MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15aa1919120cf819c2c0386a0a6b8b71059fa669491016b06df0998a27eb32ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15aa1919120cf819c2c0386a0a6b8b71059fa669491016b06df0998a27eb32ff
SHA3-384 hash: 26a4281bf4d8531f7081a9600fdfbf9327b90e1cbfb4aee315a6749b08f49171a781f32fb67335a046fb291235459c60
SHA1 hash: f6ec05879fb51f9f1fdd9771d206bdd5ec4a17ce
MD5 hash: f50c60a10a65fe50c644ee5d20091e14
humanhash: equal-snake-oxygen-mobile
File name:crimgroup(2).exe
Download: download sample
Signature Pony
Create hunting rule
File size:229'376 bytes
First seen:2021-05-07 05:14:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash faef5c0f1f3bbb03196a71e2093fd2a1 (1 x Pony)
ssdeep 1536:sCy4svmF6Z+tHWFbOuTI+6DvLZjyrSGC+3LzejnlcAKmNJvgIXMkJ2rtx7yARkzl:Nmj+sTI+6zOSd+Xerlcm3X9Wtx7jk1F
Threatray 2'465 similar samples on MalwareBazaar
TLSH 1624CF121518CDB5F13D6A31DE24BFF9EB24BC219977A7C61D6917182FA1AACC70CE80
Reporter starsSk87264403

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/152421/
Detection(s):
Win.Dropper.Kovter-7669962-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/715557
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15aa1919120cf819c2c0386a0a6b8b71059fa669491016b06df0998a27eb32ff/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2017-04-05 00:58:56 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
0999db34e8587ca82c53264b3a8ba8bb45e456705d32f514f2eb414b4e0a2a4b
Pony
59c17773776261d45122a0d067088654268ca71b329a6e9495105c500c12c8c1
Pony
5a8239ffd5e37023816296c83bf64261d7461cc373669a881a1b2284d767d1ed
Pony
68629701b12d1300254ce04807b894fd8195bd36ce6b6ceebe5beba5d60cf5d3
Pony
93e31993de213880948286b0b8d7246d5870a234307d94e799170357074a4e83
Pony
948b5d4daa9864aae1297b9481a1bcee316f723af481e983dbff09fcd8a24563
Pony
9e7bc04d9b7a15b73175902e3c8cd0f245353bb88dfe0a68d122616255aed42f
Pony
b3aac3c1fed205d6c1e36f80475cdb4b243f6fb7b2d275f360867aa6dcec5fe8
Pony
c03e3bce572790d7ccf28cba0491718fa7631a931025af868a81762df983c1ed
Pony
e92c7e2ceed0d482eea30de0378244a9a245b1300d28561225c42940b2406e41
Pony
+ 2'455 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer
Link:
https://tria.ge/reports/210507-82dkt1yman/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Unpacked files
SH256 hash:
28b2f304714fcc123e503f5de311706e6c0cceed4a463d145fdc4da75f959fa1
MD5 hash:
256786930aad81fa1420702364d1a120
SHA1 hash:
8423ee8579c86c930ec1fa3ba7abd3828288ea17
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/c79a6c1e-d3d5-467b-afbe-00e8c7cab99c/
Parent samples :
15aa1919120cf819c2c0386a0a6b8b71059fa669491016b06df0998a27eb32ff
42e5cfad2bd613db15b7ad6421bfe787e495f4e8374ec464afcc8a3bd6660db6
SH256 hash:
15aa1919120cf819c2c0386a0a6b8b71059fa669491016b06df0998a27eb32ff
MD5 hash:
f50c60a10a65fe50c644ee5d20091e14
SHA1 hash:
f6ec05879fb51f9f1fdd9771d206bdd5ec4a17ce
Link:
https://www.unpac.me/results/c79a6c1e-d3d5-467b-afbe-00e8c7cab99c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
GuLoader
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15aa1919120cf819c2c0386a0a6b8b71059fa669491016b06df0998a27eb32ff

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Pony

Executable exe 15aa1919120cf819c2c0386a0a6b8b71059fa669491016b06df0998a27eb32ff

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/152421/
  
URLhaus
https://urlhaus.abuse.ch/url/250596/
  
Delivery method
Distributed via web download

Comments