MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a925c633c9df9cc480f6093e1925807e01e98529dbbeb6cdccd2492083a4501b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	a925c633c9df9cc480f6093e1925807e01e98529dbbeb6cdccd2492083a4501b
SHA3-384 hash:	552387ba5dd82166dc2d04e3bfa2bf71f2e1952474c87ecafe58c273855eeea7e94da45f454e1bea993f14abfd4687d7
SHA1 hash:	5aaa226cf2ac18d2c764eb92ad039b1194d8d84d
MD5 hash:	f722e10139c756045fa58967de25e843
humanhash:	earth-march-harry-bulldog
File name:	A925C633C9DF9CC480F6093E1925807E01E98529DBBEB.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	2'975'744 bytes
First seen:	2021-12-24 22:25:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	49152:0S6n0CfpC654aDxM6oLeVe+ps+sYIfgtPkze:0L0Chv54a+6tlC+k
Threatray	320 similar samples on MalwareBazaar
TLSH	T1F5D5334578478338C6CB2333B7B79A11DA9C278EB188BC55C564A3197E8327DFD8968C
Reporter	abuse_ch
Tags:	exe Pony

abuse_ch

Pony C2:
http://4drcf3vc3vr34vrc.net78.net/Panel/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://4drcf3vc3vr34vrc.net78.net/Panel/gate.php	https://threatfox.abuse.ch/ioc/286024/

Intelligence

File Origin

# of uploads :

# of downloads :

653

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

A925C633C9DF9CC480F6093E1925807E01E98529DBBEB.exe

Verdict:

Malicious activity

Analysis date:

2021-12-24 22:27:09 UTC

Tags:

trojan pony fareit stealer

Link:

https://app.any.run/tasks/33f15a2f-dd17-45b1-905a-426102a4f48f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Pony

Link:

https://www.capesandbox.com/analysis/216262/

Detection(s):

Win.Packed.Generic-7400169-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

DNS request

Launching a process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

darkkomet fareit obfuscated packed razy

Link:

https://www.filescan.io/uploads/61c64900ec6c6c14a9f03075/reports/39804837-1a72-407a-9e7c-368744c4bfe5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/51acdc29-5392-4834-b6fe-bc94abec60da

Result

Threat name:

Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/912601

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Yara detected aPLib compressed binary

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Detection:

pony

Link:

https://mwdb.cert.pl/sample/a925c633c9df9cc480f6093e1925807e01e98529dbbeb6cdccd2492083a4501b/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2014-12-07 15:29:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ves4mm6j36omjahwbe7bsjmapya6tbjj3o7lntom2jesba5ekanq._file

Verdict:

malicious

Label(s):

pony

Pony

2ce7ad2edfed9bf00a5df059bc2e83d4e5570765d1ce3b512926a32ba458b1b6

Pony

2f156f7150ef3b1c8d0ebe2427e20452bad0e3ab31c30e17e200308cf0efa78c

Pony

52baad9dab220788130ca691baaed3a1f22cc68d913e217bc09f29c2ae822e81

Pony

b4df12afe9fd5cc5daf567c7c8fcde4345e4e3c027d6af9f2bf701c67cb6889e

Pony

de01f8656150bf82da3fd183e012c5a0023fe5f750d7a12e8767de06d9cf6fa8

Pony

+ 310 additional samples on MalwareBazaar

Result

Malware family:

pony

Score:

10/10

Tags:

family:pony collection rat spyware stealer upx

Link:

https://tria.ge/reports/211224-2chszsfdh6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Uses the VBS compiler for execution

UPX packed file

Pony,Fareit

Malware Config

C2 Extraction:

http://4drcf3vc3vr34vrc.net78.net/Panel/gate.php

Unpacked files

SH256 hash:

019f806ed48ada626dce02d790c0e9df841c3a35d01cd170c9702da3160e8551

MD5 hash:

a965ba75fc7899bacfbad4ec47282cd2

SHA1 hash:

54f55322696472fab10a43f9e4faaf17917e6785

Link:

https://www.unpac.me/results/f65260c6-620a-406f-976b-4967998b4290/

SH256 hash:

610bc47fae918a95c17184aa378e1d0261504aab5de8d89da7eb89f684acfab3

MD5 hash:

c221406692e8c7d5335573b05371cb61

SHA1 hash:

7dceaf9ceebdf41bcbcb70a72105d694c0f6bd37

Link:

https://www.unpac.me/results/f65260c6-620a-406f-976b-4967998b4290/

SH256 hash:

a925c633c9df9cc480f6093e1925807e01e98529dbbeb6cdccd2492083a4501b

MD5 hash:

f722e10139c756045fa58967de25e843

SHA1 hash:

5aaa226cf2ac18d2c764eb92ad039b1194d8d84d

Link:

https://www.unpac.me/results/f65260c6-620a-406f-976b-4967998b4290/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a925c633c9df9cc480f6093e1925807e01e98529dbbeb6cdccd2492083a4501b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/216262/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample