MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c8be129bca653133554930e5ff2f231de7029948d064d78c01e5aebcd8b14da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	7c8be129bca653133554930e5ff2f231de7029948d064d78c01e5aebcd8b14da
SHA3-384 hash:	c905276da82a5544b973a606460267f1232cfb41b58a8e7ffccfc5e38adfe9609ee942442725c9e85369cf3ce1aee8a5
SHA1 hash:	1c93f25e9447e0147245d390c9c16c1c2c9d73b8
MD5 hash:	f92aa4ab0f1b9a68ae6b3d6a1f9857ea
humanhash:	ink-montana-pasta-uniform
File name:	7c8be129bca653133554930e5ff2f231de7029948d064d78c01e5aebcd8b14da
Download:	download sample
Signature	Pony Create hunting rule
File size:	204'800 bytes
First seen:	2020-11-10 11:31:24 UTC
Last seen:	2024-07-24 16:37:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4d362ad01807ba6008d79ab2c7cad0ed (9 x Pony)
ssdeep	3072:0shAo4qKg56qCIMVPmTEJBw3DCGULUnSKAygj4qKgXYhc:0shAEKkLCIMV7JWCZUxN4KYYhc
TLSH	8314F11A7B09D5A4E4891E3848079AF97D23FCD14A904F5B711EFB2E3C703837953699
Reporter	seifreed
Tags:	Pony

Intelligence

File Origin

# of uploads :

# of downloads :

381

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Bifrost-7643040-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Reading critical registry keys

DNS request

Connection attempt

Sending an HTTP POST request

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Brute forcing passwords of local accounts

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/529147

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Generic Dropper

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7c8be129bca653133554930e5ff2f231de7029948d064d78c01e5aebcd8b14da/

Threat name:

Win32.Infostealer.PonyStealer

Status:

Malicious

First seen:

2020-11-11 00:05:33 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=psf6ckn4uzjrgnkusmhf74xsghphakmurude26gadznoxtmlctna._file

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201110-6s7rhevldj/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

7c8be129bca653133554930e5ff2f231de7029948d064d78c01e5aebcd8b14da

MD5 hash:

f92aa4ab0f1b9a68ae6b3d6a1f9857ea

SHA1 hash:

1c93f25e9447e0147245d390c9c16c1c2c9d73b8

Link:

https://www.unpac.me/results/6b30ade7-ac0e-435d-8453-b1d79af27343/

SH256 hash:

ff93c4e85baa9804536d0fbb1037183ae7c50486c87618906d146f5c081d5492

MD5 hash:

51e85bfcef4c4e2ae3e1944335b640d5

SHA1 hash:

cb35bf1e680146010c2bfc8ecbf93ab2f2d9c648

Link:

https://www.unpac.me/results/6b30ade7-ac0e-435d-8453-b1d79af27343/

SH256 hash:

9f133a231775d96f86bff8947a20b6c0c7f761327e4c20be826ac04e1c8fae2e

MD5 hash:

4335c40af32d58d826f1e30c183aeee9

SHA1 hash:

37186f316db5587c752a539973c89189cf167bbd

Detections:

win_pony_g0

win_pony_auto

Link:

https://www.unpac.me/results/6b30ade7-ac0e-435d-8453-b1d79af27343/

Parent samples :

98777aa1daa9a8099960c2572e7311e047c1a74c8106c4830142b8d269582989
7c8be129bca653133554930e5ff2f231de7029948d064d78c01e5aebcd8b14da
03b85c4d58c9c90abb09b3f96d4f22b554d90d5b3f12b84e6739515784cb7dc1
52bf411492eb6eb526cb654ab455b75fe57d2631af02c5865b61de70364e4935
ea7bedd31d81123db139ff9f294672fec878aad74c3abf3500c8c1694d9f5feb
e0b69e64b7d1190b19dc67c8d87be4b1ec0356e18d1639dfbd8f361f6090791b

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample