MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0b69e64b7d1190b19dc67c8d87be4b1ec0356e18d1639dfbd8f361f6090791b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0b69e64b7d1190b19dc67c8d87be4b1ec0356e18d1639dfbd8f361f6090791b
SHA3-384 hash: a6a82d0a9fb8428f255ad1417dc95fd9015f44ec6e2e4b190c87f3ea1ab69b532a5c3c31c15e38c6cf8f94ef4354f363
SHA1 hash: 8bd7c0570e0e59c058bdf9b53a67724d3b93ad5f
MD5 hash: d12142c55cba2f7f59a44f863fe8ac68
humanhash: table-nineteen-charlie-michigan
File name:e0b69e64b7d1190b19dc67c8d87be4b1ec0356e18d1639dfbd8f361f6090791b
Download: download sample
Signature Pony
Create hunting rule
File size:160'256 bytes
First seen:2020-11-14 18:03:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be19e18d6a8b41631d40059031a928bb (28 x Pony, 3 x Loki, 3 x NetWire)
ssdeep 3072:nPcOonNS/h5E5iufXKpBYTLeEh4LOuC8h5sTgoE8k3hw74qKgS:UOcSp5E5iIXKpBYTLVh1uXh5sbJk3hw+
Threatray 146 similar samples on MalwareBazaar
TLSH 8AF3028AAE057EA8E4455D39C1170EA25E657CD24862CD07193CFB2FBC734D0BC639AA
Reporter seifreed
Tags:Pony

Intelligence

File Origin
# of uploads :
1
# of downloads :
422
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Win.Dropper.Bifrost-7643040-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Reading critical registry keys
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Brute forcing passwords of local accounts
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/535995
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Generic Dropper
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0b69e64b7d1190b19dc67c8d87be4b1ec0356e18d1639dfbd8f361f6090791b/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:05:21 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4c3j4zfx2emqwgo4m7enq67ewhwagvxbruldtx55r43b6yeqpenq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
03b85c4d58c9c90abb09b3f96d4f22b554d90d5b3f12b84e6739515784cb7dc1
Pony
23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab
Pony
4d9ba9f2d2a2085cbdafebb0dc4b73058f45c4b86631d8fc11240e132a1e1d0d
Pony
4fa025c960fee9b41e855d025dcbb7e296c157dd30f42b924637f763e4a3c0ce
Pony
52bf411492eb6eb526cb654ab455b75fe57d2631af02c5865b61de70364e4935
Pony
841e400462718d0c71b30ac5c90768c409485806146ee50bfc2f866913ffcf49
Pony
98adccc8a599f53904c5cd22c7398d6b692c642807cab71f1ab6d2dc65e1c5a5
Pony
b24205394b92b61e4058e30a94528aa34cf37b3d930c3197d91f33f8fd173cf4
Pony
b2d579828599ae4e265f77899466dc005e7685b50dcbf6817388ea22d404ab2c
Pony
d01f1ad8b4e08a70621ab7d9907d551bc238a990737e45060252998c059bb0fa
Pony
+ 136 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201114-es5ebdq93n/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
e0b69e64b7d1190b19dc67c8d87be4b1ec0356e18d1639dfbd8f361f6090791b
MD5 hash:
d12142c55cba2f7f59a44f863fe8ac68
SHA1 hash:
8bd7c0570e0e59c058bdf9b53a67724d3b93ad5f
Link:
https://www.unpac.me/results/1d40b514-b65c-46dc-aa6c-4000f1e56e4d/
SH256 hash:
9f133a231775d96f86bff8947a20b6c0c7f761327e4c20be826ac04e1c8fae2e
MD5 hash:
4335c40af32d58d826f1e30c183aeee9
SHA1 hash:
37186f316db5587c752a539973c89189cf167bbd
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/1d40b514-b65c-46dc-aa6c-4000f1e56e4d/
Parent samples :
98777aa1daa9a8099960c2572e7311e047c1a74c8106c4830142b8d269582989
7c8be129bca653133554930e5ff2f231de7029948d064d78c01e5aebcd8b14da
03b85c4d58c9c90abb09b3f96d4f22b554d90d5b3f12b84e6739515784cb7dc1
52bf411492eb6eb526cb654ab455b75fe57d2631af02c5865b61de70364e4935
ea7bedd31d81123db139ff9f294672fec878aad74c3abf3500c8c1694d9f5feb
e0b69e64b7d1190b19dc67c8d87be4b1ec0356e18d1639dfbd8f361f6090791b
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Bifrost
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/e0b69e64b7d1190b19dc67c8d87be4b1ec0356e18d1639dfbd8f361f6090791b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments