pony | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca

Analysis

max time kernel
92s
max time network
97s
platform
windows10_x64
resource
win10
submitted
09/07/2020, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Size

1.1MB
MD5

b70279fc1c857dc76a50f77a46460657
SHA1

fbcabd564c13287b0a0d42026c77006f0c6e7983
SHA256

eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca
SHA512

424726d9175411466cb5fb0d99ecb843fb9609506b88e708c13717d5b47921485c370324b08f3f5379b6e7b2266ae30e45f49a6030ad2409446ec971ddbd761f

Score

10^/10

spyware discovery rat stealer pony

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeTcbPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeChangeNotifyPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeCreateTokenPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeBackupPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeRestorePrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeIncreaseQuotaPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeAssignPrimaryTokenPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeImpersonatePrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeTcbPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeChangeNotifyPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeCreateTokenPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeBackupPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeRestorePrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeIncreaseQuotaPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeAssignPrimaryTokenPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeImpersonatePrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeTcbPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeChangeNotifyPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeCreateTokenPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeBackupPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeRestorePrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeIncreaseQuotaPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeAssignPrimaryTokenPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeImpersonatePrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeTcbPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeChangeNotifyPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeCreateTokenPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeBackupPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeRestorePrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeIncreaseQuotaPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeAssignPrimaryTokenPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeImpersonatePrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeTcbPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeChangeNotifyPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeCreateTokenPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeBackupPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeRestorePrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeIncreaseQuotaPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeAssignPrimaryTokenPrivilege	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 3836	4016	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe	67
PID 4016 wrote to memory of 3836	4016	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe	67
PID 4016 wrote to memory of 3836	4016	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe	67
PID 3836 wrote to memory of 3956	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe	68
PID 3836 wrote to memory of 3956	3836	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe	68
PID 3956 wrote to memory of 4064	3956	cmd.exe	70
PID 3956 wrote to memory of 4064	3956	cmd.exe	70

Accesses cryptocurrency wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4064	PING.EXE

Script User-Agent 2 IoCs

description	flow	ioc
HTTP User-Agent header	2	WinHttp.WinHttpRequest.5.1
HTTP User-Agent header	3	WinHttp.WinHttpRequest.5.1

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks for installed software on the system 1 TTPs 7 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe

C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
"C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
  C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe dfsr
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Checks for installed software on the system
  PID:3836
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3836-1-0x0000000003010000-0x000000000302C000-memory.dmp

Filesize
112KB

Download