MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3757d0cdf86233d9ca139d414dd7b1cb19ae824514490f747fcc931cf9ed750d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 9



SHA256 hash: 3757d0cdf86233d9ca139d414dd7b1cb19ae824514490f747fcc931cf9ed750d
SHA3-384 hash: 652f89830e1587042d1ddf0cfd5685eb0778107ee135fb5a5f7a65e5800c9e12fdc75e8ae9fbff44ff2092370523e5a3
SHA1 hash: 9a8aafab89e7b515f45e8c5ff045cdb848df532f
MD5 hash: efdb2a0f1577b376fc6e416136498b57
humanhash: august-uncle-green-friend
File name: eInvoicing_pdf.bat.exe
Signature: Pony
File size: 987'656 bytes
First seen: 2020-10-05 13:28:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8dadb07b7d4cd20e1b2cc994c690a7d3 (7 x ModiLoader, 3 x Loki, 1 x Pony)
ssdeep: 12288:xB/Z3LDx5poUjzEKGsMDTOVeryD+X1pSlRk1/jYGloIZLIyADyJCC5jdmp65dy3q:DImI8hXXhb/oN3he9KUIddHlLJ
Threatray: 119 similar samples on MalwareBazaar
TLSH: 65258D12B252D432D03216749F6A82ECC92D7FA13D54684B36E93F7F2E362D2741A94F
Reporter: James_inthe_box
Tags: exe

Code Signing Certificate

Organisation: Symantec Time Stamping Services CA - G2
Issuer: Thawte Timestamping CA
Algorithm: sha1WithRSAEncryption
Valid from: Dec 21 00:00:00 2012 GMT
Valid to: Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 135
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Reading critical registry keys
Connection attempt
Sending an HTTP POST request
Deleting a recently created file
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Brute forcing passwords of local accounts
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph: (graph image not recoverable) Behavior Graph ID: 293330, Sample: eInvoicing_pdf.bat.exe, Startdate: 05/10/2020, Architecture: WINDOWS, Score: 96
Process tree recovered from the graph: eInvoicing_pdf.bat.exe starts notepad.exe and ieinstal.exe; notepad.exe drops C:\Users\Public27atso.bat (ASCII) and starts cmd.exe twice; cmd.exe starts conhost.exe and reg.exe.
Network contacts recovered from the graph: googlehosted.l.googleusercontent.com (216.58.215.225, port 443, GOOGLEUS, United States), discord.com (162.159.138.232, port 443, CLOUDFLARENETUS, United States), doc-0c-9o-docs.googleusercontent.com.
Threat name: Win32.Backdoor.Remcos
Status: Malicious
First seen: 2020-10-05 06:20:35 UTC
File Type: PE (Exe)
Extracted files: 103
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: spyware trojan family:modiloader rat stealer family:pony
Behaviour
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Reads data files stored by FTP clients
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Pony,Fareit
Unpacked files
SHA256 hash: 3757d0cdf86233d9ca139d414dd7b1cb19ae824514490f747fcc931cf9ed750d
MD5 hash: efdb2a0f1577b376fc6e416136498b57
SHA1 hash: 9a8aafab89e7b515f45e8c5ff045cdb848df532f
Detections: win_dbatloader_auto
SHA256 hash: 23b69e59d0e34b75f5b1f1dc71cc4fbb079686b6c57f0c41d21315b81421de41
MD5 hash: 68f9a79be614ab70b60450e934aacaee
SHA1 hash: 81997dd86fab42de9950e3ca7884e2c7a7f14ab8
Detections: win_dbatloader_g0
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
