MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f987bb8c8f01c7c6d78d03aef0062b01fffd332860f3f7e9e29710466062dc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f987bb8c8f01c7c6d78d03aef0062b01fffd332860f3f7e9e29710466062dc2
SHA3-384 hash: d6d607d77304101ae1de4698ea42ede4c63b917c300a8f5d25bd94dff4d502b5f728d5cefb047fbdf4d52a20e2b6cc79
SHA1 hash: cd56c415be598974425c8dcc5e6d9a8bb090b14f
MD5 hash: 4bbc22b28abf463d2e2ef300c7cad6dd
humanhash: eighteen-seven-sixteen-fourteen
File name:3F987BB8C8F01C7C6D78D03AEF0062B01FFFD332860F3.exe
Download: download sample
Signature Pony
Create hunting rule
File size:643'072 bytes
First seen:2021-06-24 23:37:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 945fedf714de2cd8dd1ca13976d1e8fc (1 x Pony)
ssdeep 12288:S7hxx/GrQygvgbSaQFG9gDd/elZBMv6QwctVfyYdb:YT0rQTvgR902NNc3b
Threatray 252 similar samples on MalwareBazaar
TLSH 21D47CE2BBA444B2C1E2127A4C6F53BE58F77D10F929144A27F43F6C7B3838125561AE
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://jox1.usa.cc/capt22/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://jox1.usa.cc/capt22/gate.php https://threatfox.abuse.ch/ioc/153526/

Intelligence

File Origin
# of uploads :
1
# of downloads :
512
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Inquiry 2040789510.DOC
Verdict:
Malicious activity
Analysis date:
2018-09-17 18:37:21 UTC
Tags:
exploit CVE-2017-11882
Link:
https://app.any.run/tasks/165f1910-43f0-43a8-98a6-a879b663791b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168175/
Detection(s):
PUA.Win.Packer.BorlandDelphi-1
Create hunting rule

Win.Malware.Generic-6688125-0
Create hunting rule

Win.Malware.Generic-6688214-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3c036dea-1526-4fbd-a013-148fdee869dd
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807825
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Creates files in alternative data streams (ADS)
Drops VBS files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440236 Sample: 3F987BB8C8F01C7C6D78D03AEF0... Startdate: 25/06/2021 Architecture: WINDOWS Score: 100 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Antivirus / Scanner detection for submitted sample 2->34 36 6 other signatures 2->36 7 3F987BB8C8F01C7C6D78D03AEF0062B01FFFD332860F3.exe 4 2->7         started        11 wscript.exe 1 2->11         started        process3 file4 26 C:\Users\user\AppData\...\explorre.exe, PE32 7->26 dropped 28 C:\Users\...\explorre.exe:Zone.Identifier, ASCII 7->28 dropped 44 Creates files in alternative data streams (ADS) 7->44 46 Contains functionality to detect sleep reduction / modifications 7->46 13 explorre.exe 1 7->13         started        16 explorre.exe 1 11->16         started        signatures5 process6 file7 48 Antivirus detection for dropped file 13->48 50 Multi AV Scanner detection for dropped file 13->50 52 Tries to steal Mail credentials (via file registry) 13->52 56 3 other signatures 13->56 19 explorre.exe 1 12 13->19         started        24 C:\Users\user\AppData\Roaming\...\wordd.vbs, ASCII 16->24 dropped 54 Maps a DLL or memory area into another process 16->54 22 explorre.exe 12 16->22         started        signatures8 process9 signatures10 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->38 40 Tries to harvest and steal ftp login credentials 22->40 42 Tries to harvest and steal browser information (history, passwords, etc) 22->42
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f987bb8c8f01c7c6d78d03aef0062b01fffd332860f3f7e9e29710466062dc2/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2018-09-19 03:02:16 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h6mhxogi6aohy3ly2a5o6adcwap77uzsqyht67u6ffyqizqgfxba._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab
Pony
49f23a6aa07ad1617e09d06680a7e2544ba8daa9295285405b7c82ab96b8a335
Pony
4d9ba9f2d2a2085cbdafebb0dc4b73058f45c4b86631d8fc11240e132a1e1d0d
Pony
4fa025c960fee9b41e855d025dcbb7e296c157dd30f42b924637f763e4a3c0ce
Pony
80b9257f924aef8ac5a1a724234ddcd6b67bee79819202bb7b5d4586b35164c7
Pony
98adccc8a599f53904c5cd22c7398d6b692c642807cab71f1ab6d2dc65e1c5a5
Pony
b24205394b92b61e4058e30a94528aa34cf37b3d930c3197d91f33f8fd173cf4
Pony
be2574eff410b1b63255c93f82e398c50b7af0f7431786e49b1dc922fbb5a910
Pony
f711673ec31f884e59192cc360b841efc1c77b0d0b41787bea5424ae520f9989
Pony
fe966a744b83daaecb2b4b01adc7204e42d3f98955e142e78d7a948709185d27
Pony
+ 242 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210624-e72j2c27bs/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
3f987bb8c8f01c7c6d78d03aef0062b01fffd332860f3f7e9e29710466062dc2
MD5 hash:
4bbc22b28abf463d2e2ef300c7cad6dd
SHA1 hash:
cd56c415be598974425c8dcc5e6d9a8bb090b14f
Link:
https://www.unpac.me/results/74b4409d-5a23-4b4d-8d34-643b30399a48/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3f987bb8c8f01c7c6d78d03aef0062b01fffd332860f3f7e9e29710466062dc2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168175/

Comments