pony | d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98

General

Target

d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
Size

124KB
MD5

c9069b4eaed3b8e321f6b1ff19938e44
SHA1

5564bf3fe5eee93db82852f8a1c04bf8938d6bc6
SHA256

d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98
SHA512

5e933b19c94efb7fc6caf9c46f78f7a332debe1cfb3bc95d2c5bc1a390fcd0f074f95cb2efd38b6d8c6b896346327d32d6a78161510017659571076530999505
SSDEEP

1536:XeqRQxvfZvIQ1/beoDTEeno0x5mgHAiBG3nCiCQVeYuWdvBz2umSohogDrIqsL:XkXF/c0nmggiBGSife1W5l23FfIJL

Score

10^/10

pony collection discovery rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://194.1.184.65/internet_gas.php

http://194.1.184.77/internet_gas.php

http://94.23.26.38/jvoie898a/vijasopew83279

http://94.23.26.38/jvoie898a/2ay798faovaaeq

http://94.23.26.38/jvoie898a/ivmtuc432iwqer

http://91.220.35.48/fb/internet.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2948-133-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/2948-135-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/2948-136-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/2948-137-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral2/memory/2948-138-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe

description	pid	process	target process
PID 2960 set thread context of 2948	2960	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe

description	pid	process
Token: SeImpersonatePrivilege	2948	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
Token: SeTcbPrivilege	2948	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
Token: SeChangeNotifyPrivilege	2948	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
Token: SeCreateTokenPrivilege	2948	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
Token: SeBackupPrivilege	2948	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
Token: SeRestorePrivilege	2948	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
Token: SeIncreaseQuotaPrivilege	2948	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
Token: SeAssignPrimaryTokenPrivilege	2948	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe

description	pid	process	target process
PID 2960 wrote to memory of 2948	2960	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
PID 2960 wrote to memory of 2948	2960	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
PID 2960 wrote to memory of 2948	2960	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
PID 2960 wrote to memory of 2948	2960	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
PID 2960 wrote to memory of 2948	2960	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
PID 2960 wrote to memory of 2948	2960	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
PID 2960 wrote to memory of 2948	2960	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
PID 2960 wrote to memory of 2948	2960	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe

outlook_win_path 1 IoCs

Processes:

d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe

C:\Users\Admin\AppData\Local\Temp\d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
"C:\Users\Admin\AppData\Local\Temp\d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
C:\Users\Admin\AppData\Local\Temp\d428d885c09be504af45697ccb0190a6f5712e0559ef5230cf6b9e47969b3d98.exe
2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:2948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2948-132-0x0000000000000000-mapping.dmp

Download
memory/2948-133-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2948-135-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2948-136-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2948-137-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2948-138-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads