MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98d453901ee6fb09d8c12918bab13ef0edf65318285042ec4c58d630e0681ab0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98d453901ee6fb09d8c12918bab13ef0edf65318285042ec4c58d630e0681ab0
SHA3-384 hash: c3fa1ad9a84296af72b02359f1d27bf80a319fe6193e086079a657f219f994468c33693d0c3d09c5cfcef6c21f684a0c
SHA1 hash: 99fd1ded0729c47083cc727c22101942d4c357a0
MD5 hash: 59a4616de786ca040a9e7aea1fe49f5c
humanhash: maryland-victor-massachusetts-spaghetti
File name:98d453901ee6fb09d8c12918bab13ef0edf65318285042ec4c58d630e0681ab0
Download: download sample
Signature Pony
Create hunting rule
File size:245'760 bytes
First seen:2020-11-10 11:43:27 UTC
Last seen:2024-07-24 19:26:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4d362ad01807ba6008d79ab2c7cad0ed (9 x Pony)
ssdeep 6144:REIT8NERVTq0k0WS2yJ2oFxPg/TpYjRu:iIT8iRVTrJds/Tp4Ru
Threatray 128 similar samples on MalwareBazaar
TLSH 5B34D142E54C6DD5E2755B30E0234E7B0EF3EC2949608E6B2D69F61E3DB6840B1621BF
Reporter seifreed
Tags:Pony

Intelligence

File Origin
# of uploads :
2
# of downloads :
544
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Win.Dropper.Bifrost-7643040-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Reading critical registry keys
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/528383
Signature
Antivirus / Scanner detection for submitted sample
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Generic Dropper
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98d453901ee6fb09d8c12918bab13ef0edf65318285042ec4c58d630e0681ab0/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 12:38:58 UTC
AV detection:
36 of 48 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tdkfhea6435qtwgbfemlvmj66dw7muyyfbief3cmldldbydidkya._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab
Pony
4d9ba9f2d2a2085cbdafebb0dc4b73058f45c4b86631d8fc11240e132a1e1d0d
Pony
4fa025c960fee9b41e855d025dcbb7e296c157dd30f42b924637f763e4a3c0ce
Pony
80b9257f924aef8ac5a1a724234ddcd6b67bee79819202bb7b5d4586b35164c7
Pony
841e400462718d0c71b30ac5c90768c409485806146ee50bfc2f866913ffcf49
Pony
98adccc8a599f53904c5cd22c7398d6b692c642807cab71f1ab6d2dc65e1c5a5
Pony
b24205394b92b61e4058e30a94528aa34cf37b3d930c3197d91f33f8fd173cf4
Pony
b2d579828599ae4e265f77899466dc005e7685b50dcbf6817388ea22d404ab2c
Pony
d01f1ad8b4e08a70621ab7d9907d551bc238a990737e45060252998c059bb0fa
Pony
fe966a744b83daaecb2b4b01adc7204e42d3f98955e142e78d7a948709185d27
Pony
+ 118 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/201110-h25ehb8mfa/
Behaviour
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments