MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97ba4ad5b02bc8812864b06941778432faf60a667c0279c0c7c092b76e91b9cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: 97ba4ad5b02bc8812864b06941778432faf60a667c0279c0c7c092b76e91b9cc
SHA3-384 hash: 4f17f35bfc67347e66e6723633f6c8566144d546f48586d06c6795a5b6621fff5ffa1e9bc21056d78ec0db86faf1f79c
SHA1 hash: 2f635c709a52ccae9c00a74864bad3c1fd18991a
MD5 hash: aa09b35809b0c229b78c7b0fd97ec85a
humanhash: hydrogen-beryllium-oregon-oscar
File name: Zayavka konec proshlogo mesyaca.exe
Signature: Pony
File size: 1,431,056 bytes
First seen: 2020-07-31 11:26:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 154b428147cb8c2ad589b541068db257
ssdeep: 1536:/vGrJGA7RtVhTj55M5ISKMQ4fcNrvJSxJtJsV5SqSY+JfvHUSO+5v:/vKJT7RvhrH4fcNBUtuk7JfvHUSX5v
TLSH: 69659042A2B7CF2DFF12A6379A24B2210E2F2CD142F0795DE4543B25DE7AA341E147E5
Reporter: @abuse_ch
Tags: exe geo Pony RUS


Twitter
@abuse_ch
Malspam distributing Pony:

HELO: 1b.it-net.su
Sending IP: 176.107.248.116
From: Александра Зайцева <n.glazkova@1b.it-net.su>
Reply-To: Александра Зайцева <tarasovaek68@rambler.ru>
Subject: Возврат за этот месяц (Russian: "Refund for this month")
Attachment: Zayavka konec proshlogo mesyaca.001 (contains "Zayavka konec proshlogo mesyaca.exe")

Pony C2:
http://45.61.138.109/p/z05857687.php
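
The message described in the report above, rebuilt as a raw RFC 5322 message and run through the gateway-side checks a defender would apply to it: Reply-To domain differing from the From domain, the HELO name and sending IP of the last hop matched against the reported indicators, attachments named like split-archive segments (.001) or bare executables, and a proxy-log URL matched against the reported C2 host. This is an added example, not MalwareBazaar's or abuse.ch's code. The Received line, recipient, body and attachment bytes are constructed; the attachment policy and the use of Python's standard email package are this example's choices, not anything the report states.

```python
"""Gateway triage of the malspam reported by @abuse_ch on this page.

Added example, not MalwareBazaar's or abuse.ch's code. Sample inputs are
constructed from the report's fields; see the comments for what is assumed.
"""
import re
from email import message_from_string, policy
from email.header import Header
from urllib.parse import urlparse

# Indicators copied from the report on this page.
KNOWN_SENDING_IPS = {"176.107.248.116"}
KNOWN_HELO_NAMES = {"1b.it-net.su"}
KNOWN_C2_HOSTS = {"45.61.138.109"}

# Attachment policy for this example (an assumption, not a MalwareBazaar rule):
# three-digit numeric extensions are multi-volume archive segments that a
# gateway cannot open, so they are flagged on name alone.
SPLIT_ARCHIVE_RE = re.compile(r"\.\d{3}$")
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Postfix-style last hop: "from HELO (rdns [ip])".
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^)]*\[(\d+\.\d+\.\d+\.\d+)\]")


def _encoded_word(text: str) -> str:
    """RFC 2047 encode a non-ASCII header value, as a real MTA would emit it."""
    return Header(text, "utf-8").encode()


_SENDER_NAME = _encoded_word("Александра Зайцева")
_SUBJECT = _encoded_word("Возврат за этот месяц")

# Constructed sample. The Received line, recipient, body and attachment bytes
# are assumptions; HELO, IP, From, Reply-To, Subject and file name are from the report.
SAMPLE_MESSAGE = f"""Received: from 1b.it-net.su (unknown [176.107.248.116])
\tby mx.example.test (Postfix) with ESMTP id 4B7D2C0F
\tfor <accounting@example.test>; Fri, 31 Jul 2020 11:20:12 +0000 (UTC)
From: {_SENDER_NAME} <n.glazkova@1b.it-net.su>
Reply-To: {_SENDER_NAME} <tarasovaek68@rambler.ru>
To: accounting@example.test
Subject: {_SUBJECT}
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

(constructed body)
--b1
Content-Type: application/octet-stream; name="Zayavka konec proshlogo mesyaca.001"
Content-Disposition: attachment; filename="Zayavka konec proshlogo mesyaca.001"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed benign message for contrast: consistent domains, no attachment.
CLEAN_MESSAGE = """Received: from mail.partner.test (mail.partner.test [203.0.113.7])
\tby mx.example.test (Postfix) with ESMTP id 0C1A77E2
\tfor <accounting@example.test>; Fri, 31 Jul 2020 11:25:00 +0000 (UTC)
From: Accounts Payable <ap@partner.test>
To: accounting@example.test
Subject: July statement
Content-Type: text/plain; charset="utf-8"

(constructed body)
"""


def _domain(header) -> str:
    """Lower-cased domain of the first address in an address header, or ''."""
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def parse_last_hop(received):
    """Return (helo_name, ip) from a Postfix-style Received header, or ('', '')."""
    m = RECEIVED_RE.search(received or "")
    return (m.group(1).lower(), m.group(2)) if m else ("", "")


def analyse(raw_message: str):
    """Return a list of (code, detail) findings; an empty list means nothing fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain, reply_domain = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", f"From {from_domain}, replies go to {reply_domain}"))

    # The first Received header is the one our own MX added (the last hop).
    helo, ip = parse_last_hop(msg["Received"])
    if ip in KNOWN_SENDING_IPS:
        findings.append(("known_sending_ip", ip))
    if helo in KNOWN_HELO_NAMES:
        findings.append(("known_helo", helo))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if SPLIT_ARCHIVE_RE.search(name):
            findings.append(("split_archive_attachment", name))
        elif any(name.endswith(ext) for ext in EXEC_EXTS):
            findings.append(("executable_attachment", name))
    return findings


def is_known_c2(url: str) -> bool:
    """True if a proxy-log URL points at a C2 host from the report."""
    return (urlparse(url).hostname or "").lower() in KNOWN_C2_HOSTS


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE_MESSAGE):
        print(f"{code}: {detail}")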

Intelligence

File Origin
# of uploads: 1
# of downloads: 34
Origin country: FR

Mail intelligence
Geo location: Global
Volume: Low

Vendor Threat Intelligence

Result
Threat name: Fareit Pony
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Uses ping.exe to check the status of other devices and networks
Yara detected aPLib compressed binary
Yara detected Fareit stealer
Yara detected Pony
Result
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-07-31 11:28:08 UTC
AV detection: 24 of 31 (77.42%)
Threat level: 5/5

Result
Malware family: pony
Score: 10/10
Tags: rat spyware stealer family:pony discovery
Behaviour:
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Script User-Agent
Accesses cryptocurrency wallets, possible credential harvesting
Checks installed software on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Deletes itself

Result
Pony, Fareit
Threat name: Kryptik
Score: 1.00
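
Three of the behaviours the vendor results above agree on are observable from endpoint telemetry without any file-level signature: the sample runs ping.exe, reads data files of FTP clients, and deletes itself. The check below correlates those over process and file events. It is an added example, not MalwareBazaar's or any sandbox vendor's code. The flat event schema (t, type, pid, ppid, image, target), the FTP-client profile directory names, the 30-second window and the constructed process tree are all assumptions for this example; real Sysmon or EDR telemetry needs a mapping step into this shape.

```python
"""Endpoint correlation of the behaviours listed for this sample:
ping.exe execution, FTP-client data reads and self-deletion.

Added example, not MalwareBazaar's or any vendor's code. Event schema,
directory names, time window and sample telemetry are assumptions.
"""

# Profile directories whose files an FTP-credential stealer would read.
# Assumption: the page only says "data files stored by FTP clients".
FTP_CLIENT_DIRS = ("\\filezilla\\", "\\winscp\\", "\\cuteftp\\", "\\smartftp\\")
# Seconds allowed between ping.exe starting and an ancestor's image vanishing
# (ping acts as the stall before the file is unlinked). Assumed value.
SELF_DELETE_WINDOW = 30

MALWARE_IMAGE = r"C:\Users\user\AppData\Local\Temp\Zayavka konec proshlogo mesyaca.exe"

# Constructed telemetry: pid 100 is the sample and 101/102 its descendants;
# 200/201 are an administrator's interactive cmd.exe genuinely running ping.
SAMPLE_EVENTS = [
    {"t": 0, "type": "process_create", "pid": 100, "ppid": 1, "image": MALWARE_IMAGE},
    {"t": 1, "type": "file_read", "pid": 100,
     "target": r"C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"t": 2, "type": "process_create", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"t": 3, "type": "process_create", "pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\PING.EXE"},
    {"t": 6, "type": "file_delete", "pid": 101, "target": MALWARE_IMAGE},
    {"t": 10, "type": "process_create", "pid": 200, "ppid": 1,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"t": 11, "type": "process_create", "pid": 201, "ppid": 200,
     "image": r"C:\Windows\System32\PING.EXE"},
]


def _ancestors(pid, procs):
    """Yield pid and each ancestor present in the process table (loop-safe)."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield pid
        pid = procs[pid]["ppid"]


def analyse_events(events):
    """Return (code, pid, detail) findings over time-ordered telemetry."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        target = e.get("target", "").lower()
        if e["type"] == "file_read" and any(d in target for d in FTP_CLIENT_DIRS):
            findings.append(("ftp_client_data_read", e["pid"], e["target"]))
        if e["type"] == "process_create" and e["image"].lower().endswith("\\ping.exe"):
            # Self-deletion pattern: an ancestor of ping.exe has its own image
            # file deleted within the window after ping starts.
            for anc in _ancestors(e["ppid"], procs):
                image = procs[anc]["image"].lower()
                if any(d["type"] == "file_delete" and d["target"].lower() == image
                       and e["t"] <= d["t"] <= e["t"] + SELF_DELETE_WINDOW
                       for d in events):
                    findings.append(("ping_then_self_delete", anc, procs[anc]["image"]))
    return findings


if __name__ == "__main__":
    for code, pid, detail in analyse_events(SAMPLE_EVENTS):
        print(f"{code} pid={pid} {detail}")
```

The ancestor walk matters: the deletion is usually issued by an intermediate cmd.exe rather than by the stealer itself, so tying ping.exe only to its direct parent would miss the process whose image actually disappears.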

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Pony
    Executable exe 97ba4ad5b02bc8812864b06941778432faf60a667c0279c0c7c092b76e91b9cc (this sample)

Delivery method: Distributed via e-mail attachment

Comments