pony | 6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e

Analysis

max time kernel
40s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 06:10

Target

6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e.exe
Size

128KB
MD5

9499724bf606d914ee12105fbd754de4
SHA1

618b6b3d01f746e7ab5741f1585901f7879f249c
SHA256

6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e
SHA512

65e45a9edcea5a3ab5ca63b3f5323749b5cfc43521a67637ba2d6a2d4268d2cc195a58c0b46b8dd21e23e72c0213874503c609799488359934684972c56b79ac
SSDEEP

3072:uGHi6mwnuRP5oNRw6BxqzF4tKzL1xqDHhJVPhwcj:+4u74Rw6B3tKzTqDHhfPhf

Score

10^/10

Family

pony

http://67.215.225.205:8080/forum/viewtopic.php

http://216.231.139.111/forum/viewtopic.php

Attributes

payload_url
http://barna-consulting.info/bsnCqdm3.exe
http://dobracoconstrucoes.com.br/AR5rrw.exe
http://ftp.spaziometi.org/nPgqe.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e.exe

description	pid	process	target process
PID 1248 wrote to memory of 1384	1248	6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e.exe	6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e.exe
PID 1248 wrote to memory of 1384	1248	6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e.exe	6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e.exe
PID 1248 wrote to memory of 1384	1248	6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e.exe	6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e.exe
PID 1248 wrote to memory of 1384	1248	6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e.exe	6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e.exe

C:\Users\Admin\AppData\Local\Temp\6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e.exe
"C:\Users\Admin\AppData\Local\Temp\6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e.exe
"C:\Users\Admin\AppData\Local\Temp\6d813aca96b12db993c8e7a8d1db6cfe4929238c48761e9441bbb9a81a31f89e.exe"
2⤵
PID:1384

memory/1248-54-0x0000000000960000-0x0000000000984000-memory.dmp

Filesize
144KB

Download
memory/1248-55-0x0000000000960000-0x0000000000984000-memory.dmp

Filesize
144KB

Download