pony | 5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0

Analysis

max time kernel
133s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2023 23:24

Target

5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe
Size

2.4MB
MD5

dd609583a5baf83eda150f9365e77067
SHA1

d449bd9634d29e429cc1378f171a00b018fd6b44
SHA256

5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0
SHA512

695259a378f7ed10cb1ffe7fe9e75f5af0fb6befe3d3333c9dcdb1ab8d2f8365639c033dda9d83738e28b37cf711b65e01395dcf853691ec7e41b1489a5fbcec
SSDEEP

24576:F2OTeFxvKLuoucZybHXMDg2cQV09aoz25OVn3GuQ5Y3h3js9shlieh:bTux6ZT0sozGK3Ns9shlFh

Score

10^/10

Family

pony

http://www.alberghi.com:8080/pony/gate.php

http://buyandsmile.atomclick.co:8080/pony/gate.php

Attributes

payload_url
http://ftp.eburneenne.com/7zBY7xS.exe
http://www.spetter.com/mi19YgV.exe
http://photosfoto.com/uTM.exe
http://www.daginternacional.com/trXe.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Executes dropped EXE 1 IoCs

Processes:

Child.exe

pid process

4248 Child.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

628 4248 WerFault.exe Child.exe

pid	process
4248	Child.exe

pid	pid_target	process	target process
628	4248	WerFault.exe	Child.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.execmd.exe

description	pid	process	target process
PID 5052 wrote to memory of 5072	5052	5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe	cmd.exe
PID 5052 wrote to memory of 5072	5052	5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe	cmd.exe
PID 5052 wrote to memory of 5072	5052	5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe	cmd.exe
PID 5072 wrote to memory of 4248	5072	cmd.exe	Child.exe
PID 5072 wrote to memory of 4248	5072	cmd.exe	Child.exe
PID 5072 wrote to memory of 4248	5072	cmd.exe	Child.exe

C:\Users\Admin\AppData\Local\Temp\5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe
"C:\Users\Admin\AppData\Local\Temp\5f697f9e967d6f2f01beb702cae01a5696444372545381315f68ce00c45902d0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c .\Child.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:5072

C:\Users\Admin\AppData\Local\Temp\Child.exe
.\Child.exe
3⤵
- Executes dropped EXE
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 508
4⤵
- Program crash
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4248 -ip 4248
1⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\Child.exe
Filesize
137KB

MD5
00f447529c6b07feaf76e7e00ec4b50a

SHA1
25bae6d02ff7c6d1a19e3ffc2936c650645d2265

SHA256
81552d75d8021824d8e516357a306f38c25e904e83accbcf806e6a33fbc0d9ce

SHA512
54a5bf50c9ba4293882f708bd6ba2ea44b93e17d23694153f1d6f9b0e84ea73674b076c793d6f582b6c6362367777dade2d1d372a2b437b2830a2356a4228664

Download Submit
C:\Users\Admin\AppData\Local\Temp\Child.exe
Filesize
137KB

MD5
00f447529c6b07feaf76e7e00ec4b50a

SHA1
25bae6d02ff7c6d1a19e3ffc2936c650645d2265

SHA256
81552d75d8021824d8e516357a306f38c25e904e83accbcf806e6a33fbc0d9ce

SHA512
54a5bf50c9ba4293882f708bd6ba2ea44b93e17d23694153f1d6f9b0e84ea73674b076c793d6f582b6c6362367777dade2d1d372a2b437b2830a2356a4228664

Download Submit
memory/4248-137-0x00000000006C0000-0x00000000006D7000-memory.dmp

Filesize
92KB

Download
memory/4248-138-0x0000000002090000-0x00000000020B4000-memory.dmp

Filesize
144KB

Download
memory/4248-139-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/5052-141-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download