pony | 91a216f9a5729656edf38b8b2242db0fc1c619bd8779e7661f126705251fe4b3

Analysis

max time kernel
157s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 15:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

91a216f9a5729656edf38b8b2242db0fc1c619bd8779e7661f126705251fe4b3.exe
Size

178KB
MD5

022071261308398bd7f1b0f736862694
SHA1

be445d8129f8baeb2ce0e93f7c476671320761ac
SHA256

91a216f9a5729656edf38b8b2242db0fc1c619bd8779e7661f126705251fe4b3
SHA512

32ec6a68b58c04cddffc7f4615ab8f0952b534202d05db95012ad889a22974f82858ced8a3d30b9645ee8c83f6f0b62c2272782c672bc6794c6029d354c70594
SSDEEP

3072:xO1eji5yoSfDGPPfRWtbBoj40dZuUAE1br+Fh:YAji5yoSfDGPQtbij1fH+z

Score

10^/10

pony discovery rat spyware stealer

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	4960	91a216f9a5729656edf38b8b2242db0fc1c619bd8779e7661f126705251fe4b3.exe
Token: SeTcbPrivilege	4960	91a216f9a5729656edf38b8b2242db0fc1c619bd8779e7661f126705251fe4b3.exe
Token: SeChangeNotifyPrivilege	4960	91a216f9a5729656edf38b8b2242db0fc1c619bd8779e7661f126705251fe4b3.exe
Token: SeCreateTokenPrivilege	4960	91a216f9a5729656edf38b8b2242db0fc1c619bd8779e7661f126705251fe4b3.exe
Token: SeBackupPrivilege	4960	91a216f9a5729656edf38b8b2242db0fc1c619bd8779e7661f126705251fe4b3.exe
Token: SeRestorePrivilege	4960	91a216f9a5729656edf38b8b2242db0fc1c619bd8779e7661f126705251fe4b3.exe
Token: SeIncreaseQuotaPrivilege	4960	91a216f9a5729656edf38b8b2242db0fc1c619bd8779e7661f126705251fe4b3.exe
Token: SeAssignPrimaryTokenPrivilege	4960	91a216f9a5729656edf38b8b2242db0fc1c619bd8779e7661f126705251fe4b3.exe

C:\Users\Admin\AppData\Local\Temp\91a216f9a5729656edf38b8b2242db0fc1c619bd8779e7661f126705251fe4b3.exe
"C:\Users\Admin\AppData\Local\Temp\91a216f9a5729656edf38b8b2242db0fc1c619bd8779e7661f126705251fe4b3.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4960-133-0x00000000005E0000-0x0000000000610000-memory.dmp

Filesize
192KB

Download
memory/4960-132-0x00000000005C0000-0x00000000005D7000-memory.dmp

Filesize
92KB

Download
memory/4960-134-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4960-135-0x00000000005E0000-0x0000000000610000-memory.dmp

Filesize
192KB

Download
memory/4960-136-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download