MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31e2c221f9f8be9acb89fcffe8b305dfeea554eefeb898ec8c6711e0398a6a1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31e2c221f9f8be9acb89fcffe8b305dfeea554eefeb898ec8c6711e0398a6a1b
SHA3-384 hash: 3f56bc53f4ec865d9ef12865cb2905eed429e787d5c51d0089ad88c44fc91a480c2e446049330b16431f27c5f62c1bdb
SHA1 hash: 68eecad5c9072fb1a8e82336a4bcf25c843a52bb
MD5 hash: ae0fba1cd6af06e2f518796fda6decc9
humanhash: beryllium-saturn-seventeen-table
File name:AE0FBA1CD6AF06E2F518796FDA6DECC9.exe
Download: download sample
Signature Pony
Create hunting rule
File size:34'816 bytes
First seen:2021-07-12 16:36:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fd3adc5077b3a19a8142a087013e6a1b (7 x Pony)
ssdeep 768:yu4vtPBr4vKYrGCm8jaalTHpN5oxFNYwalnZ:ilevKZ0lTHbYYXZ
Threatray 259 similar samples on MalwareBazaar
TLSH T1A1F2E147B3A86B7FD9C54A77C28BDADCA14CF963184E228065202BB675BF5432D1C310
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://andmarquez.com/tablet/panelnew/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://andmarquez.com/tablet/panelnew/gate.php https://threatfox.abuse.ch/ioc/159871/

Intelligence

File Origin
# of uploads :
1
# of downloads :
592
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AE0FBA1CD6AF06E2F518796FDA6DECC9.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 16:40:10 UTC
Tags:
trojan pony fareit stealer
Link:
https://app.any.run/tasks/250743fc-ef7a-4a6c-8479-700252530b51

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171172/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Win.Trojan.PonyStealer-9831667-0
Create hunting rule

Win.Trojan.Fareit-403
Create hunting rule

Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ea0a9481-8239-4bef-b114-30211320fd66
Result
Threat name:
Lokibot Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815049
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected Lokibot Info Stealer
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/31e2c221f9f8be9acb89fcffe8b305dfeea554eefeb898ec8c6711e0398a6a1b/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2016-10-29 00:07:00 UTC
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ghrmeipz7c7jvs4j7t76rmyf37xkkvho724jr3emm4i6aomkninq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
479c2742f5d9d61607933d59d483390286c627282b2f820d50aa72bb08fd536f
Pony
504b55a6e93fcfac9ac20bfc51c2c116e5ed3bd9c6a6cb36efcd6161d3ec1e2f
Pony
5ee70bdf6cfa9c2742889a7c724fa6940e40c64d6ab420303ea6e031ae3d6ce4
Pony
88c63762f85d92709ec567c3a3de9363589c4dd8777e469e5722851c5d3ed5a3
Pony
a3411c5d36b751a2fac427e0132b30b683543013bfea2eb68fe66b7ca914d0eb
Pony
a5f5fc2f6e2c6e6318be4a81aff84d55ecdaa21e6ef6871c44fa409ebdada7e4
Pony
a87c76402548fdef67c57b5c17c18b9650f31afb1f5b57e1b8addea30b976ba5
Pony
d0439ade62a8cc3e52a07cded43c9453326cd427bd7d265d5e15dcf222deaa2c
Pony
d6972a4198a158626c3ba370b33e9d41c730979fbc4e4627f01f0ee25639a2f7
Pony
f515d67b069dfb177559d773b872dfeacadbfbdb4dde4a7903357b6dc181087f
Pony
+ 249 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer upx
Link:
https://tria.ge/reports/210712-ja5ypmcgka/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Unpacked files
SH256 hash:
a090d6b07bf0116dc71b19d5f3fbd1c2d5701b8b8071d589a59583db976c9b6c
MD5 hash:
6d3167bd1a3e2ad535165e7b4d131aa3
SHA1 hash:
6c4b22ee93195019beaaccdcc5e3cbf59f1a1e06
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/7039506b-71a1-4bed-b011-495aa70e2769/
SH256 hash:
31e2c221f9f8be9acb89fcffe8b305dfeea554eefeb898ec8c6711e0398a6a1b
MD5 hash:
ae0fba1cd6af06e2f518796fda6decc9
SHA1 hash:
68eecad5c9072fb1a8e82336a4bcf25c843a52bb
Link:
https://www.unpac.me/results/7039506b-71a1-4bed-b011-495aa70e2769/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/31e2c221f9f8be9acb89fcffe8b305dfeea554eefeb898ec8c6711e0398a6a1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Fareit
Create hunting rule
Author:kevoreilly
Description:Fareit Payload
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_pony_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.pony.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171172/

Comments