pony | fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c

General

Target

fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Size

277KB
MD5

9c3eb9d6d97bac4824476f30daf14ea0
SHA1

e16aac321c4c9ac7c5bdab14871639306f818a27
SHA256

fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c
SHA512

d507d363d34bcb77ef945e715d712b36e0cf5d1c71fddc801dad01e12f722725fec2a006370423d7f51279a2ca64d4a17257969004adce6cc6476f439ca8ffb6
SSDEEP

6144:uG10m1mYfBH81GQd7duWNELJzjjb7yj4qGt7eGgH2X:31LNMbdRBNIyj4HtS0X

Score

10^/10

pony collection discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://azpo05.no-ip.biz/pon/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe

description	pid	process	target process
PID 1632 set thread context of 240	1632	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exefca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe

description	pid	process
Token: SeDebugPrivilege	1632	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeImpersonatePrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeTcbPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeChangeNotifyPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeCreateTokenPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeBackupPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeRestorePrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeIncreaseQuotaPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeAssignPrimaryTokenPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeImpersonatePrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeTcbPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeChangeNotifyPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeCreateTokenPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeBackupPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeRestorePrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeIncreaseQuotaPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeAssignPrimaryTokenPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeImpersonatePrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeTcbPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeChangeNotifyPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeCreateTokenPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeBackupPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeRestorePrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeIncreaseQuotaPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeAssignPrimaryTokenPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeImpersonatePrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeTcbPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeChangeNotifyPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeCreateTokenPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeBackupPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeRestorePrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeIncreaseQuotaPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
Token: SeAssignPrimaryTokenPrivilege	240	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe

description	pid	process	target process
PID 1632 wrote to memory of 240	1632	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
PID 1632 wrote to memory of 240	1632	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
PID 1632 wrote to memory of 240	1632	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
PID 1632 wrote to memory of 240	1632	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
PID 1632 wrote to memory of 240	1632	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
PID 1632 wrote to memory of 240	1632	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
PID 1632 wrote to memory of 240	1632	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
PID 1632 wrote to memory of 240	1632	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
PID 1632 wrote to memory of 240	1632	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe

outlook_win_path 1 IoCs

Processes:

fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe

C:\Users\Admin\AppData\Local\Temp\fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
"C:\Users\Admin\AppData\Local\Temp\fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe
"C:\Users\Admin\AppData\Local\Temp\fca39b0e6b64697c9a44303bba1dc35d51b6dfcd56a28e77912cc7484513822c.exe"
2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-61-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/240-57-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/240-58-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/240-60-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/240-63-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/240-64-0x00000000004100CA-mapping.dmp

Download
memory/240-66-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/240-69-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/240-70-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1632-55-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-56-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1632-67-0x00000000748F0000-0x0000000074E9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads