pony | d9e636a642af1edfbad5cb3048cc8d140905bff9ebf177b2bd8fe83cb60f320b | Triage

Submit
Reports

Overview

overview

Static

static

3

P_Invoice_...df.exe

windows7-x64

P_Invoice_...df.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_7abf66c3d1eee37866fb437033bb88d0
Size

105KB
Sample

250104-va9elaxqhw
MD5

7abf66c3d1eee37866fb437033bb88d0
SHA1

d7fd0b56161f93ac18fd18ef5ceef30b810d1467
SHA256

d9e636a642af1edfbad5cb3048cc8d140905bff9ebf177b2bd8fe83cb60f320b
SHA512

8b2545361279902bf0a4fe58369b6af2f57b4102bcc199f03fe6413566273ee8864303afc03d770b69143685d4e7b32c4c667b221f106eda480eccaf14ba084d
SSDEEP

3072:aylZkeBOgTGG4Y/kMPW3dPVagctpOWDKOCa:NlAACkmPBcto8r

Score

10^/10

pony collection credential_access discovery rat spyware stealer upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

P_Invoice_01833-pdf.exe

Resource

win7-20240903-en

pony collection credential_access discovery rat spyware stealer upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

P_Invoice_01833-pdf.exe

Resource

win10v2004-20241007-en

pony collection credential_access discovery rat spyware stealer upx

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

pony

C2

http://acesimavicumbilaxuz.net/sazi21/gate.php

Targets

- Target
  
  P_Invoice_01833-pdf.exe
- Size
  
  322KB
- MD5
  
  276cdadf22ef7203d0b03f5133bdb0c8
- SHA1
  
  83ff2e02c8f7e38ae4f2241dc0af3cb15af30d38
- SHA256
  
  6f174a651234c0ccb6d0d5d35eaba8e6ad6e01781cd71c44cbb297e7f1cfce65
- SHA512
  
  35dde2bdea50e5d9de9c818afab1c34ed19612c6fb87591ac3ad73bf0dd9a9082ecb65b24fd2cf964d708a5f81e664072e5a9e3695f586859c3bb8ae946752db
- SSDEEP
  
  3072:239RyRxwOaoKNaV2gukAY4Y/wMPW3dPVjg5k/rTI/VHWL:tyWmPqi/PI1
Score

10^/10

pony collection credential_access discovery rat spyware stealer upx
- Pony family
  pony
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ponycollectioncredential_accessdiscoveryratspywarestealerupx

behavioral2

ponycollectioncredential_accessdiscoveryratspywarestealerupx

© 2018-2025

Terms | Privacy