MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 412b43d2864160b52b41e98ef26b36898cb8db8cedfc0fa0743f69650d9e82d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	412b43d2864160b52b41e98ef26b36898cb8db8cedfc0fa0743f69650d9e82d4
SHA3-384 hash:	6b20dfcea06efba23a2855f5cb0bfb4267d09833b1d192a6d87467dbbd350180d03d83af2aba8a34c9a481f8121aa8fe
SHA1 hash:	f138ad065f6c9abb958dfd51ad49b6d257c7374f
MD5 hash:	019dca54574bf78871054ffd3be6bfd8
humanhash:	utah-comet-texas-mango
File name:	412b43d2864160b52b41e98ef26b36898cb8db8cedfc0fa0743f69650d9e82d4
Download:	download sample
Signature	Pony Create hunting rule
File size:	143'360 bytes
First seen:	2020-11-14 18:07:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	47092391c2cd3e100e05d3a1b20cac3f (3 x Pony)
ssdeep	3072:sSm2UfoReqI4fmTyRYQvUtRahliFlbLfW/0rA/DTZdUxyE2HYDZh:sd2UwMQUnX/nE0rQThE2H
TLSH	B1E31266CD5B64F3CB95D7379E24D4F4968BEC846320EEBB12847B2B5231960E323463
Reporter	seifreed
Tags:	Pony

Intelligence

File Origin

# of uploads :

# of downloads :

443

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Fareit-6881542-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Lokibot Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/535862

Signature

Antivirus / Scanner detection for submitted sample

Detected Lokibot Info Stealer

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Generic Dropper

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/412b43d2864160b52b41e98ef26b36898cb8db8cedfc0fa0743f69650d9e82d4/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-11-14 18:10:16 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ievuhuugifqlkk2b5ghpe2zwrgglrw4m5x6a7iduh5uwkdm6qlka._file

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/201114-dx865f3sw2/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

412b43d2864160b52b41e98ef26b36898cb8db8cedfc0fa0743f69650d9e82d4

MD5 hash:

019dca54574bf78871054ffd3be6bfd8

SHA1 hash:

f138ad065f6c9abb958dfd51ad49b6d257c7374f

Link:

https://www.unpac.me/results/8bca831f-a1d8-44d1-8d98-a5937c679b04/

SH256 hash:

cd6544b991ffe2ac5771dee07d402ac00a382ede1365f9810f5be176637f9c82

MD5 hash:

2047a36ac092ffc64a0322f4b6fa37ab

SHA1 hash:

bb2665d9e51af378cd632ddf4148498b53ddba62

Detections:

win_pony_g0

win_pony_auto

Link:

https://www.unpac.me/results/8bca831f-a1d8-44d1-8d98-a5937c679b04/

Parent samples :

92dd50589b21721bb8b73217b21be6a6c51f6fca5cb19ebea9a0913cfaa7baa8
412b43d2864160b52b41e98ef26b36898cb8db8cedfc0fa0743f69650d9e82d4

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tofsee

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/412b43d2864160b52b41e98ef26b36898cb8db8cedfc0fa0743f69650d9e82d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample