pony | 15ac3e1e72396a1633a29f848569f0c3f6b0781ae5b4c41bd068f617500c4da7

General

Target

8.exe
Size

166KB
MD5

392d7d7f1914dd823d01554471881c42
SHA1

f511f5cce1caeee2cb6bf46ccbb639c98b60d4f2
SHA256

60da9a353c2ca13cdbcba17dfd53ccaa42d12614aba9d3f03ad66e11895a1813
SHA512

580f87205920c05f93ca725bfa8f260412448fc7e22e8a1190edd8bb37b7521097f0917bc3a8e156a75375c79649dff1575dc720cf066876570f9a502a16875c
SSDEEP

3072:T7Efexez/bONut3SdvOri6bJb3DcFKKkgTeO7gXsuME23v44Aa:T7BDOG4zcFKb4gXsuMnv44

Score

10^/10

pony collection rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://wholeheartedglobal.org/Az/panelnew/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Drops startup file 1 IoCs

Processes:

8.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url 8.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	8.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8.exe

description pid process target process

PID 2696 set thread context of 2676 2696 8.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8.exe

pid process

2696 8.exe
2696 8.exe

description	pid	process	target process
PID 2696 set thread context of 2676	2696	8.exe	vbc.exe

pid	process
2696	8.exe
2696	8.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

8.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2696	8.exe
Token: SeImpersonatePrivilege	2676	vbc.exe
Token: SeTcbPrivilege	2676	vbc.exe
Token: SeChangeNotifyPrivilege	2676	vbc.exe
Token: SeCreateTokenPrivilege	2676	vbc.exe
Token: SeBackupPrivilege	2676	vbc.exe
Token: SeRestorePrivilege	2676	vbc.exe
Token: SeIncreaseQuotaPrivilege	2676	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2676	vbc.exe
Token: SeImpersonatePrivilege	2676	vbc.exe
Token: SeTcbPrivilege	2676	vbc.exe
Token: SeChangeNotifyPrivilege	2676	vbc.exe
Token: SeCreateTokenPrivilege	2676	vbc.exe
Token: SeBackupPrivilege	2676	vbc.exe
Token: SeRestorePrivilege	2676	vbc.exe
Token: SeIncreaseQuotaPrivilege	2676	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2676	vbc.exe
Token: SeImpersonatePrivilege	2676	vbc.exe
Token: SeTcbPrivilege	2676	vbc.exe
Token: SeChangeNotifyPrivilege	2676	vbc.exe
Token: SeCreateTokenPrivilege	2676	vbc.exe
Token: SeBackupPrivilege	2676	vbc.exe
Token: SeRestorePrivilege	2676	vbc.exe
Token: SeIncreaseQuotaPrivilege	2676	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2676	vbc.exe
Token: SeImpersonatePrivilege	2676	vbc.exe
Token: SeTcbPrivilege	2676	vbc.exe
Token: SeChangeNotifyPrivilege	2676	vbc.exe
Token: SeCreateTokenPrivilege	2676	vbc.exe
Token: SeBackupPrivilege	2676	vbc.exe
Token: SeRestorePrivilege	2676	vbc.exe
Token: SeIncreaseQuotaPrivilege	2676	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2676	vbc.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

8.execsc.exevbc.exe

description	pid	process	target process
PID 2696 wrote to memory of 1740	2696	8.exe	csc.exe
PID 2696 wrote to memory of 1740	2696	8.exe	csc.exe
PID 2696 wrote to memory of 1740	2696	8.exe	csc.exe
PID 2696 wrote to memory of 1740	2696	8.exe	csc.exe
PID 1740 wrote to memory of 2924	1740	csc.exe	cvtres.exe
PID 1740 wrote to memory of 2924	1740	csc.exe	cvtres.exe
PID 1740 wrote to memory of 2924	1740	csc.exe	cvtres.exe
PID 1740 wrote to memory of 2924	1740	csc.exe	cvtres.exe
PID 2696 wrote to memory of 2676	2696	8.exe	vbc.exe
PID 2696 wrote to memory of 2676	2696	8.exe	vbc.exe
PID 2696 wrote to memory of 2676	2696	8.exe	vbc.exe
PID 2696 wrote to memory of 2676	2696	8.exe	vbc.exe
PID 2696 wrote to memory of 2676	2696	8.exe	vbc.exe
PID 2696 wrote to memory of 2676	2696	8.exe	vbc.exe
PID 2696 wrote to memory of 2676	2696	8.exe	vbc.exe
PID 2696 wrote to memory of 2676	2696	8.exe	vbc.exe
PID 2696 wrote to memory of 2676	2696	8.exe	vbc.exe
PID 2676 wrote to memory of 2208	2676	vbc.exe	cmd.exe
PID 2676 wrote to memory of 2208	2676	vbc.exe	cmd.exe
PID 2676 wrote to memory of 2208	2676	vbc.exe	cmd.exe
PID 2676 wrote to memory of 2208	2676	vbc.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8.exe
"C:\Users\Admin\AppData\Local\Temp\8.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\31iles0v\31iles0v.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89E8.tmp" "c:\Users\Admin\AppData\Local\Temp\31iles0v\CSCA10F0BE85A426CAC7DEA91DB4FED44.TMP"
    3⤵
    PID:2924
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_win_path
  PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\259433983.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
    3⤵
    PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

2

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259433983.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31iles0v\31iles0v.dll

Filesize
6KB

MD5
05545831ad33f2da60d08e3665046595

SHA1
9026c12544de6a04ce18fcd5017d3b6211216f65

SHA256
4e825ffe81c3331ef18b2daef02fafbaf8d6665a1742dbb60ff39b4896d3dd66

SHA512
b327e2a7ea59e2287fcad3cd36c35dc92af6d4f5597f0149cb73c862b16c4e7c8ebfd6af00db06708d382394c5c85bf30709824805cfc28ce83b0789080a6747

Download Submit
C:\Users\Admin\AppData\Local\Temp\31iles0v\31iles0v.pdb

Filesize
19KB

MD5
b9d32e4e0595a7627d6cad52a21ccf89

SHA1
503672c427b27347306dcef9712d59a1a7ce23d9

SHA256
f656e7d6b51f741a6485ebf6b916f9011eb35400ef6b6cab0b5f50f6f677309b

SHA512
faf02fd992832cb2db7b29ea978a9aa73bd724dcf09075ec128afdeb6b9a45c8df453154c4ac506ada80b65245eb34e726856650afc918dc719f9e0961c62847

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES89E8.tmp

Filesize
1KB

MD5
dc1dd2a944cb87ed6e90d94aad7daf3a

SHA1
8b750dd105a1d8bd6da0456e4b5c51de86542188

SHA256
3d28868ce5adaaae8752ca47966625b434dd2bcf3054895cb8d859e546b3bff3

SHA512
c65d52026b4eb780e68c67ec55c5ec21045020249cc0d2eec86da5f63a34c830779b800e9123598e8b7ff650e88f89ee553a3de67e9febc4eebfa748df792a7d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\31iles0v\31iles0v.0.cs

Filesize
3KB

MD5
dadf6f8ea29b54c9e635377663710027

SHA1
a09617b5f46ab2a0eec6b581e1d38ea65486f884

SHA256
7e07f0f03f765d2cc2d98b87eab4ed231fcfb7f9b868284edd82f69ed7f38cce

SHA512
345aed870288cb1d182d9db9de82828cd01219e473db45e4375dcef6e2e4d3cfc9506de70be0eeefe6d59c92a735f2c2823caf5d2c77bc8d6caa40d056cf5c09

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\31iles0v\31iles0v.cmdline

Filesize
248B

MD5
caf4d081d6937bce2bcecc812b9ca2d6

SHA1
0798910ea940f33c57a8c4c8d3e5cb899b4e843f

SHA256
7af55c4956932eaf0cdbb8b6f4f098aa6661894ecb47a685a462ef9216dcf87b

SHA512
99320f8deaed06b4cc424b39f15e4bbe9449a01823737c1dbf9ec994dd7ce144c78b93cfc280a3e8bcc039cb0b5b7e152c39d3c519e38a803e0cbcbce0a8dde2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\31iles0v\CSCA10F0BE85A426CAC7DEA91DB4FED44.TMP

Filesize
1KB

MD5
3f6bbc2edd40b74ff06903333ca1e1ed

SHA1
f164b5373abbf0de3dd94983e3ed799bf84eae1e

SHA256
36e55c98037578defcb7d2dab4434536b32fd272791fed36670e6b84d7cc5f87

SHA512
fe100cf2174a59b9b1fca1b00f74f6073cd48a635348d01d8e15c5fe1497c01606ca5222c7322e1a4a84b65de4ccee05cc80c910399be3f3a474d9a8120eb2ae

Download Submit
memory/2676-28-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2676-24-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2676-49-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2676-26-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2676-30-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2676-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2676-36-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2676-34-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2676-37-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2696-23-0x0000000000720000-0x0000000000739000-memory.dmp

Filesize
100KB

Download
memory/2696-20-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2696-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/2696-19-0x0000000000600000-0x0000000000626000-memory.dmp

Filesize
152KB

Download
memory/2696-4-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-38-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-1-0x0000000000D00000-0x0000000000D30000-memory.dmp

Filesize
192KB

Download
memory/2696-17-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads