MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98777aa1daa9a8099960c2572e7311e047c1a74c8106c4830142b8d269582989. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	98777aa1daa9a8099960c2572e7311e047c1a74c8106c4830142b8d269582989
SHA3-384 hash:	7cf25239f47609d5f7d9c34eea14bc7f86bc1b722c70932c01bf9b5f45f15f4060d2c89239e8c5c8ac162f289f8aee49
SHA1 hash:	e8788b50f21a7e9fff5dc1ab6885c22056609732
MD5 hash:	0c12d7636d23886c3975c415286c7765
humanhash:	undress-saturn-pasta-red
File name:	98777aa1daa9a8099960c2572e7311e047c1a74c8106c4830142b8d269582989
Download:	download sample
Signature	Pony Create hunting rule
File size:	246'784 bytes
First seen:	2020-11-10 11:30:50 UTC
Last seen:	2024-07-24 19:24:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4d362ad01807ba6008d79ab2c7cad0ed (9 x Pony)
ssdeep	3072:eVshAo4qKg56qCIMVPmTEJBw3DCGULUnSKA5GZou8t3hw74qKgS:eVshAEKkLCIMV7JWCZUxSBTt3hwLK
TLSH	9634F11B7F08DAA4F4991E3848079AF97D23ECD24A904F5B711EFB2E3C702827953569
Reporter	seifreed
Tags:	Pony

Intelligence

File Origin

# of uploads :

# of downloads :

382

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Upx-4

Win.Dropper.Bifrost-7643040-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Reading critical registry keys

DNS request

Connection attempt

Sending an HTTP POST request

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Brute forcing passwords of local accounts

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/529174

Signature

Antivirus / Scanner detection for submitted sample

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Generic Dropper

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/98777aa1daa9a8099960c2572e7311e047c1a74c8106c4830142b8d269582989/

Threat name:

Win32.Infostealer.PonyStealer

Status:

Malicious

First seen:

2020-11-11 00:05:11 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tb3xvio2vguatglayjls44yr4bd4dj2mqedmjaybik4ne2kyfgeq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/201110-5avqfe93hx/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

98777aa1daa9a8099960c2572e7311e047c1a74c8106c4830142b8d269582989

MD5 hash:

0c12d7636d23886c3975c415286c7765

SHA1 hash:

e8788b50f21a7e9fff5dc1ab6885c22056609732

Link:

https://www.unpac.me/results/abdd55c2-19f5-405a-9ed3-9f6d27f3f8dc/

SH256 hash:

e54077067acad11826812ecccfcd1d128f84fbbdecd05ab6c10890c88158f4af

MD5 hash:

dd0e575fbf0d58316ce271a8111b5905

SHA1 hash:

1f9cd6b06b878c498df53c729899e2a3b2e46ba9

Link:

https://www.unpac.me/results/abdd55c2-19f5-405a-9ed3-9f6d27f3f8dc/

SH256 hash:

9f133a231775d96f86bff8947a20b6c0c7f761327e4c20be826ac04e1c8fae2e

MD5 hash:

4335c40af32d58d826f1e30c183aeee9

SHA1 hash:

37186f316db5587c752a539973c89189cf167bbd

Detections:

win_pony_g0

win_pony_auto

Link:

https://www.unpac.me/results/abdd55c2-19f5-405a-9ed3-9f6d27f3f8dc/

Parent samples :

98777aa1daa9a8099960c2572e7311e047c1a74c8106c4830142b8d269582989
7c8be129bca653133554930e5ff2f231de7029948d064d78c01e5aebcd8b14da
03b85c4d58c9c90abb09b3f96d4f22b554d90d5b3f12b84e6739515784cb7dc1
52bf411492eb6eb526cb654ab455b75fe57d2631af02c5865b61de70364e4935
ea7bedd31d81123db139ff9f294672fec878aad74c3abf3500c8c1694d9f5feb
e0b69e64b7d1190b19dc67c8d87be4b1ec0356e18d1639dfbd8f361f6090791b

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample