pony | 7762218a83a5727fb397da102dff3b99419bdd0e0f15c1b7f09898010faa780c

Resubmissions

01-07-2024 12:59

240701-p717lasgmc 10

01-07-2024 12:33

240701-prmn9ssakf 10

Sharing

Copy URL

Twitter E-mail

General

Target

1b51840b9af837bd65732bcc6300740e_JaffaCakes118
Size

153KB
Sample

240701-p717lasgmc
MD5

1b51840b9af837bd65732bcc6300740e
SHA1

4899fa8f8df8bc923bd300ff079ffb89e960890f
SHA256

7762218a83a5727fb397da102dff3b99419bdd0e0f15c1b7f09898010faa780c
SHA512

115b9d7f520ef62fe323a7986131c11a14ae77237a9a63637257827665f9aa7b1bf876a35abada3f2f0eaa68794efd75d355e086b3188f872d0752b7ac96cc92
SSDEEP

3072:QGXG0qvTNFMJFHXQEkQkS6vmCNQMblOZhpwXuqOmg:QGXSvTNFMHHXQHQkjNVl4wXBz

Score

10^/10

Malware Config

Extracted

Family

pony

http://67.215.225.205:8080/ponys/gate.php

http://216.231.139.111/ponys/gate.php

Attributes

payload_url
http://123-engagement-ring.com/F2ziEErm.exe
http://sultanesmonterrey.com/6VRjCFx.exe
http://cafedoc.info/BxvUvh.exe
http://butelii-oxigen.ro/fojJM.exe
http://aurangabadproperties.com/rfoMUzmK.exe

Targets

- Target
  
  1b51840b9af837bd65732bcc6300740e_JaffaCakes118
- Size
  
  153KB
- MD5
  
  1b51840b9af837bd65732bcc6300740e
- SHA1
  
  4899fa8f8df8bc923bd300ff079ffb89e960890f
- SHA256
  
  7762218a83a5727fb397da102dff3b99419bdd0e0f15c1b7f09898010faa780c
- SHA512
  
  115b9d7f520ef62fe323a7986131c11a14ae77237a9a63637257827665f9aa7b1bf876a35abada3f2f0eaa68794efd75d355e086b3188f872d0752b7ac96cc92
- SSDEEP
  
  3072:QGXG0qvTNFMJFHXQEkQkS6vmCNQMblOZhpwXuqOmg:QGXSvTNFMHHXQHQkjNVl4wXBz
Score

10^/10

pony collection discovery evasion execution persistence rat spyware stealer
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5