MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b9e2afc2febeca968e097691ac3083accffcd997d124bcf552f79e358f938d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 14


Intelligence 14 IOCs 2 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b9e2afc2febeca968e097691ac3083accffcd997d124bcf552f79e358f938d6
SHA3-384 hash: 0bb6ffb22e846017a01847bfed559ef5e82799fffca026b1f6ac0f7b760b04ba42cbb33ab3e4368b9d2014999b3040dc
SHA1 hash: 03ff16a274602bb116f7b605b9dffc2cda1175ba
MD5 hash: 0448faa149ee8def7cf123b3befdcf10
humanhash: spring-nitrogen-mirror-pip
File name:1B9E2AFC2FEBECA968E097691AC3083ACCFFCD997D124.exe
Download: download sample
Signature Pony
Create hunting rule
File size:44'544 bytes
First seen:2022-04-25 17:31:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6a94c625e08ec1199aca75e12dfcceeb (1 x Pony)
ssdeep 768:cX+/qizI56JoYnW0WeaJghrGT+/eSd+LxZ6fmzih7CpiWogF0Dx1GXLneq:gVizI8Ci3aKt9/9dKK17CpBr0nGbv
Threatray 7'965 similar samples on MalwareBazaar
TLSH T1FA13F1C7C0161D99EEB44D39F390245E09B69D721730DDAFFA9424A229411E3B6FBA23
TrID 42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
17.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.6% (.EXE) Win32 Executable (generic) (4505/5/1)
5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://zinwebtrustx.in/ifr/z.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://zinwebtrustx.in/ifr/z.php https://threatfox.abuse.ch/ioc/533112/
http://homesoft-eq.in/ifr/z.php https://threatfox.abuse.ch/ioc/533113/

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'312
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Pony
Create hunting rule
Link:
https://www.capesandbox.com/analysis/266519/
Detection(s):
Win.Trojan.Agent-438520
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Reading critical registry keys
DNS request
Sending a custom TCP request
Stealing user critical data
Query of malicious DNS domain
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit jorik packed rogue zbot
Link:
https://www.filescan.io/uploads/6266db1cd0223acc86f07733/reports/79c607cd-8e19-4715-8b4a-31122b298df6/overview
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/156273aa-84f6-433c-a047-7472450bf227
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/982652
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: File Created with System Process Name
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 615136 Sample: 1B9E2AFC2FEBECA968E097691AC... Startdate: 25/04/2022 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 10 other signatures 2->73 14 1B9E2AFC2FEBECA968E097691AC3083ACCFFCD997D124.exe 2->14         started        process3 signatures4 99 Detected unpacking (changes PE section rights) 14->99 101 Detected unpacking (overwrites its own PE header) 14->101 103 Drops PE files to the user root directory 14->103 105 Injects a PE file into a foreign processes 14->105 17 1B9E2AFC2FEBECA968E097691AC3083ACCFFCD997D124.exe 1 5 14->17         started        20 crrss.exe 14->20         started        process5 file6 59 C:\Windows\SysWOW64\crrss.exe, PE32 17->59 dropped 61 C:\Users\user\winlogon.exe, PE32 17->61 dropped 63 C:\Users\user\ss.exe, PE32 17->63 dropped 22 crrss.exe 17->22         started        25 ss.exe 1 17->25         started        28 crrss.exe 20->28         started        process7 dnsIp8 79 Antivirus detection for dropped file 22->79 81 Multi AV Scanner detection for dropped file 22->81 83 Detected unpacking (changes PE section rights) 22->83 85 Detected unpacking (overwrites its own PE header) 22->85 30 crrss.exe 22->30         started        65 zinwebtrustx.in 172.105.157.192, 49793, 80 LINODE-APLinodeLLCUS United States 25->65 87 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->87 89 Machine Learning detection for dropped file 25->89 91 Tries to harvest and steal ftp login credentials 25->91 93 Tries to harvest and steal browser information (history, passwords, etc) 25->93 95 Injects a PE file into a foreign processes 28->95 32 crrss.exe 28->32         started        signatures9 process10 process11 34 crrss.exe 30->34         started        37 crrss.exe 32->37         started        signatures12 75 Injects a PE file into a foreign processes 34->75 39 crrss.exe 34->39         started        41 crrss.exe 37->41         started        process13 process14 43 crrss.exe 39->43         started        46 crrss.exe 41->46         started        signatures15 97 Injects a PE file into a foreign processes 43->97 48 crrss.exe 43->48         started        50 crrss.exe 46->50         started        process16 process17 52 crrss.exe 48->52         started        55 crrss.exe 50->55         started        signatures18 77 Injects a PE file into a foreign processes 52->77 57 crrss.exe 52->57         started        process19
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1b9e2afc2febeca968e097691ac3083accffcd997d124bcf552f79e358f938d6/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2012-08-29 14:50:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
31 of 42 (73.81%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dopcv7bp5pwks2has5urvqyihlgp7tmzpujext2vf546gwhzhdla._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
1784ce67ee3eb4e8cd430be5f5c9e1a4ab8d0ce7df1728ac1b6b073be46a1e4c
Pony
293e1fe2ef7e22411a0768e627d3c9127bf0e5f2b12765ef68a177c731e6a49a
Pony
681567e74b733e2ee8062632ab20563f457ea376f1fa6eab8f1135240530c75e
Pony
a925c633c9df9cc480f6093e1925807e01e98529dbbeb6cdccd2492083a4501b
Pony
ac2362bfb043929f138f0ed947f81fa8444fd87b2301ecaa9a837e86f6eca690
Pony
f88de8b3ada41e2dd897a08968021b048ec433d375910cecfc277dbb9d6f2cbb
Pony
+ 7'955 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer upx
Link:
https://tria.ge/reports/220425-v39wtscgf5/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Pony,Fareit
Unpacked files
SH256 hash:
02679382e64774a208950dd70880d59779f07dc3437888303767edd0771cc46a
MD5 hash:
7a88922307b360b07d4856c23d6c00a0
SHA1 hash:
12cf5a3884d4502deb6b847bfd3743f591466edb
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/1e215dd9-5fb8-45c4-8788-67c3997f0896/
SH256 hash:
a86d923cb52a8b71b2f778bec62531acf04c0998444a462192b75eb3e7e4e882
MD5 hash:
c4a42bf6df17e02ce0a95d208146eea2
SHA1 hash:
2c193ac62012669d3d9f19decd9fa402732413df
Detections:
win_opachki_auto
Create hunting rule
Link:
https://www.unpac.me/results/1e215dd9-5fb8-45c4-8788-67c3997f0896/
SH256 hash:
1b9e2afc2febeca968e097691ac3083accffcd997d124bcf552f79e358f938d6
MD5 hash:
0448faa149ee8def7cf123b3befdcf10
SHA1 hash:
03ff16a274602bb116f7b605b9dffc2cda1175ba
Link:
https://www.unpac.me/results/1e215dd9-5fb8-45c4-8788-67c3997f0896/
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1b9e2afc2feb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/1b9e2afc2febeca968e097691ac3083accffcd997d124bcf552f79e358f938d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:pdb2
Create hunting rule
Rule name:win_pony_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.pony.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/266519/

Comments