pony | 7c4e0b95c73cc6c75ad1c74bc4bb7ea27444015c9934a000cf183eb5d4948a3b | Triage

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-05-2023 11:20

Sharing

Report Analysis Logs

General

Target

06573599.exe
Size

1.1MB
MD5

aaecf776a6f8850da8a1b4d63bc15e6c
SHA1

a17344b14cc9bf756d8b52666dfb665e19e8bb31
SHA256

7c4e0b95c73cc6c75ad1c74bc4bb7ea27444015c9934a000cf183eb5d4948a3b
SHA512

8f8a04540d5c3dde132dd876376dc1b0195cc911c0ca746f67a4761d5c00602c7cb1cf1958d03cbddf3736cfe46a22c7ae1ad634b5260db4c89cb3aae2950f8d
SSDEEP

24576:iu6J33O0c+JY5UZ+XC0kGsoTGcjr1I1lOq6sb8hTH7NWYu:Eu0c++OCvkGsEGcjr1i6skHUYu

Score

10^/10

pony rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://185.79.156.18/bit/03/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/988-54-0x0000000000F40000-0x0000000001068000-memory.dmp	autoit_exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

06573599.exe

pid process

988 06573599.exe
988 06573599.exe
988 06573599.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

06573599.exe

pid process

988 06573599.exe
988 06573599.exe
988 06573599.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

06573599.exe

description	pid	process	target process
PID 988 wrote to memory of 2012	988	06573599.exe	RegAsm.exe
PID 988 wrote to memory of 2012	988	06573599.exe	RegAsm.exe
PID 988 wrote to memory of 2012	988	06573599.exe	RegAsm.exe
PID 988 wrote to memory of 2012	988	06573599.exe	RegAsm.exe
PID 988 wrote to memory of 2012	988	06573599.exe	RegAsm.exe
PID 988 wrote to memory of 2012	988	06573599.exe	RegAsm.exe
PID 988 wrote to memory of 2012	988	06573599.exe	RegAsm.exe
PID 988 wrote to memory of 2012	988	06573599.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\06573599.exe
"C:\Users\Admin\AppData\Local\Temp\06573599.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:2012

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/988-54-0x0000000000F40000-0x0000000001068000-memory.dmp

Filesize
1.2MB

Download
memory/988-61-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2012-58-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2012-57-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download