pony | 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98

General

Target

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
Size

1.7MB
MD5

fd860b8c9003b60b1e1d4cf5a81171a2
SHA1

0d96bf07de613c46920d99282408421024472d11
SHA256

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98
SHA512

cc4fda0f5fd20a07e101e179c10f2ba3bfef2574abc73784c918f5eb319f8a7d5a799f737e6de7b3128630b0b59b8cf0b4eb41500e910d7fab970b48ee1604c9
SSDEEP

24576:h1TGH/LFxCGGmZu5P9dZd+R30w43EsNHM2GpZNqfTY0TDjm0jRbm:hUH/nCG52PDZd+iw43Emz2ZNiYqiu1

Score

10^/10

pony collection discovery persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://www.estateboulv.com/html/nza/html/gate.php

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe"	reg.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

1552 svhost.exe
Loads dropped DLL 1 IoCs

Processes:

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe

pid process

2032 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1552	svhost.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svhost.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe

description	pid	process	target process
PID 2032 set thread context of 1552	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1152 timeout.exe

pid	process
1152	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe

pid	process
2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
Token: SeImpersonatePrivilege	1552	svhost.exe
Token: SeTcbPrivilege	1552	svhost.exe
Token: SeChangeNotifyPrivilege	1552	svhost.exe
Token: SeCreateTokenPrivilege	1552	svhost.exe
Token: SeBackupPrivilege	1552	svhost.exe
Token: SeRestorePrivilege	1552	svhost.exe
Token: SeIncreaseQuotaPrivilege	1552	svhost.exe
Token: SeAssignPrimaryTokenPrivilege	1552	svhost.exe
Token: SeImpersonatePrivilege	1552	svhost.exe
Token: SeTcbPrivilege	1552	svhost.exe
Token: SeChangeNotifyPrivilege	1552	svhost.exe
Token: SeCreateTokenPrivilege	1552	svhost.exe
Token: SeBackupPrivilege	1552	svhost.exe
Token: SeRestorePrivilege	1552	svhost.exe
Token: SeIncreaseQuotaPrivilege	1552	svhost.exe
Token: SeAssignPrimaryTokenPrivilege	1552	svhost.exe
Token: SeImpersonatePrivilege	1552	svhost.exe
Token: SeTcbPrivilege	1552	svhost.exe
Token: SeChangeNotifyPrivilege	1552	svhost.exe
Token: SeCreateTokenPrivilege	1552	svhost.exe
Token: SeBackupPrivilege	1552	svhost.exe
Token: SeRestorePrivilege	1552	svhost.exe
Token: SeIncreaseQuotaPrivilege	1552	svhost.exe
Token: SeAssignPrimaryTokenPrivilege	1552	svhost.exe
Token: SeImpersonatePrivilege	1552	svhost.exe
Token: SeTcbPrivilege	1552	svhost.exe
Token: SeChangeNotifyPrivilege	1552	svhost.exe
Token: SeCreateTokenPrivilege	1552	svhost.exe
Token: SeBackupPrivilege	1552	svhost.exe
Token: SeRestorePrivilege	1552	svhost.exe
Token: SeIncreaseQuotaPrivilege	1552	svhost.exe
Token: SeAssignPrimaryTokenPrivilege	1552	svhost.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.execmd.exewscript.execmd.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 1688	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	cmd.exe
PID 2032 wrote to memory of 1688	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	cmd.exe
PID 2032 wrote to memory of 1688	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	cmd.exe
PID 2032 wrote to memory of 1688	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	cmd.exe
PID 2032 wrote to memory of 1552	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 2032 wrote to memory of 1552	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 2032 wrote to memory of 1552	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 2032 wrote to memory of 1552	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 2032 wrote to memory of 1552	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 2032 wrote to memory of 1552	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 2032 wrote to memory of 1552	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 2032 wrote to memory of 1552	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 2032 wrote to memory of 1552	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 1688 wrote to memory of 976	1688	cmd.exe	wscript.exe
PID 1688 wrote to memory of 976	1688	cmd.exe	wscript.exe
PID 1688 wrote to memory of 976	1688	cmd.exe	wscript.exe
PID 1688 wrote to memory of 976	1688	cmd.exe	wscript.exe
PID 976 wrote to memory of 1496	976	wscript.exe	cmd.exe
PID 976 wrote to memory of 1496	976	wscript.exe	cmd.exe
PID 976 wrote to memory of 1496	976	wscript.exe	cmd.exe
PID 976 wrote to memory of 1496	976	wscript.exe	cmd.exe
PID 1496 wrote to memory of 1800	1496	cmd.exe	reg.exe
PID 1496 wrote to memory of 1800	1496	cmd.exe	reg.exe
PID 1496 wrote to memory of 1800	1496	cmd.exe	reg.exe
PID 1496 wrote to memory of 1800	1496	cmd.exe	reg.exe
PID 2032 wrote to memory of 1592	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	cmd.exe
PID 2032 wrote to memory of 1592	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	cmd.exe
PID 2032 wrote to memory of 1592	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	cmd.exe
PID 2032 wrote to memory of 1592	2032	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	cmd.exe
PID 1592 wrote to memory of 1152	1592	cmd.exe	timeout.exe
PID 1592 wrote to memory of 1152	1592	cmd.exe	timeout.exe
PID 1592 wrote to memory of 1152	1592	cmd.exe	timeout.exe
PID 1592 wrote to memory of 1152	1592	cmd.exe	timeout.exe

outlook_win_path 1 IoCs

Processes:

svhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svhost.exe

C:\Users\Admin\AppData\Local\Temp\63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
"C:\Users\Admin\AppData\Local\Temp\63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f
5⤵
- Modifies WinLogon for persistence
PID:1800

C:\Users\Admin\AppData\Local\Temp\svhost.exe
C:\Users\Admin\AppData\Local\Temp\svhost.exe
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\svhost.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe
Filesize
1.7MB

MD5
fd860b8c9003b60b1e1d4cf5a81171a2

SHA1
0d96bf07de613c46920d99282408421024472d11

SHA256
63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98

SHA512
cc4fda0f5fd20a07e101e179c10f2ba3bfef2574abc73784c918f5eb319f8a7d5a799f737e6de7b3128630b0b59b8cf0b4eb41500e910d7fab970b48ee1604c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
Filesize
70B

MD5
23f72401196919748c14cb64c1d55c3b

SHA1
869e3809cb4391e6f5aee5349a871e40a1e1fb22

SHA256
d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11

SHA512
2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
Filesize
264B

MD5
45d23b4fd5b312f783e0b79d66cf50dd

SHA1
6bd9a94566f15c90efd11beb9f059a608c5548cf

SHA256
dff86170a2e18d684397ee1b7153a9872bbe3ca1f1b4631bdffd46e2f6e62497

SHA512
7bd3c9ead90fbc14448b700b4449030ae252e904cbbb10062d02a8238231f0bee62a5018dada89f483a0c50c47549616389272e900486e7c57dcd5171f6c1d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\svhost.bat
Filesize
209B

MD5
3ba713a30330c94bc3f0d92fb337db0c

SHA1
1aa5bf3f8c05f0ab2d4ee1fd0e896613b090eaf3

SHA256
f4ad6712f6c8cf58b6f7ca9fae11864498000306f8afd05b6ac447b2c82768eb

SHA512
4c8c18a92b932512bb559f45eac73c779be47c9c3c3ca2f8f644ee098bcfe776c82bb337e5f14eb0cf834a6476065c52c64327cd585205fb3c6d18d12460b1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/976-70-0x0000000000000000-mapping.dmp

Download
memory/1152-81-0x0000000000000000-mapping.dmp

Download
memory/1496-75-0x0000000000000000-mapping.dmp

Download
memory/1552-69-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1552-59-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1552-66-0x000000000040FF04-mapping.dmp

Download
memory/1552-65-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1552-63-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1552-62-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1552-60-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1552-77-0x0000000000401000-0x0000000000413000-memory.dmp

Filesize
72KB

Download
memory/1592-78-0x0000000000000000-mapping.dmp

Download
memory/1688-56-0x0000000000000000-mapping.dmp

Download
memory/1800-76-0x0000000000000000-mapping.dmp

Download
memory/2032-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2032-82-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-55-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads