MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bad5c8c123499feb089f6e9786fce0163a1288ae800f7855eb125a54985716e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 7


Intelligence 7 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bad5c8c123499feb089f6e9786fce0163a1288ae800f7855eb125a54985716e9
SHA3-384 hash: cd76a5ee8df303381ccc530535a14a7fdeafc578c0db7270043f74c42faa8c2df5036d06129f76ba7a6d0729c7853d05
SHA1 hash: 0240f81635dec3c8e6c2bec5157788352b85fe60
MD5 hash: 1b7e5bf86c1689ee2e5cc4aa4835461b
humanhash: leopard-twelve-paris-sink
File name:BAD5C8C123499FEB089F6E9786FCE0163A1288AE800F7.exe
Download: download sample
Signature Pony
Create hunting rule
File size:450'560 bytes
First seen:2021-07-31 16:11:43 UTC
Last seen:2021-07-31 16:50:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a21cd025d47d3bc8a3d98d5c8ceed1e5 (1 x Pony)
ssdeep 3072:VF9V0c8E77SCJmQ6zxJlmHAazbnq6n1vGQEtG+qqB:3f0vE77Xx69JWAG1uSVq
TLSH T172A4C02E99F4665CED1CD4B434AA0AC5866D393B455CE88FFF15AF06B1B050AB328327
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://americar.rs/user1/pony/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://americar.rs/user1/pony/gate.php https://threatfox.abuse.ch/ioc/165163/

Intelligence

File Origin
# of uploads :
2
# of downloads :
916
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BAD5C8C123499FEB089F6E9786FCE0163A1288AE800F7.exe
Verdict:
No threats detected
Analysis date:
2021-07-31 16:17:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/40129060-caa1-4e0d-98b0-4eb913f38450

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175487/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.25043.13640.13771.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/750453ee-c68a-4633-8a89-99a775e27881
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824935
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Drops PE files with a suspicious file extension
Found C&C like URL pattern
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Generic Dropper
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 457347 Sample: BAD5C8C123499FEB089F6E9786F... Startdate: 31/07/2021 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Multi AV Scanner detection for domain / URL 2->63 65 Potential malicious icon found 2->65 67 13 other signatures 2->67 10 BAD5C8C123499FEB089F6E9786FCE0163A1288AE800F7.exe 3 4 2->10         started        14 wscript.exe 1 2->14         started        16 wscript.exe 1 2->16         started        process3 file4 49 C:\Users\user\AppData\Local\...\filename.scr, PE32 10->49 dropped 51 C:\Users\user\AppData\Local\...\filename.vbs, ASCII 10->51 dropped 87 Drops PE files with a suspicious file extension 10->87 18 wscript.exe 1 1 10->18         started        21 filename.scr 14->21         started        23 filename.scr 16->23         started        signatures5 process6 signatures7 69 Creates autostart registry keys with suspicious values (likely registry only malware) 18->69 25 filename.scr 18->25         started        28 filename.scr 21->28         started        31 filename.scr 14 23->31         started        process8 dnsIp9 73 Antivirus detection for dropped file 25->73 75 Detected unpacking (changes PE section rights) 25->75 77 Detected unpacking (overwrites its own PE header) 25->77 85 3 other signatures 25->85 33 filename.scr 1 14 25->33         started        57 americar.rs 28->57 79 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->79 81 Tries to harvest and steal ftp login credentials 28->81 83 Tries to harvest and steal browser information (history, passwords, etc) 28->83 37 cmd.exe 28->37         started        59 americar.rs 31->59 39 cmd.exe 31->39         started        signatures10 process11 dnsIp12 53 americar.rs 95.211.209.209, 49751, 49754, 49755 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 33->53 55 192.168.2.1 unknown unknown 33->55 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->71 41 cmd.exe 33->41         started        43 conhost.exe 37->43         started        45 conhost.exe 39->45         started        signatures13 process14 process15 47 conhost.exe 41->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bad5c8c123499feb089f6e9786fce0163a1288ae800f7855eb125a54985716e9/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2018-02-07 05:15:00 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xlk4rqjdjgp6wce7n2lyn7hacy5bfcfoqahxqvplcjnfjgcxc3uq._file
Verdict:
unknown
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery persistence rat spyware stealer suricata
Link:
https://tria.ge/reports/210731-czgv25n7je/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
Pony,Fareit
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Malware Config
C2 Extraction:
http://americar.rs/user1/pony/gate.php
Unpacked files
SH256 hash:
bad5c8c123499feb089f6e9786fce0163a1288ae800f7855eb125a54985716e9
MD5 hash:
1b7e5bf86c1689ee2e5cc4aa4835461b
SHA1 hash:
0240f81635dec3c8e6c2bec5157788352b85fe60
Link:
https://www.unpac.me/results/4b5a33ef-e1c7-4641-bcb8-cd620f3d3ed7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.41
Link:
https://yomi.yoroi.company/submissions/bad5c8c123499feb089f6e9786fce0163a1288ae800f7855eb125a54985716e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175487/

Comments