pony | cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee

General

Target

cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe
Size

128KB
MD5

43a04b8fe95da517033a4cc23c6435fa
SHA1

f74d331bd26f6f3441a65e4a82354d0b52a4a070
SHA256

cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee
SHA512

a2864336c54193918b6fb61a5fdc161c37ab241d54a87a1c4a7e726a2c97a344bf870ee94ad44edb06ebee05d3061a69e2f871a7bb1a33ea5958262450045324
SSDEEP

3072:fLv7moIzz+nOZAUMKed2e9bl2Fd9WpaJxaLuBmQ:jvy+nIAUj5wbOaazaLuBmQ

Score

10^/10

pony collection discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://67.215.225.205:8080/forum/viewtopic.php

http://122.201.102.69:8080/forum/viewtopic.php

Attributes

payload_url
http://realitycoaching.es/23sf.exe

http://kms-anwaelte.de/mvCo.exe

http://easyinbox.net/Zsh.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 1524	2684	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe	81

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	1524	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe
Token: SeTcbPrivilege	1524	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe
Token: SeChangeNotifyPrivilege	1524	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe
Token: SeCreateTokenPrivilege	1524	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe
Token: SeBackupPrivilege	1524	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe
Token: SeRestorePrivilege	1524	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe
Token: SeIncreaseQuotaPrivilege	1524	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe
Token: SeAssignPrimaryTokenPrivilege	1524	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 1524	2684	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe	81
PID 2684 wrote to memory of 1524	2684	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe	81
PID 2684 wrote to memory of 1524	2684	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe	81
PID 2684 wrote to memory of 1524	2684	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe	81
PID 2684 wrote to memory of 1524	2684	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe	81
PID 2684 wrote to memory of 1524	2684	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe	81
PID 2684 wrote to memory of 1524	2684	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe	81
PID 2684 wrote to memory of 1524	2684	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe	81

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe

C:\Users\Admin\AppData\Local\Temp\cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe
"C:\Users\Admin\AppData\Local\Temp\cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe
  "C:\Users\Admin\AppData\Local\Temp\cb2746c1f7d5e484ec8b6757e840f3560c028d70f4843ab5b291da4ae0ce4aee.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_win_path
  PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1524-134-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1524-137-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2684-132-0x0000000000DB0000-0x0000000000DD4000-memory.dmp

Filesize
144KB

Download
memory/2684-136-0x0000000000DB0000-0x0000000000DD4000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads