pony | feb8ef1b98b0eddaf5cef0efb04654cbd28de14784c494ee86e007a9961e7dfb

General

Target

product.scr
Size

624KB
MD5

fff4955ffce3b5e5260408e7fef6872d
SHA1

78b85c6cb35cb007882ecce9602b60cd6c5bae97
SHA256

a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f
SHA512

e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75
SSDEEP

12288:mcER/WFqpOCIYqv2/eso4QDiWVpDiKiS9BYM1efta7iXS6GnEv0CNisXoNBW9x:mcER/WFqpOCIYqv2/eso4QDiW3DiKiSM

Score

10^/10

pony collection discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://190.14.37.80/akpos/Panel/Panelz/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 5 IoCs

Processes:

mamade.exeScan002.scrmamade.exeScan002.scrmamade.exe

pid process

1736 mamade.exe
3636 Scan002.scr
3168 mamade.exe
4312 Scan002.scr
4908 mamade.exe

pid	process
1736	mamade.exe
3636	Scan002.scr
3168	mamade.exe
4312	Scan002.scr
4908	mamade.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4312-152-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral2/memory/4908-159-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4312-161-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral2/memory/4312-165-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4312-163-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral2/memory/4908-166-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4312-167-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Drops startup file 3 IoCs

Processes:

product.scrmamade.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe	product.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe	product.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe	mamade.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

mamade.exeScan002.scr

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	mamade.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Scan002.scr

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

mamade.exeScan002.scr

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	mamade.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Scan002.scr

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

mamade.exeScan002.scrmamade.exe

description	pid	process	target process
PID 1736 set thread context of 3168	1736	mamade.exe	mamade.exe
PID 3636 set thread context of 4312	3636	Scan002.scr	Scan002.scr
PID 3168 set thread context of 4908	3168	mamade.exe	mamade.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Scan002.scrmamade.exe

pid process

3636 Scan002.scr
3636 Scan002.scr
3168 mamade.exe
3168 mamade.exe

pid	process
3636	Scan002.scr
3636	Scan002.scr
3168	mamade.exe
3168	mamade.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

mamade.exeScan002.scr

description	pid	process
Token: SeImpersonatePrivilege	4908	mamade.exe
Token: SeTcbPrivilege	4908	mamade.exe
Token: SeChangeNotifyPrivilege	4908	mamade.exe
Token: SeCreateTokenPrivilege	4908	mamade.exe
Token: SeBackupPrivilege	4908	mamade.exe
Token: SeRestorePrivilege	4908	mamade.exe
Token: SeIncreaseQuotaPrivilege	4908	mamade.exe
Token: SeAssignPrimaryTokenPrivilege	4908	mamade.exe
Token: SeImpersonatePrivilege	4312	Scan002.scr
Token: SeTcbPrivilege	4312	Scan002.scr
Token: SeChangeNotifyPrivilege	4312	Scan002.scr
Token: SeCreateTokenPrivilege	4312	Scan002.scr
Token: SeBackupPrivilege	4312	Scan002.scr
Token: SeRestorePrivilege	4312	Scan002.scr
Token: SeIncreaseQuotaPrivilege	4312	Scan002.scr
Token: SeAssignPrimaryTokenPrivilege	4312	Scan002.scr

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

product.scrmamade.exeScan002.scrmamade.exe

pid process

3720 product.scr
1736 mamade.exe
3636 Scan002.scr
3168 mamade.exe
3636 Scan002.scr
3168 mamade.exe

pid	process
3720	product.scr
1736	mamade.exe
3636	Scan002.scr
3168	mamade.exe
3636	Scan002.scr
3168	mamade.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

product.scrcmd.exemamade.exeScan002.scrmamade.exe

description	pid	process	target process
PID 3720 wrote to memory of 4636	3720	product.scr	cmd.exe
PID 3720 wrote to memory of 4636	3720	product.scr	cmd.exe
PID 3720 wrote to memory of 4636	3720	product.scr	cmd.exe
PID 3720 wrote to memory of 1736	3720	product.scr	mamade.exe
PID 3720 wrote to memory of 1736	3720	product.scr	mamade.exe
PID 3720 wrote to memory of 1736	3720	product.scr	mamade.exe
PID 4636 wrote to memory of 3636	4636	cmd.exe	Scan002.scr
PID 4636 wrote to memory of 3636	4636	cmd.exe	Scan002.scr
PID 4636 wrote to memory of 3636	4636	cmd.exe	Scan002.scr
PID 1736 wrote to memory of 3168	1736	mamade.exe	mamade.exe
PID 1736 wrote to memory of 3168	1736	mamade.exe	mamade.exe
PID 1736 wrote to memory of 3168	1736	mamade.exe	mamade.exe
PID 1736 wrote to memory of 3168	1736	mamade.exe	mamade.exe
PID 1736 wrote to memory of 3168	1736	mamade.exe	mamade.exe
PID 1736 wrote to memory of 3168	1736	mamade.exe	mamade.exe
PID 1736 wrote to memory of 3168	1736	mamade.exe	mamade.exe
PID 1736 wrote to memory of 3168	1736	mamade.exe	mamade.exe
PID 1736 wrote to memory of 3168	1736	mamade.exe	mamade.exe
PID 1736 wrote to memory of 3168	1736	mamade.exe	mamade.exe
PID 1736 wrote to memory of 3168	1736	mamade.exe	mamade.exe
PID 3636 wrote to memory of 4312	3636	Scan002.scr	Scan002.scr
PID 3636 wrote to memory of 4312	3636	Scan002.scr	Scan002.scr
PID 3636 wrote to memory of 4312	3636	Scan002.scr	Scan002.scr
PID 3168 wrote to memory of 4908	3168	mamade.exe	mamade.exe
PID 3168 wrote to memory of 4908	3168	mamade.exe	mamade.exe
PID 3168 wrote to memory of 4908	3168	mamade.exe	mamade.exe
PID 3636 wrote to memory of 4312	3636	Scan002.scr	Scan002.scr
PID 3636 wrote to memory of 4312	3636	Scan002.scr	Scan002.scr
PID 3636 wrote to memory of 4312	3636	Scan002.scr	Scan002.scr
PID 3636 wrote to memory of 4312	3636	Scan002.scr	Scan002.scr
PID 3636 wrote to memory of 4312	3636	Scan002.scr	Scan002.scr
PID 3168 wrote to memory of 4908	3168	mamade.exe	mamade.exe
PID 3168 wrote to memory of 4908	3168	mamade.exe	mamade.exe
PID 3168 wrote to memory of 4908	3168	mamade.exe	mamade.exe
PID 3168 wrote to memory of 4908	3168	mamade.exe	mamade.exe
PID 3168 wrote to memory of 4908	3168	mamade.exe	mamade.exe

outlook_win_path 1 IoCs

Processes:

Scan002.scr

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Scan002.scr

C:\Users\Admin\AppData\Local\Temp\product.scr
"C:\Users\Admin\AppData\Local\Temp\product.scr" /S
1⤵
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Scan002.scr
2⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\Scan002.scr
C:\Users\Admin\AppData\Local\Temp\Scan002.scr
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\Temp\Scan002.scr
C:\Users\Admin\AppData\Local\Temp\Scan002.scr
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:4312

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:4908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Scan002.scr
Filesize
200KB

MD5
261f3314b3cafb38d5b2611e3ae97bd5

SHA1
de94aa12402a0a16fd36e3b2103f38fe549478b8

SHA256
74ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036

SHA512
1c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scan002.scr
Filesize
200KB

MD5
261f3314b3cafb38d5b2611e3ae97bd5

SHA1
de94aa12402a0a16fd36e3b2103f38fe549478b8

SHA256
74ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036

SHA512
1c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scan002.scr
Filesize
200KB

MD5
261f3314b3cafb38d5b2611e3ae97bd5

SHA1
de94aa12402a0a16fd36e3b2103f38fe549478b8

SHA256
74ced44c66224194a486a2f095a07db4ebabf485927676da5ecc1a51e088c036

SHA512
1c02bdce453d7e4d0663d17808d0c3494e8766c9d061dd851173af47bf497ab8f6a32b8556b906cb8ecb7e4c4d83bf0103fb79bdb2ad2bb874ac320163ec3026

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
Filesize
624KB

MD5
fff4955ffce3b5e5260408e7fef6872d

SHA1
78b85c6cb35cb007882ecce9602b60cd6c5bae97

SHA256
a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f

SHA512
e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
Filesize
624KB

MD5
fff4955ffce3b5e5260408e7fef6872d

SHA1
78b85c6cb35cb007882ecce9602b60cd6c5bae97

SHA256
a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f

SHA512
e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
Filesize
624KB

MD5
fff4955ffce3b5e5260408e7fef6872d

SHA1
78b85c6cb35cb007882ecce9602b60cd6c5bae97

SHA256
a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f

SHA512
e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mamade.exe
Filesize
624KB

MD5
fff4955ffce3b5e5260408e7fef6872d

SHA1
78b85c6cb35cb007882ecce9602b60cd6c5bae97

SHA256
a894c9771d9cf0a526dc628e2aaf508db00fac2cf5f3aa45688b6a10366dc19f

SHA512
e50b4668c8247b5c582d8818fdffaa9e4d7eb740197f7fc328b2defdd96b41bc472b04591b6ebfd87ec39e8faf7065b6304b0793270f7ffa7ab4db30d6ba0e75

Download Submit
memory/1736-135-0x0000000000000000-mapping.dmp

Download
memory/3168-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-143-0x0000000000000000-mapping.dmp

Download
memory/3168-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-154-0x00000000005D0000-0x00000000005D4000-memory.dmp

Filesize
16KB

Download
memory/3636-140-0x0000000000000000-mapping.dmp

Download
memory/4312-161-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4312-152-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4312-150-0x0000000000000000-mapping.dmp

Download
memory/4312-165-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4312-163-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4312-167-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4636-134-0x0000000000000000-mapping.dmp

Download
memory/4908-159-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4908-151-0x0000000000000000-mapping.dmp

Download
memory/4908-166-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads