MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00
SHA3-384 hash: 64ecfb4519560260a71164b41ba8f0d57bac3f43b425f5ee4bda62abf01566ca7cce53e9fe930c83128e1256de62d2b8
SHA1 hash: c902a31d3ab532a1a1fcbb8b51a8516a9703a6ef
MD5 hash: 4e5556b10c33c8bcd2a381880926a29a
humanhash: louisiana-mockingbird-four-table
File name:Skany 07.07.exe
Download: download sample
Signature Pony
Create hunting rule
File size:1'164'816 bytes
First seen:2020-07-07 06:56:48 UTC
Last seen:2020-07-07 08:20:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fa52130d18b37b01473a3661c6ba5803 (1 x Pony)
ssdeep 3072:7eNTuo0ILAuHv5B6YK/5AhNSiMM+WSz48H5jodUtElYcrgx+ICPKGy3yLs3/Bb8:7MuGUYv5MN5ILMUctodUtEluji
Threatray 153 similar samples on MalwareBazaar
TLSH D045910573A7DD55FDB63A399A3689B4483AFC51EDB0CA6F32D03D0F3861A809875362
Reporter jarumlus
Tags:Pony

Intelligence

File Origin
# of uploads :
2
# of downloads :
454
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21870/
Detection(s):
SecuriteInfo.com.Mal.EncPk-APV.8488.20105.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Creating a file in the %temp% directory
Sending an HTTP GET request
Launching a process
Searching for the window
Creating a file
Reading critical registry keys
Launching a service
Creating a window
Creating a process with a hidden window
Moving a file to the %temp% directory
Deleting a recently created file
Running batch commands
Using the Windows Management Instrumentation requests
Sending an HTTP POST request
Possible injection to a system process
Stealing user critical data
Setting a global event handler for the keyboard
Enabling autorun with Startup directory
Brute forcing passwords of local accounts
Deleting of the original file
Result
Threat name:
Fareit Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/383669
Behaviour
Behavior Graph:
Download SVG
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 06:58:06 UTC
AV detection:
39 of 48 (81.25%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aridmi4wbbf6shi6i4kvwwxxg7cq2netcvujxrjy6cob54czhmaa._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
4188d06ab94a8883fd4864b3690168649de6f1ae86d8b2c6a2778f7f46a60e02
Pony
4bb2312117a9cca54bbb57f052f7a012d1971b1895fee03e35f6b657ac506bd1
Pony
7cf72bae10afa79e537315303bc0ffd4ab5159102347818158796b4a05692403
Pony
9be6e55ff75a4a8571940411678d521216fc0bd61cbe9d049e10dfd41bdd73fc
Pony
9da2fc8e17dff51ad3de4ef9ff78d4196bd530a4aaa8e3c07e81e56df7a5c241
Pony
cb8b6228dc596af613b8a5fb2b0ac79326ec4265ca8f4f5dc796f9b8fa4d287e
Pony
d67bc999b9c89a4c2ccd9832b42accf936e6b4403d27226c8de973ec0987d945
Pony
e3d26ec0477d9578aaa7762c27514f91c1c9503935c9d1f48cf34698de2ac9cf
Pony
eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca
Pony
fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b
Pony
+ 143 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
spyware discovery rat stealer family:pony
Link:
https://tria.ge/reports/200707-54q49la2ln/
Behaviour
Suspicious use of WriteProcessMemory
Script User-Agent
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Checks for installed software on the system
Accesses cryptocurrency wallets, possible credential harvesting
Reads data files stored by FTP clients
Deletes itself
Reads user/profile data of web browsers
Pony,Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

rar 88141dd92a32e37cab5b60b9cac28a0430771e094d22b871e0b1289352ac6b4b

Pony

Executable exe 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00

(this sample)

  
Dropped by
MD5 1051e28ec795c3e6f489cd59c06eb23b
  
Dropped by
SHA256 88141dd92a32e37cab5b60b9cac28a0430771e094d22b871e0b1289352ac6b4b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/21870/

Comments