pony | 8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa

General

Target

8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
Size

2.1MB
MD5

3aee1d3b499fdcbb350151761e99bad3
SHA1

b8835a0230b87317d795301712bd9fba049f4928
SHA256

8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa
SHA512

872911943165a5b059008e5b83e74aed5f17274e67dab086a7f86ad7c517b84e56d062daccc29316a78e2875dff05907a51a74d19b0d66b431a92a66d16128a9
SSDEEP

49152:A0l4lo5JJ41mCsXBbKu6pYfSaiLphjORS85V0wKt4dZC6hAAAAXt:A0qqB41tZbqGjYS2KhWC6O

Score

10^/10

pony collection rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://rebeccasun.webatu.com/pony/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Drops file in Drivers directory 1 IoCs

Processes:

8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe

Executes dropped EXE 1 IoCs

Processes:

cdOGqEc0RiM5L3b5.exe

pid process

1352 cdOGqEc0RiM5L3b5.exe

pid	process
1352	cdOGqEc0RiM5L3b5.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe

description	pid	process	target process
PID 4328 set thread context of 1260	4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.execdOGqEc0RiM5L3b5.exe

pid	process
4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe
1352	cdOGqEc0RiM5L3b5.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
Token: SeImpersonatePrivilege	1260	vbc.exe
Token: SeTcbPrivilege	1260	vbc.exe
Token: SeChangeNotifyPrivilege	1260	vbc.exe
Token: SeCreateTokenPrivilege	1260	vbc.exe
Token: SeBackupPrivilege	1260	vbc.exe
Token: SeRestorePrivilege	1260	vbc.exe
Token: SeIncreaseQuotaPrivilege	1260	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1260	vbc.exe
Token: SeImpersonatePrivilege	1260	vbc.exe
Token: SeTcbPrivilege	1260	vbc.exe
Token: SeChangeNotifyPrivilege	1260	vbc.exe
Token: SeCreateTokenPrivilege	1260	vbc.exe
Token: SeBackupPrivilege	1260	vbc.exe
Token: SeRestorePrivilege	1260	vbc.exe
Token: SeIncreaseQuotaPrivilege	1260	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1260	vbc.exe
Token: SeImpersonatePrivilege	1260	vbc.exe
Token: SeTcbPrivilege	1260	vbc.exe
Token: SeChangeNotifyPrivilege	1260	vbc.exe
Token: SeCreateTokenPrivilege	1260	vbc.exe
Token: SeBackupPrivilege	1260	vbc.exe
Token: SeRestorePrivilege	1260	vbc.exe
Token: SeIncreaseQuotaPrivilege	1260	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1260	vbc.exe
Token: SeImpersonatePrivilege	1260	vbc.exe
Token: SeTcbPrivilege	1260	vbc.exe
Token: SeChangeNotifyPrivilege	1260	vbc.exe
Token: SeCreateTokenPrivilege	1260	vbc.exe
Token: SeBackupPrivilege	1260	vbc.exe
Token: SeRestorePrivilege	1260	vbc.exe
Token: SeIncreaseQuotaPrivilege	1260	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1260	vbc.exe
Token: SeImpersonatePrivilege	1260	vbc.exe
Token: SeTcbPrivilege	1260	vbc.exe
Token: SeChangeNotifyPrivilege	1260	vbc.exe
Token: SeCreateTokenPrivilege	1260	vbc.exe
Token: SeBackupPrivilege	1260	vbc.exe
Token: SeRestorePrivilege	1260	vbc.exe
Token: SeIncreaseQuotaPrivilege	1260	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1260	vbc.exe
Token: SeImpersonatePrivilege	1260	vbc.exe
Token: SeTcbPrivilege	1260	vbc.exe
Token: SeChangeNotifyPrivilege	1260	vbc.exe
Token: SeCreateTokenPrivilege	1260	vbc.exe
Token: SeBackupPrivilege	1260	vbc.exe
Token: SeRestorePrivilege	1260	vbc.exe
Token: SeIncreaseQuotaPrivilege	1260	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1260	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cdOGqEc0RiM5L3b5.exe

pid process

1352 cdOGqEc0RiM5L3b5.exe

pid	process
1352	cdOGqEc0RiM5L3b5.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe

description	pid	process	target process
PID 4328 wrote to memory of 1352	4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe	cdOGqEc0RiM5L3b5.exe
PID 4328 wrote to memory of 1352	4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe	cdOGqEc0RiM5L3b5.exe
PID 4328 wrote to memory of 1352	4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe	cdOGqEc0RiM5L3b5.exe
PID 4328 wrote to memory of 1260	4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe	vbc.exe
PID 4328 wrote to memory of 1260	4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe	vbc.exe
PID 4328 wrote to memory of 1260	4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe	vbc.exe
PID 4328 wrote to memory of 1260	4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe	vbc.exe
PID 4328 wrote to memory of 1260	4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe	vbc.exe
PID 4328 wrote to memory of 1260	4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe	vbc.exe
PID 4328 wrote to memory of 1260	4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe	vbc.exe
PID 4328 wrote to memory of 1260	4328	8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe
"C:\Users\Admin\AppData\Local\Temp\8583a7b27f2f08665cfd9bfe81a58cac45fda9ea93f48cb226e5c818326895aa.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\cdOGqEc0RiM5L3b5.exe
"C:\Users\Admin\AppData\Local\Temp\cdOGqEc0RiM5L3b5.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:1260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdOGqEc0RiM5L3b5.exe
Filesize
1.8MB

MD5
a73f1d9524938ea432e69d6d20796f93

SHA1
51d1480f868742a13da3c4692d9245c74bfd53da

SHA256
08f92f133bb20adbb8bfb2b3c2c0a4e91cd74abfea8c69c107174d0e3b243bfa

SHA512
17af0f18a2de71d42f5cbc3014304af5afc3489136ec8a24a48f6298f0a3f81cb80e2a1c6e4cf85b50740e1a5c71a1901dc5d1a28737bbacef0f1790404b5b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdOGqEc0RiM5L3b5.exe
Filesize
1.8MB

MD5
a73f1d9524938ea432e69d6d20796f93

SHA1
51d1480f868742a13da3c4692d9245c74bfd53da

SHA256
08f92f133bb20adbb8bfb2b3c2c0a4e91cd74abfea8c69c107174d0e3b243bfa

SHA512
17af0f18a2de71d42f5cbc3014304af5afc3489136ec8a24a48f6298f0a3f81cb80e2a1c6e4cf85b50740e1a5c71a1901dc5d1a28737bbacef0f1790404b5b59

Download Submit
memory/1260-137-0x0000000000000000-mapping.dmp

Download
memory/1260-138-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1260-140-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1260-142-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1260-143-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1260-144-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1352-134-0x0000000000000000-mapping.dmp

Download
memory/4328-132-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/4328-133-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/4328-141-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads