MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 948b5d4daa9864aae1297b9481a1bcee316f723af481e983dbff09fcd8a24563. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	948b5d4daa9864aae1297b9481a1bcee316f723af481e983dbff09fcd8a24563
SHA3-384 hash:	df3d4ffec478f98b12279fdacd1673e1fedf74ea4e6880c7e6397323ffc1aeb457d577b6c39f0bb8b52d370c225b640e
SHA1 hash:	f998219a53ca9f5c4b8913ff57e57daf5ba5a36b
MD5 hash:	55e58f6bc0d2771796680fd89bdab05d
humanhash:	whiskey-golf-arkansas-mississippi
File name:	948b5d4daa9864aae1297b9481a1bcee316f723af481e983dbff09fcd8a24563
Download:	download sample
Signature	Pony Create hunting rule
File size:	139'776 bytes
First seen:	2020-11-12 14:13:52 UTC
Last seen:	2024-07-24 19:12:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	be19e18d6a8b41631d40059031a928bb (28 x Pony, 3 x Loki, 3 x NetWire)
ssdeep	3072:MoTv/p/6pTho4yEPhXzpqq/c+tPtdHVWcw:BTn4o4yKzb/ztV
Threatray	138 similar samples on MalwareBazaar
TLSH	0FD3126920CC046CD44ED83158E65EE2F36FADC0882D197B1FE1FF277A76A0A1472935
Reporter	seifreed
Tags:	Pony

Intelligence

File Origin

# of uploads :

# of downloads :

388

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Upx-4

Win.Malware.Fareit-9790210-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% subdirectories

Unauthorized injection to a recently created process

Reading critical registry keys

DNS request

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Enabling autorun by creating a file

Sending an HTTP GET request to an infection source

Brute forcing passwords of local accounts

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/948b5d4daa9864aae1297b9481a1bcee316f723af481e983dbff09fcd8a24563/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-11-12 14:15:48 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ssfv2tnktbskvyjjpokidin45yyw64r26sa6ta6374e7zwfcivrq._file

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201112-bag7gn8g3x/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

948b5d4daa9864aae1297b9481a1bcee316f723af481e983dbff09fcd8a24563

MD5 hash:

55e58f6bc0d2771796680fd89bdab05d

SHA1 hash:

f998219a53ca9f5c4b8913ff57e57daf5ba5a36b

Link:

https://www.unpac.me/results/ab8ed7c4-a67e-413b-bbd5-a943cb2e505e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tofsee

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/948b5d4daa9864aae1297b9481a1bcee316f723af481e983dbff09fcd8a24563

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample