pony | 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558

General

Target

83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
Size

297KB
MD5

c446479bcfeeba0cf0b7df77dff5baef
SHA1

536fe412431ceac140dc2ac7a2a5d4107551d3fb
SHA256

83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558
SHA512

095f454845ddf29c876cf7d5524c15d7345672a6fe74aa09574accecca7e5ef6333e4366790aec10e5f832e0f6f3794ed1dce4189c46f987acb8719d60dea63d
SSDEEP

6144:NRs9OAwWCadFPSMzW5fJ6GuSjisgGDErz9jkf806MKjYR:NRGOAwWZofLjRgGW948VjY

Score

10^/10

pony collection discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://coco-bomgo.ru/wp-content/themes/twentytwelve/admin1/php/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 2 IoCs

Processes:

FB_C994.tmp.exeFB_CAED.tmp.exe

pid process

4108 FB_C994.tmp.exe
4116 FB_CAED.tmp.exe

pid	process
4108	FB_C994.tmp.exe
4116	FB_CAED.tmp.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FB_CAED.tmp.exe	upx
C:\Users\Admin\AppData\Local\Temp\FB_CAED.tmp.exe	upx
behavioral2/memory/4116-147-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4116-148-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

FB_CAED.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	FB_CAED.tmp.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

FB_CAED.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	FB_CAED.tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe

description	pid	process	target process
PID 732 set thread context of 4304	732	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

FB_CAED.tmp.exe

description	pid	process
Token: SeImpersonatePrivilege	4116	FB_CAED.tmp.exe
Token: SeTcbPrivilege	4116	FB_CAED.tmp.exe
Token: SeChangeNotifyPrivilege	4116	FB_CAED.tmp.exe
Token: SeCreateTokenPrivilege	4116	FB_CAED.tmp.exe
Token: SeBackupPrivilege	4116	FB_CAED.tmp.exe
Token: SeRestorePrivilege	4116	FB_CAED.tmp.exe
Token: SeIncreaseQuotaPrivilege	4116	FB_CAED.tmp.exe
Token: SeAssignPrimaryTokenPrivilege	4116	FB_CAED.tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe

pid process

732 83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe

pid	process
732	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exenet.exe83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe

description	pid	process	target process
PID 732 wrote to memory of 2964	732	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	net.exe
PID 732 wrote to memory of 2964	732	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	net.exe
PID 732 wrote to memory of 2964	732	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	net.exe
PID 2964 wrote to memory of 4244	2964	net.exe	net1.exe
PID 2964 wrote to memory of 4244	2964	net.exe	net1.exe
PID 2964 wrote to memory of 4244	2964	net.exe	net1.exe
PID 732 wrote to memory of 4304	732	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304	732	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304	732	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304	732	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304	732	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304	732	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304	732	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304	732	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 732 wrote to memory of 4304	732	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
PID 4304 wrote to memory of 4108	4304	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	FB_C994.tmp.exe
PID 4304 wrote to memory of 4108	4304	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	FB_C994.tmp.exe
PID 4304 wrote to memory of 4108	4304	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	FB_C994.tmp.exe
PID 4304 wrote to memory of 4116	4304	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	FB_CAED.tmp.exe
PID 4304 wrote to memory of 4116	4304	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	FB_CAED.tmp.exe
PID 4304 wrote to memory of 4116	4304	83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe	FB_CAED.tmp.exe

outlook_win_path 1 IoCs

Processes:

FB_CAED.tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	FB_CAED.tmp.exe

C:\Users\Admin\AppData\Local\Temp\83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
"C:\Users\Admin\AppData\Local\Temp\83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop sharedaccess
2⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop sharedaccess
3⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe
"C:\Users\Admin\AppData\Local\Temp\83fe7ac2262980a94861891f4a49e3e4fc12aeca2b06bda2e58ff3f4f62eb558.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4304

C:\Users\Admin\AppData\Local\Temp\FB_C994.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_C994.tmp.exe"
3⤵
- Executes dropped EXE
PID:4108

C:\Users\Admin\AppData\Local\Temp\FB_CAED.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_CAED.tmp.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:4116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB_C994.tmp.exe
Filesize
138KB

MD5
2370b6bb61ccd369f29f59b7d2ca14a4

SHA1
cc93ff693771b16bc1b50363166d1338c6ec3ff5

SHA256
e3faf2e2f4579e380cab0f2587fa40ded664a0e475183681668fc348cbd8f9f1

SHA512
d7bd2edbfb785b2eaf6594c1bb9c4fc3b94f134d0466c2e817c83383be385eea9fa0f2413e72ec7158ab55c40e50d8879736b6b9365649f8036d5f475a70a676

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_C994.tmp.exe
Filesize
138KB

MD5
2370b6bb61ccd369f29f59b7d2ca14a4

SHA1
cc93ff693771b16bc1b50363166d1338c6ec3ff5

SHA256
e3faf2e2f4579e380cab0f2587fa40ded664a0e475183681668fc348cbd8f9f1

SHA512
d7bd2edbfb785b2eaf6594c1bb9c4fc3b94f134d0466c2e817c83383be385eea9fa0f2413e72ec7158ab55c40e50d8879736b6b9365649f8036d5f475a70a676

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_CAED.tmp.exe
Filesize
34KB

MD5
c35fde5a758e7a483c4f5324e06969b0

SHA1
739845158e3d535e030153e0515fc6abe044d792

SHA256
922fe72860eb43ad02f4255db52e7ac612314846c7839d1e8a830135b15f67e5

SHA512
7efff311582fb09a1822e8e9f719730871801c7cc1a285ab47b2ff68f5592b41a42319f0a697dc1faedd9f99390a5c3f6537f857d9624b3a1110f94c6bedff7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_CAED.tmp.exe
Filesize
34KB

MD5
c35fde5a758e7a483c4f5324e06969b0

SHA1
739845158e3d535e030153e0515fc6abe044d792

SHA256
922fe72860eb43ad02f4255db52e7ac612314846c7839d1e8a830135b15f67e5

SHA512
7efff311582fb09a1822e8e9f719730871801c7cc1a285ab47b2ff68f5592b41a42319f0a697dc1faedd9f99390a5c3f6537f857d9624b3a1110f94c6bedff7b

Download Submit
memory/2964-134-0x0000000000000000-mapping.dmp

Download
memory/4108-140-0x0000000000000000-mapping.dmp

Download
memory/4116-143-0x0000000000000000-mapping.dmp

Download
memory/4116-147-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4116-148-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4244-135-0x0000000000000000-mapping.dmp

Download
memory/4304-136-0x0000000000000000-mapping.dmp

Download
memory/4304-139-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4304-137-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4304-146-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads