pony | 15ac3e1e72396a1633a29f848569f0c3f6b0781ae5b4c41bd068f617500c4da7

General

Target

8.exe
Size

166KB
MD5

392d7d7f1914dd823d01554471881c42
SHA1

f511f5cce1caeee2cb6bf46ccbb639c98b60d4f2
SHA256

60da9a353c2ca13cdbcba17dfd53ccaa42d12614aba9d3f03ad66e11895a1813
SHA512

580f87205920c05f93ca725bfa8f260412448fc7e22e8a1190edd8bb37b7521097f0917bc3a8e156a75375c79649dff1575dc720cf066876570f9a502a16875c
SSDEEP

3072:T7Efexez/bONut3SdvOri6bJb3DcFKKkgTeO7gXsuME23v44Aa:T7BDOG4zcFKb4gXsuMnv44

Score

10^/10

pony collection rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://wholeheartedglobal.org/Az/panelnew/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Drops startup file 1 IoCs

Processes:

8.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url 8.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	8.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8.exe

description pid process target process

PID 1040 set thread context of 452 1040 8.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8.exe

pid process

1040 8.exe
1040 8.exe

description	pid	process	target process
PID 1040 set thread context of 452	1040	8.exe	vbc.exe

pid	process
1040	8.exe
1040	8.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

8.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1040	8.exe
Token: SeImpersonatePrivilege	452	vbc.exe
Token: SeTcbPrivilege	452	vbc.exe
Token: SeChangeNotifyPrivilege	452	vbc.exe
Token: SeCreateTokenPrivilege	452	vbc.exe
Token: SeBackupPrivilege	452	vbc.exe
Token: SeRestorePrivilege	452	vbc.exe
Token: SeIncreaseQuotaPrivilege	452	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	452	vbc.exe
Token: SeImpersonatePrivilege	452	vbc.exe
Token: SeTcbPrivilege	452	vbc.exe
Token: SeChangeNotifyPrivilege	452	vbc.exe
Token: SeCreateTokenPrivilege	452	vbc.exe
Token: SeBackupPrivilege	452	vbc.exe
Token: SeRestorePrivilege	452	vbc.exe
Token: SeIncreaseQuotaPrivilege	452	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	452	vbc.exe
Token: SeImpersonatePrivilege	452	vbc.exe
Token: SeTcbPrivilege	452	vbc.exe
Token: SeChangeNotifyPrivilege	452	vbc.exe
Token: SeCreateTokenPrivilege	452	vbc.exe
Token: SeBackupPrivilege	452	vbc.exe
Token: SeRestorePrivilege	452	vbc.exe
Token: SeIncreaseQuotaPrivilege	452	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	452	vbc.exe
Token: SeImpersonatePrivilege	452	vbc.exe
Token: SeTcbPrivilege	452	vbc.exe
Token: SeChangeNotifyPrivilege	452	vbc.exe
Token: SeCreateTokenPrivilege	452	vbc.exe
Token: SeBackupPrivilege	452	vbc.exe
Token: SeRestorePrivilege	452	vbc.exe
Token: SeIncreaseQuotaPrivilege	452	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	452	vbc.exe
Token: SeImpersonatePrivilege	452	vbc.exe
Token: SeTcbPrivilege	452	vbc.exe
Token: SeChangeNotifyPrivilege	452	vbc.exe
Token: SeCreateTokenPrivilege	452	vbc.exe
Token: SeBackupPrivilege	452	vbc.exe
Token: SeRestorePrivilege	452	vbc.exe
Token: SeIncreaseQuotaPrivilege	452	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	452	vbc.exe
Token: SeImpersonatePrivilege	452	vbc.exe
Token: SeTcbPrivilege	452	vbc.exe
Token: SeChangeNotifyPrivilege	452	vbc.exe
Token: SeCreateTokenPrivilege	452	vbc.exe
Token: SeBackupPrivilege	452	vbc.exe
Token: SeRestorePrivilege	452	vbc.exe
Token: SeIncreaseQuotaPrivilege	452	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	452	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

8.execsc.exevbc.exe

description	pid	process	target process
PID 1040 wrote to memory of 668	1040	8.exe	csc.exe
PID 1040 wrote to memory of 668	1040	8.exe	csc.exe
PID 1040 wrote to memory of 668	1040	8.exe	csc.exe
PID 668 wrote to memory of 3140	668	csc.exe	cvtres.exe
PID 668 wrote to memory of 3140	668	csc.exe	cvtres.exe
PID 668 wrote to memory of 3140	668	csc.exe	cvtres.exe
PID 1040 wrote to memory of 452	1040	8.exe	vbc.exe
PID 1040 wrote to memory of 452	1040	8.exe	vbc.exe
PID 1040 wrote to memory of 452	1040	8.exe	vbc.exe
PID 1040 wrote to memory of 452	1040	8.exe	vbc.exe
PID 1040 wrote to memory of 452	1040	8.exe	vbc.exe
PID 1040 wrote to memory of 452	1040	8.exe	vbc.exe
PID 1040 wrote to memory of 452	1040	8.exe	vbc.exe
PID 1040 wrote to memory of 452	1040	8.exe	vbc.exe
PID 452 wrote to memory of 2476	452	vbc.exe	cmd.exe
PID 452 wrote to memory of 2476	452	vbc.exe	cmd.exe
PID 452 wrote to memory of 2476	452	vbc.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Users\Admin\AppData\Local\Temp\8.exe
"C:\Users\Admin\AppData\Local\Temp\8.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\neoqq3nl\neoqq3nl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES443D.tmp" "c:\Users\Admin\AppData\Local\Temp\neoqq3nl\CSCDD8A17E3CAC4589B59A4C5FCBEF1D10.TMP"
    3⤵
    PID:3140
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Accesses Microsoft Outlook accounts
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_win_path
  PID:452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240601421.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
    3⤵
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

