Malware Analysis Report

2025-08-06 04:32

Sample ID 221120-gew36sdb3s
Target fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb
SHA256 fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb
Tags
pony discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb

Threat Level: Known bad

The file fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb was found to be: Known bad.

Malicious Activity Summary

pony discovery rat spyware stealer

Pony,Fareit

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks installed software on the system

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-20 05:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-20 05:43

Reported

2022-11-20 05:46

Platform

win7-20221111-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb.exe"

Signatures

Pony,Fareit

rat spyware stealer pony

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb.exe

"C:\Users\Admin\AppData\Local\Temp\fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb.exe"

Network

Country Destination Domain Proto
N/A 91.121.84.204:8080 tcp
N/A 91.121.84.204:8080 tcp
N/A 91.121.84.204:8080 tcp
N/A 91.121.84.204:8080 tcp
N/A 91.121.84.204:8080 tcp
N/A 91.121.84.204:8080 tcp

Files

memory/1284-54-0x0000000075F01000-0x0000000075F03000-memory.dmp

memory/1284-55-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1284-56-0x00000000003E0000-0x00000000003F7000-memory.dmp

memory/1284-57-0x00000000005B0000-0x00000000005CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-20 05:43

Reported

2022-11-20 05:47

Platform

win10v2004-20221111-en

Max time kernel

193s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb.exe"

Signatures

Pony,Fareit

rat spyware stealer pony

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb.exe

"C:\Users\Admin\AppData\Local\Temp\fce74b9a0aaab4dce2e5f9da02b34d29ec74e12ce008faa3f08b44bc1ad8d3bb.exe"

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 93.184.221.240:80 tcp
N/A 20.189.173.12:443 tcp
N/A 104.80.225.205:443 tcp
N/A 91.121.84.204:8080 tcp
N/A 91.121.84.204:8080 tcp
N/A 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
N/A 91.121.84.204:8080 tcp
N/A 8.8.8.8:53 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp
N/A 91.121.84.204:8080 tcp
N/A 91.121.84.204:8080 tcp
N/A 91.121.84.204:8080 tcp

Files

memory/3544-133-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3544-134-0x0000000002040000-0x0000000002057000-memory.dmp

memory/3544-135-0x0000000002060000-0x000000000207E000-memory.dmp

memory/3544-136-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3544-137-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3544-138-0x0000000000400000-0x000000000041E000-memory.dmp