pony | a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00

General

Target

a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
Size

129KB
MD5

1c690d7f0e5238916db2f2dbc4300b81
SHA1

675d6ce01543f80989074e17ce00fc307ac47726
SHA256

a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00
SHA512

ee8488d8b77f584a3302621fc83213ea65677ff70e76299ceab135507408b742d8e20c3390e33cef72862784ed7a4b40bbd6a911e554b0408cfb2114ffa8b7c7

Score

10^/10

pony discovery rat spyware stealer upx

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1464-2-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1464-4-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1464-5-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe

description	pid	process	target process
PID 1080 set thread context of 1464	1080	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe

description	pid	process
Token: SeImpersonatePrivilege	1464	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
Token: SeTcbPrivilege	1464	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
Token: SeChangeNotifyPrivilege	1464	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
Token: SeCreateTokenPrivilege	1464	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
Token: SeBackupPrivilege	1464	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
Token: SeRestorePrivilege	1464	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
Token: SeIncreaseQuotaPrivilege	1464	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
Token: SeAssignPrimaryTokenPrivilege	1464	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe

pid process

1080 a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe

pid	process
1080	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe

description	pid	process	target process
PID 1080 wrote to memory of 1464	1080	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
PID 1080 wrote to memory of 1464	1080	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
PID 1080 wrote to memory of 1464	1080	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
PID 1080 wrote to memory of 1464	1080	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
PID 1080 wrote to memory of 1464	1080	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
PID 1080 wrote to memory of 1464	1080	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
PID 1080 wrote to memory of 1464	1080	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
PID 1080 wrote to memory of 1464	1080	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe	a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe

C:\Users\Admin\AppData\Local\Temp\a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
"C:\Users\Admin\AppData\Local\Temp\a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe
"C:\Users\Admin\AppData\Local\Temp\a136bf3fd2e55ddc5abfaf05830fa0eb0b6b4f8d81720b2999307987d6adac00.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1464-2-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1464-3-0x000000000041A6B0-mapping.dmp

Download
memory/1464-4-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1464-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1596-6-0x000007FEF6930000-0x000007FEF6BAA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads