MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 7


Intelligence 7 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1
SHA3-384 hash: bc9e80980780ae2f8578252a69b1ba4b68bbb9080598a69ef7c9137fc4f99f8a551ec27a3cc4c67d9d1a87b02f75d01a
SHA1 hash: 0addb140b908fd95f1efdc26e9b90975d1b55b9f
MD5 hash: 5530e8dcb60d0dcc68fe18810bb9e53c
humanhash: virginia-tennessee-double-fourteen
File name:5530E8DCB60D0DCC68FE18810BB9E53C.exe
Download: download sample
Signature Pony
Create hunting rule
File size:1'703'936 bytes
First seen:2021-07-21 21:00:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4e0949dfb15fa89be19c9b90d78b6864 (3 x Pony)
ssdeep 12288:04TZJHtqPRx+9Bvw6VjWVmzafcWf/rKpHGAcKEZUiX:0mJHjDpiNnGpHGFPZUi
Threatray 305 similar samples on MalwareBazaar
TLSH T1C375C01317E3BA3FF25A167B0CE801A871467B727EA3CE43B925A8F7815644D335468B
dhash icon 71e8f4f2d2f4f871 (2 x Pony)
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://lokipanelhosting.cf/ax/pony/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://lokipanelhosting.cf/ax/pony/gate.php https://threatfox.abuse.ch/ioc/161788/

Intelligence

File Origin
# of uploads :
1
# of downloads :
600
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5530E8DCB60D0DCC68FE18810BB9E53C.exe
Verdict:
No threats detected
Analysis date:
2021-07-21 21:05:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aa64df83-4348-4061-a657-35d2d43cfc8c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173174/
Detection(s):
Win.Downloader.LokiBot-9165134-0
Create hunting rule

Win.Trojan.Ponystealer-9843674-0
Create hunting rule

Win.Dropper.Formbook-9875973-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Gorgon Group
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/918db7af-015f-4567-9740-8d9deb319921
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819778
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files with a suspicious file extension
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected aPLib compressed binary
Yara detected Generic Dropper
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 452186 Sample: 0YT47uyQpq.exe Startdate: 21/07/2021 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->34 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 9 other signatures 2->40 8 0YT47uyQpq.exe 3 4 2->8         started        12 wscript.exe 1 2->12         started        14 wscript.exe 1 2->14         started        process3 file4 28 C:\Users\user\AppData\Local\...\filename.scr, PE32 8->28 dropped 30 C:\Users\user\AppData\Local\...\filename.vbs, ASCII 8->30 dropped 48 Drops PE files with a suspicious file extension 8->48 16 wscript.exe 1 1 8->16         started        19 filename.scr 12->19         started        21 filename.scr 14->21         started        signatures5 process6 signatures7 32 Creates autostart registry keys with suspicious values (likely registry only malware) 16->32 23 filename.scr 16->23         started        process8 signatures9 42 Antivirus detection for dropped file 23->42 44 Multi AV Scanner detection for dropped file 23->44 46 Machine Learning detection for dropped file 23->46 26 filename.scr 23->26         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2021-07-18 21:23:00 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=etynsiwq3pjamr7gzcoynmo6y2vmemligpjtrxhz52t574fbykyq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
15009bbe320d77a38e4341a5e160baec142a96f86c730a33dae9a1487399c78c
Pony
4fbb201bac972c243d392f1191e76e16d56e01c5ebcea6e826ecc7236e50d37b
Pony
5dbfd22543849bd392e080c351227f31137993f23ee7ac5a3184322e43d73745
Pony
607976ecb6ae8202d98ff52def53ce73ece753a830bf55d9c638c10bbe06574c
Pony
88c63762f85d92709ec567c3a3de9363589c4dd8777e469e5722851c5d3ed5a3
Pony
92dd50589b21721bb8b73217b21be6a6c51f6fca5cb19ebea9a0913cfaa7baa8
Pony
9e7bc04d9b7a15b73175902e3c8cd0f245353bb88dfe0a68d122616255aed42f
Pony
bd05dc94a9ebcfd40d288bc0afc811bc21024f43b31c51bee50cad75abceed06
Pony
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
Pony
+ 295 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210721-erv9hkqw4n/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1
MD5 hash:
5530e8dcb60d0dcc68fe18810bb9e53c
SHA1 hash:
0addb140b908fd95f1efdc26e9b90975d1b55b9f
Link:
https://www.unpac.me/results/6bb38597-060e-4195-9a3c-368fb3384ddd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/24f0d922d0dbd20647e6c89d86b1dec6aac2316833d338dcf9eea7dff0a1c2b1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173174/

Comments