Malware Analysis Report

2025-08-06 04:32

Sample ID 221120-hvnmeafc6z
Target f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec
SHA256 f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec
Tags
pony collection discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec

Threat Level: Known bad

The file f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec was found to be: Known bad.

Malicious Activity Summary

pony collection discovery rat spyware stealer

Pony,Fareit

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks installed software on the system

Suspicious use of AdjustPrivilegeToken

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-20 07:03

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-20 07:03

Reported

2022-11-20 07:06

Platform

win10v2004-20220812-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec.exe

"C:\Users\Admin\AppData\Local\Temp\f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec.exe"

Network

Country Destination Domain Proto
N/A 8.248.5.254:80 tcp
N/A 95.101.78.82:80 tcp
N/A 8.248.5.254:80 tcp
N/A 93.184.220.29:80 tcp
N/A 93.184.220.29:80 tcp
N/A 104.80.225.205:443 tcp
N/A 8.238.110.126:80 tcp
N/A 52.182.143.208:443 tcp
N/A 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
N/A 8.238.21.126:80 tcp
N/A 8.8.8.8:53 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa udp
N/A 8.248.5.254:80 tcp
N/A 8.248.5.254:80 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-20 07:03

Reported

2022-11-20 07:06

Platform

win7-20220901-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec.exe"

Signatures

Pony,Fareit

rat spyware stealer pony

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec.exe N/A

Checks installed software on the system

discovery

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec.exe

"C:\Users\Admin\AppData\Local\Temp\f5f33ce8b0548deecd5aa4ba3d1e6df6a88ada03c67d68b1bce6b7fbe32c32ec.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 checkpointluggage.com udp
N/A 8.8.8.8:53 clotheswalla.com udp
N/A 212.32.237.101:80 clotheswalla.com tcp
N/A 212.32.237.101:80 clotheswalla.com tcp
N/A 212.32.237.101:80 clotheswalla.com tcp
N/A 212.32.237.101:80 clotheswalla.com tcp
N/A 212.32.237.101:80 clotheswalla.com tcp
N/A 212.32.237.101:80 clotheswalla.com tcp
N/A 212.32.237.101:80 clotheswalla.com tcp
N/A 212.32.237.101:80 clotheswalla.com tcp
N/A 212.32.237.101:80 clotheswalla.com tcp
N/A 212.32.237.101:80 clotheswalla.com tcp
N/A 212.32.237.101:80 clotheswalla.com tcp
N/A 8.8.8.8:53 consumerluggage.com udp
N/A 13.248.216.40:80 consumerluggage.com tcp
N/A 13.248.216.40:80 consumerluggage.com tcp
N/A 13.248.216.40:80 consumerluggage.com tcp
N/A 13.248.216.40:80 consumerluggage.com tcp

Files

memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

memory/2032-56-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2032-55-0x0000000000400000-0x000000000041F000-memory.dmp