2

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240601421.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES443D.tmp

Filesize
1KB

MD5
c40dae4a94ad0c1c9fb3580b4a9f0e3d

SHA1
f7b76730bc6039f345ee0f310f36277de969a389

SHA256
5613adef5348f6668a9441e87c5df38ec60f45e1bf625102a53417177f7c1fb3

SHA512
d97a22297b2ee80fe3bcc716d6d0f4e7d6d5863f50c139496c29a7ca0b76d62de63c1ed8731b27575af4858e428dcef3b763fed8aab4b6c7fa0dbb880865affa

Download Submit
C:\Users\Admin\AppData\Local\Temp\neoqq3nl\neoqq3nl.dll

Filesize
6KB

MD5
e697d2a831f0146cdc73ddb9aeb05286

SHA1
7a59a12f8957afb901f414d7b7d7d831bd32a7cc

SHA256
294542d183b92c9424d0f8c23d9b3c3a8be8524d11d03dd5f71dde9560dc1c0f

SHA512
7859da79e0c1f4f388ce4f78f635cbea0dde0c0bcb749fc39977ac1b8c6101b637f455631fc1c8bc2adb5917553da38160ef3490ef30a1f4cda4e25321c09d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\neoqq3nl\neoqq3nl.pdb

Filesize
19KB

MD5
a703e57287b99845dd90e5407083f1f8

SHA1
22e19ff1e84906b414ea519b92dceceb579e1437

SHA256
047ff699e7519c4e9401464544c14a6964f5f386c34568d69228ae4b6715d0c6

SHA512
7207ffe38b33be20d1d822337dd08f175c773d340bea95d94bd575e40ae812780b099a399cef7645a336217e62b9ec4e03ba9ab0334e27563b08b060adfee2c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\neoqq3nl\CSCDD8A17E3CAC4589B59A4C5FCBEF1D10.TMP

Filesize
1KB

MD5
858a05fc4434fa12e70392323f9b28da

SHA1
2bfa4108106dbb95d831ee4433ff0d123f3a2f4c

SHA256
df32cdbba4f84f4284487965993238f44089a9181e9d02ba4d78b83ef9bfed48

SHA512
1bbe4df6779b338d4e54f7827f1f6e7e9d393face23f36365d6573120dd58642c1af7a873a5aad122cdfc38ef10609c41e569d694e0fe7ec926660c5d684d6b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\neoqq3nl\neoqq3nl.0.cs

Filesize
3KB

MD5
dadf6f8ea29b54c9e635377663710027

SHA1
a09617b5f46ab2a0eec6b581e1d38ea65486f884

SHA256
7e07f0f03f765d2cc2d98b87eab4ed231fcfb7f9b868284edd82f69ed7f38cce

SHA512
345aed870288cb1d182d9db9de82828cd01219e473db45e4375dcef6e2e4d3cfc9506de70be0eeefe6d59c92a735f2c2823caf5d2c77bc8d6caa40d056cf5c09

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\neoqq3nl\neoqq3nl.cmdline

Filesize
248B

MD5
2021d34873f82d819d846fc7577fb3ab

SHA1
6562d0f3e9a9069c945cc8058894e7c67ee69470

SHA256
e92eba13eb802a40dabc19dfa4b417a636d804a4da381aecf4fd6d9efc0eab79

SHA512
0c655397a9a2ed66130015e7fda4dbe8d731c1f81354f0535fc56a5285599e7bf58579ec47404cfff1ca5fd82520d60eb9ebbfadde406b3e36c7d4bbdf64f050

Download Submit
memory/452-26-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/452-29-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/452-34-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1040-5-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1040-17-0x0000000004D50000-0x0000000004D58000-memory.dmp

Filesize
32KB

Download
memory/1040-19-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/1040-20-0x0000000005050000-0x0000000005076000-memory.dmp

Filesize
152KB

Download
memory/1040-21-0x0000000005080000-0x000000000508C000-memory.dmp

Filesize
48KB

Download
memory/1040-24-0x00000000052B0000-0x00000000052C9000-memory.dmp

Filesize
100KB

Download
memory/1040-25-0x0000000005520000-0x00000000055BC000-memory.dmp

Filesize
624KB

Download
memory/1040-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/1040-30-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1040-1-0x0000000000420000-0x0000000000450000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads