MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 384ccd374a7b0ad96c05c598a8805af2c0171554a8caa56b383b60f7a847e26f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 384ccd374a7b0ad96c05c598a8805af2c0171554a8caa56b383b60f7a847e26f
SHA3-384 hash: 6a9e30b00cca2f9783936a671e233d6592b7f6f7cdc3b490a45d07ee8344b89ba5f26bde22183e4fa8dd8ffe386cc379
SHA1 hash: 41a81a5b383f2fa8936cff9c1c7d00096f202243
MD5 hash: 180512f19b80562669451bd32a14e7de
humanhash: juliet-purple-edward-winner
File name:384CCD374A7B0AD96C05C598A8805AF2C0171554A8CAA.exe
Download: download sample
Signature Pony
Create hunting rule
File size:507'904 bytes
First seen:2021-07-14 17:26:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f33b931ff1d50f0cef09aafbe4eadc1 (1 x Pony)
ssdeep 12288:IxGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGS:IGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGT
Threatray 2'697 similar samples on MalwareBazaar
TLSH T1B0B4E01380A66ABCCEAB46FFD510F142F25B558A1EE05C3DD0C91F025D619EABED482F
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://wellgam.com/bambam/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://wellgam.com/bambam/gate.php https://threatfox.abuse.ch/ioc/160524/

Intelligence

File Origin
# of uploads :
1
# of downloads :
637
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
384CCD374A7B0AD96C05C598A8805AF2C0171554A8CAA.exe
Verdict:
No threats detected
Analysis date:
2021-07-14 17:28:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d100a6cf-1b17-4786-b307-ecec537eb414

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Pony
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171790/
Detection(s):
Win.Malware.Fareit-6938608-0
Create hunting rule

Win.Malware.Fareit-6938631-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8077ca5-5c33-488b-9e41-afcfc13c1292
Result
Threat name:
Lokibot Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816457
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected Lokibot Info Stealer
Detected unpacking (changes PE section rights)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Generic Dropper
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/384ccd374a7b0ad96c05c598a8805af2c0171554a8caa56b383b60f7a847e26f/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2019-04-03 10:38:26 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hbgm2n2kpmfns3afywmkrac26labofkuvdfkk2zyhnqppkch4jxq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
0089a67b8891a809e2c7699b1d97e0d1286756c801aecc20a200a13b049ecb94
Pony
117ae3b6d9239584da7887db5daee6c240e9e58d2b4f6bcafa9b1a5ef4194d20
Pony
17febcec21b3156aec42aea1f3b70e45b0ea57572547b483aeb1614a6d5a4d89
Pony
26429a83373a49db5ad7801f324d8f1ce0aafd687ee405a44cb8d6ebebf65c15
Pony
27563e3971b4f2baf6bf551323b1538809038aa456d5e0c02dd5e6a902b8f0e6
Pony
3ec89e73e39d8f49eb7af879ca10a3b172a155b50cffd2e98dd4826c4284fd49
Pony
55fbd4afb3b387dcab2c4ccb60e2ced461773add94567b99207ccd7faa3ed05f
Pony
96beaff70c51e04f38db0943eddd24ecc142ef2815d536b82655e25fbf5a54db
Pony
9e3fdcc393fc96ce693041533b4ecc9e43d57ad1bca40c99d07713dc90d39bd4
Pony
ef4cb9aea5d837610a28160c179ef3c4f381f84a8cbdd3464563800c53a95f15
Pony
+ 2'687 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony discovery rat spyware stealer
Link:
https://tria.ge/reports/210714-y9tdztbz76/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Malware Config
C2 Extraction:
http://wellgam.com/bambam/gate.php
Unpacked files
SH256 hash:
384ccd374a7b0ad96c05c598a8805af2c0171554a8caa56b383b60f7a847e26f
MD5 hash:
180512f19b80562669451bd32a14e7de
SHA1 hash:
41a81a5b383f2fa8936cff9c1c7d00096f202243
Link:
https://www.unpac.me/results/909292d6-c04e-4448-80ba-57a2674a329b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/384ccd374a7b0ad96c05c598a8805af2c0171554a8caa56b383b60f7a847e26f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Fareit
Create hunting rule
Author:kevoreilly
Description:Fareit Payload
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:win_pony_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.pony.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171790/

Comments