pony | 29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e

General

Target

29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Size

109KB
MD5

171964df131f80b9539ae742fdd0e734
SHA1

ec30df099d9f7157a3c210657c0ee81805946465
SHA256

29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e
SHA512

bcd0087dd9843f4612d7a488575a5c7640bf8cba602f5421db724ab79c966b6b8acec409509474971dd9a130f539a9ed52f1d388be3af04cff45726382411cf3
SSDEEP

3072:rJZIqCxrmFlBIoCTLBYJZa4MOamUKx3zrnpoIZ2ayBusODV:9ZIbxrmFllouva4MOp99oe2RODV

Score

10^/10

pony collection discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://golklopro.com/bitrix/modules.php

http://cosjesgame.su/bitrix/modules.php

Attributes

payload_url
http://teles4.com/333.exe

http://gavilan.cl/333.exe

http://emstudio.fr/333.exe

http://calduler.com/333.exe

http://iamsaved.org/333.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe

description	pid	process
Token: SeImpersonatePrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeTcbPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeChangeNotifyPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeCreateTokenPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeBackupPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeRestorePrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeIncreaseQuotaPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeAssignPrimaryTokenPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeImpersonatePrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeTcbPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeChangeNotifyPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeCreateTokenPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeBackupPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeRestorePrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeIncreaseQuotaPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeAssignPrimaryTokenPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeImpersonatePrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeTcbPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeChangeNotifyPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeCreateTokenPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeBackupPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeRestorePrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeIncreaseQuotaPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeAssignPrimaryTokenPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeImpersonatePrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeTcbPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeChangeNotifyPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeCreateTokenPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeBackupPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeRestorePrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeIncreaseQuotaPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeAssignPrimaryTokenPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeImpersonatePrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeTcbPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeChangeNotifyPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeCreateTokenPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeBackupPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeRestorePrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeIncreaseQuotaPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeAssignPrimaryTokenPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeImpersonatePrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeTcbPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeChangeNotifyPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeCreateTokenPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeBackupPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeRestorePrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeIncreaseQuotaPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
Token: SeAssignPrimaryTokenPrivilege	3588	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe

outlook_win_path 1 IoCs

Processes:

29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe

C:\Users\Admin\AppData\Local\Temp\29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe
"C:\Users\Admin\AppData\Local\Temp\29f94febbac1b9a2ccd4d94e3d39cfb1d58519d2fa64bffaaa4e7b77dc46779e.exe"
1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:3588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3588-132-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3588-133-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads