pony | 57933bc5c60de83fddbc7a2c6522e6481c9e684e342fed86a4c38bf08c4a6b0f

General

Target

57933bc5c60de83fddbc7a2c6522e6481c9e684e342fed86a4c38bf08c4a6b0f.exe
Size

1.2MB
MD5

63533e07c471cf29ce6fc5887e933494
SHA1

01eea47a0f55b7df7d8275110fa159e5b82be64e
SHA256

57933bc5c60de83fddbc7a2c6522e6481c9e684e342fed86a4c38bf08c4a6b0f
SHA512

a3ad09374b933b11a26864d931fd5324443f68b15492767c44ad1da826e80f391796e8aeecc210bfd2c7d1facc72462fd3b96aa3a541eacf2a23e44026b820ec

Score

10^/10

pony discovery evasion rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://www.ptsinar.co/ymg/apisiylo/gate.php

Attributes

payload_url
http://www.ptsinar.co/ymg/apisiylo/shit.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

Resm1.exeResm1.exe

pid process

200 Resm1.exe
3436 Resm1.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Resm1.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Resm1.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Resm1.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Wine Resm1.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Resm1.exe

description pid process target process

PID 200 set thread context of 3436 200 Resm1.exe Resm1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
200	Resm1.exe
3436	Resm1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Resm1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Wine	Resm1.exe

description	pid	process	target process
PID 200 set thread context of 3436	200	Resm1.exe	Resm1.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

Resm1.exe

description	pid	process
Token: SeImpersonatePrivilege	3436	Resm1.exe
Token: SeTcbPrivilege	3436	Resm1.exe
Token: SeChangeNotifyPrivilege	3436	Resm1.exe
Token: SeCreateTokenPrivilege	3436	Resm1.exe
Token: SeBackupPrivilege	3436	Resm1.exe
Token: SeRestorePrivilege	3436	Resm1.exe
Token: SeIncreaseQuotaPrivilege	3436	Resm1.exe
Token: SeAssignPrimaryTokenPrivilege	3436	Resm1.exe
Token: SeImpersonatePrivilege	3436	Resm1.exe
Token: SeTcbPrivilege	3436	Resm1.exe
Token: SeChangeNotifyPrivilege	3436	Resm1.exe
Token: SeCreateTokenPrivilege	3436	Resm1.exe
Token: SeBackupPrivilege	3436	Resm1.exe
Token: SeRestorePrivilege	3436	Resm1.exe
Token: SeIncreaseQuotaPrivilege	3436	Resm1.exe
Token: SeAssignPrimaryTokenPrivilege	3436	Resm1.exe
Token: SeImpersonatePrivilege	3436	Resm1.exe
Token: SeTcbPrivilege	3436	Resm1.exe
Token: SeChangeNotifyPrivilege	3436	Resm1.exe
Token: SeCreateTokenPrivilege	3436	Resm1.exe
Token: SeBackupPrivilege	3436	Resm1.exe
Token: SeRestorePrivilege	3436	Resm1.exe
Token: SeIncreaseQuotaPrivilege	3436	Resm1.exe
Token: SeAssignPrimaryTokenPrivilege	3436	Resm1.exe
Token: SeImpersonatePrivilege	3436	Resm1.exe
Token: SeTcbPrivilege	3436	Resm1.exe
Token: SeChangeNotifyPrivilege	3436	Resm1.exe
Token: SeCreateTokenPrivilege	3436	Resm1.exe
Token: SeBackupPrivilege	3436	Resm1.exe
Token: SeRestorePrivilege	3436	Resm1.exe
Token: SeIncreaseQuotaPrivilege	3436	Resm1.exe
Token: SeAssignPrimaryTokenPrivilege	3436	Resm1.exe
Token: SeImpersonatePrivilege	3436	Resm1.exe
Token: SeTcbPrivilege	3436	Resm1.exe
Token: SeChangeNotifyPrivilege	3436	Resm1.exe
Token: SeCreateTokenPrivilege	3436	Resm1.exe
Token: SeBackupPrivilege	3436	Resm1.exe
Token: SeRestorePrivilege	3436	Resm1.exe
Token: SeIncreaseQuotaPrivilege	3436	Resm1.exe
Token: SeAssignPrimaryTokenPrivilege	3436	Resm1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Resm1.exe

pid process

200 Resm1.exe

pid	process
200	Resm1.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

57933bc5c60de83fddbc7a2c6522e6481c9e684e342fed86a4c38bf08c4a6b0f.exeResm1.exeResm1.exe

description	pid	process	target process
PID 2104 wrote to memory of 200	2104	57933bc5c60de83fddbc7a2c6522e6481c9e684e342fed86a4c38bf08c4a6b0f.exe	Resm1.exe
PID 2104 wrote to memory of 200	2104	57933bc5c60de83fddbc7a2c6522e6481c9e684e342fed86a4c38bf08c4a6b0f.exe	Resm1.exe
PID 2104 wrote to memory of 200	2104	57933bc5c60de83fddbc7a2c6522e6481c9e684e342fed86a4c38bf08c4a6b0f.exe	Resm1.exe
PID 200 wrote to memory of 3436	200	Resm1.exe	Resm1.exe
PID 200 wrote to memory of 3436	200	Resm1.exe	Resm1.exe
PID 200 wrote to memory of 3436	200	Resm1.exe	Resm1.exe
PID 200 wrote to memory of 3436	200	Resm1.exe	Resm1.exe
PID 200 wrote to memory of 3436	200	Resm1.exe	Resm1.exe
PID 200 wrote to memory of 3436	200	Resm1.exe	Resm1.exe
PID 200 wrote to memory of 3436	200	Resm1.exe	Resm1.exe
PID 200 wrote to memory of 3436	200	Resm1.exe	Resm1.exe
PID 3436 wrote to memory of 3360	3436	Resm1.exe	cmd.exe
PID 3436 wrote to memory of 3360	3436	Resm1.exe	cmd.exe
PID 3436 wrote to memory of 3360	3436	Resm1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\57933bc5c60de83fddbc7a2c6522e6481c9e684e342fed86a4c38bf08c4a6b0f.exe
"C:\Users\Admin\AppData\Local\Temp\57933bc5c60de83fddbc7a2c6522e6481c9e684e342fed86a4c38bf08c4a6b0f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\Resm1.exe
"C:\Users\Admin\AppData\Local\Temp\Resm1.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:200

C:\Users\Admin\AppData\Local\Temp\Resm1.exe
"C:\Users\Admin\AppData\Local\Temp\Resm1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\259268687.bat" "C:\Users\Admin\AppData\Local\Temp\Resm1.exe" "
4⤵
PID:3360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259268687.bat
MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resm1.exe
MD5
d8e14a9ccc62c5521cc0185e70a4b3ac

SHA1
dee2d62258264afe66e20434658b66bc8bbcc317

SHA256
2f481a7ba5a0016e2cdcc9ba3ac91cf9fe00f00bd5726aba3b0d0cf3d155d357

SHA512
8e47a49f4b19b2ec36ea6897accaa10a2c331c59eecc8dcd56d45f16aca003ad8d544ec32f8694e8e6de68cad1a33194e9ff72f50b214fbc6294680604692920

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resm1.exe
MD5
d8e14a9ccc62c5521cc0185e70a4b3ac

SHA1
dee2d62258264afe66e20434658b66bc8bbcc317

SHA256
2f481a7ba5a0016e2cdcc9ba3ac91cf9fe00f00bd5726aba3b0d0cf3d155d357

SHA512
8e47a49f4b19b2ec36ea6897accaa10a2c331c59eecc8dcd56d45f16aca003ad8d544ec32f8694e8e6de68cad1a33194e9ff72f50b214fbc6294680604692920

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resm1.exe
MD5
d8e14a9ccc62c5521cc0185e70a4b3ac

SHA1
dee2d62258264afe66e20434658b66bc8bbcc317

SHA256
2f481a7ba5a0016e2cdcc9ba3ac91cf9fe00f00bd5726aba3b0d0cf3d155d357

SHA512
8e47a49f4b19b2ec36ea6897accaa10a2c331c59eecc8dcd56d45f16aca003ad8d544ec32f8694e8e6de68cad1a33194e9ff72f50b214fbc6294680604692920

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resm2.jpg
MD5
cd7dab4af922c2e5c7d03a0e0d973b37

SHA1
0bce45fe7d0eb0b5da797fac00d5fc639c3570d2

SHA256
11e58d94f929782e1267df6d8bde5dc781320fb6082acaefda6352880fda7674

SHA512
0868a97478b73ad78d9c43365f92ccffdfb999bef4d0293de57cba138db3cfccce1de6e6422d50ec0bd03ca9acbcd64082254860bec0d1a7241d34f135ecaf9d

Download Submit
memory/200-141-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/200-162-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/200-119-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/200-117-0x0000000000AA0000-0x0000000000B00000-memory.dmp

Filesize
384KB

Download
memory/200-120-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/200-122-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/200-123-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/200-121-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/200-124-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/200-125-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/200-126-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/200-127-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/200-128-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/200-129-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/200-131-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/200-130-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/200-132-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/200-133-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/200-134-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/200-135-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/200-136-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/200-137-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/200-140-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/200-114-0x0000000000000000-mapping.dmp

Download
memory/200-139-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/200-138-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/200-142-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/200-143-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/200-118-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/200-146-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/200-144-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/200-147-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/200-148-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/200-149-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/200-151-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/200-152-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/200-150-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/200-154-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/200-153-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/200-155-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/200-156-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/200-158-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/200-157-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/200-159-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/200-160-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/200-161-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/200-163-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/200-145-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/200-164-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/3360-170-0x0000000000000000-mapping.dmp

Download
memory/3436-166-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3436-167-0x0000000000410621-mapping.dmp

Download
memory/3436-169-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing