MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25fe3949ffb0fb49cc27992f89558c45abdda778e775a58fde4647fb36dcafff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	25fe3949ffb0fb49cc27992f89558c45abdda778e775a58fde4647fb36dcafff
SHA3-384 hash:	9c897796861739f7795b6599c7af4f23d47cc770441f1e35a8588b13a4433565bb14f1cbb4167889de7cfa03f88d67da
SHA1 hash:	e4581240bbb01ed6c76a1a7f4baccfaf80a0989a
MD5 hash:	3448bd5bfb42260c58d727ae038a3692
humanhash:	green-fix-bakerloo-north
File name:	Dokumenty, sverka za ves' aprel'.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	1'210'432 bytes
First seen:	2020-05-21 09:53:14 UTC
Last seen:	2020-05-21 11:15:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a4353610e5ff8a9b5525ddaf8c291b61 (1 x Pony)
ssdeep	3072:0xa7GgxSwctWmARynSh5ZI0J+fkuz5v6sKKGvsqYaiXf6TfTz54:0xa71c0mARN5ZdJTuzd6sKGaiXfQq
Threatray	151 similar samples on MalwareBazaar
TLSH	D6459EC3B1D4246CF4DE127BB8E90E76A2E61CE60B97694610B03F963F31AD143D476A
Reporter	abuse_ch
Tags:	exe Pony

Code Signing Certificate

Organisation:	DJHCOWXJYJQAGPIOVM
Issuer:	DJHCOWXJYJQAGPIOVM
Algorithm:	sha1WithRSA
Valid from:	May 20 09:57:18 2020 GMT
Valid to:	Dec 31 23:59:59 2039 GMT
Serial number:	367BDDC5A0044883418AE89D0D87AB0C
Thumbprint Algorithm:	SHA256
Thumbprint:	8183BCD1C0CF3077636B2C783DDF2AAD2059ADB7F573B28ACCC29FDC9DC3582B
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

Malspam distributing Pony:

HELO: mail.letuin.ru
Sending IP: 5.8.179.65
From: Валентина Рыбакова <hrm1-spb-sz@letuin.ru>
Subject: =?utf-8?B?0JTQvtC60YPQvNC10L3RgtGLINC60L7QvdC10YYg0L/R?==?utf-8?B?gNC+0YjQu9C+0LPQviDQvNC10YHRj9GG0LA=?=
Attachment: Dokumenty, sverka za ves aprel.001 (contains "Dokumenty, sverka za ves' aprel'.exe")

Pony C2:
http://142.202.188.254/p/z05857687.php

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.FileRepMalware.25751.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Rtm

Status:

Malicious

First seen:

2020-05-21 06:00:54 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 30 (83.33%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ex7dssp7wd5uttbhtexysvmmiwv53j3y4522ld66izd7wnw4v77q._file

Result

Malware family:

n/a

Score:

9/10

Tags:

spyware

Link:

https://tria.ge/reports/201109-bx41mt7gxa/

Behaviour

Runs ping.exe

Script User-Agent

Suspicious use of WriteProcessMemory

Deletes itself

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

rar a0a2d1fc3ad4683f8cdd5ab29312f5c515e8543404926a94db641022c9ab40f8

Pony

exe 25fe3949ffb0fb49cc27992f89558c45abdda778e775a58fde4647fb36dcafff

(this sample)

Dropped by

MD5 aaadb684ed709d76869a3f281cc0df46

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 a0a2d1fc3ad4683f8cdd5ab29312f5c515e8543404926a94db641022c9ab40f8

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample