Malware Analysis Report

2025-08-06 04:32

Sample ID 221120-gj8b1aab55
Target cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5
SHA256 cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5
Tags
pony collection discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5

Threat Level: Known bad

The file cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5 was found to be: Known bad.

Malicious Activity Summary

pony collection discovery rat spyware stealer

Pony,Fareit

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks installed software on the system

Drops file in System32 directory

outlook_win_path

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-20 05:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-20 05:51

Reported

2022-11-20 05:53

Platform

win7-20221111-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe"

Signatures

Pony,Fareit

rat spyware stealer pony

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe N/A

Checks installed software on the system

discovery

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe

"C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 customkids.com udp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 8.8.8.8:53 dharmaking.info udp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 8.8.8.8:53 dharmaking.net udp
N/A 15.197.142.173:80 dharmaking.net tcp
N/A 15.197.142.173:80 dharmaking.net tcp
N/A 15.197.142.173:80 dharmaking.net tcp

Files

memory/936-55-0x0000000000400000-0x000000000041D000-memory.dmp

memory/936-54-0x0000000000400000-0x000000000041D000-memory.dmp

memory/936-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-20 05:51

Reported

2022-11-20 05:53

Platform

win10v2004-20220812-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe"

Signatures

Pony,Fareit

rat spyware stealer pony

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{2DD3F04E-B83C-4E4F-952D-FCE02E43C891}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{09DA512E-78C8-4413-9D16-F82D96C1AC52}.catalogItem C:\Windows\System32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\svchost.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe

"C:\Users\Admin\AppData\Local\Temp\cc6c4807522f03e6125df957a6e9f30ff757ac83f991bae215f619bc7b4b1ec5.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 customkids.com udp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 34.102.136.180:80 customkids.com tcp
N/A 8.8.8.8:53 dharmaking.info udp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 15.197.142.173:80 dharmaking.info tcp
N/A 8.8.8.8:53 dharmaking.net udp
N/A 15.197.142.173:80 dharmaking.net tcp
N/A 15.197.142.173:80 dharmaking.net tcp
N/A 15.197.142.173:80 dharmaking.net tcp
N/A 15.197.142.173:80 dharmaking.net tcp
N/A 15.197.142.173:80 dharmaking.net tcp
N/A 15.197.142.173:80 dharmaking.net tcp
N/A 15.197.142.173:80 dharmaking.net tcp
N/A 15.197.142.173:80 dharmaking.net tcp

Files

memory/1152-133-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1152-132-0x0000000000400000-0x000000000041D000-memory.dmp