pony | ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a

General

Target

ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Size

103KB
MD5

e6d41215f7f5d61e7a088e6e3f2cef57
SHA1

04c8890e1e8d488e451eadb707d538ed8aaad312
SHA256

ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a
SHA512

ebea1b6ff92b80671b42a16e8de3d6b5715e83733aef56c9bc93b58ec66d6313b9eea96d9c648161574618898ab9eee6efed0a0803ea5891f9ef0d6548563a78
SSDEEP

3072:7fSw/ZxLsQMer0vwsGrjL4WMQpe4RlTQXj:bSw/HIrojL4WbpPlkX

Score

10^/10

pony collection discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://neradio.ru/libraries/joomla/session/user.php

Attributes

payload_url
http://bontravel.com.ua/wp-includes/pomo/update.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4648 4684 WerFault.exe ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe

pid	pid_target	process	target process
4648	4684	WerFault.exe	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe

description	pid	process
Token: SeImpersonatePrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeTcbPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeChangeNotifyPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeCreateTokenPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeBackupPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeRestorePrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeIncreaseQuotaPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeAssignPrimaryTokenPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeImpersonatePrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeTcbPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeChangeNotifyPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeCreateTokenPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeBackupPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeRestorePrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeIncreaseQuotaPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeAssignPrimaryTokenPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeImpersonatePrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeTcbPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeChangeNotifyPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeCreateTokenPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeBackupPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeRestorePrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeIncreaseQuotaPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeAssignPrimaryTokenPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeImpersonatePrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeTcbPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeChangeNotifyPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeCreateTokenPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeBackupPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeRestorePrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeIncreaseQuotaPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeAssignPrimaryTokenPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeImpersonatePrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeTcbPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeChangeNotifyPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeCreateTokenPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeBackupPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeRestorePrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeIncreaseQuotaPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeAssignPrimaryTokenPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeImpersonatePrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeTcbPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeChangeNotifyPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeCreateTokenPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeBackupPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeRestorePrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeIncreaseQuotaPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
Token: SeAssignPrimaryTokenPrivilege	4684	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe

outlook_win_path 1 IoCs

Processes:

ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe

C:\Users\Admin\AppData\Local\Temp\ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe
"C:\Users\Admin\AppData\Local\Temp\ac2a327b1fe8922b6385c5947a191dcf890321a5832c6bdecb3da8d84038143a.exe"
1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 220
2⤵
- Program crash
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4684 -ip 4684
1⤵
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4684-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4684-133-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4684-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4684-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4684-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads