MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab
SHA3-384 hash:	b31bb7840f39e0fbe5d334b11677f94df303e3a00fa6b5029f0f481d4721bf81d496eac3869b91f8545c03583697a87f
SHA1 hash:	23d9e1a55a0e59c14f3a8fd97f97e1b014b2aec8
MD5 hash:	17ad204779010648c0ff58bed23f6201
humanhash:	aspen-sink-vegan-butter
File name:	TOY.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	672'256 bytes
First seen:	2020-06-25 12:57:24 UTC
Last seen:	2020-06-25 13:51:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a80cd992960ca4e7ba926088f846b1f3 (7 x AgentTesla, 4 x Loki, 2 x Formbook)
ssdeep	12288:aEQTcW9T920/5/6oPR0ht9hl9a05wJVfQLeU7Q6ZOvZv:bEcQ207R0R3FurYLeP6ZOvd
Threatray	140 similar samples on MalwareBazaar
TLSH	EFE49E36E2E14433D127167C9E2F7378AC3ABE107D28A9C77BE44C4C9E3A6953465293
Reporter	abuse_ch
Tags:	Downloader.Pony exe Pony

abuse_ch

Malspam distributing Downloader.Pony:

HELO: 45.95.169.81
Sending IP: 45.95.169.81
From: "Abhilash R" <info@mcleeria.com>
Subject: RFQ: Capentary Equipment A927P040P100.
Attachment: NEW PO A927P040P100.zip (contains "TOY.exe")

Pony C2:
http://globalex.uz/rot/panelnew/gate.php

Intelligence

File Origin

# of uploads :

# of downloads :

434

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Fareit

Link:

https://www.capesandbox.com/analysis/14297/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Reading critical registry keys

Connection attempt

Sending an HTTP POST request

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Brute forcing passwords of local accounts

Detection:

pony

Link:

https://mwdb.cert.pl/sample/23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2020-06-25 13:37:13 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=eprxk4jb74naybj5fxdgmunnryqvenzxesuashcwu75oea2adsvq._file

Result

Malware family:

pony

Score:

10/10

Tags:

discovery rat spyware stealer family:pony

Link:

https://tria.ge/reports/200625-kag2274sx6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Checks for installed software on the system

Reads data files stored by FTP clients

Deletes itself

Reads user/profile data of web browsers

Pony,Fareit

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

zip 1c8364adfa80ba53c4eba17d1af721858d6b8c230bb511fda09dec1c6b8384e3

Pony

exe 23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab

(this sample)

Dropped by

MD5 8c5177d7cee48ab7864e699d99e329b6

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/14297/

Dropped by

SHA256 1c8364adfa80ba53c4eba17d1af721858d6b8c230bb511fda09dec1c6b8384e3

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample