pony | 76faf6b0a5f301e3c594e1ab0d8ed39e3c175f07b9fb1256cb5c42e09f8ec16c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/12/2024, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe
Size

896KB
MD5

21d13f2f3c4db8f083b672d81831fa5e
SHA1

b93f931a10a8a4b6f155b6b2ad9c5f9fbb3d71d0
SHA256

17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3
SHA512

005658047ae5bd43d2c709c640ffd60b17a3e551657502804dbfd288193b340834e74b6a007731f401d4fc62b76cbafde40e5a30b08f9fb00f9506b6438c470d
SSDEEP

12288:ZWBoBYd39letTbwm3Undsb+gfrEJLzDQ2bALSKLmDt8N90il5HyV/e4:ZeR9ItXwdnWbLrEJJrta5Hah

Score

10^/10

pony remcos remotehost collection credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

remcos

Version

2.0.4 Pro

Botnet

RemoteHost

154.16.63.197:3360

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-XVE2ON
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

pony

http://admino.ml/eme/gate.php

Attributes

payload_url
http://admino.ml/eme/kachistub.exe

Signatures

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SGS.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SGS.exe	SGS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SGS.exe	SGS.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe

Executes dropped EXE 2 IoCs

pid	Process
1340	SGS.exe
2296	SGS.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	SGS.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	SGS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 728 set thread context of 952	728	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	98
PID 1340 set thread context of 2296	1340	SGS.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SGS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SGS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	2296	SGS.exe
Token: SeTcbPrivilege	2296	SGS.exe
Token: SeChangeNotifyPrivilege	2296	SGS.exe
Token: SeCreateTokenPrivilege	2296	SGS.exe
Token: SeBackupPrivilege	2296	SGS.exe
Token: SeRestorePrivilege	2296	SGS.exe
Token: SeIncreaseQuotaPrivilege	2296	SGS.exe
Token: SeAssignPrimaryTokenPrivilege	2296	SGS.exe
Token: SeImpersonatePrivilege	2296	SGS.exe
Token: SeTcbPrivilege	2296	SGS.exe
Token: SeChangeNotifyPrivilege	2296	SGS.exe
Token: SeCreateTokenPrivilege	2296	SGS.exe
Token: SeBackupPrivilege	2296	SGS.exe
Token: SeRestorePrivilege	2296	SGS.exe
Token: SeIncreaseQuotaPrivilege	2296	SGS.exe
Token: SeAssignPrimaryTokenPrivilege	2296	SGS.exe
Token: SeImpersonatePrivilege	2296	SGS.exe
Token: SeTcbPrivilege	2296	SGS.exe
Token: SeChangeNotifyPrivilege	2296	SGS.exe
Token: SeCreateTokenPrivilege	2296	SGS.exe
Token: SeBackupPrivilege	2296	SGS.exe
Token: SeRestorePrivilege	2296	SGS.exe
Token: SeIncreaseQuotaPrivilege	2296	SGS.exe
Token: SeAssignPrimaryTokenPrivilege	2296	SGS.exe
Token: SeImpersonatePrivilege	2296	SGS.exe
Token: SeTcbPrivilege	2296	SGS.exe
Token: SeChangeNotifyPrivilege	2296	SGS.exe
Token: SeCreateTokenPrivilege	2296	SGS.exe
Token: SeBackupPrivilege	2296	SGS.exe
Token: SeRestorePrivilege	2296	SGS.exe
Token: SeIncreaseQuotaPrivilege	2296	SGS.exe
Token: SeAssignPrimaryTokenPrivilege	2296	SGS.exe
Token: SeImpersonatePrivilege	2296	SGS.exe
Token: SeTcbPrivilege	2296	SGS.exe
Token: SeChangeNotifyPrivilege	2296	SGS.exe
Token: SeCreateTokenPrivilege	2296	SGS.exe
Token: SeBackupPrivilege	2296	SGS.exe
Token: SeRestorePrivilege	2296	SGS.exe
Token: SeIncreaseQuotaPrivilege	2296	SGS.exe
Token: SeAssignPrimaryTokenPrivilege	2296	SGS.exe
Token: SeImpersonatePrivilege	2296	SGS.exe
Token: SeTcbPrivilege	2296	SGS.exe
Token: SeChangeNotifyPrivilege	2296	SGS.exe
Token: SeCreateTokenPrivilege	2296	SGS.exe
Token: SeBackupPrivilege	2296	SGS.exe
Token: SeRestorePrivilege	2296	SGS.exe
Token: SeIncreaseQuotaPrivilege	2296	SGS.exe
Token: SeAssignPrimaryTokenPrivilege	2296	SGS.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
952	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
952	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
952	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 1340	728	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	97
PID 728 wrote to memory of 1340	728	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	97
PID 728 wrote to memory of 1340	728	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	97
PID 728 wrote to memory of 952	728	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	98
PID 728 wrote to memory of 952	728	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	98
PID 728 wrote to memory of 952	728	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	98
PID 728 wrote to memory of 952	728	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	98
PID 728 wrote to memory of 952	728	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	98
PID 728 wrote to memory of 952	728	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	98
PID 728 wrote to memory of 952	728	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	98
PID 728 wrote to memory of 952	728	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	98
PID 728 wrote to memory of 952	728	17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe	98
PID 1340 wrote to memory of 2296	1340	SGS.exe	103
PID 1340 wrote to memory of 2296	1340	SGS.exe	103
PID 1340 wrote to memory of 2296	1340	SGS.exe	103
PID 1340 wrote to memory of 2296	1340	SGS.exe	103
PID 1340 wrote to memory of 2296	1340	SGS.exe	103
PID 1340 wrote to memory of 2296	1340	SGS.exe	103
PID 1340 wrote to memory of 2296	1340	SGS.exe	103
PID 1340 wrote to memory of 2296	1340	SGS.exe	103
PID 2296 wrote to memory of 1944	2296	SGS.exe	106
PID 2296 wrote to memory of 1944	2296	SGS.exe	106
PID 2296 wrote to memory of 1944	2296	SGS.exe	106

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	SGS.exe

C:\Users\Admin\AppData\Local\Temp\17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe
"C:\Users\Admin\AppData\Local\Temp\17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:728
- C:\Users\Admin\AppData\Local\Temp\SGS.exe
  "C:\Users\Admin\AppData\Local\Temp\SGS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\SGS.exe
    C:\Users\Admin\AppData\Local\Temp\SGS.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
    PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240676296.bat" "C:\Users\Admin\AppData\Local\Temp\SGS.exe" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1944
- C:\Users\Admin\AppData\Local\Temp\17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe
  C:\Users\Admin\AppData\Local\Temp\17bb66d25ec39d1818cc01e067ea7139eef15dcb24bce24840666eede661a3c3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240676296.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SGS.exe

Filesize
833KB

MD5
31b2f8c329a601b145e7e71a6d120a7b

SHA1
58487332c00cb299d67f14c288cbdf9aa9099e44

SHA256
f06d03375b253842a56748e5e49206147ab986e73b109392a36be672616c6b5d

SHA512
92021e862955ccec4ff72770cdd1a89d165f26c500a907dd078c4d665423b56736fa0a81cf5d50ab8da91807a18a762d2c307f3aa503187babb598674de3ac1c

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
166B

MD5
fb1561deaf3cc4f8aced48f1f58187e1

SHA1
f96bae60ae0d2de2cddf5987cb05b925bb69e51a

SHA256
2ed0efb9a9a54097a38c2da90c74256f058be9320d65cb9b14037c15138fbd51

SHA512
e7e4517b6fe1bc1001e287ae3da8ee8acf2dd4e7dacccb37f33de87a6eb0876c04b9144252366007421a214b59ca7376c247159a6d1be692065942926cadc437

Download Submit
memory/728-2-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/728-1-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/728-0-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/728-25-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/952-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-70-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-53-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1340-31-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1340-46-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1340-32-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1340-18-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2296-50-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/2296-51-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2296-38-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2296-40-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2296-45-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2296-39-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads