MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9a5b131c7a3323ae280684b70ca4892d7b82ca6c599e2290915bab798c34600. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9a5b131c7a3323ae280684b70ca4892d7b82ca6c599e2290915bab798c34600
SHA3-384 hash: bee0379cf10a11ed252be04b1157aa392db448858d07dcee43e388e44433cb0efde81fd56b6ff162a8b7f82b88a94f47
SHA1 hash: a5e54d054e59114c4552efc46348c404f3493ded
MD5 hash: 8b998aaa2064a24bcd8122d956c59c66
humanhash: mockingbird-carolina-king-aspen
File name:D9A5B131C7A3323AE280684B70CA4892D7B82CA6C599E.exe
Download: download sample
Signature Pony
Create hunting rule
File size:504'320 bytes
First seen:2021-11-09 12:31:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f3102f07e26b726eba70d83959b07e4 (1 x Pony, 1 x Loki)
ssdeep 12288:wbBXXg52RKby7Fp8Bt7h4E/N43GD/+esTCmY:w1Q5UKe7Hkt4ElTDW2mY
Threatray 368 similar samples on MalwareBazaar
TLSH T193B41291AADBE6F9CBA6893A47716B0B07CCFC271C75C0A6DA1DF3C830B20E57921515
File icon (PE):PE icon
dhash icon 27d0d8d6d6d8f023 (1 x Pony)
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://oveysrostami.ir/pony/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://oveysrostami.ir/pony/gate.php https://threatfox.abuse.ch/ioc/246035/

Intelligence

File Origin
# of uploads :
1
# of downloads :
599
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/204476/
Detection(s):
PUA.Win.Packer.AsprotectSke-6
Create hunting rule

PUA.Win.Packer.AsprotectSke-1
Create hunting rule

PUA.Win.Packer.AsprotectSke-4
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

PUA.Win.Packer.AsprotectSke-5
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/618a6a44175442ca93a911fb/reports/a4b2471d-c52e-40aa-b369-85b50a9aa4d4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f895fd9b-569f-4cd8-923c-faef05102758
Result
Threat name:
Fareit Pony
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/885973
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Checks if UnHackMe application is installed (likely to disable it)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected Fareit stealer
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 518446 Sample: D9A5B131C7A3323AE280684B70C... Startdate: 09/11/2021 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 14 other signatures 2->42 8 D9A5B131C7A3323AE280684B70CA4892D7B82CA6C599E.exe 3 2->8         started        12 D9A5B131C7A3323AE280684B70CA4892D7B82CA6C599E.exe 1 2->12         started        process3 file4 28 D9A5B131C7A3323AE2...92D7B82CA6C599E.exe, PE32 8->28 dropped 30 D9A5B131C7A3323AE2...exe:Zone.Identifier, ASCII 8->30 dropped 44 Detected unpacking (changes PE section rights) 8->44 46 Detected unpacking (overwrites its own PE header) 8->46 48 Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code 8->48 54 2 other signatures 8->54 14 D9A5B131C7A3323AE280684B70CA4892D7B82CA6C599E.exe 1 14 8->14         started        50 Checks if UnHackMe application is installed (likely to disable it) 12->50 52 Injects a PE file into a foreign processes 12->52 18 D9A5B131C7A3323AE280684B70CA4892D7B82CA6C599E.exe 14 12->18         started        signatures5 process6 dnsIp7 32 104.21.86.27, 443, 49755, 49757 CLOUDFLARENETUS United States 14->32 34 oveysrostami.ir 172.67.214.61, 443, 49754, 49756 CLOUDFLARENETUS United States 14->34 20 cmd.exe 1 14->20         started        56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->56 58 Tries to harvest and steal ftp login credentials 18->58 60 Tries to harvest and steal browser information (history, passwords, etc) 18->60 22 cmd.exe 1 18->22         started        signatures8 process9 process10 24 conhost.exe 20->24         started        26 conhost.exe 22->26         started       
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d9a5b131c7a3323ae280684b70ca4892d7b82ca6c599e2290915bab798c34600/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2017-12-06 01:47:30 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3gs3cmohumzdvyuanbfxbssisll3qlfgywm6ekijcw5lpggdiyaa._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
0073ac21688a76d58b1da9bdf08989053248d9f941a69c70655d021b68459d08
Pony
2fdb85c7a0a29e78f22e3b994c5835178f6b54162f4d72a224d9ac9d40c3b60f
Pony
417b4a38fff2e60e2a4178bd99f6a7c41e3e1ddd6c4a1384982c7907e952b671
Pony
6850cd1eeac54b14140e6231564313378df24c308c4d92641370aaa1b065b3fd
Pony
784f22f31bacf9e57c6162d31282e75fde015c4a74f6b126a9255c4a38be8a38
Pony
89ba6ca01979a51dd5e8fee7d80e8d69322531ba357750a79d8aaceb5a3163c7
Pony
9b440cf6d2e182fc01815a943cf8aee5738329211a8231738e811247e9b897df
Pony
d2edc352a2a157c1ac51e314039ca894958635959d905900755992eed6a13256
Pony
f4bf1d1294fcdebf960a81bc8bdf14edb488c4d844a90ab100a1d5354f8cd443
Pony
+ 358 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony bootkit collection discovery persistence rat spyware stealer suricata
Link:
https://tria.ge/reports/211109-pql2cacceq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Deletes itself
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
suricata: ET MALWARE Pony Loader default URI struct
Malware Config
C2 Extraction:
http://oveysrostami.ir/pony/gate.php
Unpacked files
SH256 hash:
45cd940fe9ca862727e7594c2312b36a65b810e20c57476af0f7c9a27fdae282
MD5 hash:
0289f2c46b684ec7189f0fe480b6fc3f
SHA1 hash:
b6e1c7cb9f9f331ee4a5bfc385383e36dd0c56a4
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/2cbf4428-ee5f-4200-bd76-1b48dcb96d1b/
SH256 hash:
2f4116c67a6ca8e4aee1d18b621dcec08a25ef7c1b252b19234f4c59c8c9b7d1
MD5 hash:
824428de9a8089a92221bf4f7178fe08
SHA1 hash:
7947a486105d3fd3637ca2337787b90d92f05f76
Detections:
win_dbatloader_g1
Create hunting rule
win_biodata_auto
Create hunting rule
Link:
https://www.unpac.me/results/2cbf4428-ee5f-4200-bd76-1b48dcb96d1b/
SH256 hash:
d9a5b131c7a3323ae280684b70ca4892d7b82ca6c599e2290915bab798c34600
MD5 hash:
8b998aaa2064a24bcd8122d956c59c66
SHA1 hash:
a5e54d054e59114c4552efc46348c404f3493ded
Link:
https://www.unpac.me/results/2cbf4428-ee5f-4200-bd76-1b48dcb96d1b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/d9a5b131c7a3323ae280684b70ca4892d7b82ca6c599e2290915bab798c34600

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/204476/

Comments