MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7
SHA3-384 hash: d2d6fd87314e59799b76369266e7235b2793b5bdb76cd0cf5ee710405ebfed1122c99ae6c34e573921c3c1293d51664f
SHA1 hash: 5b2e6e541ea6f47e369291396a5d91564ece2eb8
MD5 hash: fe7bc3cd6512f31d48a58caf3e558fee
humanhash: seventeen-eighteen-india-montana
File name:2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe
Download: download sample
Signature Pony
Create hunting rule
File size:476'079 bytes
First seen:2021-04-26 15:07:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9c61e193ad83beb9c6707bb817822229 (5 x RedLineStealer, 1 x Pony, 1 x CoinMiner)
ssdeep 12288:jpRN/nV+NnqIbQv6YMtTojf0hxZnLBEWYWGS0C89BzA:jpT/nV+NqIRhyLUuWYVSIc
Threatray 241 similar samples on MalwareBazaar
TLSH 1FA412323FE2C0F9C5920A715986376509BAF7361B29DEC79F901C039E64AD2C77C296
Reporter Finch39487976
Tags:Pony Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
757
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7.exe
Verdict:
Malicious activity
Analysis date:
2021-04-26 15:10:11 UTC
Tags:
trojan pony fareit stealer
Link:
https://app.any.run/tasks/4750198c-d2c4-4f24-b382-0c692896986c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144390/
Detection(s):
Win.Malware.Vaultcrypt-7536195-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Moving a file to the %temp% directory
Creating a process from a recently created file
Launching a process
Searching for the window
Creating a file
Deleting a recently created file
Reading critical registry keys
DNS request
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Changing a file
Sending a UDP request
Possible injection to a system process
Creating a window
Creating a file in the %temp% directory
Running batch commands
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Connection attempt to an infection source
Creating a file in the mass storage device
Deleting volume shadow copies
Preventing system recovery
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Encrypting user's files
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/698120
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contain functionality to detect virtual machines
Contains functionality to create processes via WMI
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Deletes shadow drive data (may be related to ransomware)
Injects a PE file into a foreign processes
Injects files into Windows application
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Uses 7zip to decompress a password protected archive
Uses bcdedit to modify the Windows boot settings
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 397976 Sample: JbFCEJSOoj.exe Startdate: 26/04/2021 Architecture: WINDOWS Score: 100 84 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->84 86 Malicious sample detected (through community Yara rule) 2->86 88 Antivirus detection for dropped file 2->88 90 7 other signatures 2->90 9 JbFCEJSOoj.exe 5 4 2->9         started        13 cmd.exe 2->13         started        15 mshta.exe 2->15         started        process3 file4 66 C:\Users\user\AppData\Local\Temp\6D00D3EF97, 7-zip 9->66 dropped 68 C:\Users\user\AppData\Local\Temp\75BB57, PE32 9->68 dropped 98 Contains functionality to register a low level keyboard hook 9->98 100 Uses 7zip to decompress a password protected archive 9->100 17 6D00D3EF97.exe 9->17         started        20 7za.exe 3 9->20         started        23 WINWORD.EXE 250 31 9->23         started        34 2 other processes 9->34 102 May disable shadow drive data (uses vssadmin) 13->102 104 Deletes shadow drive data (may be related to ransomware) 13->104 106 Uses bcdedit to modify the Windows boot settings 13->106 26 conhost.exe 13->26         started        28 vssadmin.exe 13->28         started        30 bcdedit.exe 13->30         started        32 bcdedit.exe 13->32         started        signatures5 process6 dnsIp7 74 Antivirus detection for dropped file 17->74 76 Multi AV Scanner detection for dropped file 17->76 78 Machine Learning detection for dropped file 17->78 82 7 other signatures 17->82 36 6D00D3EF97.exe 239 46 17->36         started        54 C:\Users\user\AppData\...\6D00D3EF97.exe, PE32 20->54 dropped 56 C:\Users\user\AppData\...\6D00D3EF97.doc, Microsoft 20->56 dropped 41 conhost.exe 20->41         started        72 192.168.2.1 unknown unknown 23->72 80 Injects files into Windows application 23->80 43 conhost.exe 34->43         started        45 conhost.exe 34->45         started        file8 signatures9 process10 dnsIp11 70 gruzdom.ru 92.53.96.146, 49709, 49712, 49716 TIMEWEB-ASRU Russian Federation 36->70 58 C:\Users\user\Desktop\...\QNCYCDFIJJ.docx, data 36->58 dropped 60 C:\Users\user\Desktop\...EGWXUHVUG.pdf, data 36->60 dropped 62 C:\Users\user\DesktopOWRVPQCCS.jpg, data 36->62 dropped 64 2 other files (1 malicious) 36->64 dropped 92 Uses bcdedit to modify the Windows boot settings 36->92 94 Tries to harvest and steal browser information (history, passwords, etc) 36->94 96 Modifies existing user documents (likely ransomware behavior) 36->96 47 WMIC.exe 36->47         started        50 mshta.exe 14 36->50         started        file12 signatures13 process14 signatures15 108 Creates processes via WMI 47->108 52 conhost.exe 47->52         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2016-08-19 19:51:00 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f7nz7kepuiecla6tfekmhbrvefqe3uzcddbgudzv4akbxi2ubc3q._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
430032941fdecfc49abdef2ede2ffe04c66b99df498a2739005c726cea9ea183
Pony
65163c2a5608d66d615a284943d5ebf811a78e6ecebec47835b4680a19d07518
Pony
8e164388aa881f7f4e8ad09602a3ffc52cdd8be2e30308deea4fc9ae1d4651f9
Pony
92faf07c3b1c36d62291a830b547492b1c610ed042400c4764c631f728c17579
Pony
97ba4ad5b02bc8812864b06941778432faf60a667c0279c0c7c092b76e91b9cc
Pony
a4923677e96515d7fc80fad3a4d602650b5b2c5159bd0a1a49ab54b77c80e0d5
Pony
b59427205b88d9cd8b38bf4c99f902d569085b708a9eb3c6c8b6d8a8ea7a361d
Pony
c41afec81d70066b62ddbfae7e4ec8aca49d0cc3618241aa2605d35d3250bd98
Pony
e9faa7dce8d4693ebef2e9f47d3af496323b887e7733e38eca4e40a937cd1dfe
Pony
fa8e5817b7a1e2a8129b1c6df41ccc378b6e44372de4c27edba38d6a9d1d40d1
Pony
+ 231 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:crypvault family:pony discovery evasion ransomware rat spyware stealer upx
Link:
https://tria.ge/reports/210426-nx8gmpflse/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Interacts with shadow copies
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks installed software on the system
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Deletes shadow copies
Modifies boot configuration data using bcdedit
CrypVault
Pony,Fareit
Process spawned unexpected child process
Unpacked files
SH256 hash:
91c9d7d2f7f9628d13fbc224383d03b0dfc51c0f8a0c004fa88a38f18e64348c
MD5 hash:
92d74a2f90f3a5fb56ae05b1e9996393
SHA1 hash:
6fda20ec6aa401df1dabebb82f8173d9f7cff6f9
Detections:
win_nitol_auto
Create hunting rule
Link:
https://www.unpac.me/results/9b6d0bd8-b7b3-4cca-bd46-5aa71808404f/
Parent samples :
89ba6ca01979a51dd5e8fee7d80e8d69322531ba357750a79d8aaceb5a3163c7
2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7
aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202
09421ff53504cf75091ab714967521b7d55f0975b2ca08d7887bf6fb000c1b82
ac2362bfb043929f138f0ed947f81fa8444fd87b2301ecaa9a837e86f6eca690
d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758
5f0798cdb628b90fa0507427cfad23ac606c781d630526e15c20e0150a9ece04
afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
1dffdc569c0107c0f2e102f0da4fb60ac3ad59c5697e822f68548e681a384ad9
SH256 hash:
9d988c2baf5a255c71292244a2073d03293bedfb7406d28254fc4f2cd3c315ee
MD5 hash:
b985fa5cea2051bd861f612e5a3c7446
SHA1 hash:
5c9f2e4943e756d644bfbc5f151d86f4542531a0
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/9b6d0bd8-b7b3-4cca-bd46-5aa71808404f/
SH256 hash:
9b283ab8a5b322c7828c99ecae0522b74eeb22801d5cfe64300a91fc0b6a02b1
MD5 hash:
c12dd43f9a049b8e18ec8cbd278c6e75
SHA1 hash:
ae37c04a1bce88b524882df0f3c21f65db243831
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/9b6d0bd8-b7b3-4cca-bd46-5aa71808404f/
SH256 hash:
3694c1ad69841de2aeed0d87bfd056bfa3165be90b066f5097c1dafe8b126526
MD5 hash:
54c99bd547512c5663d0e4cd30ff72e3
SHA1 hash:
58e5ae2a425180a27d03c0052d3e20dc46594ab2
Link:
https://www.unpac.me/results/9b6d0bd8-b7b3-4cca-bd46-5aa71808404f/
SH256 hash:
9ac43b38ac3534535c41c9eca87a831a11cc4e19566b40f3ecab582bee56c9f1
MD5 hash:
ae91e475f1c774a58023219715c73ab1
SHA1 hash:
3c20eb252fdf5ea99e0e13bce1532810123ca600
Link:
https://www.unpac.me/results/9b6d0bd8-b7b3-4cca-bd46-5aa71808404f/
SH256 hash:
7d8719271bc4c808c4dda5cd5c942538be5ffd72ea36973e30c19a39f31f1794
MD5 hash:
c3c60140829a2256c346be58ce109d21
SHA1 hash:
484719600ef42163f59dd59c3e806be2da6ffe61
Link:
https://www.unpac.me/results/9b6d0bd8-b7b3-4cca-bd46-5aa71808404f/
SH256 hash:
2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7
MD5 hash:
fe7bc3cd6512f31d48a58caf3e558fee
SHA1 hash:
5b2e6e541ea6f47e369291396a5d91564ece2eb8
Link:
https://www.unpac.me/results/9b6d0bd8-b7b3-4cca-bd46-5aa71808404f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144390/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-26 16:11:00 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [F0002.001] Collection::Application Hook
1) [F0002.002] Collection::Polling
2) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
3) [C0032.001] Data Micro-objective::CRC32::Checksum
4) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
14) [C0017] Process Micro-objective::Create Process
15) [C0038] Process Micro-objective::Create Thread
16) [C0054] Process Micro-objective::Resume Thread
17) [C0018] Process Micro-objective::Terminate Process