MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea7bedd31d81123db139ff9f294672fec878aad74c3abf3500c8c1694d9f5feb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	ea7bedd31d81123db139ff9f294672fec878aad74c3abf3500c8c1694d9f5feb
SHA3-384 hash:	340437b0ea75340e4499e1f6915903d4a5a0657a66d279c7b2aca04573a8cc39fb69eced39723422032174bf54310396
SHA1 hash:	a1c3fd6f7f2eb0cedeb1d20487c3cc670a3766d7
MD5 hash:	ccd624add9ca0ae92d83610ea3221ae6
humanhash:	burger-asparagus-delaware-apart
File name:	ea7bedd31d81123db139ff9f294672fec878aad74c3abf3500c8c1694d9f5feb
Download:	download sample
Signature	Pony Create hunting rule
File size:	246'784 bytes
First seen:	2020-11-14 17:57:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4d362ad01807ba6008d79ab2c7cad0ed (9 x Pony)
ssdeep	3072:eVshAo4qKg56qCIMVPmTEJBw3DCGULUnSKAEjZou8t3hw74qKgS:eVshAEKkLCIMV7JWCZUxnSTt3hwLK
TLSH	3734F11B7F08DAA4F4991E3848079AFA7D23ECD24A904F5B311DFB2E3C712827953569
Reporter	seifreed
Tags:	Pony

Intelligence

File Origin

# of uploads :

# of downloads :

420

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Upx-4

Win.Dropper.Bifrost-7643040-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Reading critical registry keys

DNS request

Connection attempt

Sending an HTTP POST request

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Brute forcing passwords of local accounts

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/536168

Signature

Antivirus / Scanner detection for submitted sample

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Generic Dropper

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ea7bedd31d81123db139ff9f294672fec878aad74c3abf3500c8c1694d9f5feb/

Threat name:

Win32.Infostealer.PonyStealer

Status:

Malicious

First seen:

2020-11-14 17:58:36 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5j563uy5qejd3mjz76pssrts73ehrkwxjq5l6niazdawstm7l7vq._file

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/201114-apav54zx1s/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

ea7bedd31d81123db139ff9f294672fec878aad74c3abf3500c8c1694d9f5feb

MD5 hash:

ccd624add9ca0ae92d83610ea3221ae6

SHA1 hash:

a1c3fd6f7f2eb0cedeb1d20487c3cc670a3766d7

Link:

https://www.unpac.me/results/4abea167-47f2-46f6-ad95-ce34820f0716/

SH256 hash:

e15efb66c9904a7c6cf46f12eef8f41f87926b625ae44bd0ee71297d1f0fe22b

MD5 hash:

b6c7e01309f60a5409b81146c1085a5f

SHA1 hash:

f5da48949290481ed5b6c8ffa9b152e782b21910

Link:

https://www.unpac.me/results/4abea167-47f2-46f6-ad95-ce34820f0716/

SH256 hash:

9f133a231775d96f86bff8947a20b6c0c7f761327e4c20be826ac04e1c8fae2e

MD5 hash:

4335c40af32d58d826f1e30c183aeee9

SHA1 hash:

37186f316db5587c752a539973c89189cf167bbd

Detections:

win_pony_g0

win_pony_auto

Link:

https://www.unpac.me/results/4abea167-47f2-46f6-ad95-ce34820f0716/

Parent samples :

98777aa1daa9a8099960c2572e7311e047c1a74c8106c4830142b8d269582989
7c8be129bca653133554930e5ff2f231de7029948d064d78c01e5aebcd8b14da
03b85c4d58c9c90abb09b3f96d4f22b554d90d5b3f12b84e6739515784cb7dc1
52bf411492eb6eb526cb654ab455b75fe57d2631af02c5865b61de70364e4935
ea7bedd31d81123db139ff9f294672fec878aad74c3abf3500c8c1694d9f5feb
e0b69e64b7d1190b19dc67c8d87be4b1ec0356e18d1639dfbd8f361f6090791b

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

XPACK

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ea7bedd31d81123db139ff9f294672fec878aad74c3abf3500c8c1694d9f5feb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample