MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be2574eff410b1b63255c93f82e398c50b7af0f7431786e49b1dc922fbb5a910. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be2574eff410b1b63255c93f82e398c50b7af0f7431786e49b1dc922fbb5a910
SHA3-384 hash: 64d905262f13b2cfd1ddac38a480ce47f4242b335c984ff084a9d1fa5e9d1ccb128f2b56d01df948368093d77e6fbe35
SHA1 hash: e6b7c6ec096825d85916625a635917b0b2181ec0
MD5 hash: 8842ab4d1c104bca252908f93d85094e
humanhash: twenty-pasta-equal-nevada
File name:Shipment Airway Bill_pdf.exe
Download: download sample
Signature Pony
Create hunting rule
File size:959'488 bytes
First seen:2020-08-31 05:51:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 73ae1eef07955a270fc7a7f873444c85 (16 x AgentTesla, 8 x MassLogger, 5 x Loki)
ssdeep 12288:4R/MXPsQjiTiCAeeJpWkjumgIvSQCutDEVFbtir4247AQrns/brpwCO43:OQvrCXEucruic247nrns/PaNa
Threatray 111 similar samples on MalwareBazaar
TLSH E3157C62E2924437D5732A3B9C5B57B4DC3ABE00FD2868467BE9DD4C4F3928138352A7
Reporter abuse_ch
Tags:DHL exe Pony


Avatar
abuse_ch
Malspam distributing Pony:

HELO: bears.unisonplatform.com
Sending IP: 162.219.249.125
From: DHL EXPRESS <worldwide@dhl.com>
Subject: DHL Express Consignment Notification: You have A Package With Us
Attachment: Shipment Airway Bill_pdf.gz (contains "Shipment Airway Bill_pdf.exe")

Pony C2:
http://blueair.com.vn/scott/panelnew/gate.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
600
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53256/
Detection(s):
Win.Dropper.Smdd-6956905-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

PUA.Win.Adware.Webalta-6854075-0
Create hunting rule

PUA.Win.Adware.Webalta-6862190-0
Create hunting rule

PUA.Win.Adware.Webalta-6879873-0
Create hunting rule

SecuriteInfo.com.Trojan.DownLoader34.29944.17906.10656.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Reading critical registry keys
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Stealing user critical data
Brute forcing passwords of local accounts
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/454872
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279813 Sample: Shipment Airway Bill_pdf.exe Startdate: 31/08/2020 Architecture: WINDOWS Score: 100 18 Malicious sample detected (through community Yara rule) 2->18 20 Multi AV Scanner detection for submitted file 2->20 22 Detected unpacking (changes PE section rights) 2->22 24 7 other signatures 2->24 8 Shipment Airway Bill_pdf.exe 2->8         started        process3 signatures4 26 Maps a DLL or memory area into another process 8->26 11 Shipment Airway Bill_pdf.exe 1 14 8->11         started        process5 signatures6 28 Tries to harvest and steal ftp login credentials 11->28 14 cmd.exe 1 11->14         started        process7 process8 16 conhost.exe 14->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be2574eff410b1b63255c93f82e398c50b7af0f7431786e49b1dc922fbb5a910/
Threat name:
Win32.Trojan.Smartassembly
Create hunting rule
Status:
Malicious
First seen:
2020-08-30 22:42:42 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xysxj37uccy3mmsvze7yfy4yyufxv4hximlynze3dxesf65vveia._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
044ead01325ba352582421e78cce54811b6075e28486a8d1f4a9542da786f228
Pony
23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab
Pony
40bcf1b92cac08e72eb025659bb892a41926ebd655f448ff5544ece312986987
Pony
49f23a6aa07ad1617e09d06680a7e2544ba8daa9295285405b7c82ab96b8a335
Pony
80b9257f924aef8ac5a1a724234ddcd6b67bee79819202bb7b5d4586b35164c7
Pony
82c531ee47fd52c78ed90b259be7908208ae6657a75643fce70df85eb0cd64a3
Pony
98adccc8a599f53904c5cd22c7398d6b692c642807cab71f1ab6d2dc65e1c5a5
Pony
b24205394b92b61e4058e30a94528aa34cf37b3d930c3197d91f33f8fd173cf4
Pony
f711673ec31f884e59192cc360b841efc1c77b0d0b41787bea5424ae520f9989
Pony
fe966a744b83daaecb2b4b01adc7204e42d3f98955e142e78d7a948709185d27
Pony
+ 101 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
discovery rat spyware stealer family:pony
Link:
https://tria.ge/reports/200831-8tftbeph7a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/be2574eff410b1b63255c93f82e398c50b7af0f7431786e49b1dc922fbb5a910

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

gz 75e1a052a1de345db43373fdda76ed662483bb87c9f797cbcc0c1229f45a969e

Pony

Executable exe be2574eff410b1b63255c93f82e398c50b7af0f7431786e49b1dc922fbb5a910

(this sample)

  
Dropped by
MD5 053312e213f457589b1943ac99456506
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53256/
  
Dropped by
SHA256 75e1a052a1de345db43373fdda76ed662483bb87c9f797cbcc0c1229f45a969e

Comments