGvKrUiN3Y0wUJ:Y5d55dqJJ/ukvbuUGv8Br
Score

10^/10

pony collection credential_access discovery rat spyware stealer
- Pony family
  pony
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Deletes itself
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ponycollectioncredential_accessdiscoveryratspywarestealer

behavioral2

ponycollectioncredential_accessdiscoveryratspywarestealer