pony | 93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e

General

Target

93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe
Size

132KB
MD5

5047fb8fd1a75f2eeafcc2492f847508
SHA1

cf0ca3e3d801084f3579f89a05118c958c8e5261
SHA256

93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e
SHA512

ba2fe6c4aa2cd7dd64667a6c6e844ede61b897295db414f37d18d550a832e79f8e5e1dd08de550755d1ce4a2b5552b7464ce16e65331e2a86e2cde6b4f8ca09d
SSDEEP

1536:scx7hINAwh06A3Z6LIv96q7mFoEIT5mq/mDjX4z6WLpVh3eK7M+2nHEZg4avy2nG:aAqRk6LgRxtluQz6MpVtM+2nHEN39

Score

10^/10

pony collection discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://69.194.194.21/forum/viewtopic.php

http://108.178.59.55/forum/viewtopic.php

Attributes

payload_url
http://cezarow.nazwa.pl/pr0QZ8oy/U0Y7.exe

http://hello977.com/3Bv7WsbC/yz3W.exe

http://icopedia.com/s7pQPShD/kfwmMr.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1872 set thread context of 1996	1872	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe	27

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	1996	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe
Token: SeTcbPrivilege	1996	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe
Token: SeChangeNotifyPrivilege	1996	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe
Token: SeCreateTokenPrivilege	1996	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe
Token: SeBackupPrivilege	1996	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe
Token: SeRestorePrivilege	1996	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe
Token: SeIncreaseQuotaPrivilege	1996	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe
Token: SeAssignPrimaryTokenPrivilege	1996	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1996	1872	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe	27
PID 1872 wrote to memory of 1996	1872	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe	27
PID 1872 wrote to memory of 1996	1872	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe	27
PID 1872 wrote to memory of 1996	1872	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe	27
PID 1872 wrote to memory of 1996	1872	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe	27
PID 1872 wrote to memory of 1996	1872	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe	27
PID 1872 wrote to memory of 1996	1872	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe	27
PID 1872 wrote to memory of 1996	1872	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe	27
PID 1872 wrote to memory of 1996	1872	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe	27

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe

C:\Users\Admin\AppData\Local\Temp\93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe
"C:\Users\Admin\AppData\Local\Temp\93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe
  "C:\Users\Admin\AppData\Local\Temp\93855147c6288bed1edab94ebfb2ab5af3ad2477f930b5019dc26470cf68494e.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_win_path
  PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1872-54-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1872-64-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1996-55-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1996-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1996-58-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1996-59-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1996-61-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1996-65-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1996-66-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1996-67-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1996-68-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads