pony | 6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280

General

Target

6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Size

144KB
MD5

31f1b62f71d96421d814159d79eeff85
SHA1

8309c09348332be80133bc913a41dc10204f8870
SHA256

6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280
SHA512

298841d345184d04e4b1d5975c868e39231e774e9ae0e453a67cd6ff6ec740cbcbebb078fbdd972d1161270afccaeea70353e967dc834c1c41804d1cf51f8622

Score

10^/10

pony collection discovery rat spyware stealer suricata

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
suricata
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
suricata
suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
suricata: ET MALWARE Win32.Fareit.A/Pony Downloader Checkin
suricata: ET MALWARE Win32.Fareit.A/Pony Downloader Checkin
suricata
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1692 cmd.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1692	cmd.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe

description	pid	process
Token: SeImpersonatePrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeTcbPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeChangeNotifyPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeCreateTokenPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeBackupPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeRestorePrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeIncreaseQuotaPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeAssignPrimaryTokenPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeImpersonatePrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeTcbPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeChangeNotifyPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeCreateTokenPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeBackupPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeRestorePrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeIncreaseQuotaPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeAssignPrimaryTokenPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeImpersonatePrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeTcbPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeChangeNotifyPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeCreateTokenPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeBackupPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeRestorePrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeIncreaseQuotaPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeAssignPrimaryTokenPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeImpersonatePrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeTcbPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeChangeNotifyPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeCreateTokenPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeBackupPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeRestorePrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeIncreaseQuotaPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
Token: SeAssignPrimaryTokenPrivilege	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe

pid process

1984 6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe

pid	process
1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe

description	pid	process	target process
PID 1984 wrote to memory of 1692	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe	cmd.exe
PID 1984 wrote to memory of 1692	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe	cmd.exe
PID 1984 wrote to memory of 1692	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe	cmd.exe
PID 1984 wrote to memory of 1692	1984	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe

C:\Users\Admin\AppData\Local\Temp\6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe
"C:\Users\Admin\AppData\Local\Temp\6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe"
1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\abcd.bat" "C:\Users\Admin\AppData\Local\Temp\6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280.exe" "
2⤵
- Deletes itself
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\abcd.bat
Filesize
75B

MD5
0849cfe65b98ba5fcd9a9ec61a671d09

SHA1
9d0ccb383c32b1bc07fd9064b9324a18e1276902

SHA256
44f6a1e48081deccfb61075e585bcb36c6d8e8feeb6ebae50bab41677822c643

SHA512
afdeda8122b4cefcf7549018c40d3142985e88a6d8f13eb58e9a59aa312b73608123de5f9feebc2ce25b6ec215d23c324b9f3a9a0e97041d67d863a25e15e57a

Download Submit
memory/1692-57-0x0000000000000000-mapping.dmp

Download
memory/1984-54-0x0000000076781000-0x0000000076783000-memory.dmp

Filesize
8KB

Download
memory/1984-55-0x0000000000250000-0x0000000000269000-memory.dmp

Filesize
100KB

Download
memory/1984-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads