pony | 243036edddff8d25f6997bb6cba8cc784adb92229e149f41420962ed17523c75

General

Target

a81cf5af7a5c1929ef6dea8cf11961cc.exe
Size

2.5MB
MD5

a81cf5af7a5c1929ef6dea8cf11961cc
SHA1

dc360a9605efd32c676d931745f600745ac3579f
SHA256

243036edddff8d25f6997bb6cba8cc784adb92229e149f41420962ed17523c75
SHA512

29fcb5ed083ce5ff92bc01cc8b49249b589311d4b41bf0615efa8837e81224b660d7c912496f875a886af20d495175326907e71a8c3d7ec46efbd1eb54ceeedf
SSDEEP

24576:F2OTeFxvKLuoucZybHXMDg2cQV09aoz25OVn3GuQ5Y3h3js9sy:bTux6ZT0sozGK3Ns9sy

Score

10^/10

pony discovery rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://98.158.129.17:8080/pony/gate.php

http://50.116.9.68/pony/gate.php

Attributes

payload_url
http://www.longingtech.com/14jJyU.exe
http://ghanaleakplus.com/KVvCk7B.exe
http://arvina.cz/PpBCye.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 1 IoCs

Processes:

Child.exe

pid process

1440 Child.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

940 cmd.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1440	Child.exe

pid	process
940	cmd.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Child.exe

description	pid	process
Token: SeImpersonatePrivilege	1440	Child.exe
Token: SeTcbPrivilege	1440	Child.exe
Token: SeChangeNotifyPrivilege	1440	Child.exe
Token: SeCreateTokenPrivilege	1440	Child.exe
Token: SeBackupPrivilege	1440	Child.exe
Token: SeRestorePrivilege	1440	Child.exe
Token: SeIncreaseQuotaPrivilege	1440	Child.exe
Token: SeAssignPrimaryTokenPrivilege	1440	Child.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Child.exe

pid process

1440 Child.exe

pid	process
1440	Child.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a81cf5af7a5c1929ef6dea8cf11961cc.execmd.exe

description	pid	process	target process
PID 1204 wrote to memory of 940	1204	a81cf5af7a5c1929ef6dea8cf11961cc.exe	cmd.exe
PID 1204 wrote to memory of 940	1204	a81cf5af7a5c1929ef6dea8cf11961cc.exe	cmd.exe
PID 1204 wrote to memory of 940	1204	a81cf5af7a5c1929ef6dea8cf11961cc.exe	cmd.exe
PID 1204 wrote to memory of 940	1204	a81cf5af7a5c1929ef6dea8cf11961cc.exe	cmd.exe
PID 940 wrote to memory of 1440	940	cmd.exe	Child.exe
PID 940 wrote to memory of 1440	940	cmd.exe	Child.exe
PID 940 wrote to memory of 1440	940	cmd.exe	Child.exe
PID 940 wrote to memory of 1440	940	cmd.exe	Child.exe

C:\Users\Admin\AppData\Local\Temp\a81cf5af7a5c1929ef6dea8cf11961cc.exe
"C:\Users\Admin\AppData\Local\Temp\a81cf5af7a5c1929ef6dea8cf11961cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c .\Child.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\Child.exe
.\Child.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Child.exe
Filesize
178KB

MD5
63df17fb0b2d7b936d41ab6696a1e163

SHA1
3ff44a657ce599e2d828c8bbaa148895c2933ea5

SHA256
cf9e7f28868b657569cbf18bf47228d06635e742f78316c5a0f14b2bba20044d

SHA512
132347b6e06347eab5347c2076c63d9efced5e9030842036e0cca8ef73552f00586e83dec4d1b4f7ab0b8b69611fa83ffd0cb0ccef98d8c23c81dc9a90e5395a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Child.exe
Filesize
178KB

MD5
63df17fb0b2d7b936d41ab6696a1e163

SHA1
3ff44a657ce599e2d828c8bbaa148895c2933ea5

SHA256
cf9e7f28868b657569cbf18bf47228d06635e742f78316c5a0f14b2bba20044d

SHA512
132347b6e06347eab5347c2076c63d9efced5e9030842036e0cca8ef73552f00586e83dec4d1b4f7ab0b8b69611fa83ffd0cb0ccef98d8c23c81dc9a90e5395a

Download Submit
\Users\Admin\AppData\Local\Temp\Child.exe
Filesize
178KB

MD5
63df17fb0b2d7b936d41ab6696a1e163

SHA1
3ff44a657ce599e2d828c8bbaa148895c2933ea5

SHA256
cf9e7f28868b657569cbf18bf47228d06635e742f78316c5a0f14b2bba20044d

SHA512
132347b6e06347eab5347c2076c63d9efced5e9030842036e0cca8ef73552f00586e83dec4d1b4f7ab0b8b69611fa83ffd0cb0ccef98d8c23c81dc9a90e5395a

Download Submit
memory/1204-61-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/1440-58-0x00000000002F0000-0x0000000000307000-memory.dmp

Filesize
92KB

Download
memory/1440-59-0x0000000000310000-0x0000000000340000-memory.dmp

Filesize
192KB

Download
memory/1440-60-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1440-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing