pony | 9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4

General

Target

9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe
Size

275KB
MD5

6d5f7b81e4d9f13d36154d90004b8613
SHA1

99dc5390d5ace103ca823b7861515b207b2e4409
SHA256

9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4
SHA512

0764d47579177c6bb8aeb3fe746412d33fd32ce2cbebf6a4fe3557ae0fea7f74740dbdf3a8f5236853e8ddcfe1d78b9b03ad63ba38d8726b911641630bfb5fea
SSDEEP

6144:phL+RZK7JeZk9t7cxx1IXgdggfNqsfzPV6NnwL:HL+fvZ+kpugVqezyn

Score

10^/10

pony discovery persistence rat spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\CED73\\8BED3.exe"	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 1 IoCs

pid	Process
5008	AEDD.tmp

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1884-132-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral2/memory/1172-135-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral2/memory/1884-137-0x0000000000400000-0x00000000004A8000-memory.dmp	upx
behavioral2/memory/5104-140-0x0000000000400000-0x00000000004A8000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\D3FC\AEDD.tmp	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1172	1884	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	82
PID 1884 wrote to memory of 1172	1884	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	82
PID 1884 wrote to memory of 1172	1884	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	82
PID 1884 wrote to memory of 5104	1884	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	85
PID 1884 wrote to memory of 5104	1884	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	85
PID 1884 wrote to memory of 5104	1884	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	85
PID 1884 wrote to memory of 5008	1884	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	92
PID 1884 wrote to memory of 5008	1884	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	92
PID 1884 wrote to memory of 5008	1884	9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe	92

C:\Users\Admin\AppData\Local\Temp\9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe
"C:\Users\Admin\AppData\Local\Temp\9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe
  C:\Users\Admin\AppData\Local\Temp\9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe startC:\Program Files (x86)\Internet Explorer\D3FC\5BB.exe%C:\Program Files (x86)\Internet Explorer\D3FC
  2⤵
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe
  C:\Users\Admin\AppData\Local\Temp\9fa82d753f259fc080ae943c83432f76806011325018ff8dc4e9c70606737aa4.exe startC:\Program Files (x86)\739D8\lvvm.exe%C:\Program Files (x86)\739D8
  2⤵
  PID:5104
- C:\Program Files (x86)\Internet Explorer\D3FC\AEDD.tmp
  "C:\Program Files (x86)\Internet Explorer\D3FC\AEDD.tmp"
  2⤵
  - Executes dropped EXE
  PID:5008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\D3FC\AEDD.tmp

Filesize
102KB

MD5
f1485cafc15a02799025650dbfe4af1e

SHA1
6a76d472edb299f68ecd848c1d3c1f08767a39bd

SHA256
d1b221cd94f7898bf0addb89cfe1206159961bd4cd48c0e394ef1acb682d7ad6

SHA512
8396c786e18a9e56b207c0d0640ffa41f0879a2ed467e364d90e3dbb215229b576ff108804cd7d637317c5d32866f9ae69fb2302c030ef9bc57f1eac22563b2c

Download Submit
C:\Program Files (x86)\Internet Explorer\D3FC\AEDD.tmp

Filesize
102KB

MD5
f1485cafc15a02799025650dbfe4af1e

SHA1
6a76d472edb299f68ecd848c1d3c1f08767a39bd

SHA256
d1b221cd94f7898bf0addb89cfe1206159961bd4cd48c0e394ef1acb682d7ad6

SHA512
8396c786e18a9e56b207c0d0640ffa41f0879a2ed467e364d90e3dbb215229b576ff108804cd7d637317c5d32866f9ae69fb2302c030ef9bc57f1eac22563b2c

Download Submit
memory/1172-136-0x00000000006F6000-0x000000000071A000-memory.dmp

Filesize
144KB

Download
memory/1172-135-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1884-132-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1884-137-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1884-138-0x0000000000631000-0x0000000000655000-memory.dmp

Filesize
144KB

Download
memory/1884-133-0x0000000000631000-0x0000000000655000-memory.dmp

Filesize
144KB

Download
memory/5008-147-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5008-145-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5008-146-0x00000000004F1000-0x0000000000501000-memory.dmp

Filesize
64KB

Download
memory/5008-148-0x00000000004F1000-0x0000000000501000-memory.dmp

Filesize
64KB

Download
memory/5008-150-0x00000000004F1000-0x0000000000501000-memory.dmp

Filesize
64KB

Download
memory/5008-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5104-141-0x0000000000766000-0x000000000078A000-memory.dmp

Filesize
144KB

Download
memory/5104-140-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download

Analysis

Sharing