pony | 4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32

General

Target

Akt nachalo iyulya.exe
Size

1.1MB
MD5

7f7c5cacc9352348efed2bd68321dae6
SHA1

a01fe5803a58bdb1f3095806433186efbfc6f409
SHA256

4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32
SHA512

5cd1662246f7c6f3b3107d710c0ff754ed8c7bacaf5b6115a3c87ac54c95dd5ea08973ca72a609582620928dda2ea43f3af4aaf8e7971dbbdd48c1ca2f44a234

Score

10^/10

spyware discovery rat stealer pony

Malware Config

Signatures

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Akt nachalo iyulya.exeAkt nachalo iyulya.execmd.exe

description	pid	process	target process
PID 3068 wrote to memory of 3836	3068	Akt nachalo iyulya.exe	Akt nachalo iyulya.exe
PID 3068 wrote to memory of 3836	3068	Akt nachalo iyulya.exe	Akt nachalo iyulya.exe
PID 3068 wrote to memory of 3836	3068	Akt nachalo iyulya.exe	Akt nachalo iyulya.exe
PID 3836 wrote to memory of 3600	3836	Akt nachalo iyulya.exe	cmd.exe
PID 3836 wrote to memory of 3600	3836	Akt nachalo iyulya.exe	cmd.exe
PID 3600 wrote to memory of 3372	3600	cmd.exe	PING.EXE
PID 3600 wrote to memory of 3372	3600	cmd.exe	PING.EXE

Checks for installed software on the system 1 TTPs 7 IoCs

discovery

Query Registry

T1012

Processes:

Akt nachalo iyulya.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	Akt nachalo iyulya.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	Akt nachalo iyulya.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	Akt nachalo iyulya.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	Akt nachalo iyulya.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	Akt nachalo iyulya.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	Akt nachalo iyulya.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	Akt nachalo iyulya.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3372 PING.EXE

pid	process
3372	PING.EXE

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

Akt nachalo iyulya.exe

description	pid	process
Token: SeImpersonatePrivilege	3836	Akt nachalo iyulya.exe
Token: SeTcbPrivilege	3836	Akt nachalo iyulya.exe
Token: SeChangeNotifyPrivilege	3836	Akt nachalo iyulya.exe
Token: SeCreateTokenPrivilege	3836	Akt nachalo iyulya.exe
Token: SeBackupPrivilege	3836	Akt nachalo iyulya.exe
Token: SeRestorePrivilege	3836	Akt nachalo iyulya.exe
Token: SeIncreaseQuotaPrivilege	3836	Akt nachalo iyulya.exe
Token: SeAssignPrimaryTokenPrivilege	3836	Akt nachalo iyulya.exe
Token: SeImpersonatePrivilege	3836	Akt nachalo iyulya.exe
Token: SeTcbPrivilege	3836	Akt nachalo iyulya.exe
Token: SeChangeNotifyPrivilege	3836	Akt nachalo iyulya.exe
Token: SeCreateTokenPrivilege	3836	Akt nachalo iyulya.exe
Token: SeBackupPrivilege	3836	Akt nachalo iyulya.exe
Token: SeRestorePrivilege	3836	Akt nachalo iyulya.exe
Token: SeIncreaseQuotaPrivilege	3836	Akt nachalo iyulya.exe
Token: SeAssignPrimaryTokenPrivilege	3836	Akt nachalo iyulya.exe
Token: SeImpersonatePrivilege	3836	Akt nachalo iyulya.exe
Token: SeTcbPrivilege	3836	Akt nachalo iyulya.exe
Token: SeChangeNotifyPrivilege	3836	Akt nachalo iyulya.exe
Token: SeCreateTokenPrivilege	3836	Akt nachalo iyulya.exe
Token: SeBackupPrivilege	3836	Akt nachalo iyulya.exe
Token: SeRestorePrivilege	3836	Akt nachalo iyulya.exe
Token: SeIncreaseQuotaPrivilege	3836	Akt nachalo iyulya.exe
Token: SeAssignPrimaryTokenPrivilege	3836	Akt nachalo iyulya.exe
Token: SeImpersonatePrivilege	3836	Akt nachalo iyulya.exe
Token: SeTcbPrivilege	3836	Akt nachalo iyulya.exe
Token: SeChangeNotifyPrivilege	3836	Akt nachalo iyulya.exe
Token: SeCreateTokenPrivilege	3836	Akt nachalo iyulya.exe
Token: SeBackupPrivilege	3836	Akt nachalo iyulya.exe
Token: SeRestorePrivilege	3836	Akt nachalo iyulya.exe
Token: SeIncreaseQuotaPrivilege	3836	Akt nachalo iyulya.exe
Token: SeAssignPrimaryTokenPrivilege	3836	Akt nachalo iyulya.exe
Token: SeImpersonatePrivilege	3836	Akt nachalo iyulya.exe
Token: SeTcbPrivilege	3836	Akt nachalo iyulya.exe
Token: SeChangeNotifyPrivilege	3836	Akt nachalo iyulya.exe
Token: SeCreateTokenPrivilege	3836	Akt nachalo iyulya.exe
Token: SeBackupPrivilege	3836	Akt nachalo iyulya.exe
Token: SeRestorePrivilege	3836	Akt nachalo iyulya.exe
Token: SeIncreaseQuotaPrivilege	3836	Akt nachalo iyulya.exe
Token: SeAssignPrimaryTokenPrivilege	3836	Akt nachalo iyulya.exe

Script User-Agent 2 IoCs

Processes:

description flow ioc

HTTP User-Agent header 3 WinHttp.WinHttpRequest.5.1
HTTP User-Agent header 5 WinHttp.WinHttpRequest.5.1
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Accesses cryptocurrency wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	flow	ioc
HTTP User-Agent header	3	WinHttp.WinHttpRequest.5.1
HTTP User-Agent header	5	WinHttp.WinHttpRequest.5.1

C:\Users\Admin\AppData\Local\Temp\Akt nachalo iyulya.exe
"C:\Users\Admin\AppData\Local\Temp\Akt nachalo iyulya.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\Akt nachalo iyulya.exe
"C:\Users\Admin\AppData\Local\Temp\Akt nachalo iyulya.exe" dfsr
2⤵
- Suspicious use of WriteProcessMemory
- Checks for installed software on the system
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\Akt nachalo iyulya.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\system32\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:3372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3372-3-0x0000000000000000-mapping.dmp

Download
memory/3600-2-0x0000000000000000-mapping.dmp

Download
memory/3836-0-0x0000000000000000-mapping.dmp

Download
memory/3836-1-0x0000000002ED0000-0x0000000002EEB000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads