pony | 63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98

General

Target

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
Size

1.7MB
MD5

fd860b8c9003b60b1e1d4cf5a81171a2
SHA1

0d96bf07de613c46920d99282408421024472d11
SHA256

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98
SHA512

cc4fda0f5fd20a07e101e179c10f2ba3bfef2574abc73784c918f5eb319f8a7d5a799f737e6de7b3128630b0b59b8cf0b4eb41500e910d7fab970b48ee1604c9
SSDEEP

24576:h1TGH/LFxCGGmZu5P9dZd+R30w43EsNHM2GpZNqfTY0TDjm0jRbm:hUH/nCG52PDZd+iw43Emz2ZNiYqiu1

Score

10^/10

pony collection discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://www.estateboulv.com/html/nza/html/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

3708 svhost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation wscript.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3708	svhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wscript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svhost.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe

description	pid	process	target process
PID 3444 set thread context of 3708	3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe

Drops file in Windows directory 3 IoCs

Processes:

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
File created	C:\Windows\assembly\Desktop.ini	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe

pid	process
3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
Token: SeImpersonatePrivilege	3708	svhost.exe
Token: SeTcbPrivilege	3708	svhost.exe
Token: SeChangeNotifyPrivilege	3708	svhost.exe
Token: SeCreateTokenPrivilege	3708	svhost.exe
Token: SeBackupPrivilege	3708	svhost.exe
Token: SeRestorePrivilege	3708	svhost.exe
Token: SeIncreaseQuotaPrivilege	3708	svhost.exe
Token: SeAssignPrimaryTokenPrivilege	3708	svhost.exe
Token: SeImpersonatePrivilege	3708	svhost.exe
Token: SeTcbPrivilege	3708	svhost.exe
Token: SeChangeNotifyPrivilege	3708	svhost.exe
Token: SeCreateTokenPrivilege	3708	svhost.exe
Token: SeBackupPrivilege	3708	svhost.exe
Token: SeRestorePrivilege	3708	svhost.exe
Token: SeIncreaseQuotaPrivilege	3708	svhost.exe
Token: SeAssignPrimaryTokenPrivilege	3708	svhost.exe
Token: SeImpersonatePrivilege	3708	svhost.exe
Token: SeTcbPrivilege	3708	svhost.exe
Token: SeChangeNotifyPrivilege	3708	svhost.exe
Token: SeCreateTokenPrivilege	3708	svhost.exe
Token: SeBackupPrivilege	3708	svhost.exe
Token: SeRestorePrivilege	3708	svhost.exe
Token: SeIncreaseQuotaPrivilege	3708	svhost.exe
Token: SeAssignPrimaryTokenPrivilege	3708	svhost.exe
Token: SeImpersonatePrivilege	3708	svhost.exe
Token: SeTcbPrivilege	3708	svhost.exe
Token: SeChangeNotifyPrivilege	3708	svhost.exe
Token: SeCreateTokenPrivilege	3708	svhost.exe
Token: SeBackupPrivilege	3708	svhost.exe
Token: SeRestorePrivilege	3708	svhost.exe
Token: SeIncreaseQuotaPrivilege	3708	svhost.exe
Token: SeAssignPrimaryTokenPrivilege	3708	svhost.exe
Token: SeImpersonatePrivilege	3708	svhost.exe
Token: SeTcbPrivilege	3708	svhost.exe
Token: SeChangeNotifyPrivilege	3708	svhost.exe
Token: SeCreateTokenPrivilege	3708	svhost.exe
Token: SeBackupPrivilege	3708	svhost.exe
Token: SeRestorePrivilege	3708	svhost.exe
Token: SeIncreaseQuotaPrivilege	3708	svhost.exe
Token: SeAssignPrimaryTokenPrivilege	3708	svhost.exe
Token: SeImpersonatePrivilege	3708	svhost.exe
Token: SeTcbPrivilege	3708	svhost.exe
Token: SeChangeNotifyPrivilege	3708	svhost.exe
Token: SeCreateTokenPrivilege	3708	svhost.exe
Token: SeBackupPrivilege	3708	svhost.exe
Token: SeRestorePrivilege	3708	svhost.exe
Token: SeIncreaseQuotaPrivilege	3708	svhost.exe
Token: SeAssignPrimaryTokenPrivilege	3708	svhost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.execmd.exe

description	pid	process	target process
PID 3444 wrote to memory of 1876	3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	cmd.exe
PID 3444 wrote to memory of 1876	3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	cmd.exe
PID 3444 wrote to memory of 1876	3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	cmd.exe
PID 1876 wrote to memory of 3104	1876	cmd.exe	wscript.exe
PID 1876 wrote to memory of 3104	1876	cmd.exe	wscript.exe
PID 1876 wrote to memory of 3104	1876	cmd.exe	wscript.exe
PID 3444 wrote to memory of 3708	3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 3444 wrote to memory of 3708	3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 3444 wrote to memory of 3708	3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 3444 wrote to memory of 3708	3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 3444 wrote to memory of 3708	3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 3444 wrote to memory of 3708	3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 3444 wrote to memory of 3708	3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe
PID 3444 wrote to memory of 3708	3444	63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe	svhost.exe

outlook_win_path 1 IoCs

Processes:

svhost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svhost.exe

C:\Users\Admin\AppData\Local\Temp\63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe
"C:\Users\Admin\AppData\Local\Temp\63f2cda34866403609afd766ec449f78bff877433a16f0aeb0bed86e98d29e98.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
3⤵
- Checks computer location settings
PID:3104

C:\Users\Admin\AppData\Local\Temp\svhost.exe
C:\Users\Admin\AppData\Local\Temp\svhost.exe
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:3708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
Filesize
70B

MD5
23f72401196919748c14cb64c1d55c3b

SHA1
869e3809cb4391e6f5aee5349a871e40a1e1fb22

SHA256
d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11

SHA512
2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
Filesize
264B

MD5
45d23b4fd5b312f783e0b79d66cf50dd

SHA1
6bd9a94566f15c90efd11beb9f059a608c5548cf

SHA256
dff86170a2e18d684397ee1b7153a9872bbe3ca1f1b4631bdffd46e2f6e62497

SHA512
7bd3c9ead90fbc14448b700b4449030ae252e904cbbb10062d02a8238231f0bee62a5018dada89f483a0c50c47549616389272e900486e7c57dcd5171f6c1d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
memory/1876-134-0x0000000000000000-mapping.dmp

Download
memory/3104-136-0x0000000000000000-mapping.dmp

Download
memory/3444-132-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/3444-133-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/3444-145-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/3708-137-0x0000000000000000-mapping.dmp

Download
memory/3708-138-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3708-142-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads