MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b24205394b92b61e4058e30a94528aa34cf37b3d930c3197d91f33f8fd173cf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	b24205394b92b61e4058e30a94528aa34cf37b3d930c3197d91f33f8fd173cf4
SHA3-384 hash:	385ebc82aee8f93dd8637b0ed72e8a5b3913320014781d787e0ae6765c31272718d5cd9e3ee495188f1f84d3cd42576a
SHA1 hash:	9234b6b4b4c2bf0ab2a8737f94e7a989f9083bce
MD5 hash:	b95219bcaa42d45a467dddb752dde333
humanhash:	rugby-california-saturn-dakota
File name:	Rincian Perbankan dan Transfer Formulir Aplikasi_pdf.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	517'120 bytes
First seen:	2020-05-06 10:45:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ff5d38f8ce7becc9e2b75dea8647115f (7 x AgentTesla, 2 x Loki, 1 x FormBook)
ssdeep	12288:+UXBVVN+jL7n5fsr+7YHQp6JCkvOgUn4qLZ7VqO9UmZWx:+e3VNy75YzIPeOpnVJPUmZs
Threatray	138 similar samples on MalwareBazaar
TLSH	28B4BF36F6F04437D273263C9C5B56A4A83ABE503E29D8472BE8DD4C5F397823865293
Reporter	abuse_ch
Tags:	Citibank Downloader.Pony exe Pony

abuse_ch

Malspam distributing Downloader.Pony:

HELO: mail-gate5.qwords.net
Sending IP: 43.252.136.13
From: Citibank <janto.huang@beton.co.id>
Subject: ٹی ٹی ٹرانزیکشن کی ادائیگی کے بارے میں اطلاع سے انکار - "واپسی دفتر کو دوبارہ رد" کیا گیا - BATK16xxxxxxxxxxxx
Attachment: Rincian Perbankan dan Transfer Formulir Aplikasi_pdf.gz (contains "Rincian Perbankan dan Transfer Formulir Aplikasi_pdf.exe")

Pony C2:
http://imaad-international.org/miracle/panelnew/gate.php

Intelligence

File Origin

# of uploads :

# of downloads :

150

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.BorlandDelphi-1

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Trojan.Nanocore.23.31273.12919.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-06 11:54:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wjbakoklsk3b4qcy4mfjiuukungpg6z5smgddf6zd4z7r7ixht2a._file

Result

Malware family:

pony

Score:

10/10

Tags:

family:pony discovery rat spyware stealer

Link:

https://tria.ge/reports/201109-8d4fg4l3tj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks installed software on the system

Deletes itself

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Pony,Fareit

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

gz 3690c82ee5cd4896e05585a9b871541b545631dab62f5de0abd48054c93bdc09

Pony

exe b24205394b92b61e4058e30a94528aa34cf37b3d930c3197d91f33f8fd173cf4

(this sample)

Dropped by

MD5 bcbe822e4f2b748f772301cc59030fd7

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 3690c82ee5cd4896e05585a9b871541b545631dab62f5de0abd48054c93bdc09

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample