pony | 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170

General

Target

2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
Size

88KB
MD5

65cac1988793cbffda3ad67b065cade0
SHA1

b5711cad13bd7d22444a74e78ff5d05d363d2d97
SHA256

2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170
SHA512

7172495113c311a55cae793de701baa345d627705db9a797fbb576b05cbb519d368413d65a8220aea6fc536a7f3315c48b39b746e707f97d69339f812d9f3797
SSDEEP

1536:29aTff+Vt58Nir18lhGm8BuMyZTPjvcVuL1AzrSMVx55ZS+G8USRlE4O3zzmOEC1:2gf+8iZCGWMejLcVmYrSexTjr1RK3nmy

Score

10^/10

pony collection persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://podaro-vk.esy.es/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1724-61-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1724-58-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1724-64-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1724-67-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1724-68-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1724-71-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1724-73-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\File.exe"	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe

description pid process target process

PID 756 set thread context of 1724 756 2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 756 set thread context of 1724	756	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	756	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
Token: SeImpersonatePrivilege	1724	vbc.exe
Token: SeTcbPrivilege	1724	vbc.exe
Token: SeChangeNotifyPrivilege	1724	vbc.exe
Token: SeCreateTokenPrivilege	1724	vbc.exe
Token: SeBackupPrivilege	1724	vbc.exe
Token: SeRestorePrivilege	1724	vbc.exe
Token: SeIncreaseQuotaPrivilege	1724	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1724	vbc.exe
Token: SeImpersonatePrivilege	1724	vbc.exe
Token: SeTcbPrivilege	1724	vbc.exe
Token: SeChangeNotifyPrivilege	1724	vbc.exe
Token: SeCreateTokenPrivilege	1724	vbc.exe
Token: SeBackupPrivilege	1724	vbc.exe
Token: SeRestorePrivilege	1724	vbc.exe
Token: SeIncreaseQuotaPrivilege	1724	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1724	vbc.exe
Token: SeImpersonatePrivilege	1724	vbc.exe
Token: SeTcbPrivilege	1724	vbc.exe
Token: SeChangeNotifyPrivilege	1724	vbc.exe
Token: SeCreateTokenPrivilege	1724	vbc.exe
Token: SeBackupPrivilege	1724	vbc.exe
Token: SeRestorePrivilege	1724	vbc.exe
Token: SeIncreaseQuotaPrivilege	1724	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1724	vbc.exe
Token: SeImpersonatePrivilege	1724	vbc.exe
Token: SeTcbPrivilege	1724	vbc.exe
Token: SeChangeNotifyPrivilege	1724	vbc.exe
Token: SeCreateTokenPrivilege	1724	vbc.exe
Token: SeBackupPrivilege	1724	vbc.exe
Token: SeRestorePrivilege	1724	vbc.exe
Token: SeIncreaseQuotaPrivilege	1724	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1724	vbc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exevbc.exe

description	pid	process	target process
PID 756 wrote to memory of 960	756	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe	WScript.exe
PID 756 wrote to memory of 960	756	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe	WScript.exe
PID 756 wrote to memory of 960	756	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe	WScript.exe
PID 756 wrote to memory of 960	756	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe	WScript.exe
PID 756 wrote to memory of 1724	756	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe	vbc.exe
PID 756 wrote to memory of 1724	756	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe	vbc.exe
PID 756 wrote to memory of 1724	756	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe	vbc.exe
PID 756 wrote to memory of 1724	756	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe	vbc.exe
PID 756 wrote to memory of 1724	756	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe	vbc.exe
PID 756 wrote to memory of 1724	756	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe	vbc.exe
PID 756 wrote to memory of 1724	756	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe	vbc.exe
PID 756 wrote to memory of 1724	756	2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe	vbc.exe
PID 1724 wrote to memory of 1196	1724	vbc.exe	cmd.exe
PID 1724 wrote to memory of 1196	1724	vbc.exe	cmd.exe
PID 1724 wrote to memory of 1196	1724	vbc.exe	cmd.exe
PID 1724 wrote to memory of 1196	1724	vbc.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe
"C:\Users\Admin\AppData\Local\Temp\2587f394c485ab31f8f04fd627da20884019980055de1a949147a6af28b13170.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\FUCKING_USG_ME.vbs"
2⤵
PID:960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7101149.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
3⤵
PID:1196

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7101149.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Roaming\FUCKING_USG_ME.vbs
Filesize
515B

MD5
543de9b9f119a1a93dc1ce0cce74b78a

SHA1
76cadc4d3b8235b67df5d9ef4157605a4c1f8854

SHA256
dcd90f682d770f6e03ff468a31391bca12891759284be7f791697933207b7b48

SHA512
2ee6de9c7a81c9947e75ba414afaaf1171a4dccaf66b9299b3e8338ffa33ea6cdae1e58131e6565030a2b9ccd03a8259cc5fe928f3452095658512de73f81869

Download Submit
memory/756-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/756-55-0x0000000074DC0000-0x000000007536B000-memory.dmp

Filesize
5.7MB

Download
memory/756-69-0x0000000074DC0000-0x000000007536B000-memory.dmp

Filesize
5.7MB

Download
memory/960-56-0x0000000000000000-mapping.dmp

Download
memory/1196-72-0x0000000000000000-mapping.dmp

Download
memory/1724-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1724-65-0x000000000041D060-mapping.dmp

Download
memory/1724-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1724-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1724-58-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1724-71-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1724-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1724-73-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1724-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads