pony | 231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db

General

Target

231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Size

100KB
MD5

046952a767b21ebe4c750e29a067cc71
SHA1

4db90105c79ef980cb539af6f89e8c7f6878e15e
SHA256

231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db
SHA512

5655149fa794b9b30f05ff90206a1ac7f33ba666417ba0efee8a06638adf6862896e75a21052f47362fc59f9c6a1f60c69bb21ab47f5696828ffa119b290d193
SSDEEP

1536:TqB8j9QqTMSyWiWLrhwrkdXvKJV44Ri8k2UkOjXihqTvwEKXkzZF:mB+pLrYkZvKJtO2NEKYF

Score

10^/10

pony collection discovery rat spyware stealer

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe

description	pid	process
Token: SeImpersonatePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeTcbPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeChangeNotifyPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeCreateTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeBackupPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeRestorePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeIncreaseQuotaPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeAssignPrimaryTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeImpersonatePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeTcbPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeChangeNotifyPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeCreateTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeBackupPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeRestorePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeIncreaseQuotaPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeAssignPrimaryTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeImpersonatePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeTcbPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeChangeNotifyPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeCreateTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeBackupPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeRestorePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeIncreaseQuotaPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeAssignPrimaryTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeImpersonatePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeTcbPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeChangeNotifyPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeCreateTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeBackupPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeRestorePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeIncreaseQuotaPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeAssignPrimaryTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeImpersonatePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeTcbPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeChangeNotifyPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeCreateTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeBackupPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeRestorePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeIncreaseQuotaPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeAssignPrimaryTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeImpersonatePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeTcbPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeChangeNotifyPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeCreateTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeBackupPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeRestorePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeIncreaseQuotaPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeAssignPrimaryTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeImpersonatePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeTcbPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeChangeNotifyPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeCreateTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeBackupPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeRestorePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeIncreaseQuotaPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeAssignPrimaryTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeImpersonatePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeTcbPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeChangeNotifyPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeCreateTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeBackupPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeRestorePrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeIncreaseQuotaPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
Token: SeAssignPrimaryTokenPrivilege	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe

description	pid	process	target process
PID 384 wrote to memory of 3872	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe	cmd.exe
PID 384 wrote to memory of 3872	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe	cmd.exe
PID 384 wrote to memory of 3872	384	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe

C:\Users\Admin\AppData\Local\Temp\231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe
"C:\Users\Admin\AppData\Local\Temp\231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240575828.bat" "C:\Users\Admin\AppData\Local\Temp\231fa5e477b2133c25bc3d3eeb8928957f7de72d7b9a46f2b5845e449a39d1db.exe" "
2⤵
PID:3872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240575828.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
memory/3872-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads