MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b7245d707b747e2b341a8b1b990ffa477ef156a435ccad9aaf5b90ffa8505d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b7245d707b747e2b341a8b1b990ffa477ef156a435ccad9aaf5b90ffa8505d7
SHA3-384 hash: 0932296073f39219aa302a702be242338756c69f151650500979dcf1ddc0fa212105d5628efb7595dd7a42ff19980ff7
SHA1 hash: 22c1e09d27b9e49cc3dfaa75c131ac7c84989812
MD5 hash: aba35a8a61812fa4d0a9a2ff6baee993
humanhash: missouri-network-venus-fillet
File name:aba35a8a61812fa4d0a9a2ff6baee993.exe
Download: download sample
Signature Pony
Create hunting rule
File size:963'824 bytes
First seen:2021-10-17 07:10:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d5848f78ca5ff36b407f5db856f760d4 (1 x Pony)
ssdeep 24576:b7wVfi40WlzdjSWnRikD7J5YreJ5y7KWS1MzDCy4JNkX:fGfb/gJKWSaiy4JE
Threatray 1'020 similar samples on MalwareBazaar
TLSH T19825E0733AC1C176E16215B15F75A722A578FAB049318E03FBD81ECC5BB69C1A239B07
File icon (PE):PE icon
dhash icon f0e8f0696d33b0e8 (1 x Pony)
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://ikonsu.perlamour.com/metrika/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://ikonsu.perlamour.com/metrika/gate.php https://threatfox.abuse.ch/ioc/234888/

Intelligence

File Origin
# of uploads :
1
# of downloads :
792
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aba35a8a61812fa4d0a9a2ff6baee993.exe
Verdict:
Malicious activity
Analysis date:
2021-10-17 07:18:57 UTC
Tags:
autoit trojan pony fareit stealer
Link:
https://app.any.run/tasks/20824ab4-b746-488f-aaf1-90b7c78c8196

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Ursnif3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197939/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Replacing files
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Moving a file to the %temp% directory
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/616bcc909a5a1e91c5c2c867/reports/fa8d8f95-e467-49ed-9105-4e36d1c42d71/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6ca9d524-810a-43c0-8136-984870f6629a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/871723
Signature
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 504151 Sample: r3jrtaIHW8.exe Startdate: 17/10/2021 Architecture: WINDOWS Score: 68 28 Multi AV Scanner detection for submitted file 2->28 30 Sigma detected: Suspect Svchost Activity 2->30 32 Sigma detected: Suspicious Svchost Process 2->32 9 r3jrtaIHW8.exe 8 2->9         started        process3 file4 24 C:\Users\user\AppData\Local\Temp\rbpfkf.exe, PE32 9->24 dropped 12 cmd.exe 1 9->12         started        process5 process6 14 rbpfkf.exe 12->14         started        18 conhost.exe 12->18         started        file7 26 C:\Users\user~1\AppData\...\rbpfkf.exe (copy), PE32 14->26 dropped 34 Writes to foreign memory regions 14->34 36 Sample uses process hollowing technique 14->36 20 svchost.exe 14->20         started        signatures8 process9 process10 22 WerFault.exe 20->22         started       
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7b7245d707b747e2b341a8b1b990ffa477ef156a435ccad9aaf5b90ffa8505d7/
Threat name:
Win32.Trojan.Nymeria
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 00:53:31 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pnzelvyhw5d6fm2bvcy3teh7ur366flkinomvwnk6w4q76ufaxlq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
148588102731dd9742cd698c882b48c4b49cbfdd868647a83a15a0cbb1f0c8ca
Pony
2919b157d8d2161bf56a17af0efc171d8e2c3c233284cf116e8c968dd9704572
Pony
4faf0330a092329562d8d79c71cb143e22af30b106a24d1ce37721f2af9d6598
Pony
5cc027a4132a6238c1c280b1000aef347ba72337e743b086a0bc69d7b5b76e3c
Pony
6876aa707adeeffbe08d86d26c6cf48b8d77d46c96f8ace28a523b0a846db38f
Pony
7b1f41c2637cb64002e085187d4c5fdecea9153e28207ebab8984473771919f9
Pony
99b13841abbf0c2bf736ab08e0e7f48cd28cab2e69eff60399de65e0eced2e68
Pony
a4d801e88635f298ec71796cafeaf6880547b35be5b8ee18aea59ed85e63ece6
Pony
d64217395d8a43cd86ae4f154bcfcb62755241a26e4bfbdd06f049fbbfa38fca
Pony
e88388bec3164944678627db062b753e76b6f7f710a9fabc43dfe69e7df2f366
Pony
+ 1'010 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony collection rat spyware stealer suricata upx
Link:
https://tria.ge/reports/211017-hzyceadcaj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Executes dropped EXE
UPX packed file
Pony,Fareit
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Malware Config
C2 Extraction:
http://www.give-us-btc.com/metrika/gate.php
http://ikonsu.perlamour.com/metrika/gate.php
http://fygnu.50gege.com/metrika/gate.php
http://irool.vuxoq.com/metrika/gate.php
http://oophanoj.i63t.com/metrika/gate.php
http://eethoz.hordalandvbk.net/metrika/gate.php
Unpacked files
SH256 hash:
0bcc58f6ad43bbd5cc0b2d9143ba91aa69c1eb3558f386dc0733a0417330ba1a
MD5 hash:
57846ac1e97160e190a2ff57724191a9
SHA1 hash:
abad8a96dd5ba5a813e6ce78a9a3dc6a49060411
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/d17e8331-907a-4cc9-a293-cf6ddbe50b1e/
SH256 hash:
16ed9166fb8513439d0d279d459fc49a9c53a39960e82e0a7593fd348ec77903
MD5 hash:
ef1b3ece9efe066b1e132d559a5d03c6
SHA1 hash:
dae77a3b5481ec36e1f846c30b099ca13c9b0eb4
Link:
https://www.unpac.me/results/d17e8331-907a-4cc9-a293-cf6ddbe50b1e/
SH256 hash:
7b7245d707b747e2b341a8b1b990ffa477ef156a435ccad9aaf5b90ffa8505d7
MD5 hash:
aba35a8a61812fa4d0a9a2ff6baee993
SHA1 hash:
22c1e09d27b9e49cc3dfaa75c131ac7c84989812
Link:
https://www.unpac.me/results/d17e8331-907a-4cc9-a293-cf6ddbe50b1e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b7245d707b747e2b341a8b1b990ffa477ef156a435ccad9aaf5b90ffa8505d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:win_pony_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.pony.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/197939/

Comments