MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1358ae104519c839bd0061450f88c14cf807dfbea7e5125b92c476119eb05b13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 15

SHA256 hash: 1358ae104519c839bd0061450f88c14cf807dfbea7e5125b92c476119eb05b13
SHA3-384 hash: b6bd3309aeb13d6d69d445b2f57cfb27c11a0c1f429561d2b635249aa9214d668016f9f27c2a3c6466363dcf2b6eac70
SHA1 hash: 71ff3a7b9b9648cc5fe69d4f2f6c2f4ea10f6dd1
MD5 hash: 4e8e6e2c2a35ba5ac2b93903584b473f
humanhash: hamper-moon-muppet-grey
File name: NewOrder.exe
Signature: Pony
File size: 506'368 bytes
First seen: 2022-05-03 15:55:53 UTC
Last seen: 2022-05-04 06:05:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:72L2Ij3h+k1Bqc/AifGE4Y+cIoguimQbiQs5U+:72p3Bm2leEneuiD45U+
Threatray: 8'939 similar samples on MalwareBazaar
TLSH: T1FDB40110B12BDBA9D27157F17631529023F26ABF7090E2187CD067CBB662F791E40EA7
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: exe Pony


abuse_ch
Pony C2:
http://goodservices.co.vu/https://goodservices.co.vu/hcox/panel/gate.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://goodservices.co.vu/https://goodservices.co.vu/hcox/panel/gate.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/547974/

Intelligence


File Origin
# of uploads:
4
# of downloads:
1'300
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
NewOrder.exe
Verdict:
Malicious activity
Analysis date:
2022-05-03 16:04:19 UTC
Tags:
trojan pony fareit stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
obfuscated packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot Pony
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Detected Lokibot Info Stealer
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Behavior Graph ID: 619755
Sample: NewOrder.exe
Startdate: 03/05/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 8 other signatures
Process tree:
NewOrder.exe (initial sample)
  Files dropped: C:\Users\user\AppData\...\ivxcAULnQtwes.exe (PE32); C:\...\ivxcAULnQtwes.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp7EDC.tmp (XML); C:\Users\user\AppData\...\NewOrder.exe.log (ASCII)
  Signatures: Detected Lokibot Info Stealer; Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code; Tries to steal Mail credentials (via file registry); 3 other signatures
  Child processes: NewOrder.exe (second instance), powershell.exe, schtasks.exe
NewOrder.exe (second instance)
  Network: chibuzorbaby.com 142.4.0.135, 443, 49791 UNIFIEDLAYER-AS-1US United States; goodservices.co.vu
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  Child process: cmd.exe, which starts conhost.exe
powershell.exe starts conhost.exe
schtasks.exe starts conhost.exe
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-05-03 15:56:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
15 of 25 (60.00%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:pony collection discovery rat spyware stealer suricata
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks computer location settings
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
suricata: ET MALWARE Fareit/Pony Downloader Checkin 3
suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
Malware Config
C2 Extraction:
https://goodservices.co.vu/https://goodservices.co.vu/hcox/panel/gate.php
Unpacked files
SHA256 hash:
39e7de1c3ee581442c745788e106f87f5e20bd60c771d67375ab013da0d38939
MD5 hash:
8a8997cad27fa8c66a422821b8fa75e7
SHA1 hash:
f82dac9699d9be7ded52e68bce5c010037619178
Detections:
win_pony_g0 win_pony_auto
SHA256 hash:
10081af817f0fa61fe24a43849e7edd9938d8a3e404a4b418d177a8e17fa5035
MD5 hash:
b98cd94030c0182d2e7f9066dcf7abe7
SHA1 hash:
4ea2b56138f8869f7b53f958916ef9ea2f54d695
SHA256 hash:
044e6e22943ac21887eaef4daf70bc43b8d7b54b7160ecc2e0b6ff77a6832a99
MD5 hash:
0512fe61b5e75a5aa25f0c17882292cd
SHA1 hash:
3b05ecfbb15a15fd46a9d9b588620454b6361745
SHA256 hash:
da8da27111aa1ec4650878f570caa882293cbd34849b1b0271d58f33db7d30a0
MD5 hash:
54c900cceba6911acf548e996c0223fc
SHA1 hash:
32bf0a4a94bd6f59279490a3ad43ba4b9edd38af
SHA256 hash:
75de885180e6ec5e7ae6e3f5c380bc6c0e67ccb7817c36910876db0b40fa64cd
MD5 hash:
4302d2ff90843a9872e0e0d3771a015d
SHA1 hash:
bdf90a80c63d0d8804ff098114cb51bf751add33
SHA256 hash:
1358ae104519c839bd0061450f88c14cf807dfbea7e5125b92c476119eb05b13
MD5 hash:
4e8e6e2c2a35ba5ac2b93903584b473f
SHA1 hash:
71ff3a7b9b9648cc5fe69d4f2f6c2f4ea10f6dd1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Malware family: Pony
File type: Executable exe
SHA256: 1358ae104519c839bd0061450f88c14cf807dfbea7e5125b92c476119eb05b13 (this sample)

Comments