pony | ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d

General

Target

PAYMENT ADVICE.exe
Size

485KB
MD5

7b3a0c8d0b05933156402de9a42490fc
SHA1

49ea0ae6f2740dbbb7231423c16f8e88566bdb92
SHA256

ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d
SHA512

49e37363637fb91c2a8325c0a6f734f194d38a3aecdbf9f271a7dc2d22241a287467f7ad672a81e8b6fe6c5a642c45c3ceba05f762b18c7f5525f6c9c8988164

Score

10^/10

pony discovery rat spyware stealer

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

776 cmd.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

PAYMENT ADVICE.exe

description pid process target process

PID 1640 set thread context of 1780 1640 PAYMENT ADVICE.exe PAYMENT ADVICE.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

PAYMENT ADVICE.exe

pid process

1640 PAYMENT ADVICE.exe
1640 PAYMENT ADVICE.exe
1640 PAYMENT ADVICE.exe
1640 PAYMENT ADVICE.exe

pid	process
776	cmd.exe

description	pid	process	target process
PID 1640 set thread context of 1780	1640	PAYMENT ADVICE.exe	PAYMENT ADVICE.exe

pid	process
1640	PAYMENT ADVICE.exe
1640	PAYMENT ADVICE.exe
1640	PAYMENT ADVICE.exe
1640	PAYMENT ADVICE.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

PAYMENT ADVICE.exePAYMENT ADVICE.exe

description	pid	process
Token: SeDebugPrivilege	1640	PAYMENT ADVICE.exe
Token: SeImpersonatePrivilege	1780	PAYMENT ADVICE.exe
Token: SeTcbPrivilege	1780	PAYMENT ADVICE.exe
Token: SeChangeNotifyPrivilege	1780	PAYMENT ADVICE.exe
Token: SeCreateTokenPrivilege	1780	PAYMENT ADVICE.exe
Token: SeBackupPrivilege	1780	PAYMENT ADVICE.exe
Token: SeRestorePrivilege	1780	PAYMENT ADVICE.exe
Token: SeIncreaseQuotaPrivilege	1780	PAYMENT ADVICE.exe
Token: SeAssignPrimaryTokenPrivilege	1780	PAYMENT ADVICE.exe
Token: SeImpersonatePrivilege	1780	PAYMENT ADVICE.exe
Token: SeTcbPrivilege	1780	PAYMENT ADVICE.exe
Token: SeChangeNotifyPrivilege	1780	PAYMENT ADVICE.exe
Token: SeCreateTokenPrivilege	1780	PAYMENT ADVICE.exe
Token: SeBackupPrivilege	1780	PAYMENT ADVICE.exe
Token: SeRestorePrivilege	1780	PAYMENT ADVICE.exe
Token: SeIncreaseQuotaPrivilege	1780	PAYMENT ADVICE.exe
Token: SeAssignPrimaryTokenPrivilege	1780	PAYMENT ADVICE.exe
Token: SeImpersonatePrivilege	1780	PAYMENT ADVICE.exe
Token: SeTcbPrivilege	1780	PAYMENT ADVICE.exe
Token: SeChangeNotifyPrivilege	1780	PAYMENT ADVICE.exe
Token: SeCreateTokenPrivilege	1780	PAYMENT ADVICE.exe
Token: SeBackupPrivilege	1780	PAYMENT ADVICE.exe
Token: SeRestorePrivilege	1780	PAYMENT ADVICE.exe
Token: SeIncreaseQuotaPrivilege	1780	PAYMENT ADVICE.exe
Token: SeAssignPrimaryTokenPrivilege	1780	PAYMENT ADVICE.exe
Token: SeImpersonatePrivilege	1780	PAYMENT ADVICE.exe
Token: SeTcbPrivilege	1780	PAYMENT ADVICE.exe
Token: SeChangeNotifyPrivilege	1780	PAYMENT ADVICE.exe
Token: SeCreateTokenPrivilege	1780	PAYMENT ADVICE.exe
Token: SeBackupPrivilege	1780	PAYMENT ADVICE.exe
Token: SeRestorePrivilege	1780	PAYMENT ADVICE.exe
Token: SeIncreaseQuotaPrivilege	1780	PAYMENT ADVICE.exe
Token: SeAssignPrimaryTokenPrivilege	1780	PAYMENT ADVICE.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

PAYMENT ADVICE.exePAYMENT ADVICE.exe

description	pid	process	target process
PID 1640 wrote to memory of 1088	1640	PAYMENT ADVICE.exe	PAYMENT ADVICE.exe
PID 1640 wrote to memory of 1088	1640	PAYMENT ADVICE.exe	PAYMENT ADVICE.exe
PID 1640 wrote to memory of 1088	1640	PAYMENT ADVICE.exe	PAYMENT ADVICE.exe
PID 1640 wrote to memory of 1088	1640	PAYMENT ADVICE.exe	PAYMENT ADVICE.exe
PID 1640 wrote to memory of 1780	1640	PAYMENT ADVICE.exe	PAYMENT ADVICE.exe
PID 1640 wrote to memory of 1780	1640	PAYMENT ADVICE.exe	PAYMENT ADVICE.exe
PID 1640 wrote to memory of 1780	1640	PAYMENT ADVICE.exe	PAYMENT ADVICE.exe
PID 1640 wrote to memory of 1780	1640	PAYMENT ADVICE.exe	PAYMENT ADVICE.exe
PID 1640 wrote to memory of 1780	1640	PAYMENT ADVICE.exe	PAYMENT ADVICE.exe
PID 1640 wrote to memory of 1780	1640	PAYMENT ADVICE.exe	PAYMENT ADVICE.exe
PID 1640 wrote to memory of 1780	1640	PAYMENT ADVICE.exe	PAYMENT ADVICE.exe
PID 1640 wrote to memory of 1780	1640	PAYMENT ADVICE.exe	PAYMENT ADVICE.exe
PID 1640 wrote to memory of 1780	1640	PAYMENT ADVICE.exe	PAYMENT ADVICE.exe
PID 1780 wrote to memory of 776	1780	PAYMENT ADVICE.exe	cmd.exe
PID 1780 wrote to memory of 776	1780	PAYMENT ADVICE.exe	cmd.exe
PID 1780 wrote to memory of 776	1780	PAYMENT ADVICE.exe	cmd.exe
PID 1780 wrote to memory of 776	1780	PAYMENT ADVICE.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe
"{path}"
2⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259324221.bat" "C:\Users\Admin\AppData\Local\Temp\PAYMENT ADVICE.exe" "
3⤵
- Deletes itself
PID:776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259324221.bat
MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
memory/776-14-0x0000000000000000-mapping.dmp

Download
memory/1468-13-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp

Filesize
2.5MB

Download
memory/1640-2-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/1640-3-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1640-5-0x00000000005F0000-0x000000000063D000-memory.dmp

Filesize
308KB

Download
memory/1640-8-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/1640-9-0x0000000004ED0000-0x0000000004F21000-memory.dmp

Filesize
324KB

Download
memory/1780-10-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1780-11-0x0000000000410621-mapping.dmp

Download
memory/1780-12-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing