Pony Fareit 08th November 2025 - Sandbox detonation analysis + C&C threat intelligence and OSINT analysis

In the present article we are going to analyze with sandbox detonation a Pony Fareit malware sample. The threat gets information about language and geographical references of the victim machine:

It gets information and data from FTP clients, browser user data and profiles, Outlook Accounts and Profiles data and details, credentials saved in files:

The malware enumerates the details of installed software through Uninstall registry keys details:

The bat malicious script dropped under AppData\Local\Temp folder executes a malicious JS script which works as an installer for the final stage stealer artifact. The script also gets details about the credentials in the victim machine:

We can see details related to the Windows Script Host platform:

There are also details that could be associated to Windows Defender evasion:

Here are the OSINT details of the Pony sample:

The main Pony malware contacts the C&C domain central[.]pk, registered 14 years ago and probably compromised, it has mixed HTTP and HTTPS content:

Here is a behaviour process related to the scripts dropping phase and CMD execution:

The C&C IP address 5.134.14[.]119 has been registered in UKDedicated LTD in UK and it has the following opened ports and services:

21 (FTP), 22 (SSH), 25 (SMTP), 80 (HTTP), 110 (POP3), 143 (IMAP), 443 (HTTP), 465/ (SMTP), 587 (SMTP), 993 (IMAP), 995 (POP3), 2078 (HTTP), 2080 (HTTP), 2083 (HTTP), 2087 (HTTP), 2096 (HTTP)