MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b85943771500d5874e0943b3e641a77bb4345d203e895a75db5f82c62db84b3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b85943771500d5874e0943b3e641a77bb4345d203e895a75db5f82c62db84b3a
SHA3-384 hash: 11d0c809d550217883701db41fe4eaedf344eb936bef588aff277069e27565ef9bc3871f1c60b5737f17e57874c63222
SHA1 hash: 5504f3b55ea2efd950444f37d4aea5fe4f182528
MD5 hash: ed4680b2ba9679a7e6ee4df0796280ba
humanhash: montana-social-ink-ceiling
File name:B85943771500D5874E0943B3E641A77BB4345D203E895.exe
Download: download sample
Signature Pony
Create hunting rule
File size:552'960 bytes
First seen:2021-07-31 00:21:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 95be500ef2999d14d0976d7879c31367 (1 x Pony)
ssdeep 6144:UdPuWRovBQv6dI1kSphYBiuZbrhPOublOyCuC0bwn3YXZrFHdAJKb5QLtW8DlU6r:aABQUI1kSpPMbdPdTBA8Qb
Threatray 594 similar samples on MalwareBazaar
TLSH T1A5C41ADA4CE176B8E804B3B054109B8ACF7531163FA63356EA3FC90679CB9E485E39D4
dhash icon 4d5527d6c669374d (1 x Pony)
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://greenoasis-int.com/Nn/panelnew/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://greenoasis-int.com/Nn/panelnew/gate.php https://threatfox.abuse.ch/ioc/164981/

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'030
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
B85943771500D5874E0943B3E641A77BB4345D203E895.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-31 00:23:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/19a19567-d38d-445f-b136-484b37ddba28

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175396/
Detection(s):
Win.Malware.Fareit-6916215-0
Create hunting rule

Win.Malware.Fareit-6916266-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d0a284c-188e-4877-8b6a-584284716239
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824769
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b85943771500d5874e0943b3e641a77bb4345d203e895a75db5f82c62db84b3a/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2018-07-31 13:25:23 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xbmug5yvadkyotqjioz6mqnhpo2dixjah2evu5o3l6bmmlnyjm5a._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
15aa1919120cf819c2c0386a0a6b8b71059fa669491016b06df0998a27eb32ff
Pony
59c17773776261d45122a0d067088654268ca71b329a6e9495105c500c12c8c1
Pony
5a8239ffd5e37023816296c83bf64261d7461cc373669a881a1b2284d767d1ed
Pony
67d1a8ba1ef2b9c0587be869cb25f66a800a64be803b7ef9efdb33e850449ac1
Pony
68629701b12d1300254ce04807b894fd8195bd36ce6b6ceebe5beba5d60cf5d3
Pony
88c63762f85d92709ec567c3a3de9363589c4dd8777e469e5722851c5d3ed5a3
Pony
948b5d4daa9864aae1297b9481a1bcee316f723af481e983dbff09fcd8a24563
Pony
b3aac3c1fed205d6c1e36f80475cdb4b243f6fb7b2d275f360867aa6dcec5fe8
Pony
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
Pony
d3fc1e644cd5bf4cd9890d0a6ae300dc96fd8c72fc6455a329437cc69e4cf0a1
Pony
+ 584 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer
Link:
https://tria.ge/reports/210731-sz1c4jkwt6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Malware Config
C2 Extraction:
http://greenoasis-int.com/Nn/panelnew/gate.php
Unpacked files
SH256 hash:
6f12d1e909cebefb9390a9342e5d4efea6d2f6c4a059632de6a5edb7187b7652
MD5 hash:
74a78a101e0c301c03962db9c8c6bb39
SHA1 hash:
1f9a0859aeaf4cf7bca49367c0b979f1f96bf2ce
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/a2c85269-66e6-45a0-94bf-84300dfb93db/
SH256 hash:
b85943771500d5874e0943b3e641a77bb4345d203e895a75db5f82c62db84b3a
MD5 hash:
ed4680b2ba9679a7e6ee4df0796280ba
SHA1 hash:
5504f3b55ea2efd950444f37d4aea5fe4f182528
Link:
https://www.unpac.me/results/a2c85269-66e6-45a0-94bf-84300dfb93db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/b85943771500d5874e0943b3e641a77bb4345d203e895a75db5f82c62db84b3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Fareit
Create hunting rule
Author:kevoreilly
Description:Fareit Payload
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:win_pony_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.pony.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175396/

Comments