MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 091df2d50a3f1ef3b4ace799137eecf68a408732635409aed0fefcd48c6db479. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 091df2d50a3f1ef3b4ace799137eecf68a408732635409aed0fefcd48c6db479
SHA3-384 hash: ef9ef0ca5c3500a776348dbbc2e337a2df1f28a8451dd855d2f55c61c3362c4571c7ec88c13055c0d3f0ec72a2678edc
SHA1 hash: 65db800b3cc554136177620691c31f594a7f8bb6
MD5 hash: da23a8bbc232d363f877100244825381
humanhash: venus-bakerloo-violet-colorado
File name:091df2d50a3f1ef3b4ace799137eecf68a408732635409aed0fefcd48c6db479
Download: download sample
Signature Pony
Create hunting rule
File size:588'288 bytes
First seen:2020-11-15 22:56:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae39f2e1fd8e138e6db0871a4edbc740 (4 x Pony)
ssdeep 12288:ITTnnPIOjfQFsHamNV5Z/sq0qPCb1M/+BbXuDU:IT7jfhftZ/sq0qPQeI
TLSH 39C49E26B2B09437C1226A7D880B5BAC6425FE213E1D7E866FF51D0C9F397413D1A29F
Reporter seifreed
Tags:Pony

Intelligence

File Origin
# of uploads :
1
# of downloads :
450
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Fareit-7643055-1
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Reading critical registry keys
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Brute forcing passwords of local accounts
Deleting of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/537904
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Detected Lokibot Info Stealer
Detected unpacking (changes PE section rights)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 318050 Sample: ubvk0T4ceG Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 56 www.funfreecasinogames.com 2->56 58 funfreecasinogames.com 2->58 74 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->74 76 Multi AV Scanner detection for domain / URL 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 5 other signatures 2->80 13 ubvk0T4ceG.exe 2->13         started        signatures3 process4 signatures5 94 Detected unpacking (changes PE section rights) 13->94 96 Detected Lokibot Info Stealer 13->96 98 Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code 13->98 100 3 other signatures 13->100 16 ubvk0T4ceG.exe 13->16         started        18 ubvk0T4ceG.exe 1 14 13->18         started        process6 dnsIp7 22 ubvk0T4ceG.exe 16->22         started        60 funfreecasinogames.com 108.61.29.35, 49720, 49732, 49741 AS-CHOOPAUS United States 18->60 62 www.funfreecasinogames.com 18->62 82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->82 25 cmd.exe 1 18->25         started        signatures8 process9 signatures10 86 Maps a DLL or memory area into another process 22->86 27 ubvk0T4ceG.exe 22->27         started        29 ubvk0T4ceG.exe 14 22->29         started        33 conhost.exe 25->33         started        process11 dnsIp12 35 ubvk0T4ceG.exe 27->35         started        68 www.funfreecasinogames.com 29->68 70 funfreecasinogames.com 29->70 72 192.168.2.1 unknown unknown 29->72 102 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 29->102 38 cmd.exe 1 29->38         started        signatures13 process14 signatures15 84 Maps a DLL or memory area into another process 35->84 40 ubvk0T4ceG.exe 14 35->40         started        44 ubvk0T4ceG.exe 35->44         started        46 conhost.exe 38->46         started        process16 dnsIp17 64 www.funfreecasinogames.com 40->64 66 funfreecasinogames.com 40->66 88 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->88 90 Tries to harvest and steal ftp login credentials 40->90 92 Tries to harvest and steal browser information (history, passwords, etc) 40->92 48 cmd.exe 40->48         started        50 ubvk0T4ceG.exe 44->50         started        signatures18 process19 process20 52 conhost.exe 48->52         started        54 ubvk0T4ceG.exe 50->54         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/091df2d50a3f1ef3b4ace799137eecf68a408732635409aed0fefcd48c6db479/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 22:58:16 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=beo7fvikh4pphnfm46mrg7xm62febbzsmnkatlwq736njddnwr4q._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201115-y2lslgj51n/
Unpacked files
SH256 hash:
091df2d50a3f1ef3b4ace799137eecf68a408732635409aed0fefcd48c6db479
MD5 hash:
da23a8bbc232d363f877100244825381
SHA1 hash:
65db800b3cc554136177620691c31f594a7f8bb6
Link:
https://www.unpac.me/results/ea696ccf-4fc6-4413-88e7-dc7118eb65f9/
SH256 hash:
778160c69455ae5dd5388ec57e2c3388eec81a24a9537e8076f343294d6acb8a
MD5 hash:
8090481e4789f3f361388dc80f327312
SHA1 hash:
156f278c61abe310f2b8234c01ebc508950fe314
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/ea696ccf-4fc6-4413-88e7-dc7118eb65f9/
Parent samples :
5592f091a845c7e32d8c66d5efa561fa9d0ce09c88a54927f8f43ca31373cf93
0d1de7409f5d91b199b669e067151bcc5789ede5f80daa3e961b43e21609901f
091df2d50a3f1ef3b4ace799137eecf68a408732635409aed0fefcd48c6db479
60dbd25b16ab3e850b59d57cb96eb19f557cae3cef5c7e2fdd8919c70a5ab81e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/091df2d50a3f1ef3b4ace799137eecf68a408732635409aed0fefcd48c6db479

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments