MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b5b880307bbb0233d7acf9685b9ef0d596657c4a52b6096f998689d743ec168. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b5b880307bbb0233d7acf9685b9ef0d596657c4a52b6096f998689d743ec168
SHA3-384 hash: 6afd2d9c51f680939abab9d414b33b497fd9dda430295ecf705cf8390abc0f28bd1241789453b1a1218f63f3c2232e88
SHA1 hash: da00155621e459ecbb2b7cebe8ca4e2137b4ee76
MD5 hash: 807e68132cc9f6def300da6cd8c6417c
humanhash: white-saturn-steak-lemon
File name:2.exe
Download: download sample
Signature Pony
Create hunting rule
File size:64'512 bytes
First seen:2020-07-13 17:04:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c8d0faaba7100f6226c5829432da484 (2 x Pony)
ssdeep 1536:KGrapS29TFN0IHai973OETMYMPv/VMPq1:frapS29JN0IHai973O9YqKPq1
Threatray 74 similar samples on MalwareBazaar
TLSH C7537BA7D191E832D0B5477051D9AE06D9F95FB978BB4883E32401D6ACF42D6B72C2C3
Reporter James_inthe_box
Tags:exe Pony

Intelligence

File Origin
# of uploads :
1
# of downloads :
467
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/25487/
Detection(s):
Win.Trojan.Generic-6296801-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Detection:
evil-pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0b5b880307bbb0233d7acf9685b9ef0d596657c4a52b6096f998689d743ec168/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 17:03:54 UTC
File Type:
PE (Exe)
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1c08cf3dcf465a4a90850cd256d29d681c7f618ff7ec94d1d43529ee679f62f3
Pony
6ec6d3425cc3bdc664f5938119469a2947ad061dac33fafbd303998c9311a254
Pony
70f8a912b0343b177f6c04ea6a642dd85f68044728e5481e86cfe8311ed86e21
Pony
90039768c0de73c07a511aa6eb560df1e33f41bbe3b6753ddbcf6ffc07711169
Pony
a1c08ff292231d8890ef8ef9f89d0f2b980d310d0f20b9b87498f855fda1512a
Pony
a1ea6e27f13d729c388d0cf8a22f07407bf52290d0b68f4d4da1637d3a2b8eea
Pony
a3b71dfc0235bd33cd7d9d05db130acc2d4d4852522279aab9ceb5ea9f3d0ca9
Pony
bd6840cc208517847e130db0c847e715ba80a88e210e6383b37c1d0381877ee5
Pony
d01f1ad8b4e08a70621ab7d9907d551bc238a990737e45060252998c059bb0fa
Pony
e892e7f5b3919e1c3d92ee26e7b4313e753cad797e3397138a1ccef2b1289b1d
Pony
+ 64 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200713-mpf6mmlphs/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_evilpony_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/25487/

Comments