MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c0a31962b535dcf0ffd10f646ccf0549b0792d3aa3bd7405a8712f097f41d31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 21


Intelligence 21 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c0a31962b535dcf0ffd10f646ccf0549b0792d3aa3bd7405a8712f097f41d31
SHA3-384 hash: a0273bf42d9769baef77fae55a2d2077e8ee68ea19153298d563201db7770cc1aacd1e89475fe602ee9536ea4f266a25
SHA1 hash: 5dd72939d56890c89991a22393b1376aa426ddff
MD5 hash: 430b7a1c0eeebd1d898c1698fe8c3089
humanhash: johnny-edward-tennessee-kentucky
File name:430B7A1C0EEEBD1D898C1698FE8C3089.exe
Download: download sample
Signature Pony
Create hunting rule
File size:421'888 bytes
First seen:2026-02-25 18:10:11 UTC
Last seen:2026-02-25 18:36:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4208def63ba62dc81f4d7e36c67633a9 (1 x Pony)
ssdeep 6144:fO/Lg5YFDcw2PcW5v64zHpZsnqBpSXddf6KRTL:fO/Lg+oVPcUy+JZsqpSXddfNRX
Threatray 500 similar samples on MalwareBazaar
TLSH T19094D08276CF5CCAEBF24D740B6A9BDE41A491E48461B09F577CE1E56A3F60293CD320
TrID 81.1% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
6.4% (.EXE) Win64 Executable (generic) (6522/11/2)
4.4% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 9f1849ca9b2d171b (5 x AgentTesla, 1 x Pony)
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://servicelearning.thu.edu.tw/good/quakes/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://servicelearning.thu.edu.tw/good/quakes/gate.php https://threatfox.abuse.ch/ioc/1754604/

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
GuLoader Hexa
Details
Link:
https://research.acce.ciphertechsolutions.com/results/e71440f8-5c53-48fb-811a-cfdfb07436af/
Malware family:
pony
Create hunting rule
ID:
1
File name:
430B7A1C0EEEBD1D898C1698FE8C3089.exe
Verdict:
Malicious activity
Analysis date:
2026-02-25 18:12:18 UTC
Tags:
stealer trojan pony fareit auto-startup qrcode
Link:
https://app.any.run/tasks/b2f604a0-a1ee-4179-bdaf-f4a09c7b3c1c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/54586/
Detection(s):
SecuriteInfo.com.Trojan.Siggen32.25669.14567.381.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=699f3b15c950ab5d9ab198d2
Tags:
autorun cerber lien zeus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Launching a process
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Restart of the analyzed sample
Reading critical registry keys
DNS request
Connection attempt
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Creating a file
Stealing user critical data
Enabling autorun by creating a file
Brute forcing passwords of local accounts
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cerber pony visual_basic
Link:
https://www.filescan.io/uploads/699f3b1397feb4afd65a9a94/reports/22eb560c-2d01-4765-9334-6a1c9ba77cde/overview
Verdict:
Malicious
Labled as:
PonyStealer.Generic
Link:
https://www.hybrid-analysis.com/sample/2c0a31962b535dcf0ffd10f646ccf0549b0792d3aa3bd7405a8712f097f41d31
Verdict:
Malicious
File Type:
exe x32
Detections:
Backdoor.Androm.HTTP.C&C Trojan-PSW.Win32.Fareit.sb Trojan.Win32.Vebzenpak.sb Trojan-Downloader.Agent.HTTP.Download Trojan-PSW.Win32.Tepfer Trojan.Win32.Agent.sb Trojan-PSW.Fareit.HTTP.Download Trojan-PSW.Fareit.HTTP.C&C Trojan-PSW.Win32.Fareit Trojan.Win32.VBKrypt.sb Trojan.Win32.Inject.sb HEUR:Trojan-Dropper.Win32.Agent.sb Trojan-PSW.Fareit.HTTP.ServerRequest Trojan.Win32.VBKryjetor.akre PDM:Trojan.Win32.Generic Trojan.Win32.VBKryjetor Trojan.Win32.Foxhiex.sb
Link:
https://opentip.kaspersky.com/2c0a31962b535dcf0ffd10f646ccf0549b0792d3aa3bd7405a8712f097f41d31/results?tab=lookup
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/05b63ab9-43fc-4d30-99e8-ff2a5d9fc912
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1874912
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Drops VBS files to the startup folder
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Pony trojan / infostealer detected
Potential malicious VBS script found (suspicious strings)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Yara detected aPLib compressed binary
Yara detected Generic Dropper
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1874912 Sample: l6dr0JYM1Y.exe Startdate: 25/02/2026 Architecture: WINDOWS Score: 100 55 sounion.thu.edu.tw 2->55 57 servicelearning.thu.edu.tw 2->57 77 Suricata IDS alerts for network traffic 2->77 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 11 other signatures 2->83 10 wscript.exe 2->10         started        13 l6dr0JYM1Y.exe 3 5 2->13         started        16 chrome.exe 2->16         started        19 chrome.exe 2->19         started        signatures3 process4 dnsIp5 97 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->97 99 WScript reads language and country specific registry keys (likely country aware script) 10->99 21 filename.exe 10->21         started        24 filename.exe 10->24         started        49 C:\Users\user\AppData\...\filename.exe, PE32 13->49 dropped 51 C:\Users\user\AppData\...\filename.vbs, data 13->51 dropped 101 Detected unpacking (changes PE section rights) 13->101 103 Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code 13->103 105 Tries to steal Mail credentials (via file registry) 13->105 107 2 other signatures 13->107 26 l6dr0JYM1Y.exe 1 14 13->26         started        29 Acrobat.exe 55 13->29         started        53 192.168.2.5, 138, 443, 49433 unknown unknown 16->53 31 chrome.exe 16->31         started        file6 signatures7 process8 dnsIp9 85 Antivirus detection for dropped file 21->85 87 Multi AV Scanner detection for dropped file 21->87 89 Detected unpacking (changes PE section rights) 21->89 95 2 other signatures 21->95 33 filename.exe 24->33         started        59 sounion.thu.edu.tw 140.128.96.228, 49698, 49729, 80 ERX-TANET-ASN1TaiwanAcademicNetworkTANetInformationC Taiwan; Republic of China (ROC) 26->59 91 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->91 93 Tries to steal Mail credentials (via file / registry access) 26->93 36 cmd.exe 26->36         started        38 AcroCEF.exe 118 29->38         started        61 ogads-pa.clients6.google.com 108.177.122.95, 443, 49723, 49724 GOOGLEUS United States 31->61 63 plus.l.google.com 173.194.219.113, 443, 49721 GOOGLEUS United States 31->63 65 3 other IPs or domains 31->65 signatures10 process11 signatures12 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->69 71 Tries to steal Mail credentials (via file / registry access) 33->71 73 Tries to harvest and steal ftp login credentials 33->73 75 Tries to harvest and steal browser information (history, passwords, etc) 33->75 40 cmd.exe 33->40         started        42 conhost.exe 36->42         started        44 AcroCEF.exe 38->44         started        process13 dnsIp14 47 conhost.exe 40->47         started        67 23.63.158.36, 443, 49722 AKAMAI-ASUS United States 44->67 process15
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2c0a31962b535dcf0ffd10f646ccf0549b0792d3aa3bd7405a8712f097f41d31
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Visual Basic Visual Basic 6 Win 32 Exe x86
Link:
https://app.malva.re/file/430b7a1c0eeebd1d898c1698fe8c3089
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c0a31962b535dcf0ffd10f646ccf0549b0792d3aa3bd7405a8712f097f41d31/
Verdict:
Malicious
Threat:
Family.PONY
Link:
https://tip.neiki.dev/file/2c0a31962b535dcf0ffd10f646ccf0549b0792d3aa3bd7405a8712f097f41d31
Threat name:
Win32.Infostealer.Pony
Create hunting rule
Status:
Malicious
First seen:
2017-04-22 19:01:09 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fqfddfrlkno46d75cd3enthqksnqpewtvi55oqc2q4jpbf7uduyq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
4f0257eb02c159faeaf23524870573bccea009d5ad307f9bfc3635901063fe75
Pony
838a75e33a187235ab198d6d013b440cdce381b0948903a898a3e621ea5f610a
Pony
b593466df2eb855e58671d6f361c691e4be0f638f1fa17166965e613927684ea
Pony
ba1957340084a89fb5d8297165784d3726d1accb8c14981cc7c261be15f28e9f
Pony
d5c49c68fa5f905c4d513dbae6cb7867a374fe454778b1b99d786475ca9c0c35
Pony
error
Pony
+ 490 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony adware collection credential_access discovery rat spyware stealer
Link:
https://tria.ge/reports/260225-wr9blafy8c/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks computer location settings
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Pony family
Pony,Fareit
Malware Config
C2 Extraction:
http://servicelearning.thu.edu.tw/good/quakes/gate.php
Unpacked files
SH256 hash:
2c0a31962b535dcf0ffd10f646ccf0549b0792d3aa3bd7405a8712f097f41d31
MD5 hash:
430b7a1c0eeebd1d898c1698fe8c3089
SHA1 hash:
5dd72939d56890c89991a22393b1376aa426ddff
Link:
https://www.unpac.me/results/b1a66c68-2232-42fc-9c78-fa8cee2ceadd/
SH256 hash:
2059749a4b5fe2198ce661592b1564c86910fd7919082d621ebc9dab02b42fee
MD5 hash:
442a1b85fbd2914e6ece427d187b6c9f
SHA1 hash:
7832d7e717e366d71fa62d099a3c3b2503a27431
Detections:
win_pony_auto
Create hunting rule
win_pony_g0
Create hunting rule
malware_windows_pony_stealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Link:
https://www.unpac.me/results/b1a66c68-2232-42fc-9c78-fa8cee2ceadd/
SH256 hash:
1fe25d0fc578168c5fce20144fd7bd9b00b810290e7bb396f4daeb9f7aefaf80
MD5 hash:
0f59e77730703d9729c8d0a465477ebe
SHA1 hash:
cc67dc78ff331db5fb33a201ca3dfaa1de2f0aa2
Detections:
win_pony_g0
Create hunting rule
malware_windows_pony_stealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Link:
https://www.unpac.me/results/b1a66c68-2232-42fc-9c78-fa8cee2ceadd/
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2c0a31962b53/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/2c0a31962b535dcf0ffd10f646ccf0549b0792d3aa3bd7405a8712f097f41d31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/54586/

Comments