MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68d2d73272b19025d18d9e68a5da99816381a77a12228acdeadf074e68a119a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 5

SHA256 hash: 68d2d73272b19025d18d9e68a5da99816381a77a12228acdeadf074e68a119a6
SHA3-384 hash: ac49b2b994673fb983bf660abdf1d3df75752f46b53146c162b437a80f41f9e5a474cf5a5b7714625a0e609ef8cc4d84
SHA1 hash: 7112c87b4b67a457c42d0c17c9c213d7d434942a
MD5 hash: a9177f65efbeb6f0de615046fa59ed57
humanhash: cold-sodium-fix-artist
File name: PI_INV9376454875485744.PDF.exe
Signature: Pony
File size: 290'304 bytes
First seen: 2020-06-03 08:55:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 6144:BzjY+oOnCdJPIpiDGgww+hmipKzzIHMC/t9NcEEk/t9NcE:FY+BnjAD33+hm+KzzGyoy
Threatray: 203 similar samples on MalwareBazaar
TLSH: 4354BE7FC4BE4E48CCC3E9F3AE6330CA48BF915A631A4EA3508D165D8B7A54D9481277
Reporter: abuse_ch
Tags: exe Pony


abuse_ch
Malspam distributing Pony:

HELO: hawier.com
Sending IP: 78.129.252.18
From: Lisa <bag@hawier.com>
Subject: 2 Orders Invoice Here In Our Alternative Email Attachment
Attachment: PI_INV9376454875485744.PDF.ARJ (contains "PI_INV9376454875485744.PDF.exe")

Pony C2:
http://94.102.54.77/store/gate.php
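
The delivery chain abuse_ch describes above can be turned into a mail-triage check. The following is an added example, not code from MalwareBazaar or abuse.ch: it encodes the comment's indicators (sending IP, HELO domain, the ARJ attachment carrying a double-extension .PDF.exe, the Pony gate URL) and the entry's SHA256, runs them over a constructed mail record, and computes the hash set MalwareBazaar lists so a downloaded sample can be verified against the entry. The MailRecord shape, the function names, and the extension sets beyond .arj/.pdf/.exe are assumptions of the example, not anything the entry states.

```python
"""Triage helper built from the indicators posted on this MalwareBazaar entry.

Added example, not MalwareBazaar or abuse.ch code. The mail record below is
constructed to resemble the described malspam; the extension sets are an
assumption (only .arj, .pdf and .exe appear in the entry).
"""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators copied from the abuse_ch comment and the hash table on this entry.
SENDING_IP = "78.129.252.18"
HELO_DOMAIN = "hawier.com"
C2_URL = "http://94.102.54.77/store/gate.php"
SAMPLE_SHA256 = "68d2d73272b19025d18d9e68a5da99816381a77a12228acdeadf074e68a119a6"

# Assumed extension sets (hypothetical; extend to taste).
ARCHIVE_EXTS = {".arj", ".zip", ".rar", ".7z"}
DECOY_EXTS = {".pdf", ".doc", ".xls"}
EXEC_EXTS = {".exe", ".scr", ".com"}


@dataclass
class MailRecord:
    """Minimal view of an inbound mail: SMTP envelope plus attachment listing.

    attachments maps an attachment file name to the names of the files inside
    it (empty list for a non-archive attachment)."""
    helo: str
    sending_ip: str
    mail_from: str
    subject: str
    attachments: dict


def last_two_exts(name):
    """Return (second-to-last, last) extension of name, lower-cased; '' if absent."""
    parts = name.lower().split(".")
    last = "." + parts[-1] if len(parts) >= 2 else ""
    prev = "." + parts[-2] if len(parts) >= 3 else ""
    return prev, last


def is_disguised_executable(name):
    """True for names like X.PDF.exe: a decoy document extension in front of an executable one."""
    prev, last = last_two_exts(name)
    return last in EXEC_EXTS and prev in DECOY_EXTS


def triage_mail(msg):
    """Return the list of reasons this mail matches the entry's indicators."""
    hits = []
    if msg.sending_ip == SENDING_IP:
        hits.append("sending IP %s matches" % msg.sending_ip)
    if msg.helo.lower() == HELO_DOMAIN:
        hits.append("HELO %s matches" % msg.helo)
    if msg.mail_from.lower().endswith("@" + HELO_DOMAIN):
        hits.append("sender domain %s matches" % HELO_DOMAIN)
    for att, inner in msg.attachments.items():
        _, ext = last_two_exts(att)
        if ext in ARCHIVE_EXTS:
            # The comment's case: an ARJ archive wrapping the double-extension exe.
            for inner_name in inner:
                if is_disguised_executable(inner_name):
                    hits.append("archive %s contains disguised executable %s" % (att, inner_name))
        elif is_disguised_executable(att):
            hits.append("attachment %s is a disguised executable" % att)
    return hits


def matches_pony_c2(url):
    """True when url targets the gate from the comment (same host and same path)."""
    want, got = urlparse(C2_URL), urlparse(url)
    return got.hostname == want.hostname and got.path == want.path


def file_hashes(data):
    """Digests in the forms MalwareBazaar lists, to verify a downloaded sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def is_this_sample(data):
    """True only if data is the exact file this entry describes."""
    return file_hashes(data)["sha256"] == SAMPLE_SHA256


# Constructed record mirroring the malspam described in the comment.
EXAMPLE_MAIL = MailRecord(
    helo="hawier.com",
    sending_ip="78.129.252.18",
    mail_from="bag@hawier.com",
    subject="2 Orders Invoice Here In Our Alternative Email Attachment",
    attachments={"PI_INV9376454875485744.PDF.ARJ": ["PI_INV9376454875485744.PDF.exe"]},
)

if __name__ == "__main__":
    for reason in triage_mail(EXAMPLE_MAIL):
        print("HIT:", reason)
    print("C2 match:", matches_pony_c2("http://94.102.54.77/store/gate.php"))
```

The infrastructure indicators (IP, HELO, C2 URL) are exact matches and will go stale; the double-extension-inside-an-archive pattern is the part worth keeping as a durable rule, which is why it is separated into its own function.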

Intelligence


File Origin
# of uploads: 1
# of downloads: 123
Origin country: n/a
Vendor Threat Intelligence

Threat name: Win32.Trojan.Fareit
Status: Malicious
First seen: 2020-06-03 16:19:05 UTC
AV detection: 25 of 48 (52.08%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:pony rat spyware stealer
Behaviour:
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers

Pony, Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Pony
    Executable exe 68d2d73272b19025d18d9e68a5da99816381a77a12228acdeadf074e68a119a6 (this sample)

Delivery method: Distributed via e-mail attachment

Comments