MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d70353ef02fee85ccd47fac8dc0f1f7d4308910e314960e73755a5cc177487c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Pony


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments

SHA256 hash: 1d70353ef02fee85ccd47fac8dc0f1f7d4308910e314960e73755a5cc177487c
SHA3-384 hash: a185f44783b57c02a90ba8a3c1b01e6a051d64b6bf77d2cbc45e8b3f323848e7ac0411d929fb481641f72efa8c6cf4a4
SHA1 hash: 9dfa88981910b984797357b1a5b49a9f4eca1d89
MD5 hash: b1eda95aab23cd1b67fd8a053ede78bf
humanhash: spring-magnesium-batman-mango
File name:1D70353EF02FEE85CCD47FAC8DC0F1F7D4308910E3149.exe
Download: download sample
Signature Pony
File size:733'696 bytes
First seen:2023-02-11 19:40:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 283a5de6e66ca2f468390d6cb2dd5af9 (1 x Pony)
ssdeep 12288:ZCiiQ2Xk7rSa3j/lgScDZi27JoVy2kbFhpgOzrMg+esTCmUceA:ciJXea3ZcDY272VsFor2m
TLSH T1FBF42283F9CC1DEEDB5448B942BB1BF38B1582B3253037BB74E5116C989931DAA600D6
TrID 45.6% (.SCR) Windows screen saver (13097/50/3)
15.6% (.EXE) Win32 Executable (generic) (4505/5/1)
10.4% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
7.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon eee292aea6d4ecd4 (1 x Pony)
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://tavana-es.com/myman/gate.php

Intelligence


File Origin
# of uploads :
1
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
1D70353EF02FEE85CCD47FAC8DC0F1F7D4308910E3149.exe
Verdict:
Malicious activity
Analysis date:
2023-02-11 19:41:25 UTC
Tags:
trojan pony fareit stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Unauthorized injection to a recently created process
Creating a file in the %AppData% directory
Reading critical registry keys
DNS request
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Brute forcing passwords of local accounts
Gathering data
Result
Threat name:
DBatLoader
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Signature
Antivirus / Scanner detection for submitted sample
Checks if UnHackMe application is installed (likely to disable it)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Yara detected DBatLoader
Behaviour
Behavior Graph:
Threat name:
Win32.Infostealer.Fareit
Status:
Malicious
First seen:
2017-03-20 23:15:29 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
24 of 39 (61.54%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:pony bootkit collection discovery persistence rat spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Checks computer location settings
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Malware Config
C2 Extraction:
http://tavana-es.com/myman/gate.php
Unpacked files
SH256 hash:
a298682ac7afc438e4e137e2a76c874afa7b8948038d2583b23ccd367ec65cc4
MD5 hash:
d240c85ad7bfca91490f1d6e528d8add
SHA1 hash:
1d9d5d92f3cd0c738b37b428f9a9d70c765a0eb7
Detections:
win_pony_auto win_pony_g0
SH256 hash:
ac0982daefe56934ecdff44e272a1cb853c4423794ab91c9946a69705a502bc5
MD5 hash:
a01818e80183a700e865524a3c859c20
SHA1 hash:
ce340366997fe0c579d8c6c854c73f7e6942680c
Detections:
win_dbatloader_g1
SH256 hash:
1d70353ef02fee85ccd47fac8dc0f1f7d4308910e314960e73755a5cc177487c
MD5 hash:
b1eda95aab23cd1b67fd8a053ede78bf
SHA1 hash:
9dfa88981910b984797357b1a5b49a9f4eca1d89
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments