General

  • Target

    9f9c69fcb112a620df3e0520db004e633c42141e2d6e7029d23b9ce18a97e6eaN.exe

  • Size

    571KB

  • Sample

    241226-c5aweavma1

  • MD5

    77c247a34a0d0ec0648c4882d8dd5110

  • SHA1

    70731974511cc49ba2ba85d56d570302c5eb03f4

  • SHA256

    9f9c69fcb112a620df3e0520db004e633c42141e2d6e7029d23b9ce18a97e6ea

  • SHA512

    b1426504483437d56d40303fc5473e74b8d993e940ba3c64efcba657cce37b61c3ba58b58e949421e19ee63697f3bc55bad6144ef4ecaf39d034a2796298b59e

  • SSDEEP

    12288:++ngP9XSjEEVA29cr605He6GurJRcnlaUG3Y:nOL605He6GurJRclNyY

Malware Config

Extracted

Family

pony

C2

http://kushilxiriuxm.net/11/gate.php

Targets

    • Target

      9f9c69fcb112a620df3e0520db004e633c42141e2d6e7029d23b9ce18a97e6eaN.exe

    • Size

      571KB

    • MD5

      77c247a34a0d0ec0648c4882d8dd5110

    • SHA1

      70731974511cc49ba2ba85d56d570302c5eb03f4

    • SHA256

      9f9c69fcb112a620df3e0520db004e633c42141e2d6e7029d23b9ce18a97e6ea

    • SHA512

      b1426504483437d56d40303fc5473e74b8d993e940ba3c64efcba657cce37b61c3ba58b58e949421e19ee63697f3bc55bad6144ef4ecaf39d034a2796298b59e

    • SSDEEP

      12288:++ngP9XSjEEVA29cr605He6GurJRcnlaUG3Y:nOL605He6GurJRclNyY

    • Pony family

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks