MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202
SHA3-384 hash: 3d47433695b1421bd7dd6f5b782aca475af99e02b2e55cacd553c5b17321146222db748c8c3c404c0801357c7d49d161
SHA1 hash: 477dc12f213dd05a15b61207926b478d3a0d04c7
MD5 hash: fd442753c3895d868eed72f7854e2fba
humanhash: beryllium-beer-blue-emma
File name:AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe
Download: download sample
Signature Pony
Create hunting rule
File size:455'338 bytes
First seen:2021-05-08 12:15:31 UTC
Last seen:2021-05-08 13:02:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1d1577d864d2da06952f7affd8635371 (10 x Gamaredon, 4 x UltraVNC, 3 x QuasarRAT)
ssdeep 12288:ZAHiKgHgZ1mWryniKSojf0hxZnLBEWYWGS0C89BzI:ZACKRZEZn3xLUuWYVSI0
Threatray 257 similar samples on MalwareBazaar
TLSH 8EA41222FBD285F6E096027149922BA982BDD6BD032DCCC35B984D459FA4DD6D33F207
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://oknoff52.ru/api/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://oknoff52.ru/api/ https://threatfox.abuse.ch/ioc/33203/

Intelligence

File Origin
# of uploads :
3
# of downloads :
592
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/153182/
Detection(s):
SecuriteInfo.com.BackDoor.Siggen.60255.18954.3983.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Moving a file to the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a file
Deleting a recently created file
Reading critical registry keys
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Changing a file
DNS request
Connection attempt
Sending an HTTP POST request
Possible injection to a system process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Creating a file in the mass storage device
Deleting volume shadow copies
Preventing system recovery
Enabling autorun by creating a file
Encrypting user's files
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/718516
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to create processes via WMI
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Deletes shadow drive data (may be related to ransomware)
Found malware configuration
Injects a PE file into a foreign processes
Injects files into Windows application
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Drops script at startup location
Sigma detected: Modification of Boot Configuration
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: WannaCry Ransomware
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses 7zip to decompress a password protected archive
Uses bcdedit to modify the Windows boot settings
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 408189 Sample: AADDE71205336CCDD048F0B5029... Startdate: 08/05/2021 Architecture: WINDOWS Score: 100 85 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->85 87 Sigma detected: WannaCry Ransomware 2->87 89 Found malware configuration 2->89 91 13 other signatures 2->91 9 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe 5 4 2->9         started        13 cmd.exe 2->13         started        15 mshta.exe 2->15         started        process3 file4 69 C:\Users\user\AppData\Local\Temp\2D4F861D8D, 7-zip 9->69 dropped 71 C:\Users\user\AppData\Local\Temp\CF8C8F, PE32 9->71 dropped 103 Contains functionality to register a low level keyboard hook 9->103 105 Uses 7zip to decompress a password protected archive 9->105 17 2D4F861D8D.exe 9->17         started        20 7za.exe 3 9->20         started        23 WINWORD.EXE 254 32 9->23         started        33 6 other processes 9->33 107 May disable shadow drive data (uses vssadmin) 13->107 109 Deletes shadow drive data (may be related to ransomware) 13->109 111 Uses bcdedit to modify the Windows boot settings 13->111 25 conhost.exe 13->25         started        27 vssadmin.exe 13->27         started        29 bcdedit.exe 13->29         started        31 bcdedit.exe 13->31         started        signatures5 process6 file7 75 Antivirus detection for dropped file 17->75 77 Multi AV Scanner detection for dropped file 17->77 79 Machine Learning detection for dropped file 17->79 83 6 other signatures 17->83 35 2D4F861D8D.exe 239 46 17->35         started        57 C:\Users\user\AppData\...\2D4F861D8D.exe, PE32 20->57 dropped 59 C:\Users\user\AppData\...\2D4F861D8D.doc, Microsoft 20->59 dropped 40 conhost.exe 20->40         started        81 Injects files into Windows application 23->81 42 conhost.exe 33->42         started        44 conhost.exe 33->44         started        46 conhost.exe 33->46         started        48 3 other processes 33->48 signatures8 process9 dnsIp10 73 oknoff52.ru 87.236.16.148, 49746, 49749, 49750 BEGET-ASRU Russian Federation 35->73 61 C:\Users\user\Documents\...\UOOJJOZIRH.pdf, amd 35->61 dropped 63 C:\Users\user\Desktop\...\ZTGJILHXQB.docx, data 35->63 dropped 65 C:\Users\user\Desktop\WKXEWIOTXI.xlsx, data 35->65 dropped 67 2 other malicious files 35->67 dropped 95 Tries to steal Mail credentials (via file access) 35->95 97 Uses bcdedit to modify the Windows boot settings 35->97 99 Tries to harvest and steal browser information (history, passwords, etc) 35->99 101 Modifies existing user documents (likely ransomware behavior) 35->101 50 WMIC.exe 35->50         started        53 mshta.exe 35->53         started        file11 signatures12 process13 signatures14 93 Creates processes via WMI 50->93 55 conhost.exe 50->55         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2016-08-02 12:51:40 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vlo6oeqfgnwm3uci6c2qfg7mxpgqhz2barpua2zpvam3scmasiba._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
1d7e33495c34ce660440ae520f50370ecafe31802eef47fd454b90a1a8c66d13
Pony
23cfbb0bf1e110a79678f45c29897e6090b660d3df420bbb916fc3f1bc12eead
Pony
6269fd417f93e7c0d7cab576b35dc3b6f6a58c0f04e75533bad84987c228f0e6
Pony
75fa551eec71d6d8b9817266813715c2bbb7a537005587f9f1e0d058a05febc6
Pony
7eb6c877d1a6affaad00507e3c50d476b0099d09a3320f90d7bdaa6dd1c98571
Pony
92e530fa9601b80190668eb15bad89205d4b8d95a53ae8d297273b1b0b1d9aae
Pony
9fc5081ba3c1a4473ac1ffa3d653096afa16684a3e819ce6745bc22d38bb97f9
Pony
e33456c26d161b3464acdc104271289dced8f4e5f5b35786635ec111501c1405
Pony
e7d2deba4fccbea79ffa209ebe0ce49f98aecfb340c8d6ec3ea1773cb12cb07e
Pony
f67199b0786c1f42961d5324ec4e6b698f39b3fc480863e2fe489c6dec72da60
Pony
+ 247 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:crypvault family:pony discovery evasion ransomware rat spyware stealer upx
Link:
https://tria.ge/reports/210508-2mcd3c4yze/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Interacts with shadow copies
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks installed software on the system
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Deletes shadow copies
Modifies boot configuration data using bcdedit
CrypVault
Pony,Fareit
Process spawned unexpected child process
Unpacked files
SH256 hash:
91c9d7d2f7f9628d13fbc224383d03b0dfc51c0f8a0c004fa88a38f18e64348c
MD5 hash:
92d74a2f90f3a5fb56ae05b1e9996393
SHA1 hash:
6fda20ec6aa401df1dabebb82f8173d9f7cff6f9
Detections:
win_nitol_auto
Create hunting rule
Link:
https://www.unpac.me/results/97f25de4-e335-41ed-bd6b-6c3d9911f153/
Parent samples :
89ba6ca01979a51dd5e8fee7d80e8d69322531ba357750a79d8aaceb5a3163c7
2fdb9fa88fa2082583d32914c3863521604dd32218c26a0f35e0141ba35408b7
aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202
09421ff53504cf75091ab714967521b7d55f0975b2ca08d7887bf6fb000c1b82
ac2362bfb043929f138f0ed947f81fa8444fd87b2301ecaa9a837e86f6eca690
d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758
5f0798cdb628b90fa0507427cfad23ac606c781d630526e15c20e0150a9ece04
afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e
1dffdc569c0107c0f2e102f0da4fb60ac3ad59c5697e822f68548e681a384ad9
SH256 hash:
881c5013ee060c1ffb8078ce712fecd2f2f15a77edf5f727b7daab52f5c02cde
MD5 hash:
00c1976856799d313ebf4b7c2217d1ff
SHA1 hash:
28b666fbd4f61628b596b30d2de43aacb287b50a
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/97f25de4-e335-41ed-bd6b-6c3d9911f153/
SH256 hash:
06d94b0f9548b01722fbf7a9ba4f259aae48ac82a709027c134867f764fb0024
MD5 hash:
25e37998b09561a3e9723898e65b4886
SHA1 hash:
2bb0cc3232f1128d220f00cfe7685d196971d217
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/97f25de4-e335-41ed-bd6b-6c3d9911f153/
SH256 hash:
9ac43b38ac3534535c41c9eca87a831a11cc4e19566b40f3ecab582bee56c9f1
MD5 hash:
ae91e475f1c774a58023219715c73ab1
SHA1 hash:
3c20eb252fdf5ea99e0e13bce1532810123ca600
Link:
https://www.unpac.me/results/97f25de4-e335-41ed-bd6b-6c3d9911f153/
SH256 hash:
cf038afec7c2b0bae795a7f65f7f62eaec8bf0963c1b9f67dfdc27134bf1720f
MD5 hash:
2022e582a46f288955b28b2f57f8bcee
SHA1 hash:
0ae1d03416ee327dee8a9bf68258ab7737811a82
Link:
https://www.unpac.me/results/97f25de4-e335-41ed-bd6b-6c3d9911f153/
SH256 hash:
91d4ad15d0d1ac15d1aa873dc7a266ae942f153b8091241dc7fab8b3ff179e54
MD5 hash:
95e2a22a964aee515e7e8e075a60d4d6
SHA1 hash:
70e495f93861f2d74f79247b6c4375dec24c6d5b
Link:
https://www.unpac.me/results/97f25de4-e335-41ed-bd6b-6c3d9911f153/
SH256 hash:
aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202
MD5 hash:
fd442753c3895d868eed72f7854e2fba
SHA1 hash:
477dc12f213dd05a15b61207926b478d3a0d04c7
Link:
https://www.unpac.me/results/97f25de4-e335-41ed-bd6b-6c3d9911f153/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:pony
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify Pony
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria
Rule name:win_pony_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/153182/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-08 13:02:53 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [F0002.001] Collection::Application Hook
1) [F0002.002] Collection::Polling
2) [C0032.001] Data Micro-objective::CRC32::Checksum
3) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0046] File System Micro-objective::Create Directory
6) [C0048] File System Micro-objective::Delete Directory
7) [C0047] File System Micro-objective::Delete File
8) [C0049] File System Micro-objective::Get File Attributes
9) [C0051] File System Micro-objective::Read File
10) [C0050] File System Micro-objective::Set File Attributes
11) [C0052] File System Micro-objective::Writes File
12) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
13) [C0017] Process Micro-objective::Create Process
14) [C0038] Process Micro-objective::Create Thread
15) [C0054] Process Micro-objective::Resume Thread
16) [C0018] Process Micro-objective::Terminate Process