pony | 52a24d465b42683adfa19511061a7b6a3aa3ec87c375c8a710ec3983ddbe0431

General

Target

1.dll
Size

70KB
MD5

beb47225071bd8762c0cb0d6e609129d
SHA1

48ca7e1d89edfb21cd2367eb9a38106c00adf7d2
SHA256

52a24d465b42683adfa19511061a7b6a3aa3ec87c375c8a710ec3983ddbe0431
SHA512

d694ef53ffee166523a749bccfc1c60b790fefe9904cfa616285932fe39e3f8d9cd9d706a85d6c2ef3922a3bf2c06e4312aab62ac50927ddc24da4750682cd53

Score

10^/10

discovery rat spyware stealer pony

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 3880	3832	rundll32.exe	67
PID 3832 wrote to memory of 3880	3832	rundll32.exe	67
PID 3832 wrote to memory of 3880	3832	rundll32.exe	67
PID 3880 wrote to memory of 4060	3880	rundll32.exe	68
PID 3880 wrote to memory of 4060	3880	rundll32.exe	68
PID 3880 wrote to memory of 4060	3880	rundll32.exe	68

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	3880	rundll32.exe
Token: SeTcbPrivilege	3880	rundll32.exe
Token: SeChangeNotifyPrivilege	3880	rundll32.exe
Token: SeCreateTokenPrivilege	3880	rundll32.exe
Token: SeBackupPrivilege	3880	rundll32.exe
Token: SeRestorePrivilege	3880	rundll32.exe
Token: SeIncreaseQuotaPrivilege	3880	rundll32.exe
Token: SeAssignPrimaryTokenPrivilege	3880	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3880	rundll32.exe
3880	rundll32.exe

Checks for installed software on the system 1 TTPs 7 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	rundll32.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	rundll32.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Checks for installed software on the system
  PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K
    3⤵
    PID:4060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads