pony | 24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a

General

Target

24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Size

35KB
MD5

48266c00ea316f7f4f1b20c00525dd6f
SHA1

ffa306b7b5b9ee673142db206de8467377500bd8
SHA256

24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a
SHA512

9b29573e35081b951762ebaa32f31f4f3cb6ecc71fd533787a5730a3f3ecd30102d7d114e10fdfac4234e05862fe50935bc9554243136d03b00f49a603db3977

Score

10^/10

pony collection discovery rat spyware stealer

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe

description	pid	process
Token: SeImpersonatePrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeTcbPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeChangeNotifyPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeCreateTokenPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeBackupPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeRestorePrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeIncreaseQuotaPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeAssignPrimaryTokenPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeImpersonatePrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeTcbPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeChangeNotifyPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeCreateTokenPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeBackupPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeRestorePrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeIncreaseQuotaPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeAssignPrimaryTokenPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeImpersonatePrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeTcbPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeChangeNotifyPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeCreateTokenPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeBackupPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeRestorePrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeIncreaseQuotaPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeAssignPrimaryTokenPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeImpersonatePrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeTcbPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeChangeNotifyPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeCreateTokenPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeBackupPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeRestorePrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeIncreaseQuotaPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeAssignPrimaryTokenPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeImpersonatePrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeTcbPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeChangeNotifyPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeCreateTokenPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeBackupPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeRestorePrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeIncreaseQuotaPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeAssignPrimaryTokenPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeImpersonatePrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeTcbPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeChangeNotifyPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeCreateTokenPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeBackupPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeRestorePrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeIncreaseQuotaPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
Token: SeAssignPrimaryTokenPrivilege	3428	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe

outlook_win_path 1 IoCs

Processes:

24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe

C:\Users\Admin\AppData\Local\Temp\24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe
"C:\Users\Admin\AppData\Local\Temp\24c900aca4e6635d6f7abeceeb6fc71b67fe0e601a74c3044e7487050a1ca41a.exe"
1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:3428