MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 199f078e93520f83664c2d903bd419fcd1919988b86ef2d36d2f77523dae56dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	199f078e93520f83664c2d903bd419fcd1919988b86ef2d36d2f77523dae56dd
SHA3-384 hash:	6bf28c8c46a3d99719143213e2e11bd6678bd0297af4842aac1f053b61296ec157185e3818657208c5e4257311410745
SHA1 hash:	fe4047d63747d290e487c0f9e151fe54e907f587
MD5 hash:	eaf383fbc24c44cfd1fcb20ec077ec5d
humanhash:	fanta-nitrogen-oranges-magazine
File name:	CCMA Case GAJB00138471-21.pdf.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	914'944 bytes
First seen:	2021-02-23 07:23:12 UTC
Last seen:	2021-02-23 08:45:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:+upIKVkmtJQ3Krcrlhiz6021uysLaiJNR4WUKq4NzfbdEoC:+mIjKrcBgp2Iy5CRcKqkfG
Threatray	206 similar samples on MalwareBazaar
TLSH	12158C14B75CABA9CC2B6E77E4171C0042E44B632631FABB29DD5FC51720733E96EA21
Reporter	abuse_ch
Tags:	exe Pony

abuse_ch

Malspam distributing unidentified malware:

HELO: faxoshe.com
Sending IP: 199.217.117.132
From: casemngt@ccma.org.za
Subject: New Case Activated: CCMA Case GAJB00138471-21 (GAJB) is Scheduled for 'Arbitration' for Fri 26-February-2021 10:00am
Attachment: CCMA Case GAJB00138471-21.pdf.gz (contains "CCMA Case GAJB00138471-21.pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

339

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/118509/

Detection(s):

SecuriteInfo.com.Troj.MSIL-HPV.9286.30561.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Reading critical registry keys

Sending an HTTP POST request

Sending an HTTP GET request

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Brute forcing passwords of local accounts

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Lokibot Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/614957

Signature

.NET source code contains very large array initializations

Antivirus detection for URL or domain

Detected Lokibot Info Stealer

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file registry)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected aPLib compressed binary

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/199f078e93520f83664c2d903bd419fcd1919988b86ef2d36d2f77523dae56dd/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-02-23 06:09:11 UTC

AV detection:

12 of 47 (25.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dgpqpdutkihygzsmfwidxvaz7tizdgmixbxpfu3nf53vepnok3oq._file

Result

Malware family:

pony

Score:

10/10

Tags:

family:pony discovery rat spyware stealer

Link:

https://tria.ge/reports/210223-lgqyhmrtq6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks installed software on the system

Deletes itself

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Pony,Fareit

Unpacked files

SH256 hash:

199f078e93520f83664c2d903bd419fcd1919988b86ef2d36d2f77523dae56dd

MD5 hash:

eaf383fbc24c44cfd1fcb20ec077ec5d

SHA1 hash:

fe4047d63747d290e487c0f9e151fe54e907f587

Link:

https://www.unpac.me/results/bbb8f032-5396-4f39-972b-dd4c1b2b4958/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/199f078e93520f83664c2d903bd419fcd1919988b86ef2d36d2f77523dae56dd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

gz 50bb049513a5f6621414db73ee3bd16d18d65a3c16532f075a9c8782b3d31366

Pony

exe 199f078e93520f83664c2d903bd419fcd1919988b86ef2d36d2f77523dae56dd

(this sample)

Dropped by

MD5 5d9a837d753a89f873d92e7707a7b869

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/118509/

Dropped by

SHA256 50bb049513a5f6621414db73ee3bd16d18d65a3c16532f075a9c8782b3d31366

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample