pony | fb3c8bc0a2e39ae1a0cdcfc039a954c9cb99dc8b6a75b874db37a8042ca74230

Analysis

max time kernel
76s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/09/2024, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d088a5d6d863ce392960ca3be1f221d0N.exe
Size

129KB
MD5

d088a5d6d863ce392960ca3be1f221d0
SHA1

ed4abeca2ab95865dcb4fe15547e10bb3a8a70f4
SHA256

fb3c8bc0a2e39ae1a0cdcfc039a954c9cb99dc8b6a75b874db37a8042ca74230
SHA512

b6ffce6dad310cf2551640278e02a176732e8f0213dbdccfcf41867ac973626ac89973165a5e1416eb0f18adddba21736d2bf5d73380bba12843c705978ff097
SSDEEP

1536:UUBiFqtXmPmgC9TcvLci0wLOQqOZD03XuCLMw+ucYmOI3JVgRY4ecRmBCaOD9RMi:UOn16mg2TW9vOy+nuq4DVkr3R/jrMf

Score

10^/10

pony discovery rat spyware stealer

Malware Config

Extracted

Family

pony

http://67.215.225.205:8080/forum/viewtopic.php

http://66.175.215.102/forum/viewtopic.php

Attributes

payload_url
http://www.drachenboot-strausberg.de/rgbykPm.exe

http://realitycoaching.es/23sf.exe

http://kms-anwaelte.de/mvCo.exe

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d088a5d6d863ce392960ca3be1f221d0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2820	2776	d088a5d6d863ce392960ca3be1f221d0N.exe	30
PID 2776 wrote to memory of 2820	2776	d088a5d6d863ce392960ca3be1f221d0N.exe	30
PID 2776 wrote to memory of 2820	2776	d088a5d6d863ce392960ca3be1f221d0N.exe	30
PID 2776 wrote to memory of 2820	2776	d088a5d6d863ce392960ca3be1f221d0N.exe	30

C:\Users\Admin\AppData\Local\Temp\d088a5d6d863ce392960ca3be1f221d0N.exe
"C:\Users\Admin\AppData\Local\Temp\d088a5d6d863ce392960ca3be1f221d0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\d088a5d6d863ce392960ca3be1f221d0N.exe
  "C:\Users\Admin\AppData\Local\Temp\d088a5d6d863ce392960ca3be1f221d0N.exe"
  2⤵
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2776-0-0x0000000000C00000-0x0000000000C24000-memory.dmp

Filesize
144KB

Download
memory/2776-1-0x0000000000C00000-0x0000000000C24000-memory.dmp

Filesize
144KB

Download