MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b75fbd9dfbac78202ef539539ffa34bf1c457a791b1117576da6c418fe054a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 3 File information Comments

SHA256 hash:	7b75fbd9dfbac78202ef539539ffa34bf1c457a791b1117576da6c418fe054a1
SHA3-384 hash:	bf9c4f9b64351221d6bbb933446d33f4abbc43c0aa7031d2df5de39d07beca1e272e9daa74ba497b2146ec6894ddc371
SHA1 hash:	294d5a1d23b3b06f70b5dc9d5dbe53312efd9977
MD5 hash:	d9ecc50713fc85a36de062d0994c978b
humanhash:	aspen-angel-maine-bulldog
File name:	7B75FBD9DFBAC78202EF539539FFA34BF1C457A791B11.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	189'944 bytes
First seen:	2022-02-27 08:10:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1857747c043cb479846bd5be2b04d87f (1 x Pony)
ssdeep	3072:O07il5QXF4HG2GlD8xL6Ht/YgnY1QscjZGtCtwPuu:O0E82YD8At/YyY7YtwP7
Threatray	5'866 similar samples on MalwareBazaar
TLSH	T1B204D0E97A645137E27E8AB2C12D50EDF451796F3B02CE5FA3CA4F0D04A2AC2B4B111D
File icon (PE):
dhash icon	c1d9dcdcb6b8cece (2 x Pony)
Reporter	abuse_ch
Tags:	exe Pony signed

Code Signing Certificate

Organisation:	99818423945557345441449878765547442456928866767918827368261976484851898342761913594992196975363836497319382637632569255628795451453624967647616715124687429
Issuer:	99818423945557345441449878765547442456928866767918827368261976484851898342761913594992196975363836497319382637632569255628795451453624967647616715124687429
Algorithm:	sha1WithRSA
Valid from:	2013-01-23T18:13:02Z
Valid to:	2039-12-31T23:59:59Z
Serial number:	513182281b0733b84a75e4e4b9cb7ef6
Thumbprint Algorithm:	SHA256
Thumbprint:	ca9ee2d05cea944f5d9f9d2766f162468a47f082aff478e9913a210dac9dd6b7
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

Pony C2:
http://66.228.61.192/ponyz/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://66.228.61.192/ponyz/gate.php	https://threatfox.abuse.ch/ioc/391113/

Intelligence

File Origin

# of uploads :

# of downloads :

1'529

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Fareit

Link:

https://www.capesandbox.com/analysis/245039/

Detection(s):

SecuriteInfo.com.Win32.Karagany.18794.31464.22150.UNOFFICIAL

Win.Dropper.Fareit-9902448-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Reading critical registry keys

DNS request

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/7502/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit hlux karagany overlay pony rogue zbot

Link:

https://www.filescan.io/uploads/621b3218dfdfa8501c649c02/reports/e0a9aba9-0fb7-41af-afe3-035c34ba3339/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Pony

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c588830c-6b2c-450e-9c02-c81317fd59a6

Result

Threat name:

Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/946879

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found C&C like URL pattern

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7b75fbd9dfbac78202ef539539ffa34bf1c457a791b1117576da6c418fe054a1/

Threat name:

Win32.Trojan.Zeus

Status:

Malicious

First seen:

2013-02-12 12:27:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

40 of 43 (93.02%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pn27xwo7xldyeaxpkoktt75djpy4iv5hsgyrc5lw3jwedd7aksqq._file

Verdict:

malicious

Label(s):

pony

Pony

1806d28090fbacfecd7f998105128105b92830e971b79948697a3f0210ee30bc

Pony

2e3628b613ef186e1d6723613336045bf60b7ec1aea2b01a2ae2267068b89d63

Pony

500454df4886817c66d4430d00ca28fe3bc0509f1fdd5e0863a151e50c591109

Pony

8feae03951203fbfdf623c8dfadad2cdc10560bc11e28c1fc134492a764833a6

Pony

a925c633c9df9cc480f6093e1925807e01e98529dbbeb6cdccd2492083a4501b

Pony

+ 5'856 additional samples on MalwareBazaar

Result

Malware family:

pony

Score:

10/10

Tags:

family:pony collection discovery rat spyware stealer suricata

Link:

https://tria.ge/reports/220227-j29znadccm/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

outlook_win_path

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks installed software on the system

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Pony,Fareit

suricata: ET MALWARE Fareit/Pony Downloader Checkin 2

suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

Malware Config

C2 Extraction:

http://13.LOMERDASTER.NET/ponyz/gate.php
http://13.ZABAKARVESTER.NET/ponyz/gate.php
http://66.228.61.192/ponyz/gate.php

Unpacked files

SH256 hash:

31c974dfee07ddd273ec933b15f852d7eab2117d4b779a32d3094264baaa1f72

MD5 hash:

941ec1dcd9cebab1685c61ef1f535eb3

SHA1 hash:

e0c52db3e8682e03ae7411a681e6f2f0d0230e12

Detections:

win_pony_g0

win_pony_auto

Link:

https://www.unpac.me/results/5d5fbcd5-4db4-4d6c-a3e2-a8d2f0f1416a/

SH256 hash:

7b75fbd9dfbac78202ef539539ffa34bf1c457a791b1117576da6c418fe054a1

MD5 hash:

d9ecc50713fc85a36de062d0994c978b

SHA1 hash:

294d5a1d23b3b06f70b5dc9d5dbe53312efd9977

Link:

https://www.unpac.me/results/5d5fbcd5-4db4-4d6c-a3e2-a8d2f0f1416a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/7b75fbd9dfbac78202ef539539ffa34bf1c457a791b1117576da6c418fe054a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Fareit Create hunting rule
Author:	kevoreilly
Description:	Fareit Payload

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	win_pony_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.pony.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/245039/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample