MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4c832a4bab387a6be05fd993db79a632ee26ebab14ccc137701a66e25551943. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4c832a4bab387a6be05fd993db79a632ee26ebab14ccc137701a66e25551943
SHA3-384 hash: c03ec94a16c562144b672ac591a63bf310b983cdeb4e04ccfdb9b34dd03bfd88739d98346c08297b114454320cece188
SHA1 hash: b60297d0da087346e1c2b2e82c9fcbbc49cabb0c
MD5 hash: 7ec0f30d1c2f86377600e90b23b6f630
humanhash: ohio-paris-edward-mountain
File name:D4C832A4BAB387A6BE05FD993DB79A632EE26EBAB14CC.exe
Download: download sample
Signature Pony
Create hunting rule
File size:405'504 bytes
First seen:2021-09-24 02:46:00 UTC
Last seen:2021-09-24 04:04:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ac947488f30da0c6a390446aa752ed19 (1 x Pony)
ssdeep 6144:E/fACBAqmaixzxpeh7W+RNIjbuSvljbuIAPi:EXAjdaixzEW+Rn
Threatray 1'960 similar samples on MalwareBazaar
TLSH T1B284F18EDFD83589D108D4B15D6781A369A26EA61AF3DFD31805FC2EAE3C0437E84176
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://melaniedoutey.org/sa1/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://melaniedoutey.org/sa1/gate.php https://threatfox.abuse.ch/ioc/226118/

Intelligence

File Origin
# of uploads :
2
# of downloads :
541
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
D4C832A4BAB387A6BE05FD993DB79A632EE26EBAB14CC.exe
Verdict:
No threats detected
Analysis date:
2021-09-24 02:47:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/89a14e31-35ac-416b-834f-23eb4e75ea9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190928/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.21526.16951.25490.UNOFFICIAL
Create hunting rule

Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f67e794-afd2-4084-a208-38645f696ace
Result
Threat name:
Fareit Pony
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/857029
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Fareit stealer
Yara detected Generic Dropper
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489456 Sample: D4C832A4BAB387A6BE05FD993DB... Startdate: 24/09/2021 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Potential malicious icon found 2->46 48 Found malware configuration 2->48 50 12 other signatures 2->50 8 D4C832A4BAB387A6BE05FD993DB79A632EE26EBAB14CC.exe 3 4 2->8         started        11 wscript.exe 1 2->11         started        13 wscript.exe 1 2->13         started        process3 file4 34 C:\Users\user\AppData\Local\...\filename.bat, PE32 8->34 dropped 36 C:\Users\user\AppData\Local\...\filename.vbs, ASCII 8->36 dropped 15 wscript.exe 1 1 8->15         started        18 filename.bat 1 11->18         started        20 filename.bat 1 13->20         started        process5 signatures6 66 Creates autostart registry keys with suspicious values (likely registry only malware) 15->66 22 filename.bat 1 15->22         started        25 filename.bat 18->25         started        28 filename.bat 20->28         started        process7 dnsIp8 52 Antivirus detection for dropped file 22->52 54 Multi AV Scanner detection for dropped file 22->54 56 Detected unpacking (changes PE section rights) 22->56 64 3 other signatures 22->64 30 filename.bat 1 12 22->30         started        38 melaniedoutey.org 25->38 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->58 60 Tries to harvest and steal ftp login credentials 25->60 62 Tries to harvest and steal browser information (history, passwords, etc) 25->62 40 melaniedoutey.org 28->40 signatures9 process10 dnsIp11 42 melaniedoutey.org 94.130.207.188, 49751, 49752, 49753 HETZNER-ASDE Germany 30->42 68 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 30->68 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4c832a4bab387a6be05fd993db79a632ee26ebab14ccc137701a66e25551943/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2018-02-08 00:58:05 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2tedfjf2wod2npqf7wmt3n42mmxoe3v2wfgmye3xagtg4jkvdfbq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
0073ac21688a76d58b1da9bdf08989053248d9f941a69c70655d021b68459d08
Pony
1044ec442e3ba7fa846a958f7ce9d7280ae1a72ec79787fd9982397a93ff2b24
Pony
65163c2a5608d66d615a284943d5ebf811a78e6ecebec47835b4680a19d07518
Pony
8e164388aa881f7f4e8ad09602a3ffc52cdd8be2e30308deea4fc9ae1d4651f9
Pony
97ba4ad5b02bc8812864b06941778432faf60a667c0279c0c7c092b76e91b9cc
Pony
9b440cf6d2e182fc01815a943cf8aee5738329211a8231738e811247e9b897df
Pony
b59427205b88d9cd8b38bf4c99f902d569085b708a9eb3c6c8b6d8a8ea7a361d
Pony
b9cfacce31ac73f06fe0f6ed3393024fd2503881ff7dba105031a1fd0c932083
Pony
d6f1a499de309d8f7bf2d59907d08fb2d81a5b21172c7215e08396cdfe31213a
Pony
ed958e670c221b6804af79109d13bbaf46507004f098cfab8a9ac3cf4ac1a6e1
Pony
+ 1'950 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery persistence rat spyware stealer suricata
Link:
https://tria.ge/reports/210924-c9bcqsffan/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
Pony,Fareit
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Malware Config
C2 Extraction:
http://melaniedoutey.org/sa1/gate.php
Unpacked files
SH256 hash:
d4c832a4bab387a6be05fd993db79a632ee26ebab14ccc137701a66e25551943
MD5 hash:
7ec0f30d1c2f86377600e90b23b6f630
SHA1 hash:
b60297d0da087346e1c2b2e82c9fcbbc49cabb0c
Link:
https://www.unpac.me/results/79b75ee6-1e50-4b36-8d2f-384a0d0fb66e/
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d4c832a4bab3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.41
Link:
https://yomi.yoroi.company/submissions/d4c832a4bab387a6be05fd993db79a632ee26ebab14ccc137701a66e25551943

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190928/

Comments