pony | e796cc6924c31f424a3549c076c62d6cd551a178226657d6d0ad0b2b93e1a9b2 | Triage

Submit
Reports

Overview

overview

Static

static

e796cc6924...b2.exe

windows7-x64

e796cc6924...b2.exe

windows10-2004-x64

Analysis

max time kernel
335s
max time network
358s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 03:51

Sharing

Static task

static1

Behavioral task

behavioral1

Sample

e796cc6924c31f424a3549c076c62d6cd551a178226657d6d0ad0b2b93e1a9b2.exe

Resource

win7-20220901-en

pony discovery rat spyware stealer

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

e796cc6924c31f424a3549c076c62d6cd551a178226657d6d0ad0b2b93e1a9b2.exe

Resource

win10v2004-20221111-en

pony discovery rat spyware stealer

windows10-2004-x64

4 signatures

150 seconds

Report Analysis Logs

General

Target

e796cc6924c31f424a3549c076c62d6cd551a178226657d6d0ad0b2b93e1a9b2.exe
Size

93KB
MD5

c675864f8115abc6bc36dce2a9d7b0bb
SHA1

26badbc5be4efc5743c6ff66b9dd780eb8cbe126
SHA256

e796cc6924c31f424a3549c076c62d6cd551a178226657d6d0ad0b2b93e1a9b2
SHA512

c77fb3e33de8b0db2fca7d2dd0e46786c585cb8c2898f5c2c6614ebbe3a72c70530effccf3955b1b23332f57f704fc4cf3c1198966ccf9ff17280e0e39b97bae
SSDEEP

1536:d38vHxl3cVJxZdh3H2M/C4vuFNqy+NFsE7a52lTiZcvJwuoAz6EVQ25L6SYp:d3aHT3Edh3gYDPFKAlmZcaxY6gt5L

Score

10^/10

pony discovery rat spyware stealer

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Processes

C:\Users\Admin\AppData\Local\Temp\e796cc6924c31f424a3549c076c62d6cd551a178226657d6d0ad0b2b93e1a9b2.exe
"C:\Users\Admin\AppData\Local\Temp\e796cc6924c31f424a3549c076c62d6cd551a178226657d6d0ad0b2b93e1a9b2.exe"
1⤵
PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-132-0x0000000002140000-0x0000000002240000-memory.dmp

Filesize
1024KB

Download
memory/320-133-0x0000000002140000-0x0000000002240000-memory.dmp

Filesize
1024KB

Download
memory/320-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

© 2018-2025

Terms | Privacy