MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 280c0b36b6fa306389e7873dadf56eb45437c8a208640ff36d61a3e271c94ef7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 5 File information Comments

SHA256 hash:	280c0b36b6fa306389e7873dadf56eb45437c8a208640ff36d61a3e271c94ef7
SHA3-384 hash:	273d176d0342a92151e5d6ecc0b59d48b135ba3a5a718eb8c71931f15e618e240f89b30cb21d9b8c16b1e4137c5b4cd9
SHA1 hash:	03f819c02a27cd288cef5271f5641e4202ce8c68
MD5 hash:	78fc660b1b04227c15f484fa6d7ccec9
humanhash:	apart-green-network-four
File name:	280C0B36B6FA306389E7873DADF56EB45437C8A208640.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	747'520 bytes
First seen:	2022-04-23 19:11:02 UTC
Last seen:	2022-04-23 19:29:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	75ba56893d6bafec0e1f2892f1de8884 (1 x Pony)
ssdeep	12288:BinYMOTCKo5yHzN2DbyV1zDFADvgNIPWjauCFgOvya/Nk5rcwa/Nv:B4oTyQZ2fyV11ADlP6Agk7B/Nv
TLSH	T1E8F49D22F2905C37D1B31A389D5B57A8AD3EBE102A3899462BF51C4C4F397523D393A7
TrID	33.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 30.5% (.SCR) Windows screen saver (13101/52/3) 10.5% (.EXE) Win32 Executable (generic) (4505/5/1) 6.9% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	abuse_ch
Tags:	exe Pony

abuse_ch

Pony C2:
http://onlygoodman.com/iki/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://onlygoodman.com/iki/gate.php	https://threatfox.abuse.ch/ioc/530500/

Intelligence

File Origin

# of uploads :

# of downloads :

1'272

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

pony

ID:

File name:

pony.exe

Verdict:

Malicious activity

Analysis date:

2022-04-24 01:27:21 UTC

Tags:

trojan pony fareit stealer

Link:

https://app.any.run/tasks/1b66a2ca-8d02-4ccd-82c1-a96d7f278fee

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Pony

Link:

https://www.capesandbox.com/analysis/266089/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.1932.18412.8120.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Unauthorized injection to a recently created process

Reading critical registry keys

Sending a custom TCP request

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Query of malicious DNS domain

Sending an HTTP POST request to an infection source

Sending an HTTP GET request to an infection source

Brute forcing passwords of local accounts

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe exploit fareit greyware keylogger lokibot packed replace.exe

Link:

https://www.filescan.io/uploads/62644f856541a10d00a8c4e7/reports/e2950127-28d3-4d41-8628-d46343ef7b98/overview

Malware family:

Pony

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1353a7a6-68d4-4637-ac60-2d35f4962ba8

Result

Threat name:

Lokibot Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/981895

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Detected Lokibot Info Stealer

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Detection:

pony

Link:

https://mwdb.cert.pl/sample/280c0b36b6fa306389e7873dadf56eb45437c8a208640ff36d61a3e271c94ef7/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2018-01-23 00:58:43 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

38 of 42 (90.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fagawnvw7iyghcphq46235lowrkdpsfcbbsa743nmgr6e4ojj33q._file

Verdict:

malicious

Label(s):

pony

Result

Malware family:

pony

Score:

10/10

Tags:

family:pony collection discovery rat spyware stealer suricata

Link:

https://tria.ge/reports/220423-xvyvpsaagj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks installed software on the system

Checks computer location settings

Deletes itself

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Pony,Fareit

suricata: ET MALWARE Fareit/Pony Downloader Checkin 3

suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Unpacked files

SH256 hash:

b486fddb904819bd66d3175b347b714dd4319c6bf7ddccd007435c9da03e695e

MD5 hash:

a238f69d72b136b4839e54122384cd60

SHA1 hash:

3fe9ac0aca983445da7117b35ef9d385dd9ac565

Detections:

win_pony_g0

win_pony_auto

Link:

https://www.unpac.me/results/f8997b6c-5d56-4af2-9366-92c0ebeb6c10/

SH256 hash:

280c0b36b6fa306389e7873dadf56eb45437c8a208640ff36d61a3e271c94ef7

MD5 hash:

78fc660b1b04227c15f484fa6d7ccec9

SHA1 hash:

03f819c02a27cd288cef5271f5641e4202ce8c68

Link:

https://www.unpac.me/results/f8997b6c-5d56-4af2-9366-92c0ebeb6c10/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/280c0b36b6fa306389e7873dadf56eb45437c8a208640ff36d61a3e271c94ef7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Fareit Create hunting rule
Author:	kevoreilly
Description:	Fareit Payload

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	myGozi Create hunting rule

Rule name:	pdb2 Create hunting rule

Rule name:	win_pony_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.pony.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/266089/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample