pony | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca

General

Target

eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Size

1.1MB
MD5

b70279fc1c857dc76a50f77a46460657
SHA1

fbcabd564c13287b0a0d42026c77006f0c6e7983
SHA256

eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca
SHA512

424726d9175411466cb5fb0d99ecb843fb9609506b88e708c13717d5b47921485c370324b08f3f5379b6e7b2266ae30e45f49a6030ad2409446ec971ddbd761f

Score

10^/10

discovery rat spyware stealer pony

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Script User-Agent 2 IoCs

Processes:

description flow ioc

HTTP User-Agent header 5 WinHttp.WinHttpRequest.5.1
HTTP User-Agent header 9 WinHttp.WinHttpRequest.5.1

description	flow	ioc
HTTP User-Agent header	5	WinHttp.WinHttpRequest.5.1
HTTP User-Agent header	9	WinHttp.WinHttpRequest.5.1

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exeeda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.execmd.exe

description	pid	process	target process
PID 1072 wrote to memory of 1660	1072	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
PID 1072 wrote to memory of 1660	1072	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
PID 1072 wrote to memory of 1660	1072	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
PID 1072 wrote to memory of 1660	1072	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
PID 1660 wrote to memory of 1940	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe	cmd.exe
PID 1660 wrote to memory of 1940	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe	cmd.exe
PID 1660 wrote to memory of 1940	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe	cmd.exe
PID 1660 wrote to memory of 1940	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe	cmd.exe
PID 1940 wrote to memory of 1976	1940	cmd.exe	PING.EXE
PID 1940 wrote to memory of 1976	1940	cmd.exe	PING.EXE
PID 1940 wrote to memory of 1976	1940	cmd.exe	PING.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe

description	pid	process
Token: SeImpersonatePrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeTcbPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeChangeNotifyPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeCreateTokenPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeBackupPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeRestorePrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeIncreaseQuotaPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeAssignPrimaryTokenPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeImpersonatePrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeTcbPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeChangeNotifyPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeCreateTokenPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeBackupPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeRestorePrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeIncreaseQuotaPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeAssignPrimaryTokenPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeImpersonatePrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeTcbPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeChangeNotifyPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeCreateTokenPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeBackupPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeRestorePrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeIncreaseQuotaPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeAssignPrimaryTokenPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeImpersonatePrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeTcbPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeChangeNotifyPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeCreateTokenPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeBackupPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeRestorePrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeIncreaseQuotaPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeAssignPrimaryTokenPrivilege	1660	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1940 cmd.exe

pid	process
1940	cmd.exe

Checks for installed software on the system 1 TTPs 10 IoCs

discovery

Query Registry

T1012

Processes:

eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe

Accesses cryptocurrency wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1976 PING.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1976	PING.EXE

C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
"C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe dfsr
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Checks for installed software on the system
PID:1660

C:\Windows\system32\cmd.exe
cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Deletes itself
PID:1940

C:\Windows\system32\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1660-0-0x0000000000000000-mapping.dmp

Download
memory/1660-1-0x00000000029B0000-0x00000000029CC000-memory.dmp

Filesize
112KB

Download
memory/1940-2-0x0000000000000000-mapping.dmp

Download
memory/1976-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads