pony | 07b9eb901cea5bccc30c42fcae981bc87b97a3808e1869379b360e6defe9f941

Analysis

max time kernel
148s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 04:11

Target

07b9eb901cea5bccc30c42fcae981bc87b97a3808e1869379b360e6defe9f941.exe
Size

92KB
MD5

4d11068c86c1adb1b3a2520689dcc0e0
SHA1

f1a64ae0337d455a7ba5310937a8d72a85262a67
SHA256

07b9eb901cea5bccc30c42fcae981bc87b97a3808e1869379b360e6defe9f941
SHA512

8bbd6776f648ca5dd4a03e76ec000fc08d6c9243331e730e37d6fcf7eee2222ed87c3fe1a1f7fee9b31c4b454e38dffd0caea1c1173bd46d33043b1b0655daa7
SSDEEP

1536:4SgLEGdqTWYcxHtQCxHyVZim8JdBmeyl5HsTvNEAmkZI7+:4dv9CRVZL8PL8YEAtI7+

Score

10^/10

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	2412	07b9eb901cea5bccc30c42fcae981bc87b97a3808e1869379b360e6defe9f941.exe
Token: SeTcbPrivilege	2412	07b9eb901cea5bccc30c42fcae981bc87b97a3808e1869379b360e6defe9f941.exe
Token: SeChangeNotifyPrivilege	2412	07b9eb901cea5bccc30c42fcae981bc87b97a3808e1869379b360e6defe9f941.exe
Token: SeCreateTokenPrivilege	2412	07b9eb901cea5bccc30c42fcae981bc87b97a3808e1869379b360e6defe9f941.exe
Token: SeBackupPrivilege	2412	07b9eb901cea5bccc30c42fcae981bc87b97a3808e1869379b360e6defe9f941.exe
Token: SeRestorePrivilege	2412	07b9eb901cea5bccc30c42fcae981bc87b97a3808e1869379b360e6defe9f941.exe
Token: SeIncreaseQuotaPrivilege	2412	07b9eb901cea5bccc30c42fcae981bc87b97a3808e1869379b360e6defe9f941.exe
Token: SeAssignPrimaryTokenPrivilege	2412	07b9eb901cea5bccc30c42fcae981bc87b97a3808e1869379b360e6defe9f941.exe

C:\Users\Admin\AppData\Local\Temp\07b9eb901cea5bccc30c42fcae981bc87b97a3808e1869379b360e6defe9f941.exe
"C:\Users\Admin\AppData\Local\Temp\07b9eb901cea5bccc30c42fcae981bc87b97a3808e1869379b360e6defe9f941.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2412

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact