MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f711673ec31f884e59192cc360b841efc1c77b0d0b41787bea5424ae520f9989. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f711673ec31f884e59192cc360b841efc1c77b0d0b41787bea5424ae520f9989
SHA3-384 hash: 482224579fc2b236b0f896a24c1ebe85ac169f213f670f540817b95adb91bde34a48242751e92960c78b5b511510cbe0
SHA1 hash: 4cbddc4bb7db82fbb0c7781d0e07ad1b0279e8af
MD5 hash: bd1c429c2ea9b2c200470e0859761692
humanhash: orange-tango-echo-lima
File name:QWA.exe
Download: download sample
Signature Pony
Create hunting rule
File size:900'608 bytes
First seen:2020-06-12 06:49:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2bf1c4365cee407b2c3a1c3c78c5d36f (11 x AgentTesla, 3 x Pony, 2 x Loki)
ssdeep 12288:8OkBSWyhJEwYQZk6eqphpau3dP7AXC4bQqUwGeWTvFnr1Vu0qdRgzN5rjFL:TiSzviQZk6eqFJUCMG7drS0qd2Nb
Threatray 137 similar samples on MalwareBazaar
TLSH 34157C26F2934433D17E263C9D5B5379982ABD102D28D9463BF78E4E5F3C68239342A7
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Malspam distributing Pony:

HELO: hu.hubtimeap.live
Sending IP: 45.95.171.242
From: Charmunda Pharma Mchinery LTD <albright5@hotmail.com>
Subject: Re: Urgent PO for June A129673 Chamunda Pharma Machinery,LTD.
Attachment: Chamunda Pharma PO A129673 _pdf.zip (contains "QWA.exe")

Pony C2:
http://shinhan-vina.com.vn/hd/panelnew/gate.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/9113/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

PUA.Win.Adware.Webalta-6854075-0
Create hunting rule

PUA.Win.Adware.Webalta-6862190-0
Create hunting rule

SecuriteInfo.com.Variant.Strictor.245818.10883.3329.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-12 04:50:55 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=64iwopwdd6ee4wizftbwbocb57a4o6ynbnaxq67kkqsk4uqptgeq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
044ead01325ba352582421e78cce54811b6075e28486a8d1f4a9542da786f228
Pony
23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab
Pony
40bcf1b92cac08e72eb025659bb892a41926ebd655f448ff5544ece312986987
Pony
49f23a6aa07ad1617e09d06680a7e2544ba8daa9295285405b7c82ab96b8a335
Pony
80b9257f924aef8ac5a1a724234ddcd6b67bee79819202bb7b5d4586b35164c7
Pony
82c531ee47fd52c78ed90b259be7908208ae6657a75643fce70df85eb0cd64a3
Pony
98adccc8a599f53904c5cd22c7398d6b692c642807cab71f1ab6d2dc65e1c5a5
Pony
b24205394b92b61e4058e30a94528aa34cf37b3d930c3197d91f33f8fd173cf4
Pony
be2574eff410b1b63255c93f82e398c50b7af0f7431786e49b1dc922fbb5a910
Pony
fe966a744b83daaecb2b4b01adc7204e42d3f98955e142e78d7a948709185d27
Pony
+ 127 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer
Link:
https://tria.ge/reports/201109-3rmj8h8jbs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

zip 16692ab38663ca618f3c522177c8732abe93fe4377b498940579d829eee65027

Pony

Executable exe f711673ec31f884e59192cc360b841efc1c77b0d0b41787bea5424ae520f9989

(this sample)

  
Dropped by
MD5 57f2ba065b0ce36fae72e7851cf41710
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 16692ab38663ca618f3c522177c8732abe93fe4377b498940579d829eee65027
Cape
Cape
https://www.capesandbox.com/analysis/9113/

Comments