Malware Analysis Report

2025-08-06 04:32

Sample ID 221120-h8eawsce56
Target d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65
SHA256 d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65
Tags
pony collection discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65

Threat Level: Known bad

The file d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65 was found to be: Known bad.

Malicious Activity Summary

pony collection discovery rat spyware stealer

Pony,Fareit

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks installed software on the system

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-20 07:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-20 07:24

Reported

2022-11-20 07:27

Platform

win7-20221111-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe"

Signatures

Pony,Fareit

rat spyware stealer pony

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe N/A

Checks installed software on the system

discovery

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe

"C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe"

Network

Country Destination Domain Proto
N/A 213.155.112.91:8080 tcp
N/A 213.155.112.91:8080 tcp
N/A 213.155.112.91:8080 tcp
N/A 213.155.112.91:8080 tcp
N/A 213.155.112.91:8080 tcp

Files

memory/1700-54-0x0000000076651000-0x0000000076653000-memory.dmp

memory/1700-56-0x00000000003B0000-0x00000000003E3000-memory.dmp

memory/1700-55-0x0000000000310000-0x0000000000329000-memory.dmp

memory/1700-57-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-20 07:24

Reported

2022-11-20 07:27

Platform

win10v2004-20221111-en

Max time kernel

163s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe"

Signatures

Pony,Fareit

rat spyware stealer pony

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe N/A

Checks installed software on the system

discovery

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe

"C:\Users\Admin\AppData\Local\Temp\d9b808e05b8c7825a2bac7ce669e621d4d003e028fa46ce92d0f8c8108a33c65.exe"

Network

Country Destination Domain Proto
N/A 213.155.112.91:8080 tcp
N/A 93.184.220.29:80 tcp
N/A 52.152.110.14:443 tcp
N/A 213.155.112.91:8080 tcp
N/A 104.80.225.205:443 tcp
N/A 52.152.110.14:443 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 213.155.112.91:8080 tcp
N/A 52.152.110.14:443 tcp
N/A 93.184.221.240:80 tcp
N/A 213.155.112.91:8080 tcp
N/A 213.155.112.91:8080 tcp
N/A 213.155.112.91:8080 tcp
N/A 8.8.8.8:53 176.122.125.40.in-addr.arpa udp

Files

memory/3508-132-0x0000000002080000-0x0000000002099000-memory.dmp

memory/3508-133-0x00000000020A0000-0x00000000020D3000-memory.dmp

memory/3508-134-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3508-135-0x0000000000400000-0x0000000000433000-memory.dmp