pony | b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603

General

Target

b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
Size

959KB
MD5

a7b3d8bf5e1016eb03af417e28b3405a
SHA1

865a61dfc45a5ed708106055de5ff19a76349d2d
SHA256

b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603
SHA512

cb1a3e3f3b6f1a9cf9fd2e2bb0f7f04923289708b717979f31967a32f4715eff8d90bb1b624a40e1f27e83240071cd2540df41c56e2b9bd335d8037fad699bec
SSDEEP

12288:G1uKSavywZ8oPEVzTEnUycspBKugd7uDjde1sKcilllPqwHiZEIUbWSDz45ohOk5:GMKS6ywZHDp6dge1sKgwHMExe53ckq

Score

10^/10

pony discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://eileen.3eeweb.com/1/1/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

NirSoft MailPassView 10 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1680-62-0x0000000000400000-0x000000000049A000-memory.dmp	MailPassView
behavioral1/memory/1680-63-0x0000000000400000-0x000000000049A000-memory.dmp	MailPassView
behavioral1/memory/1680-64-0x0000000000400000-0x000000000049A000-memory.dmp	MailPassView
behavioral1/memory/1680-65-0x000000000049551E-mapping.dmp	MailPassView
behavioral1/memory/1680-67-0x0000000000400000-0x000000000049A000-memory.dmp	MailPassView
behavioral1/memory/1680-69-0x0000000000400000-0x000000000049A000-memory.dmp	MailPassView
behavioral1/memory/1408-74-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1408-75-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/1408-78-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/1408-79-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 10 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1680-62-0x0000000000400000-0x000000000049A000-memory.dmp	WebBrowserPassView
behavioral1/memory/1680-63-0x0000000000400000-0x000000000049A000-memory.dmp	WebBrowserPassView
behavioral1/memory/1680-64-0x0000000000400000-0x000000000049A000-memory.dmp	WebBrowserPassView
behavioral1/memory/1680-65-0x000000000049551E-mapping.dmp	WebBrowserPassView
behavioral1/memory/1680-67-0x0000000000400000-0x000000000049A000-memory.dmp	WebBrowserPassView
behavioral1/memory/1680-69-0x0000000000400000-0x000000000049A000-memory.dmp	WebBrowserPassView
behavioral1/memory/268-88-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/268-89-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral1/memory/268-92-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/268-93-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1680-62-0x0000000000400000-0x000000000049A000-memory.dmp	Nirsoft
behavioral1/memory/1680-63-0x0000000000400000-0x000000000049A000-memory.dmp	Nirsoft
behavioral1/memory/1680-64-0x0000000000400000-0x000000000049A000-memory.dmp	Nirsoft
behavioral1/memory/1680-65-0x000000000049551E-mapping.dmp	Nirsoft
behavioral1/memory/1680-67-0x0000000000400000-0x000000000049A000-memory.dmp	Nirsoft
behavioral1/memory/1680-69-0x0000000000400000-0x000000000049A000-memory.dmp	Nirsoft
behavioral1/memory/1408-74-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1408-75-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/1408-78-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1408-79-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/268-88-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/268-89-0x0000000000442628-mapping.dmp	Nirsoft
behavioral1/memory/268-92-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/268-93-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

EBFile_1.exe

pid process

664 EBFile_1.exe

pid	process
664	EBFile_1.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\EBFile_1.exe	upx
\Users\Admin\AppData\Local\Temp\EBFile_1.exe	upx
C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe	upx
behavioral1/memory/664-87-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe

pid	process
1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 whatismyipaddress.com
7 whatismyipaddress.com
4 whatismyipaddress.com

flow	ioc
6	whatismyipaddress.com
7	whatismyipaddress.com
4	whatismyipaddress.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exeb23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe

description	pid	process	target process
PID 2032 set thread context of 1680	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
PID 1680 set thread context of 1408	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	vbc.exe

Drops file in Windows directory 2 IoCs

Processes:

b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe

description	ioc	process
File opened for modification	C:\Windows\26	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
File opened for modification	C:\Windows\28	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe

pid process

2032 b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe

pid	process
2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exeb23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exeEBFile_1.exe

description	pid	process
Token: SeDebugPrivilege	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
Token: SeDebugPrivilege	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
Token: SeImpersonatePrivilege	664	EBFile_1.exe
Token: SeTcbPrivilege	664	EBFile_1.exe
Token: SeChangeNotifyPrivilege	664	EBFile_1.exe
Token: SeCreateTokenPrivilege	664	EBFile_1.exe
Token: SeBackupPrivilege	664	EBFile_1.exe
Token: SeRestorePrivilege	664	EBFile_1.exe
Token: SeIncreaseQuotaPrivilege	664	EBFile_1.exe
Token: SeAssignPrimaryTokenPrivilege	664	EBFile_1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe

pid process

1680 b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exeb23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe

description	pid	process	target process
PID 2032 wrote to memory of 688	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	CMD.exe
PID 2032 wrote to memory of 688	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	CMD.exe
PID 2032 wrote to memory of 688	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	CMD.exe
PID 2032 wrote to memory of 688	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	CMD.exe
PID 2032 wrote to memory of 1304	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	CMD.exe
PID 2032 wrote to memory of 1304	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	CMD.exe
PID 2032 wrote to memory of 1304	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	CMD.exe
PID 2032 wrote to memory of 1304	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	CMD.exe
PID 2032 wrote to memory of 1680	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
PID 2032 wrote to memory of 1680	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
PID 2032 wrote to memory of 1680	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
PID 2032 wrote to memory of 1680	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
PID 2032 wrote to memory of 1680	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
PID 2032 wrote to memory of 1680	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
PID 2032 wrote to memory of 1680	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
PID 2032 wrote to memory of 1680	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
PID 2032 wrote to memory of 1680	2032	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
PID 1680 wrote to memory of 1408	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	vbc.exe
PID 1680 wrote to memory of 1408	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	vbc.exe
PID 1680 wrote to memory of 1408	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	vbc.exe
PID 1680 wrote to memory of 1408	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	vbc.exe
PID 1680 wrote to memory of 1408	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	vbc.exe
PID 1680 wrote to memory of 1408	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	vbc.exe
PID 1680 wrote to memory of 1408	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	vbc.exe
PID 1680 wrote to memory of 1408	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	vbc.exe
PID 1680 wrote to memory of 1408	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	vbc.exe
PID 1680 wrote to memory of 1408	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	vbc.exe
PID 1680 wrote to memory of 664	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	EBFile_1.exe
PID 1680 wrote to memory of 664	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	EBFile_1.exe
PID 1680 wrote to memory of 664	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	EBFile_1.exe
PID 1680 wrote to memory of 664	1680	b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe	EBFile_1.exe

C:\Users\Admin\AppData\Local\Temp\b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
"C:\Users\Admin\AppData\Local\Temp\b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\CMD.exe
  "CMD"
  2⤵
  PID:688
- C:\Windows\SysWOW64\CMD.exe
  "CMD"
  2⤵
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe
  "C:\Users\Admin\AppData\Local\Temp\b23d34467dc531af94893450e0b8035a8747f3d7fb86519a419ed9c7388bb603.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    3⤵
    PID:1408
- - C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe
    "C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:664
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
    3⤵
    PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EBFile_1.exe

Filesize
34KB

MD5
9870cf3bfa9d28e60cada6d16b42c2a7

SHA1
dacfbe479063f4d771d05ddc92c35e9b72e9d34f

SHA256
a141d1b4b207f8d350f67ebbecc422909720d4fa2d520e66182224c361ccdab0

SHA512
63667d96d923d361f7e68dc517fd693e76be4c51cf883621463a33b6ce54d47569492cd8ae75996efb37222d97ac86db54b99bea92a24d2b404ef813b7e9f52a

Download Submit
\Users\Admin\AppData\Local\Temp\EBFile_1.exe

Filesize
34KB

MD5
9870cf3bfa9d28e60cada6d16b42c2a7

SHA1
dacfbe479063f4d771d05ddc92c35e9b72e9d34f

SHA256
a141d1b4b207f8d350f67ebbecc422909720d4fa2d520e66182224c361ccdab0

SHA512
63667d96d923d361f7e68dc517fd693e76be4c51cf883621463a33b6ce54d47569492cd8ae75996efb37222d97ac86db54b99bea92a24d2b404ef813b7e9f52a

Download Submit
\Users\Admin\AppData\Local\Temp\EBFile_1.exe

Filesize
34KB

MD5
9870cf3bfa9d28e60cada6d16b42c2a7

SHA1
dacfbe479063f4d771d05ddc92c35e9b72e9d34f

SHA256
a141d1b4b207f8d350f67ebbecc422909720d4fa2d520e66182224c361ccdab0

SHA512
63667d96d923d361f7e68dc517fd693e76be4c51cf883621463a33b6ce54d47569492cd8ae75996efb37222d97ac86db54b99bea92a24d2b404ef813b7e9f52a

Download Submit
memory/268-88-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/268-89-0x0000000000442628-mapping.dmp

Download
memory/268-92-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/268-93-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/664-87-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/664-82-0x0000000000000000-mapping.dmp

Download
memory/688-57-0x0000000000000000-mapping.dmp

Download
memory/1304-58-0x0000000000000000-mapping.dmp

Download
memory/1408-74-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1408-79-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1408-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1408-75-0x0000000000411654-mapping.dmp

Download
memory/1680-62-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1680-64-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1680-59-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1680-71-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1680-69-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1680-67-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1680-65-0x000000000049551E-mapping.dmp

Download
memory/1680-73-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1680-63-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1680-86-0x00000000049C0000-0x00000000049DD000-memory.dmp

Filesize
116KB

Download
memory/1680-85-0x00000000049C0000-0x00000000049DD000-memory.dmp

Filesize
116KB

Download
memory/1680-60-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2032-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/2032-72-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-56-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-55-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads