MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10718fa900718988ee7184286ac5b75520fc90c5da245ca0bd8c13b3bcaa1120. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	10718fa900718988ee7184286ac5b75520fc90c5da245ca0bd8c13b3bcaa1120
SHA3-384 hash:	91ba13fb85e7ed5f30844093fb683544a1216a9aeda421b07c35d255c9a24e8219cb27e0c0ab5c150175eac989557615
SHA1 hash:	2f891213d454023418020892aca8a378e3f9ef9f
MD5 hash:	1b0803611d7f441a5a4eeda64fb05ccc
humanhash:	earth-low-minnesota-queen
File name:	10718FA900718988EE7184286AC5B75520FC90C5DA245.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	194'107 bytes
First seen:	2021-06-11 21:15:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fd61eafe142870d6d0380163804a642 (39 x GuLoader, 6 x RemcosRAT, 4 x AgentTesla)
ssdeep	3072:/voooSX4qZ1YzI0qDN6aAaqlWEWDk6w/5dlmRQM63CgtyTxpOdDLBgDaji+ePkbA:xZX4qwUDNFRqlWEWPw/5dc/6vyFp+DF8
TLSH	3314020266E09423D6978E714BDAF236EEF6B6D51638026F33108FF82961790661F397
Reporter	abuse_ch
Tags:	exe Pony

abuse_ch

Pony C2:
http://22autumns.com/wp-admin/network/.about/privacy/exec/cache.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://22autumns.com/wp-admin/network/.about/privacy/exec/cache.php	https://threatfox.abuse.ch/ioc/98913/

Intelligence

File Origin

# of uploads :

# of downloads :

704

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

10718FA900718988EE7184286AC5B75520FC90C5DA245.exe

Verdict:

No threats detected

Analysis date:

2021-06-11 21:17:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5f4b3364-df90-47c7-9edf-3f51434fc71b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/166195/

Detection(s):

Win.Trojan.Nemesis-6972284-0

Win.Ransomware.Cerber-9168467-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Reading critical registry keys

DNS request

Sending a UDP request

Connection attempt

Sending an HTTP POST request

Stealing user critical data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Pony

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8c533c54-81c8-4862-b5a2-f2c80a4ca7c5

Result

Threat name:

Lokibot Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/801076

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Detected Lokibot Info Stealer

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Detection:

pony

Link:

https://mwdb.cert.pl/sample/10718fa900718988ee7184286ac5b75520fc90c5da245ca0bd8c13b3bcaa1120/

Threat name:

Win32.Trojan.Makoob

Status:

Malicious

First seen:

2018-11-06 09:07:59 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cbyy7kiaogeyr3trqqugvrnxkuqpzegf3isfzif5rqj3hpfkceqa._file

Result

Malware family:

pony

Score:

10/10

Tags:

family:pony discovery rat spyware stealer

Link:

https://tria.ge/reports/210611-mgq74metd2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Pony,Fareit

Malware Config

C2 Extraction:

http://22autumns.com/wp-admin/network/.about/privacy/exec/cache.php

Unpacked files

SH256 hash:

26c33bb4c44111aa4a7b2bf4527c02fbc9bc5b49c5c15819a331608d22db08c9

MD5 hash:

deaa46c3a2efbc2a27d08634acd16abd

SHA1 hash:

f6081cc897c428b69a1f0e7c1715993dfcb59c62

Detections:

win_pony_g0

win_pony_auto

Link:

https://www.unpac.me/results/0f2910ec-8ec9-4656-a17b-52b36ab15794/

SH256 hash:

a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

MD5 hash:

75ed96254fbf894e42058062b4b4f0d1

SHA1 hash:

996503f1383b49021eb3427bc28d13b5bbd11977

Link:

https://www.unpac.me/results/0f2910ec-8ec9-4656-a17b-52b36ab15794/

SH256 hash:

02291264eb8339c5b94f254a3cd58924033212f8e94af438784b8734f96682df

MD5 hash:

811da0f9997289e18871a2aa576587cd

SHA1 hash:

c7151b8e152a8c4192194427489954d6a80873a1

Link:

https://www.unpac.me/results/0f2910ec-8ec9-4656-a17b-52b36ab15794/

SH256 hash:

10718fa900718988ee7184286ac5b75520fc90c5da245ca0bd8c13b3bcaa1120

MD5 hash:

1b0803611d7f441a5a4eeda64fb05ccc

SHA1 hash:

2f891213d454023418020892aca8a378e3f9ef9f

Link:

https://www.unpac.me/results/0f2910ec-8ec9-4656-a17b-52b36ab15794/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/10718fa900718988ee7184286ac5b75520fc90c5da245ca0bd8c13b3bcaa1120

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/166195/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample