MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2213dfa0542f7e14d95cfaaa34db8431f4ccdecf0e584d529597d441a263e40b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2213dfa0542f7e14d95cfaaa34db8431f4ccdecf0e584d529597d441a263e40b
SHA3-384 hash: c4a9857cd386f163d0b46810c0cc6b9e40aff3206ad31586f2ce55a197db5bda2fa8fe568f5ecdec30e893961d3b8014
SHA1 hash: 84d22970938665c406e33e58376376bdfde08682
MD5 hash: b2eda99aad21d20d9462d24957c8ce2c
humanhash: hotel-mobile-hydrogen-river
File name:2213dfa0542f7e14d95cfaaa34db8431f4ccdecf0e584d529597d441a263e40b
Download: download sample
Signature Pony
Create hunting rule
File size:107'616 bytes
First seen:2020-11-14 18:14:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bb780fb71176fed73021b3dfc46af303 (6 x Pony)
ssdeep 3072:o0C+7uOwhv6jKh48D7zOXbUEbp4h+vT/m9flq7:5CoMlcKV/Wa6gl6
Threatray 146 similar samples on MalwareBazaar
TLSH D5B302C1A3C801E8E0F619715C46A7AB14F26F474D66AE5E0203B53CAE99AC3D537A37
Reporter seifreed
Tags:Pony

Intelligence

File Origin
# of uploads :
1
# of downloads :
443
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Zbot-9759666-0
Create hunting rule

Win.Packed.Zbot-9760003-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Reading critical registry keys
DNS request
Connection attempt
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/535623
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2213dfa0542f7e14d95cfaaa34db8431f4ccdecf0e584d529597d441a263e40b/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:16:53 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eij57icuf57bjwk47kvdjw4egh2mzxwpbzme2uuvs7keditd4qfq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
4d9ba9f2d2a2085cbdafebb0dc4b73058f45c4b86631d8fc11240e132a1e1d0d
Pony
4fb8dc37db10133ce52d868244771f6232f6ef9deb20fd4354af1ef3b36e2149
Pony
5592f091a845c7e32d8c66d5efa561fa9d0ce09c88a54927f8f43ca31373cf93
Pony
76f96173c9f07ead9a330ac935b73f5f695933f7b014bd4b51c13695119f3cec
Pony
87dc16528521b99284a5d7e466d1cd5047c3ca27caaa05a0ea6ccd11b63dd3b8
Pony
9026e9b714998846a26087ed7f5a276b1399204a1e34d469571a7301ce720931
Pony
b01bb1b0f8138c7ce50860cd5218554d6b049d0862ec48a4e2076c6e6e309bed
Pony
cf857e8a28a380c5e001013c6fd13a67f02782a84829801b12079048e8d86cf0
Pony
d0b6573a025d5d79dd2a5f627702b12f36b87a95c156be1826bb552a27c9003b
Pony
e4b839be39665555c0637a45d7835cf5aed0633b9d3b3c72b0c3710555cf2eb0
Pony
+ 136 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer
Link:
https://tria.ge/reports/201114-wcas9cmsme/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Checks installed software on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Unpacked files
SH256 hash:
2213dfa0542f7e14d95cfaaa34db8431f4ccdecf0e584d529597d441a263e40b
MD5 hash:
b2eda99aad21d20d9462d24957c8ce2c
SHA1 hash:
84d22970938665c406e33e58376376bdfde08682
Link:
https://www.unpac.me/results/7e67a8ba-cac1-4fe7-a3ca-06c7d6546dde/
SH256 hash:
27d533f455b09a705568f2d880afd34e7b8e027c603ba986da6d34b76b157950
MD5 hash:
d51ab7f7eea608b2379bf81116ecd06b
SHA1 hash:
eb0772e525de657a7affc76cecef73403c3f8209
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/7e67a8ba-cac1-4fe7-a3ca-06c7d6546dde/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Reveton
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2213dfa0542f7e14d95cfaaa34db8431f4ccdecf0e584d529597d441a263e40b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pony
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify Pony
Rule name:win_pony_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments