MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fbb201bac972c243d392f1191e76e16d56e01c5ebcea6e826ecc7236e50d37b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fbb201bac972c243d392f1191e76e16d56e01c5ebcea6e826ecc7236e50d37b
SHA3-384 hash: b999f444a258f5473de672b1e14b95dfedaf4781f5c08b401b1f78d32a7fc04fd9e5ed54ecf97ee569081aac7a2c5d47
SHA1 hash: a6435df5e83ee3a5275573bacf3bf904527b078f
MD5 hash: 781709456e8a8f881b013e0fc185f9db
humanhash: yankee-don-berlin-red
File name:781709456E8A8F881B013E0FC185F9DB.exe
Download: download sample
Signature Pony
Create hunting rule
File size:1'703'936 bytes
First seen:2021-07-20 22:01:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4e0949dfb15fa89be19c9b90d78b6864 (3 x Pony)
ssdeep 12288:C4TZJHtqPRx+9Bvw6VjWVmzafcWf/rKpHGAcKEZUiX:CmJHjDpiNnGpHGFPZUi
Threatray 292 similar samples on MalwareBazaar
TLSH T18475C01317E3BA3FF25A167B0CE801A871467B727EA3CE43B925A8F7815644D335468B
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://lokipanelhosting.cf/ax/pony/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://lokipanelhosting.cf/ax/pony/gate.php https://threatfox.abuse.ch/ioc/161788/

Intelligence

File Origin
# of uploads :
1
# of downloads :
606
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
781709456E8A8F881B013E0FC185F9DB.exe
Verdict:
No threats detected
Analysis date:
2021-07-20 22:03:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b0b7b593-7132-4648-86d6-003910f21b0c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172897/
Detection(s):
Win.Downloader.LokiBot-9165134-0
Create hunting rule

Win.Trojan.Ponystealer-9843674-0
Create hunting rule

Win.Dropper.Formbook-9875973-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Gorgon Group
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27353d7a-0bbd-438c-b397-2bc9144e3383
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/819234
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with a suspicious file extension
Found C&C like URL pattern
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Generic Dropper
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 451645 Sample: lUMslCpXjb.exe Startdate: 21/07/2021 Architecture: WINDOWS Score: 100 37 lokipanelhosting.cf 2->37 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 11 other signatures 2->49 9 lUMslCpXjb.exe 3 4 2->9         started        13 wscript.exe 1 2->13         started        15 wscript.exe 1 2->15         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\...\filename.scr, PE32 9->33 dropped 35 C:\Users\user\AppData\Local\...\filename.vbs, ASCII 9->35 dropped 59 Drops PE files with a suspicious file extension 9->59 17 wscript.exe 1 1 9->17         started        20 filename.scr 13->20         started        22 filename.scr 15->22         started        signatures6 process7 signatures8 41 Creates autostart registry keys with suspicious values (likely registry only malware) 17->41 24 filename.scr 17->24         started        27 filename.scr 20->27         started        process9 signatures10 51 Antivirus detection for dropped file 24->51 53 Multi AV Scanner detection for dropped file 24->53 55 Detected unpacking (changes PE section rights) 24->55 57 3 other signatures 24->57 29 filename.scr 1 12 24->29         started        process11 dnsIp12 39 lokipanelhosting.cf 195.20.55.155, 49746, 49748, 80 VFMNL-ASAmsterdamLocationBGPSetupNL Netherlands 29->39 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 29->61 63 Tries to harvest and steal ftp login credentials 29->63 65 Tries to harvest and steal browser information (history, passwords, etc) 29->65 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fbb201bac972c243d392f1191e76e16d56e01c5ebcea6e826ecc7236e50d37b/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 23:18:00 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j65sag5ms4wcipjzf4izdz3oc3kw4aof5phkn2bg5tdsg3sq2n5q._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
15009bbe320d77a38e4341a5e160baec142a96f86c730a33dae9a1487399c78c
Pony
5dbfd22543849bd392e080c351227f31137993f23ee7ac5a3184322e43d73745
Pony
607976ecb6ae8202d98ff52def53ce73ece753a830bf55d9c638c10bbe06574c
Pony
757031344cc71050e625abd7d6e413e07c506d539f834835413ca1b656898b34
Pony
88c63762f85d92709ec567c3a3de9363589c4dd8777e469e5722851c5d3ed5a3
Pony
9e7bc04d9b7a15b73175902e3c8cd0f245353bb88dfe0a68d122616255aed42f
Pony
c03e3bce572790d7ccf28cba0491718fa7631a931025af868a81762df983c1ed
Pony
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
Pony
d3fc1e644cd5bf4cd9890d0a6ae300dc96fd8c72fc6455a329437cc69e4cf0a1
Pony
e06424448f76d743640e518b0fec78a025fee0856f6afa507e077e5dcc118e3c
Pony
+ 282 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210720-lj4w7gwd7j/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
4fbb201bac972c243d392f1191e76e16d56e01c5ebcea6e826ecc7236e50d37b
MD5 hash:
781709456e8a8f881b013e0fc185f9db
SHA1 hash:
a6435df5e83ee3a5275573bacf3bf904527b078f
Link:
https://www.unpac.me/results/3eb8036e-79be-4798-9fd2-27dc3e406d53/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/4fbb201bac972c243d392f1191e76e16d56e01c5ebcea6e826ecc7236e50d37b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172897/

Comments