Malware Analysis Report

2025-04-03 14:14

Sample ID 241104-2wv8es1qeq
Target 7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N
SHA256 7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787
Tags
pony collection credential_access discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787

Threat Level: Known bad

The file 7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N was found to be: Known bad.

Malicious Activity Summary

pony collection credential_access discovery rat spyware stealer

Pony family

Pony,Fareit

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Accesses Microsoft Outlook accounts

Checks installed software on the system

Unsigned PE

System Location Discovery: System Language Discovery

outlook_win_path

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 22:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 22:56

Reported

2024-11-04 22:58

Platform

win7-20240903-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N.exe"

Signatures

Pony family

pony

Pony,Fareit

rat spyware stealer pony

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N.exe

"C:\Users\Admin\AppData\Local\Temp\7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N.exe"

Network

Country Destination Domain Proto
CN 115.47.49.181:80 tcp
CN 115.47.49.181:80 tcp
CN 115.47.49.181:80 tcp
CN 115.47.49.181:80 tcp
CN 115.47.49.181:80 tcp

Files

memory/2316-2-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2316-1-0x0000000000230000-0x000000000023D000-memory.dmp

memory/2316-0-0x0000000000220000-0x000000000022D000-memory.dmp

memory/2316-3-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2316-4-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 22:56

Reported

2024-11-04 22:58

Platform

win10v2004-20241007-en

Max time kernel

110s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N.exe"

Signatures

Pony family

pony

Pony,Fareit

rat spyware stealer pony

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N.exe

"C:\Users\Admin\AppData\Local\Temp\7b2a3a2bf10926418447cf0e3e75814a429523de1abc4121ee67afec56e97787N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
CN 115.47.49.181:80 tcp
US 8.8.8.8:53 81.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
CN 115.47.49.181:80 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
CN 115.47.49.181:80 tcp
CN 115.47.49.181:80 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
CN 115.47.49.181:80 tcp

Files

memory/3260-1-0x00000000009E0000-0x00000000009ED000-memory.dmp

memory/3260-0-0x00000000009D0000-0x00000000009DD000-memory.dmp

memory/3260-2-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3260-3-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3260-4-0x0000000000400000-0x000000000041F000-memory.dmp