MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6850cd1eeac54b14140e6231564313378df24c308c4d92641370aaa1b065b3fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6850cd1eeac54b14140e6231564313378df24c308c4d92641370aaa1b065b3fd
SHA3-384 hash: b7ae1f6e3fe6ae55ad48cd3cb1e8b992b3eacba4d72732b12ea78229702f0a3746459f0639b2061a468ba95596d11c63
SHA1 hash: 5d9be0d0d4ed3a0218fd1ce798b0a481d3071a3b
MD5 hash: e5c256225260164779c75864d76ce8ee
humanhash: nine-leopard-don-whiskey
File name:E5C256225260164779C75864D76CE8EE.exe
Download: download sample
Signature Pony
Create hunting rule
File size:1'613'824 bytes
First seen:2021-03-27 21:15:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:ckCcD9mvI+m1XZ5Vf6o4za2eiUkZcZ530DJvadJukvIi0p/w7SFejQ:N5GmP596Pza2jcZ52af5SkSR
Threatray 479 similar samples on MalwareBazaar
TLSH EE75D012B3DDC364CBB29173BD2A77056FBB78615531BE5BAF880C39AD10171221E6A3
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://mitrateknik.co.id/rooftop/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://mitrateknik.co.id/rooftop/gate.php https://threatfox.abuse.ch/ioc/5608/

Intelligence

File Origin
# of uploads :
1
# of downloads :
577
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
E5C256225260164779C75864D76CE8EE.exe
Verdict:
Malicious activity
Analysis date:
2021-03-27 21:18:17 UTC
Tags:
trojan pony fareit autoit stealer
Link:
https://app.any.run/tasks/27ff49bc-6401-4944-b3fe-db4ad82ecc92

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127295/
Detection(s):
Win.Dropper.Autoit-6688753-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Deleting a recently created file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Launching a process
Reading critical registry keys
DNS request
Connection attempt
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7140f3f0-a291-4ebe-a0c6-6b821996e184
Result
Threat name:
Fareit Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/655964
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Fareit stealer
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6850cd1eeac54b14140e6231564313378df24c308c4d92641370aaa1b065b3fd/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2021-03-23 16:43:00 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nbim2hxkyvfrifaomiyvmqytg6g7etbqrrgzezatocvkdmdfwp6q._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
005aaa381c59d33ccd4fb5977d8feffb5cd8bd4ebe9adaaf8d8835f6d80f3779
Pony
2335eadece5eb55aabe38bce2894f0c88f7305140613f3b6cfd92877d4fac7a4
Pony
366acc456557b3cdde45aab1a390af9fbfedaeb1b5c6ffee5d88cb845bb41ede
Pony
4a9ce779e44c3f68bbf02edcfbe5a072b980e6b61ce466506e1492f3139ae06e
Pony
b3feec059ff8a39d9ff93a950a3e1e1da7b464097db715a3e47e4284f3f21191
Pony
b7e84af79c21fe219a0c4f0e8b0588d3970306c43e4e14df93a8ab5cbe2734e8
Pony
c3d21bb1ea24e0ce6baf55c4a61e4f37157d0c9c5ba1e687594d506760cce70e
Pony
c59af2ee272506bca1bc74970cb777553b1923aaf2f210e411f6933a41ef0d35
Pony
e27dba7ca57f716250070e14a6fc137a5df01af26ea53a2138764d1e9190f45e
Pony
e400fef46e21fbd7191240230a5fab9326de9baf0fbebfef8883e5c2662862a1
Pony
+ 469 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony rat spyware stealer
Link:
https://tria.ge/reports/210327-f48mk5fxh6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Executes dropped EXE
Pony,Fareit
Unpacked files
SH256 hash:
90b8514e75345254f258e51a5e226a4a3aa4ae65aafcbeed772a8951c0028702
MD5 hash:
efd4338b1b16d1146067992c9e41b603
SHA1 hash:
198957898ab695a34620190a6ef869e63ac8eb50
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/a874079c-e1e8-44d2-9989-18dfcd13a806/
SH256 hash:
6850cd1eeac54b14140e6231564313378df24c308c4d92641370aaa1b065b3fd
MD5 hash:
e5c256225260164779c75864d76ce8ee
SHA1 hash:
5d9be0d0d4ed3a0218fd1ce798b0a481d3071a3b
Link:
https://www.unpac.me/results/a874079c-e1e8-44d2-9989-18dfcd13a806/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Strictor
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/6850cd1eeac54b14140e6231564313378df24c308c4d92641370aaa1b065b3fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127295/

Comments