MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b440cf6d2e182fc01815a943cf8aee5738329211a8231738e811247e9b897df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 7


Intelligence 7 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b440cf6d2e182fc01815a943cf8aee5738329211a8231738e811247e9b897df
SHA3-384 hash: e35feb58d14d028d58b62cb412adf3982f5caba168f68e693d37e64c3a5c0a76cc7f6b18d395be422f6a7a18d22787f4
SHA1 hash: ae6ad509b323b3a7b20480449b5108fec42d1ecf
MD5 hash: 0a4014770a742383ac79ba80c0bba19c
humanhash: item-september-carpet-fifteen
File name:9B440CF6D2E182FC01815A943CF8AEE5738329211A823.exe
Download: download sample
Signature Pony
Create hunting rule
File size:208'896 bytes
First seen:2021-05-15 21:50:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ba5bcfd9a4613671fc04e4b9a679dec7 (1 x Pony)
ssdeep 3072:uHikauqLiGpDQMNzuo05jAbgbtpAO1p6g4eFHhr6:AikxqNNzusbeprL69e9h
Threatray 586 similar samples on MalwareBazaar
TLSH FA141819E520FF7AE431647241D31561C6945838CBDD6A37FFC339A5A9EABF2310C826
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://saol-net.com/uber/panel/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://saol-net.com/uber/panel/gate.php https://threatfox.abuse.ch/ioc/43111/

Intelligence

File Origin
# of uploads :
1
# of downloads :
586
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9B440CF6D2E182FC01815A943CF8AEE5738329211A823.exe
Verdict:
No threats detected
Analysis date:
2021-05-15 21:52:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0d2d71c6-2c3a-4087-b212-239b783a42fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/157457/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Fareit Pony
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/782872
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Found C&C like URL pattern
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Fareit stealer
Yara detected Generic Dropper
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b440cf6d2e182fc01815a943cf8aee5738329211a8231738e811247e9b897df/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2016-04-12 01:25:51 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tncaz5ws4gbpyamblkkdz6fo4vzygkjbdkbdc44oqejep2nys7pq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
1634877a9b5ed327df9f36c7a26455662e2458c6aea53095af3bb15b24e8057a
Pony
2335eadece5eb55aabe38bce2894f0c88f7305140613f3b6cfd92877d4fac7a4
Pony
6850cd1eeac54b14140e6231564313378df24c308c4d92641370aaa1b065b3fd
Pony
89ba6ca01979a51dd5e8fee7d80e8d69322531ba357750a79d8aaceb5a3163c7
Pony
8f696db90b2556c709e3dfd34fa977ca160939bb2cd2feb0d3718b33baa6cb0a
Pony
b3feec059ff8a39d9ff93a950a3e1e1da7b464097db715a3e47e4284f3f21191
Pony
bb8092fb1fe474f0b7ac56df60cf32c9935a9c84c492998a6fdc54a682ab283d
Pony
ce8a5b2ba476610b8cf3332cd6d63abfa5d6266ebdfa088f0e0599efdc7c9ec7
Pony
e400fef46e21fbd7191240230a5fab9326de9baf0fbebfef8883e5c2662862a1
Pony
efe947e0a8842997d152af946ef0293a972cc11662f3c62a8461bc4a07427669
Pony
+ 576 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210515-4dtfamx2gs/
Behaviour
Suspicious use of SetWindowsHookEx
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b440cf6d2e182fc01815a943cf8aee5738329211a8231738e811247e9b897df

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/157457/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-15 21:59:13 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0019] Data Micro-objective::Check String