pony | 4b8cabae8a2e35cef0d50a79b91c654dd159e6cc7d75d343ff1867ba0cc8607a

Analysis

max time kernel
147s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

593e17125bd844543159d40b03f75c8f.exe
Size

92KB
MD5

593e17125bd844543159d40b03f75c8f
SHA1

441db74d933565d2c22360d38f23e79772c43f6a
SHA256

4b8cabae8a2e35cef0d50a79b91c654dd159e6cc7d75d343ff1867ba0cc8607a
SHA512

b090082931f381cca3690de1d29a53a62b1baef9d9216fe07f5179f0d6e2b76ef897cf3b120015fbae6a198accfa4a043a58dea4947b25539ecb9f427e3d2a7a
SSDEEP

1536:e1u0tXzRvQsfpERs2KSE5VBCucyNazPOdS38uZS/Zm9ZO6e9bFFekmPh4ZS:yjBIPjQAZyNazCSMUAZm9ZO6e9bPekmN

Score

10^/10

pony discovery rat spyware stealer

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

593e17125bd844543159d40b03f75c8f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	593e17125bd844543159d40b03f75c8f.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

593e17125bd844543159d40b03f75c8f.exe

description	pid	process	target process
PID 1592 wrote to memory of 3352	1592	593e17125bd844543159d40b03f75c8f.exe	cmd.exe
PID 1592 wrote to memory of 3352	1592	593e17125bd844543159d40b03f75c8f.exe	cmd.exe
PID 1592 wrote to memory of 3352	1592	593e17125bd844543159d40b03f75c8f.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\593e17125bd844543159d40b03f75c8f.exe
"C:\Users\Admin\AppData\Local\Temp\593e17125bd844543159d40b03f75c8f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytk.bat" "C:\Users\Admin\AppData\Local\Temp\593e17125bd844543159d40b03f75c8f.exe" "
2⤵
PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ytk.bat

Filesize
71B

MD5
e6b031b9b7d40fa332ebc6f38b2f9f64

SHA1
d6dbffcfcc6a26188fd8d2e5b6257af4821fb48f

SHA256
66a04ff993916bce61351e4c3b94ea079c806efb1723c7cd79bd32aaf6847e0b

SHA512
7d17655334fcda4c3326110d340fd91cd23ee284dec99c3a8bbc8408342fda5f51e27aaba75fba4cccd513c342c22f07ad2cf6e2326ba575e3cc0eba4ea91948

Download Submit
memory/1592-0-0x0000000002240000-0x0000000002340000-memory.dmp

Filesize
1024KB

Download
memory/1592-1-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1592-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download