MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 044ead01325ba352582421e78cce54811b6075e28486a8d1f4a9542da786f228. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 044ead01325ba352582421e78cce54811b6075e28486a8d1f4a9542da786f228
SHA3-384 hash: e4a30bd8bd6505de3c1571e6499472b7090c89955e81f309073033596f73ae3ad8de5962b9a8705808f89493962f4f3e
SHA1 hash: 4a1dc801a5f2bb0b71e5668dc0cce7e3cdac8b03
MD5 hash: e39ed02fe8b90dbcb8ca4e6d7c164554
humanhash: low-crazy-nebraska-three
File name:gunzipped
Download: download sample
Signature Pony
Create hunting rule
File size:807'936 bytes
First seen:2020-06-15 07:43:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 154500a06625191fc7a83b12527a2611 (2 x AgentTesla, 2 x Loki, 1 x HawkEye)
ssdeep 12288:CJ4tm5gnkBj0aY0JQvcX6mBnK0KdQNEyYXH9tze+olulMYL:T+gnMYaYmQvInKlU4XnzeYZL
Threatray 129 similar samples on MalwareBazaar
TLSH 04055A12E2B0FD36C1F6153B8D47F6789C2EBE10192879463BEFB848BE395817515B82
Reporter abuse_ch
Tags:Downloader.Pony Pony


Avatar
abuse_ch
Malspam distributing Downloader.Pony:

HELO: staging.maykenbel.com
Sending IP: 195.12.49.182
From: Rafał Gąsior <rafal.gasior@astoria.pl>
Reply-To: Rafał Gąsior <rafal.gasior@astoria-pl.com>
Subject: RE: URGENT-Confirm Account Details/SOA Feb-May
Attachment: Document Copy.gz (contains "gunzipped")

Pony C2:
http://shinhan-vina.com.vn/hh/panelnew/gate.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10289/
Detection(s):
Win.Malware.Smdd-6922230-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Injector.EMHC.21704.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.CryptInjector
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 07:45:05 UTC
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=arhk2ajslorvewbeehtyztsuqenwa5pcqsdkrupuvfkc3j4g6iua._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab
Pony
40bcf1b92cac08e72eb025659bb892a41926ebd655f448ff5544ece312986987
Pony
49f23a6aa07ad1617e09d06680a7e2544ba8daa9295285405b7c82ab96b8a335
Pony
80b9257f924aef8ac5a1a724234ddcd6b67bee79819202bb7b5d4586b35164c7
Pony
82c531ee47fd52c78ed90b259be7908208ae6657a75643fce70df85eb0cd64a3
Pony
98adccc8a599f53904c5cd22c7398d6b692c642807cab71f1ab6d2dc65e1c5a5
Pony
b24205394b92b61e4058e30a94528aa34cf37b3d930c3197d91f33f8fd173cf4
Pony
be2574eff410b1b63255c93f82e398c50b7af0f7431786e49b1dc922fbb5a910
Pony
f711673ec31f884e59192cc360b841efc1c77b0d0b41787bea5424ae520f9989
Pony
fe966a744b83daaecb2b4b01adc7204e42d3f98955e142e78d7a948709185d27
Pony
+ 119 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer
Link:
https://tria.ge/reports/201109-6p4tr5l47n/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

gz 67e7ed3551603dbb12c09c7b37bb6c1d45188436e9c6683d986064dad9649a4f

Pony

Executable exe 044ead01325ba352582421e78cce54811b6075e28486a8d1f4a9542da786f228

(this sample)

  
Dropped by
MD5 b1e06b3820fa0dd6b4f150b6ba21cc08
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 67e7ed3551603dbb12c09c7b37bb6c1d45188436e9c6683d986064dad9649a4f
Cape
Cape
https://www.capesandbox.com/analysis/10289/

Comments