MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 504b55a6e93fcfac9ac20bfc51c2c116e5ed3bd9c6a6cb36efcd6161d3ec1e2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 504b55a6e93fcfac9ac20bfc51c2c116e5ed3bd9c6a6cb36efcd6161d3ec1e2f
SHA3-384 hash: eac24ccaa9a97327f35f92c0961344a28ea37246b1510772a61c111b428de97ed862f26a483777f154467128a5f77cea
SHA1 hash: 0212aee8b15b9b0060ee0e5fd738e25b76950268
MD5 hash: 51437bb88a6cd60bd970e35ed88160df
humanhash: high-venus-lemon-connecticut
File name:NEW PURCHASE ORDER REF#00127.exe
Download: download sample
Signature Pony
Create hunting rule
File size:765'952 bytes
First seen:2021-04-15 19:30:07 UTC
Last seen:2021-04-15 20:52:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:fXWV/Kg2o0gpZoez5AuKHY9GnLv1BuRH6pZA7W7oU17aOk18DPfI4k95DfcaVkbS:fXaKg2JaZNaYa2uosoaZk+hkMa
Threatray 841 similar samples on MalwareBazaar
TLSH 11F48C983614B6DFC85BCE32C9A45C74AA616167D30BC607A01F11EC9E4DA97FF281F2
Reporter abuse_ch
Tags:exe Pony

Intelligence

File Origin
# of uploads :
2
# of downloads :
507
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW PURCHASE ORDER REF#00127.exe
Verdict:
Malicious activity
Analysis date:
2021-04-15 19:41:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/69c9a961-b097-481b-8aa1-e99e977e1998

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/135423/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.658.18288.4055.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
DNS request
Running batch commands
Stealing user critical data
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/678272
Signature
.NET source code contains potential unpacker
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/504b55a6e93fcfac9ac20bfc51c2c116e5ed3bd9c6a6cb36efcd6161d3ec1e2f/
Threat name:
Win32.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-04-15 19:30:16 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kbfvljxjh7h2zgwcbp6fdqwbc3s62o6zy2tmwnxpzvqwdu7mdyxq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab
Pony
4d9ba9f2d2a2085cbdafebb0dc4b73058f45c4b86631d8fc11240e132a1e1d0d
Pony
4fa025c960fee9b41e855d025dcbb7e296c157dd30f42b924637f763e4a3c0ce
Pony
52bf411492eb6eb526cb654ab455b75fe57d2631af02c5865b61de70364e4935
Pony
841e400462718d0c71b30ac5c90768c409485806146ee50bfc2f866913ffcf49
Pony
88c63762f85d92709ec567c3a3de9363589c4dd8777e469e5722851c5d3ed5a3
Pony
b24205394b92b61e4058e30a94528aa34cf37b3d930c3197d91f33f8fd173cf4
Pony
b2d579828599ae4e265f77899466dc005e7685b50dcbf6817388ea22d404ab2c
Pony
d01f1ad8b4e08a70621ab7d9907d551bc238a990737e45060252998c059bb0fa
Pony
e0b69e64b7d1190b19dc67c8d87be4b1ec0356e18d1639dfbd8f361f6090791b
Pony
+ 831 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer
Link:
https://tria.ge/reports/210415-c5n5l6nw46/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Unpacked files
SH256 hash:
5aceed31b97329b68bfaf530c87438e2ea7675e40dd09712bc551da1ae7b869b
MD5 hash:
f3f3e53261222cb1c477cd0b6e83efde
SHA1 hash:
7f7309265ab910ff91e0120abc56ed084d2d710c
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/0891894b-9b1f-45ae-bba1-26e632d3b5cf/
Parent samples :
504b55a6e93fcfac9ac20bfc51c2c116e5ed3bd9c6a6cb36efcd6161d3ec1e2f
a87c76402548fdef67c57b5c17c18b9650f31afb1f5b57e1b8addea30b976ba5
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/0891894b-9b1f-45ae-bba1-26e632d3b5cf/
SH256 hash:
9a97efcd95755742acbb48a680e003a2ff50cfee7ddb9aa04a6923852d57512f
MD5 hash:
8e95bfe9cc4e81ed7b6563c9948ff372
SHA1 hash:
10304dba68c0aa4dd9d806d4424ed38ae460e94a
Link:
https://www.unpac.me/results/0891894b-9b1f-45ae-bba1-26e632d3b5cf/
SH256 hash:
504b55a6e93fcfac9ac20bfc51c2c116e5ed3bd9c6a6cb36efcd6161d3ec1e2f
MD5 hash:
51437bb88a6cd60bd970e35ed88160df
SHA1 hash:
0212aee8b15b9b0060ee0e5fd738e25b76950268
Link:
https://www.unpac.me/results/0891894b-9b1f-45ae-bba1-26e632d3b5cf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/504b55a6e93fcfac9ac20bfc51c2c116e5ed3bd9c6a6cb36efcd6161d3ec1e2f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/135423/

Comments