pony | 5b7d08c2c13f94fea3ff8f017bc1277ae16080885e4fe9a39f9c554147f46b23

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 17:09

Target

079429a05ce57875cca8c38720d31c2e.exe
Size

129KB
MD5

079429a05ce57875cca8c38720d31c2e
SHA1

5c778e757f9ca7a4634f979f7de69bd8ee8d8a1a
SHA256

5b7d08c2c13f94fea3ff8f017bc1277ae16080885e4fe9a39f9c554147f46b23
SHA512

5fb4066d709aacc1e79257aeff42a21b2698ca087a05467c779cf693cb8dcd66ac1035196c7078ffc4b57989dfd90bc85659cd012b9accd3c794b748f16095db
SSDEEP

1536:UUBiFqtXmPmgC9Xc7LPY3pf+gij01r7TNwm7QQHfADHkTZvMS3J/HjYWtLm1DK:UOn16mg2X6gR+B43TNwIWTM/DzqD

Score

10^/10

Family

pony

http://67.215.225.205:8080/forum/viewtopic.php

http://74.91.117.168/forum/viewtopic.php

Attributes

payload_url
http://codglobal.com/9WsB.exe

http://edpromagna.zeronove.it/pUR.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 4920	1336	079429a05ce57875cca8c38720d31c2e.exe	94
PID 1336 wrote to memory of 4920	1336	079429a05ce57875cca8c38720d31c2e.exe	94
PID 1336 wrote to memory of 4920	1336	079429a05ce57875cca8c38720d31c2e.exe	94

C:\Users\Admin\AppData\Local\Temp\079429a05ce57875cca8c38720d31c2e.exe
"C:\Users\Admin\AppData\Local\Temp\079429a05ce57875cca8c38720d31c2e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\079429a05ce57875cca8c38720d31c2e.exe
  "C:\Users\Admin\AppData\Local\Temp\079429a05ce57875cca8c38720d31c2e.exe"
  2⤵
  PID:4920

memory/1336-0-0x0000000000450000-0x0000000000474000-memory.dmp

Filesize
144KB

Download
memory/1336-1-0x0000000000450000-0x0000000000474000-memory.dmp

Filesize
144KB

Download