MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ceb0152cfbe3f282e114c269fd46ba389057c8d9b984c70e10df08752b229669. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ceb0152cfbe3f282e114c269fd46ba389057c8d9b984c70e10df08752b229669
SHA3-384 hash: 23683e11d0d13cc65a31e9c9a5b72f6ea776f745900f09377680bf8bafd70ab9783c894a0b69f753e37779e7f288cd96
SHA1 hash: 60cf3cecd39d82c131c75eaeb2ed3353853419b5
MD5 hash: a5ab0b439dbe5a12f40eda7c020b1ee3
humanhash: dakota-island-carpet-fillet
File name:CEB0152CFBE3F282E114C269FD46BA389057C8D9B984C.exe
Download: download sample
Signature Pony
Create hunting rule
File size:192'512 bytes
First seen:2021-09-09 12:50:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b12106ae5eec0332cc0a8890a904b494 (1 x Pony)
ssdeep 3072:2bmrL4ngyIIVodQ6NYZYAC7+YOWVPeqrA2fd6EK8:2bmInPRodfYaTaC2t2F66
Threatray 320 similar samples on MalwareBazaar
TLSH T1B914D085E209B02CD9C2433196BA82B4973C9DA165011FB33EDD3E933C53BA2DE65B75
dhash icon f0684d6cdcccd8f0 (1 x Pony)
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://msn.com/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://msn.com/gate.php https://threatfox.abuse.ch/ioc/218983/

Intelligence

File Origin
# of uploads :
1
# of downloads :
571
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CEB0152CFBE3F282E114C269FD46BA389057C8D9B984C.exe
Verdict:
No threats detected
Analysis date:
2021-09-09 12:51:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/887f5c25-d338-4d6a-b797-8165fe83c85d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
pony
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186662/
Detection(s):
Win.Trojan.Ponystealer-9891803-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Reading critical registry keys
DNS request
Connection attempt
Sending an HTTP POST request
Sending a UDP request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Brute forcing passwords of local accounts
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fbfce7f0-4bdf-4653-9e94-e38fdcf8e2d0
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848090
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Generic Dropper
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ceb0152cfbe3f282e114c269fd46ba389057c8d9b984c70e10df08752b229669/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2017-11-19 03:49:31 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z2ybklh34pzifyiuyju72rv2hcifpsgzxgcmodqq34ehkkzcszuq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
311d544af2d68a7cc2b4b72fc0daf60b888f060fe185eb1f6771b498d025cf16
Pony
4fa025c960fee9b41e855d025dcbb7e296c157dd30f42b924637f763e4a3c0ce
Pony
504b55a6e93fcfac9ac20bfc51c2c116e5ed3bd9c6a6cb36efcd6161d3ec1e2f
Pony
a3411c5d36b751a2fac427e0132b30b683543013bfea2eb68fe66b7ca914d0eb
Pony
a87c76402548fdef67c57b5c17c18b9650f31afb1f5b57e1b8addea30b976ba5
Pony
ad1a08a8f15ac0b57f23c950aa111f54075bdd708c91fc47899947808ae6e086
Pony
b24205394b92b61e4058e30a94528aa34cf37b3d930c3197d91f33f8fd173cf4
Pony
b85943771500d5874e0943b3e641a77bb4345d203e895a75db5f82c62db84b3a
Pony
d0439ade62a8cc3e52a07cded43c9453326cd427bd7d265d5e15dcf222deaa2c
Pony
e044b87f7a7d2a17a7dd8939838407a27d07347f93c5c53d5abaefac8413a7b0
Pony
+ 310 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer
Link:
https://tria.ge/reports/210909-p3jrragbf3/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Malware Config
C2 Extraction:
http://msn.com/gate.php
http://nwam1.fav.al/st/gate.php
Unpacked files
SH256 hash:
ec7b4f102bd85d3d36947cc6d55d3a477b88c8a77b8fe1d8810aeaaf63385f45
MD5 hash:
7ad0b88f4d8b459ad3531506d2fc56a1
SHA1 hash:
a25fc6338128a5ddb940c51de2f9edfcd13d3ea7
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/db089439-31a5-4901-b687-597da3c04213/
SH256 hash:
ceb0152cfbe3f282e114c269fd46ba389057c8d9b984c70e10df08752b229669
MD5 hash:
a5ab0b439dbe5a12f40eda7c020b1ee3
SHA1 hash:
60cf3cecd39d82c131c75eaeb2ed3353853419b5
Link:
https://www.unpac.me/results/db089439-31a5-4901-b687-597da3c04213/
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ceb0152cfbe3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/ceb0152cfbe3f282e114c269fd46ba389057c8d9b984c70e10df08752b229669

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Fareit
Create hunting rule
Author:kevoreilly
Description:Fareit Payload
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:win_pony_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.pony.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186662/

Comments