MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 163dbf95558cd288990fb6e6d84643d879abf23e8a5910cdd592d74c24f7fbd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 163dbf95558cd288990fb6e6d84643d879abf23e8a5910cdd592d74c24f7fbd0
SHA3-384 hash: 40492b16cc92912ad3332c1beeec979ce0284f17c50af980a8a617b8fc7a76d09a6ed90dbc6c4f18750b7d89f57d113b
SHA1 hash: 1522854c3a819ad2c9b1c22c813ce9b8717ff745
MD5 hash: 901ef6ea0a94551fd5d6d3b1495e9aa9
humanhash: mango-seventeen-bacon-ceiling
File name:gunzipped.exe
Download: download sample
Signature Pony
Create hunting rule
File size:916'992 bytes
First seen:2021-04-27 10:41:29 UTC
Last seen:2021-04-27 12:00:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:RGfpyJBrLVvBtybNxFxhPRGeLByjfjuGCgvxwr:SpyJBZGNphPRPLByjfa
Threatray 74 similar samples on MalwareBazaar
TLSH 05156C1033E89636D8FE5332E43085078BBAFD56B7B9E74F6981B5A919B37804D407A3
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://45.133.1.49/SHASDY/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.133.1.49/SHASDY/gate.php https://threatfox.abuse.ch/ioc/16019/

Intelligence

File Origin
# of uploads :
3
# of downloads :
514
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
gunzipped.exe
Verdict:
No threats detected
Analysis date:
2021-04-27 10:43:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ba8999bb-1bbf-40d9-8ff2-0fb117fe483c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144527/
Detection(s):
SecuriteInfo.com.Artemis901EF6EA0A94.21486.15950.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Fareit Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/698857
Signature
.NET source code contains potential unpacker
Found C&C like URL pattern
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Fareit stealer
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/163dbf95558cd288990fb6e6d84643d879abf23e8a5910cdd592d74c24f7fbd0/
Threat name:
ByteCode-MSIL.Trojan.SpyEye
Create hunting rule
Status:
Malicious
First seen:
2021-04-27 10:42:15 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cy637fkvrtjirgipw3tnqrsd3b42x4r6rjmrbtovslluyjhx7pia._file
Verdict:
unknown
Similar samples:
0c2e617efd564557bce2248bb25254d7c5a091eba9529e48cadca43517431596
Pony
0d6f912181bf01b2197d8501f5b38f6c009c6c4a4e76fa6e0b3d2d4efe05bfbb
Pony
40773de06176ad60a969f29e1034064ea20c67192922285319045afc91b6c3e0
Pony
754415201ac666285c12b35d0fc3ab30f7fb48d7a9c9c54c8cee746be8ed4e7a
Pony
a9a3bb0f7160512839169fd9095821469bbfd54228b6c4c7dc9da4a53cafffb9
Pony
b3c6ea8a1d611c88699d927c3f6c84d213b596d8d4220618b3ed4dc1bc5f5fe4
Pony
b97325f4b5fe4deebe1fe18519b55cbb2e55f97a84f1aa6d96c464a26982d719
Pony
edc06b40f56182a3097a869414dd97ae1f7d14d6ba5698ae29f1ced7c5c659ec
Pony
eff2bda9797c042cbae44c8aed29b31b853733c0676a687dc62676752197c05d
Pony
fb91f67073fef8d391ccb08c31183ff2ff00e8a8ca0f71fb5bfce17fb0ddbd26
Pony
+ 64 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer
Link:
https://tria.ge/reports/210427-8cf52c2ftx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Unpacked files
SH256 hash:
bb9d8d04a982066d8f0a3dda9330679ddf7b525e2b79e33ac7c6f8c12f2f2c95
MD5 hash:
3ead956d0a0a1b0d296511194aa4b41a
SHA1 hash:
bbfdfd9e1615aa1e1e3fa6c53815989d9fefe7d1
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/9a3f5b83-53f7-4048-9fdc-5509c926b3a4/
SH256 hash:
4e5a6892d18cedcdb2c8c64b90d68850a4f0c5c8a6b75be7bd3319af741dbdd6
MD5 hash:
52a82c578a7a20774d2e050c1b621e17
SHA1 hash:
ae63184af7b7086c77bebaa7b93d8fec6b7cd35e
Link:
https://www.unpac.me/results/9a3f5b83-53f7-4048-9fdc-5509c926b3a4/
SH256 hash:
1c0436c756ab832abb43c0e1448c5c7bad814911d14b7bd5c2d1be4762a7e6f6
MD5 hash:
b9df4e0c6a9d5f0231be3c8ed0060f54
SHA1 hash:
7d856514947ba7e751840c2c424498c68d95abe7
Link:
https://www.unpac.me/results/9a3f5b83-53f7-4048-9fdc-5509c926b3a4/
SH256 hash:
962a23a75385cd63f9758b9e2bb6ba0bdd665e67c7b9719279eb01774ad79438
MD5 hash:
60f773f435be07e90adb51afb596d330
SHA1 hash:
3c9b6d1528c257cbfcdb9c4854dc7cdbadd8cfb4
Link:
https://www.unpac.me/results/9a3f5b83-53f7-4048-9fdc-5509c926b3a4/
SH256 hash:
163dbf95558cd288990fb6e6d84643d879abf23e8a5910cdd592d74c24f7fbd0
MD5 hash:
901ef6ea0a94551fd5d6d3b1495e9aa9
SHA1 hash:
1522854c3a819ad2c9b1c22c813ce9b8717ff745
Link:
https://www.unpac.me/results/9a3f5b83-53f7-4048-9fdc-5509c926b3a4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/163dbf95558cd288990fb6e6d84643d879abf23e8a5910cdd592d74c24f7fbd0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144527/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-27 11:04:24 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program