MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82d310e5014a5e7ff2f70ff4c015ae1560963ef6cde9a802228d13f3ab52ede6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	82d310e5014a5e7ff2f70ff4c015ae1560963ef6cde9a802228d13f3ab52ede6
SHA3-384 hash:	ac189b5da32a4807a7ad5e77379d1289e0488a962f5fdea1de67764353068829fff9c23c5e4ebfb995b3fa7966825336
SHA1 hash:	a079c5e7c805d87eecd6ea236a5d669bdc3d6689
MD5 hash:	ef1ae2b6658f2c642777b0be715ac390
humanhash:	solar-mockingbird-pizza-rugby
File name:	Shipment Document BL,INV and Packing List Attached.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	239'104 bytes
First seen:	2020-06-24 05:27:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:DSzG8U8phdhPUeMfwKufxmFKhUfr1RgnmDYfD2REMRXZvmnsi9GetgPsiybODEav:DcDU8rNMfwpxmFKguc4wjpB2HZy
Threatray	229 similar samples on MalwareBazaar
TLSH	8834BE0B37ACBA27C13C0AF588C16B4423B65AAA7292F6DD6CC476D464E77E109317C7
Reporter	abuse_ch
Tags:	DHL Downloader.Pony exe Pony

abuse_ch

Malspam distributing Downloader.Pony:

HELO: dhl.com
Sending IP: 37.49.224.204
From: DHL Express <noreply@dhl.com>
Subject: Shipment Document BL,INV and Packing List Attached
Attachment: Shipment Document BL,INV and Packing List Attached.exe

Pony C2:
http://linuxdeals.ru/site/eng/gate.php

Intelligence

File Origin

# of uploads :

# of downloads :

355

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Fareit

Link:

https://www.capesandbox.com/analysis/13385/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Detection:

pony

Link:

https://mwdb.cert.pl/sample/82d310e5014a5e7ff2f70ff4c015ae1560963ef6cde9a802228d13f3ab52ede6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-24 05:29:04 UTC

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qljrbzibjjph74xxb72mafnocvqjmpxwzxu2qarcruj7hk2s5xta._file

Result

Malware family:

pony

Score:

10/10

Tags:

discovery rat spyware stealer family:pony

Link:

https://tria.ge/reports/200624-54r2hwjd9a/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Checks for installed software on the system

Reads data files stored by FTP clients

Deletes itself

Reads user/profile data of web browsers

Pony,Fareit

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

exe 82d310e5014a5e7ff2f70ff4c015ae1560963ef6cde9a802228d13f3ab52ede6

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/13385/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample