MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8f87315426d5c09fa7d6438b921520d47360d97ecef5cfbe9c018fcfd1a4ff3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 13


Intelligence 13 IOCs 3 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8f87315426d5c09fa7d6438b921520d47360d97ecef5cfbe9c018fcfd1a4ff3
SHA3-384 hash: 493c5e0c1f572941042f2c00c69aa5d213c5680ecdbaf350c7fa99becd30c43063737d0232f755f8c96c8f188c0df8e8
SHA1 hash: f68bb374e2fb63e4e85a75e383ca3562c19070bd
MD5 hash: 584dd1634c947174914132fc24b6c194
humanhash: four-burger-freddie-music
File name:584DD1634C947174914132FC24B6C194.exe
Download: download sample
Signature Pony
Create hunting rule
File size:90'864 bytes
First seen:2021-04-04 06:40:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 728afd0aeb7539a2a721ececf5f36865 (12 x Pony)
ssdeep 1536:x3V3e8KytqTZkYu5SCvaDBzgM+5zu9kS24zxAkOg8WTvMEI2VkzZ36:9dOy+ubiDBzv+1H4OgYEIv36
Threatray 208 similar samples on MalwareBazaar
TLSH 29931903F480E0F1D1A22AB17BC11771EBF99F6978768D5EEF8D49856DB22977B12002
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://esig.net63.net/default.php?qX1B8hI9kYK3jy71fT2K78BloL3fciCkBxbsj

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://esig.net63.net/default.php?qX1B8hI9kYK3jy71fT2K78BloL3fciCkBxbsj https://threatfox.abuse.ch/ioc/6711/
http://turbosquad.bplaced.net/default.php?RFxhrjW6tdFInmHK7L3FQrbmXZagX https://threatfox.abuse.ch/ioc/6712/
http://marxveix.site11.com/default.php?n4csJnyIei2htyvcdX64g16xQVkCYKQd https://threatfox.abuse.ch/ioc/6713/

Intelligence

File Origin
# of uploads :
1
# of downloads :
761
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
584DD1634C947174914132FC24B6C194.exe
Verdict:
Malicious activity
Analysis date:
2021-04-04 06:43:21 UTC
Tags:
trojan pony fareit stealer
Link:
https://app.any.run/tasks/df1fbc04-0fb9-41a6-a4c0-1b02e871ba7b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Pony
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132068/
Detection(s):
Win.Trojan.PonyStealer-9831667-0
Create hunting rule

Win.Trojan.Fareit-403
Create hunting rule

Win.Trojan.Agent-1140471
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
DNS request
Sending a UDP request
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4a77789-ddd0-458f-b414-d622108d7ea8
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665502
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8f87315426d5c09fa7d6438b921520d47360d97ecef5cfbe9c018fcfd1a4ff3/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 06:27:00 UTC
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vd4hgfkcnvoat6t5mq4lsiksbvdtmdmx5txvz67jyampz7i2j7zq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
0999db34e8587ca82c53264b3a8ba8bb45e456705d32f514f2eb414b4e0a2a4b
Pony
15009bbe320d77a38e4341a5e160baec142a96f86c730a33dae9a1487399c78c
Pony
161516f819327d2d1f5266d2c83200421250ef83423f84a36faa145489ec8b8f
Pony
35e72d33b6d99055c41dffe0e882a540be6564a26c5651d04f8b72017e1d4149
Pony
4158f02184aa6973b288d0b4b8d30f0974433ece1e75e42dcaa7e37dd64a0446
Pony
5ee70bdf6cfa9c2742889a7c724fa6940e40c64d6ab420303ea6e031ae3d6ce4
Pony
918762466acf2b1623dc7e360c7245252385fad4587c00211cf6a71ad6efb19d
Pony
977c4348075fea725b12f615548b5c586ad1abbaa00c9c51b972278f46adacc5
Pony
9a958183f582a673caa1e13e96217d8077e01523772ee075b61f162771a4be53
Pony
eed5d5dfd2424a2adca76ba2cc894f311baf9379615fd06a8ed581f92dea5024
Pony
+ 198 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer
Link:
https://tria.ge/reports/210404-b2k61a1ka2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Unpacked files
SH256 hash:
a8f87315426d5c09fa7d6438b921520d47360d97ecef5cfbe9c018fcfd1a4ff3
MD5 hash:
584dd1634c947174914132fc24b6c194
SHA1 hash:
f68bb374e2fb63e4e85a75e383ca3562c19070bd
Detections:
win_pony_auto
Create hunting rule
win_pony_g0
Create hunting rule
Link:
https://www.unpac.me/results/53cc980b-2f2c-47a6-a044-bff725016cf1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a8f87315426d5c09fa7d6438b921520d47360d97ecef5cfbe9c018fcfd1a4ff3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:pony
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify Pony
Rule name:win_pony_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132068/

Comments