pony | 31fcc1a7c79fa0e760d81e479154824551be394658821275380c9fc45343ae22

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13-08-2023 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ss.exe
Size

556KB
MD5

e6b6af3fa3af6e9f4ae44fce90988389
SHA1

bd325fdf83d8c2d37f04163a07d3ec8eea58bba9
SHA256

b2050e70dd2d045b445e372f31e83215291e2128b95461498c91de7d6f82e3af
SHA512

88a68cfac89f56a8f9c680de1de47c51125e7dc266592978a39dd145aec190b33d5d5cf5b437162235351c1cb4a1909d8a1d47fc65d372615a9ed898f3675558
SSDEEP

6144:xIoSRgtpfD2ywM9r6o/AT59zMXd509EdXYH0U5p4:xwCfD2A9mS859YXdKgn3

Score

10^/10

pony rat spyware stealer

Malware Config

Extracted

Family

pony

http://jo-blanc-fils.com/vsop/panelnew/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Drops startup file 1 IoCs

Processes:

ss.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\null.url ss.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

ss.exe

description pid process target process

PID 2688 set thread context of 2616 2688 ss.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ss.exe

pid process

2688 ss.exe
2688 ss.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\null.url	ss.exe

description	pid	process	target process
PID 2688 set thread context of 2616	2688	ss.exe	vbc.exe

pid	process
2688	ss.exe
2688	ss.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

ss.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2688	ss.exe
Token: SeImpersonatePrivilege	2616	vbc.exe
Token: SeTcbPrivilege	2616	vbc.exe
Token: SeChangeNotifyPrivilege	2616	vbc.exe
Token: SeCreateTokenPrivilege	2616	vbc.exe
Token: SeBackupPrivilege	2616	vbc.exe
Token: SeRestorePrivilege	2616	vbc.exe
Token: SeIncreaseQuotaPrivilege	2616	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2616	vbc.exe
Token: SeImpersonatePrivilege	2616	vbc.exe
Token: SeTcbPrivilege	2616	vbc.exe
Token: SeChangeNotifyPrivilege	2616	vbc.exe
Token: SeCreateTokenPrivilege	2616	vbc.exe
Token: SeBackupPrivilege	2616	vbc.exe
Token: SeRestorePrivilege	2616	vbc.exe
Token: SeIncreaseQuotaPrivilege	2616	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2616	vbc.exe
Token: SeImpersonatePrivilege	2616	vbc.exe
Token: SeTcbPrivilege	2616	vbc.exe
Token: SeChangeNotifyPrivilege	2616	vbc.exe
Token: SeCreateTokenPrivilege	2616	vbc.exe
Token: SeBackupPrivilege	2616	vbc.exe
Token: SeRestorePrivilege	2616	vbc.exe
Token: SeIncreaseQuotaPrivilege	2616	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2616	vbc.exe
Token: SeImpersonatePrivilege	2616	vbc.exe
Token: SeTcbPrivilege	2616	vbc.exe
Token: SeChangeNotifyPrivilege	2616	vbc.exe
Token: SeCreateTokenPrivilege	2616	vbc.exe
Token: SeBackupPrivilege	2616	vbc.exe
Token: SeRestorePrivilege	2616	vbc.exe
Token: SeIncreaseQuotaPrivilege	2616	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2616	vbc.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

ss.execsc.exevbc.exe

description	pid	process	target process
PID 2688 wrote to memory of 1916	2688	ss.exe	csc.exe
PID 2688 wrote to memory of 1916	2688	ss.exe	csc.exe
PID 2688 wrote to memory of 1916	2688	ss.exe	csc.exe
PID 2688 wrote to memory of 1916	2688	ss.exe	csc.exe
PID 1916 wrote to memory of 2528	1916	csc.exe	cvtres.exe
PID 1916 wrote to memory of 2528	1916	csc.exe	cvtres.exe
PID 1916 wrote to memory of 2528	1916	csc.exe	cvtres.exe
PID 1916 wrote to memory of 2528	1916	csc.exe	cvtres.exe
PID 2688 wrote to memory of 2616	2688	ss.exe	vbc.exe
PID 2688 wrote to memory of 2616	2688	ss.exe	vbc.exe
PID 2688 wrote to memory of 2616	2688	ss.exe	vbc.exe
PID 2688 wrote to memory of 2616	2688	ss.exe	vbc.exe
PID 2688 wrote to memory of 2616	2688	ss.exe	vbc.exe
PID 2688 wrote to memory of 2616	2688	ss.exe	vbc.exe
PID 2688 wrote to memory of 2616	2688	ss.exe	vbc.exe
PID 2688 wrote to memory of 2616	2688	ss.exe	vbc.exe
PID 2688 wrote to memory of 2616	2688	ss.exe	vbc.exe
PID 2616 wrote to memory of 3060	2616	vbc.exe	cmd.exe
PID 2616 wrote to memory of 3060	2616	vbc.exe	cmd.exe
PID 2616 wrote to memory of 3060	2616	vbc.exe	cmd.exe
PID 2616 wrote to memory of 3060	2616	vbc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ss.exe
"C:\Users\Admin\AppData\Local\Temp\ss.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC4D.tmp" "c:\Users\Admin\AppData\Local\Temp\traigy22\CSC78D03A35B7984DF6A7F03117A8B1DFFB.TMP"
3⤵
PID:2528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259446729.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
3⤵
PID:3060

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259446729.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\259446729.bat
Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC4D.tmp
Filesize
1KB

MD5
59813bc7aa219b3ef2948d4a941855c1

SHA1
8869c3383a92e88d4d315278020137f45d62807c

SHA256
358382c169d7534361a663728db1f347f60b0a1bc872e8c5cefac61b808cccf7

SHA512
a9c6bd411423d5d196996da95ac512425509c5256d6f25f5077a565f7fd22c8ba1b78a294991ed6ab22e4b929def8c13eed0986a397c317ededc01e899604f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.dll
Filesize
7KB

MD5
ba381278aac27444670bef56e3318fa9

SHA1
4895543d6548cab0b6822c3772fb81032998c65b

SHA256
0f9de8452cb226183eb90e291dcaf90fc9e53e681e875107cb44ece721c22d52

SHA512
d2c91cee6af3b7a04ae0e8439a06ba98fc2635cd528366549a74be8d70af409820d6ecd0369cf411828ba7435c18656cc9db0fbccab05f546325285d963126bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.pdb
Filesize
19KB

MD5
7e4c9c63fb43c38f20030d053991f891

SHA1
800752c72739dcc64924fc03c9d648871df3bab0

SHA256
b5dc5baf8b8577b9fdb704da3af6654c19d2ca1586150ae54469f0be534418a9

SHA512
30554be574af975618b5ed4e3c8592bd7cad0d67e6b4bb09eba2e39fc55f6e7be4df25db65349fd2c484aa04ec118fea35e66473c853360d665a5ac1779aabfc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\traigy22\CSC78D03A35B7984DF6A7F03117A8B1DFFB.TMP
Filesize
1KB

MD5
e10a9737bef7b773cdb882880be67d01

SHA1
12ea760cd7650c709e0721a5426066ebb41ead05

SHA256
d9ac258e58a435cd703b9593d951e9b194810d425fb2b5cb215cdb0a9430c6af

SHA512
695fd374a5ece2ff5695156003bde2b6d125febfedd9fd7181f551b6479d9e63f48cbe19185e8dc536aea7c803e8c65d6b5463eacd83ab89aba73f221f2b2416

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.0.cs
Filesize
6KB

MD5
be3ee94e0df736f6079cf3f82039b9b9

SHA1
b1e5a6f2cf3790dd17e19dbe9d4f881b7922c817

SHA256
44b89526f2f795feff6e5c6762e55466699f8e6b09f74aff7968b94c1249e1fd

SHA512
655b49fcd792823219e5381e2e232606e86296d46e8b6b37c1c2656eb98927bce532aca4179584a595b00c612c569ee870da00a5f8684cb461d2a29d948aedb7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.cmdline
Filesize
312B

MD5
21abb1e56326228edcd5bb5be040110c

SHA1
a2909111f5931db17748529b7565c458a78c9884

SHA256
820b0969fc10287878289d67337872449403ae59ec6c4976c54302b8266bb9e2

SHA512
30b6b4668041a7980ad9464fd38a1bc084d1ad41bfc40193ad534b7f84ded05a624599fb771f7a975fd71ffc23068f90f7a970ea6482f92293e1950207d9f8c1

Download Submit
memory/2616-83-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-82-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2616-98-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2616-97-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/2616-87-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2616-85-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2616-79-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2616-80-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2616-81-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2688-78-0x0000000000570000-0x0000000000589000-memory.dmp

Filesize
100KB

Download
memory/2688-54-0x00000000008A0000-0x00000000008FE000-memory.dmp

Filesize
376KB

Download
memory/2688-57-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/2688-75-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/2688-88-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2688-56-0x0000000000810000-0x0000000000850000-memory.dmp

Filesize
256KB

Download
memory/2688-74-0x0000000000600000-0x0000000000626000-memory.dmp

Filesize
152KB

Download
memory/2688-72-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2688-55-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download