pony | 5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0

General

Target

5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe
Size

2.4MB
MD5

dd609583a5baf83eda150f9365e77067
SHA1

d449bd9634d29e429cc1378f171a00b018fd6b44
SHA256

5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0
SHA512

695259a378f7ed10cb1ffe7fe9e75f5af0fb6befe3d3333c9dcdb1ab8d2f8365639c033dda9d83738e28b37cf711b65e01395dcf853691ec7e41b1489a5fbcec
SSDEEP

24576:F2OTeFxvKLuoucZybHXMDg2cQV09aoz25OVn3GuQ5Y3h3js9shlieh:bTux6ZT0sozGK3Ns9shlFh

Score

10^/10

pony rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://www.alberghi.com:8080/pony/gate.php

http://buyandsmile.atomclick.co:8080/pony/gate.php

Attributes

payload_url
http://ftp.eburneenne.com/7zBY7xS.exe

http://www.spetter.com/mi19YgV.exe

http://photosfoto.com/uTM.exe

http://www.daginternacional.com/trXe.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 1 IoCs

Processes:

Child.exe

pid process

1932 Child.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

1976 cmd.exe
568 WerFault.exe
568 WerFault.exe
568 WerFault.exe
568 WerFault.exe
568 WerFault.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

568 1932 WerFault.exe Child.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Child.exe

pid process

1932 Child.exe

pid	process
1932	Child.exe

pid	process
1976	cmd.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe

pid	pid_target	process	target process
568	1932	WerFault.exe	Child.exe

pid	process
1932	Child.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.execmd.exeChild.exe

description	pid	process	target process
PID 1724 wrote to memory of 1976	1724	5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe	cmd.exe
PID 1724 wrote to memory of 1976	1724	5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe	cmd.exe
PID 1724 wrote to memory of 1976	1724	5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe	cmd.exe
PID 1724 wrote to memory of 1976	1724	5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe	cmd.exe
PID 1976 wrote to memory of 1932	1976	cmd.exe	Child.exe
PID 1976 wrote to memory of 1932	1976	cmd.exe	Child.exe
PID 1976 wrote to memory of 1932	1976	cmd.exe	Child.exe
PID 1976 wrote to memory of 1932	1976	cmd.exe	Child.exe
PID 1932 wrote to memory of 568	1932	Child.exe	WerFault.exe
PID 1932 wrote to memory of 568	1932	Child.exe	WerFault.exe
PID 1932 wrote to memory of 568	1932	Child.exe	WerFault.exe
PID 1932 wrote to memory of 568	1932	Child.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe
"C:\Users\Admin\AppData\Local\Temp\5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c .\Child.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\Child.exe
.\Child.exe
3⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 192
4⤵
- Loads dropped DLL
- Program crash
PID:568

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Child.exe
Filesize
137KB

MD5
00f447529c6b07feaf76e7e00ec4b50a

SHA1
25bae6d02ff7c6d1a19e3ffc2936c650645d2265

SHA256
81552d75d8021824d8e516357a306f38c25e904e83accbcf806e6a33fbc0d9ce

SHA512
54a5bf50c9ba4293882f708bd6ba2ea44b93e17d23694153f1d6f9b0e84ea73674b076c793d6f582b6c6362367777dade2d1d372a2b437b2830a2356a4228664

Download Submit
C:\Users\Admin\AppData\Local\Temp\Child.exe
Filesize
137KB

MD5
00f447529c6b07feaf76e7e00ec4b50a

SHA1
25bae6d02ff7c6d1a19e3ffc2936c650645d2265

SHA256
81552d75d8021824d8e516357a306f38c25e904e83accbcf806e6a33fbc0d9ce

SHA512
54a5bf50c9ba4293882f708bd6ba2ea44b93e17d23694153f1d6f9b0e84ea73674b076c793d6f582b6c6362367777dade2d1d372a2b437b2830a2356a4228664

Download Submit
\Users\Admin\AppData\Local\Temp\Child.exe
Filesize
137KB

MD5
00f447529c6b07feaf76e7e00ec4b50a

SHA1
25bae6d02ff7c6d1a19e3ffc2936c650645d2265

SHA256
81552d75d8021824d8e516357a306f38c25e904e83accbcf806e6a33fbc0d9ce

SHA512
54a5bf50c9ba4293882f708bd6ba2ea44b93e17d23694153f1d6f9b0e84ea73674b076c793d6f582b6c6362367777dade2d1d372a2b437b2830a2356a4228664

Download Submit
\Users\Admin\AppData\Local\Temp\Child.exe
Filesize
137KB

MD5
00f447529c6b07feaf76e7e00ec4b50a

SHA1
25bae6d02ff7c6d1a19e3ffc2936c650645d2265

SHA256
81552d75d8021824d8e516357a306f38c25e904e83accbcf806e6a33fbc0d9ce

SHA512
54a5bf50c9ba4293882f708bd6ba2ea44b93e17d23694153f1d6f9b0e84ea73674b076c793d6f582b6c6362367777dade2d1d372a2b437b2830a2356a4228664

Download Submit
\Users\Admin\AppData\Local\Temp\Child.exe
Filesize
137KB

MD5
00f447529c6b07feaf76e7e00ec4b50a

SHA1
25bae6d02ff7c6d1a19e3ffc2936c650645d2265

SHA256
81552d75d8021824d8e516357a306f38c25e904e83accbcf806e6a33fbc0d9ce

SHA512
54a5bf50c9ba4293882f708bd6ba2ea44b93e17d23694153f1d6f9b0e84ea73674b076c793d6f582b6c6362367777dade2d1d372a2b437b2830a2356a4228664

Download Submit
\Users\Admin\AppData\Local\Temp\Child.exe
Filesize
137KB

MD5
00f447529c6b07feaf76e7e00ec4b50a

SHA1
25bae6d02ff7c6d1a19e3ffc2936c650645d2265

SHA256
81552d75d8021824d8e516357a306f38c25e904e83accbcf806e6a33fbc0d9ce

SHA512
54a5bf50c9ba4293882f708bd6ba2ea44b93e17d23694153f1d6f9b0e84ea73674b076c793d6f582b6c6362367777dade2d1d372a2b437b2830a2356a4228664

Download Submit
\Users\Admin\AppData\Local\Temp\Child.exe
Filesize
137KB

MD5
00f447529c6b07feaf76e7e00ec4b50a

SHA1
25bae6d02ff7c6d1a19e3ffc2936c650645d2265

SHA256
81552d75d8021824d8e516357a306f38c25e904e83accbcf806e6a33fbc0d9ce

SHA512
54a5bf50c9ba4293882f708bd6ba2ea44b93e17d23694153f1d6f9b0e84ea73674b076c793d6f582b6c6362367777dade2d1d372a2b437b2830a2356a4228664

Download Submit
\Users\Admin\AppData\Local\Temp\Child.exe
Filesize
137KB

MD5
00f447529c6b07feaf76e7e00ec4b50a

SHA1
25bae6d02ff7c6d1a19e3ffc2936c650645d2265

SHA256
81552d75d8021824d8e516357a306f38c25e904e83accbcf806e6a33fbc0d9ce

SHA512
54a5bf50c9ba4293882f708bd6ba2ea44b93e17d23694153f1d6f9b0e84ea73674b076c793d6f582b6c6362367777dade2d1d372a2b437b2830a2356a4228664

Download Submit
memory/1724-66-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/1932-64-0x0000000000280000-0x00000000002A4000-memory.dmp

Filesize
144KB

Download
memory/1932-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1932-63-0x0000000000260000-0x0000000000277000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing