pony | 61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd

General

Target

61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd.exe
Size

363KB
MD5

651e98248fb539e7433b3fa4a7cd5e60
SHA1

b6b5382e87b62ff4b0153d3b00ec800979319d6e
SHA256

61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd
SHA512

576d5330590e4b55e3c7ad925ceb2996b799b8b2466b9ab2106cae4a8c1a1140caea75056f5dd4d76d847d2dbe48e36113cb8f72c7d2e45005197cc1c0419bc5
SSDEEP

3072:M+PELy5CJgYWvhB+TSF83aPsu7DbBIU5++hYmAEESBAyZ7vhW3XaHrJe0Zozup0b:LPnobS759Z7c6HDuyuqcrz4

Score

10^/10

pony collection rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://rtdtx.net/lock/track/coral/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1376 set thread context of 2012	1376	61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd.exe	28

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd.exe
Token: SeImpersonatePrivilege	2012	vbc.exe
Token: SeTcbPrivilege	2012	vbc.exe
Token: SeChangeNotifyPrivilege	2012	vbc.exe
Token: SeCreateTokenPrivilege	2012	vbc.exe
Token: SeBackupPrivilege	2012	vbc.exe
Token: SeRestorePrivilege	2012	vbc.exe
Token: SeIncreaseQuotaPrivilege	2012	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2012	vbc.exe
Token: SeImpersonatePrivilege	2012	vbc.exe
Token: SeTcbPrivilege	2012	vbc.exe
Token: SeChangeNotifyPrivilege	2012	vbc.exe
Token: SeCreateTokenPrivilege	2012	vbc.exe
Token: SeBackupPrivilege	2012	vbc.exe
Token: SeRestorePrivilege	2012	vbc.exe
Token: SeIncreaseQuotaPrivilege	2012	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2012	vbc.exe
Token: SeImpersonatePrivilege	2012	vbc.exe
Token: SeTcbPrivilege	2012	vbc.exe
Token: SeChangeNotifyPrivilege	2012	vbc.exe
Token: SeCreateTokenPrivilege	2012	vbc.exe
Token: SeBackupPrivilege	2012	vbc.exe
Token: SeRestorePrivilege	2012	vbc.exe
Token: SeIncreaseQuotaPrivilege	2012	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2012	vbc.exe
Token: SeImpersonatePrivilege	2012	vbc.exe
Token: SeTcbPrivilege	2012	vbc.exe
Token: SeChangeNotifyPrivilege	2012	vbc.exe
Token: SeCreateTokenPrivilege	2012	vbc.exe
Token: SeBackupPrivilege	2012	vbc.exe
Token: SeRestorePrivilege	2012	vbc.exe
Token: SeIncreaseQuotaPrivilege	2012	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2012	vbc.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 2012	1376	61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd.exe	28
PID 1376 wrote to memory of 2012	1376	61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd.exe	28
PID 1376 wrote to memory of 2012	1376	61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd.exe	28
PID 1376 wrote to memory of 2012	1376	61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd.exe	28
PID 1376 wrote to memory of 2012	1376	61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd.exe	28
PID 1376 wrote to memory of 2012	1376	61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd.exe	28
PID 1376 wrote to memory of 2012	1376	61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd.exe	28
PID 1376 wrote to memory of 2012	1376	61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd.exe	28
PID 1376 wrote to memory of 2012	1376	61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd.exe	28
PID 2012 wrote to memory of 1668	2012	vbc.exe	30
PID 2012 wrote to memory of 1668	2012	vbc.exe	30
PID 2012 wrote to memory of 1668	2012	vbc.exe	30
PID 2012 wrote to memory of 1668	2012	vbc.exe	30

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd.exe
"C:\Users\Admin\AppData\Local\Temp\61a99641dd17b8e5f90b9bcab31310fef29f044a0df028f1958de9b3e4e95afd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_win_path
  PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7144143.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
    3⤵
    PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

2

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7144143.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
memory/1376-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1376-55-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-56-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-67-0x0000000074E90000-0x000000007543B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-61-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2012-63-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2012-66-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2012-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2012-69-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2012-58-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2012-71-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2012-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads