pony | 9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4

General

Target

9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe
Size

275KB
MD5

6d5f7b81e4d9f13d36154d90004b8613
SHA1

99dc5390d5ace103ca823b7861515b207b2e4409
SHA256

9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4
SHA512

0764d47579177c6bb8aeb3fe746412d33fd32ce2cbebf6a4fe3557ae0fea7f74740dbdf3a8f5236853e8ddcfe1d78b9b03ad63ba38d8726b911641630bfb5fea
SSDEEP

6144:phL+RZK7JeZk9t7cxx1IXgdggfNqsfzPV6NnwL:HL+fvZ+kpugVqezyn

Score

10^/10

pony discovery persistence rat spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\36190\\73ED3.exe"	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 1 IoCs

pid	Process
1260	B29.tmp

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/576-55-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral1/memory/2020-59-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral1/memory/576-61-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral1/memory/2040-65-0x0000000000400000-0x00000000004A8000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
576	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe
576	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\D3F3\B29.tmp	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 2020	576	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	26
PID 576 wrote to memory of 2020	576	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	26
PID 576 wrote to memory of 2020	576	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	26
PID 576 wrote to memory of 2020	576	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	26
PID 576 wrote to memory of 2040	576	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	28
PID 576 wrote to memory of 2040	576	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	28
PID 576 wrote to memory of 2040	576	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	28
PID 576 wrote to memory of 2040	576	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	28
PID 576 wrote to memory of 1260	576	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	29
PID 576 wrote to memory of 1260	576	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	29
PID 576 wrote to memory of 1260	576	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	29
PID 576 wrote to memory of 1260	576	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	29

C:\Users\Admin\AppData\Local\Temp\9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe
"C:\Users\Admin\AppData\Local\Temp\9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe
  C:\Users\Admin\AppData\Local\Temp\9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe startC:\Program Files (x86)\Internet Explorer\D3F3\B75.exe%C:\Program Files (x86)\Internet Explorer\D3F3
  2⤵
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe
  C:\Users\Admin\AppData\Local\Temp\9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe startC:\Program Files (x86)\90796\lvvm.exe%C:\Program Files (x86)\90796
  2⤵
  PID:2040
- C:\Program Files (x86)\Internet Explorer\D3F3\B29.tmp
  "C:\Program Files (x86)\Internet Explorer\D3F3\B29.tmp"
  2⤵
  - Executes dropped EXE
  PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\D3F3\B29.tmp

Filesize
102KB

MD5
f1485cafc15a02799025650dbfe4af1e

SHA1
6a76d472edb299f68ecd848c1d3c1f08767a39bd

SHA256
d1b221cd94f7898bf0addb89cfe1206159961bd4cd48c0e394ef1acb682d7ad6

SHA512
8396c786e18a9e56b207c0d0640ffa41f0879a2ed467e364d90e3dbb215229b576ff108804cd7d637317c5d32866f9ae69fb2302c030ef9bc57f1eac22563b2c

Download Submit
\Program Files (x86)\Internet Explorer\D3F3\B29.tmp

Filesize
102KB

MD5
f1485cafc15a02799025650dbfe4af1e

SHA1
6a76d472edb299f68ecd848c1d3c1f08767a39bd

SHA256
d1b221cd94f7898bf0addb89cfe1206159961bd4cd48c0e394ef1acb682d7ad6

SHA512
8396c786e18a9e56b207c0d0640ffa41f0879a2ed467e364d90e3dbb215229b576ff108804cd7d637317c5d32866f9ae69fb2302c030ef9bc57f1eac22563b2c

Download Submit
\Program Files (x86)\Internet Explorer\D3F3\B29.tmp

Filesize
102KB

MD5
f1485cafc15a02799025650dbfe4af1e

SHA1
6a76d472edb299f68ecd848c1d3c1f08767a39bd

SHA256
d1b221cd94f7898bf0addb89cfe1206159961bd4cd48c0e394ef1acb682d7ad6

SHA512
8396c786e18a9e56b207c0d0640ffa41f0879a2ed467e364d90e3dbb215229b576ff108804cd7d637317c5d32866f9ae69fb2302c030ef9bc57f1eac22563b2c

Download Submit
memory/576-55-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-56-0x00000000002D1000-0x00000000002F5000-memory.dmp

Filesize
144KB

Download
memory/576-54-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/576-61-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/576-62-0x00000000002D1000-0x00000000002F5000-memory.dmp

Filesize
144KB

Download
memory/1260-77-0x0000000000521000-0x0000000000531000-memory.dmp

Filesize
64KB

Download
memory/1260-74-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1260-73-0x0000000000521000-0x0000000000531000-memory.dmp

Filesize
64KB

Download
memory/1260-75-0x0000000000521000-0x0000000000531000-memory.dmp

Filesize
64KB

Download
memory/1260-76-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1260-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2020-60-0x00000000005E1000-0x0000000000605000-memory.dmp

Filesize
144KB

Download
memory/2020-59-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2040-66-0x0000000000621000-0x0000000000645000-memory.dmp

Filesize
144KB

Download
memory/2040-65-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download

Analysis

Sharing