pony | 80738536df7d45bc98db85d4fbc2a00b41f4afd77ed434caf6b38a1d677a723d | Triage

Sharing

General

Target

JaffaCakes118_237ea80f4e66154fd208ba493982be51
Size

147KB
Sample

250124-vdsw1szkeq
MD5

237ea80f4e66154fd208ba493982be51
SHA1

72d2828f340e8c15a1e6f65644805d29b0030249
SHA256

80738536df7d45bc98db85d4fbc2a00b41f4afd77ed434caf6b38a1d677a723d
SHA512

f7f3b85285d9cf309518a701bbd94da6614440c855c2117ebf89e20abe590b1ed06a74646ea7bd54e523d5a8959e0acc7ed7435f0eedeb213749aa31db96f5d4
SSDEEP

3072:z5Rfr1ZZpFhVpnFYGGCE+q5q9ovASq6mowKZUDibXDl:z5tr5BVFF2Ca5q0qUTD

Score

10^/10

pony collection credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://217.20.117.145:8080/pony/gate.php

http://217.20.118.117:8080/pony/gate.php

Attributes

payload_url
http://viveroparadiso.com.ar/NSyf.exe

http://uppalneurohospital.com/x7nx.exe

http://greatroastcoffee.com/w1HjW1.exe

Targets

- Target
  
  JaffaCakes118_237ea80f4e66154fd208ba493982be51
- Size
  
  147KB
- MD5
  
  237ea80f4e66154fd208ba493982be51
- SHA1
  
  72d2828f340e8c15a1e6f65644805d29b0030249
- SHA256
  
  80738536df7d45bc98db85d4fbc2a00b41f4afd77ed434caf6b38a1d677a723d
- SHA512
  
  f7f3b85285d9cf309518a701bbd94da6614440c855c2117ebf89e20abe590b1ed06a74646ea7bd54e523d5a8959e0acc7ed7435f0eedeb213749aa31db96f5d4
- SSDEEP
  
  3072:z5Rfr1ZZpFhVpnFYGGCE+q5q9ovASq6mowKZUDibXDl:z5tr5BVFF2Ca5q0qUTD
Score

10^/10

pony collection credential_access discovery rat spyware stealer
- Pony family
  pony
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ponycollectioncredential_accessdiscoveryratspywarestealer

behavioral2

ponycollectioncredential_accessdiscoveryratspywarestealer