MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 311d544af2d68a7cc2b4b72fc0daf60b888f060fe185eb1f6771b498d025cf16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 311d544af2d68a7cc2b4b72fc0daf60b888f060fe185eb1f6771b498d025cf16
SHA3-384 hash: dc80de01d1b7c9af9a96c8e635950706432d3486940dc2873f41ea0223d3d1951519aaffe9fd14aa97e74667f7a6d15a
SHA1 hash: 0fa43517145a230ede87a7f87175c110fa0bb77c
MD5 hash: 8834c2e853ca17ff0e5bac717c3db46a
humanhash: timing-arkansas-north-black
File name:ORIGINAL BILL OF LADDING_PDF.exe
Download: download sample
Signature Pony
Create hunting rule
File size:703'488 bytes
First seen:2020-07-20 07:33:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:VO4NYd1q9I6/kVdSC0Dycod+ik4g8y7e3Trf4UlOSoD:VOldudWYrEaDUboD
Threatray 235 similar samples on MalwareBazaar
TLSH 12E49DC595241435C7BF1EBA0E63C6B057746E49F0F75B2A2781BEDB3A7A382D401E22
Reporter abuse_ch
Tags:Downloader.Pony exe Maersk Pony


Avatar
abuse_ch
Malspam distributing Downloader.Pony:

HELO: ip-102-236-static.velo.net.id
Sending IP: 222.165.236.102
From: MAERSK LINE <aming@sinokor.co.id>
Subject: RE: Shipment Update
Attachment: ORIGINAL BILL OF LADDING_PDF.gz (contains "ORIGINAL BILL OF LADDING_PDF.exe")

Pony C2:
http://smkrantimula.sch.id/ek/panelnew/gate.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
443
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28556/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/390948
Behaviour
Behavior Graph:
Download SVG
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/311d544af2d68a7cc2b4b72fc0daf60b888f060fe185eb1f6771b498d025cf16/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 07:35:09 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=geovisxs22fhzqvuw4x4bwxwboei6bqp4gc6wh3hog2jrubfz4la._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab
Pony
80b9257f924aef8ac5a1a724234ddcd6b67bee79819202bb7b5d4586b35164c7
Pony
841e400462718d0c71b30ac5c90768c409485806146ee50bfc2f866913ffcf49
Pony
98adccc8a599f53904c5cd22c7398d6b692c642807cab71f1ab6d2dc65e1c5a5
Pony
b24205394b92b61e4058e30a94528aa34cf37b3d930c3197d91f33f8fd173cf4
Pony
b2d579828599ae4e265f77899466dc005e7685b50dcbf6817388ea22d404ab2c
Pony
d01f1ad8b4e08a70621ab7d9907d551bc238a990737e45060252998c059bb0fa
Pony
e044b87f7a7d2a17a7dd8939838407a27d07347f93c5c53d5abaefac8413a7b0
Pony
f711673ec31f884e59192cc360b841efc1c77b0d0b41787bea5424ae520f9989
Pony
fe966a744b83daaecb2b4b01adc7204e42d3f98955e142e78d7a948709185d27
Pony
+ 225 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
spyware discovery rat stealer family:pony
Link:
https://tria.ge/reports/200720-12sf3e4g8a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Pony,Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/311d544af2d68a7cc2b4b72fc0daf60b888f060fe185eb1f6771b498d025cf16

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

gz c66adf5bee7143defd20b1b290e86c298d1df2f22e11c49412e2c7d65419602f

Pony

Executable exe 311d544af2d68a7cc2b4b72fc0daf60b888f060fe185eb1f6771b498d025cf16

(this sample)

  
Dropped by
MD5 f794c67559592419ca909fd193b48f84
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c66adf5bee7143defd20b1b290e86c298d1df2f22e11c49412e2c7d65419602f
Cape
Cape
https://www.capesandbox.com/analysis/28556/

Comments