MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc121cbe39b515a72d06957465a60ecf9b30b2d81a3f357e14b011e25e390f0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 12

Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash:	bc121cbe39b515a72d06957465a60ecf9b30b2d81a3f357e14b011e25e390f0e
SHA3-384 hash:	5e47706503076e3b46d9167836ffdf2b1e87905245737ebb51883b1ce33be46ddd1e7be19f6fac27cccc8e50ca122df1
SHA1 hash:	98ec952b82a300183b773015622536479a369c46
MD5 hash:	78af9e62c06db81b034761cb6ef8a2de
humanhash:	delta-six-pip-delaware
File name:	78AF9E62C06DB81B034761CB6EF8A2DE.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	147'696 bytes
First seen:	2021-04-04 13:45:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fbd6938c50afc31ca41f76baaa5e6876 (1 x Pony)
ssdeep	3072:vy6VEp3CpEyx0sw/GYix0Un3TIppJdGLUi/:PVEas/EMuJ/
Threatray	209 similar samples on MalwareBazaar
TLSH	1EE3D021179C8B30C0B30578267996BF28A66D71177F44BBAB90382C9F712C3657AF97
Reporter	abuse_ch
Tags:	exe Pony

abuse_ch

Pony C2:
http://74.91.117.215/ponys/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://74.91.117.215/ponys/gate.php	https://threatfox.abuse.ch/ioc/6746/

Intelligence

File Origin

# of uploads :

# of downloads :

690

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

78AF9E62C06DB81B034761CB6EF8A2DE.exe

Verdict:

Malicious activity

Analysis date:

2021-04-04 13:46:39 UTC

Tags:

trojan pony fareit stealer

Link:

https://app.any.run/tasks/011b1b9b-0d3d-4c98-b069-846f51f5623b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Pony

Link:

https://www.capesandbox.com/analysis/132092/

Detection(s):

Win.Trojan.Tepfer-79

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Reading critical registry keys

Connection attempt

Sending an HTTP POST request

Sending a UDP request

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Pony

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f3d6f799-9102-4dcd-84be-3cc400111b99

Result

Threat name:

Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/665581

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to inject code into remote processes

Found C&C like URL pattern

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.Zeus

Status:

Malicious

First seen:

2021-03-31 06:37:35 UTC

AV detection:

43 of 48 (89.58%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xqjbzprzwuk2oligsv2gljqoz6ntbmwydi7tk7quwai6exrzb4ha._file

Result

Malware family:

pony

Score:

10/10

Tags:

family:cobaltstrike family:pony discovery rat spyware stealer

Link:

https://tria.ge/reports/210404-mqa7sl1t9j/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks installed software on the system

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Pony,Fareit

Unpacked files

SH256 hash:

762d0fd372f882c53f951b9fc12089c797e9ab9cefccca7a0e341eb8b7a0d2d5

MD5 hash:

35508d23acca7ebb6d54afd8ee17a9b2

SHA1 hash:

762c0ad5074b5fe8674de19ec41a4f36d7037e4a

Detections:

win_pony_g0

win_pony_auto

Link:

https://www.unpac.me/results/96eb685c-fb28-4671-a1bd-da3bdb05150f/

SH256 hash:

bc121cbe39b515a72d06957465a60ecf9b30b2d81a3f357e14b011e25e390f0e

MD5 hash:

78af9e62c06db81b034761cb6ef8a2de

SHA1 hash:

98ec952b82a300183b773015622536479a369c46

Link:

https://www.unpac.me/results/96eb685c-fb28-4671-a1bd-da3bdb05150f/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/132092/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample