MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 489f3a394942157dbc0ed01c09989288c1a87a2d7b80a6382a4338094b35d710. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	489f3a394942157dbc0ed01c09989288c1a87a2d7b80a6382a4338094b35d710
SHA3-384 hash:	aea4dbf12e64b91ea6ca0140d994d0d2418f31df45f4f73259f1ee38469943d15e74d2d612f9d47b83d48a53df528771
SHA1 hash:	8b546cede088ececf790ac1cafb02cf5a0366c8e
MD5 hash:	9c36d806f114ad981ed65f3763e04131
humanhash:	quiet-william-hawaii-triple
File name:	Sverka maj.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	191'552 bytes
First seen:	2020-05-26 08:19:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	10f459a72d95e0912e5fc24662dbfdf6 (1 x Pony)
ssdeep	1536:6SdSYYlMkGbCQIg2VLew4jN2YxfVOmFBzxMGFA/UdO1GW0Oxj99WykhcqL7gAht1:Z8B6k/QI5CwQHVOWpyG2/UGGpXBtEK
Threatray	145 similar samples on MalwareBazaar
TLSH	C014BE83B5C9E83DF8CA197764998A7391E64CB21B47AA8331F83F953F257E04385067
Reporter	abuse_ch
Tags:	Downloader.Pony exe Pony

Code Signing Certificate

Organisation:	GDITUVVWZFAHWMWLWE
Issuer:	GDITUVVWZFAHWMWLWE
Algorithm:	sha1WithRSA
Valid from:	May 25 21:38:20 2020 GMT
Valid to:	Dec 31 23:59:59 2039 GMT
Serial number:	0887DC8E2069D1B84519EDA76518198C
Thumbprint Algorithm:	SHA256
Thumbprint:	887DB25158934CBA499EB80581FE0F697FE72DE9255B40AE437B0A5B1B80C4C6
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

Malspam distributing Downloader.Pony:

HELO: ligazn.ru
Sending IP: 91.232.132.185
From: Елена Быкова <fond@blago.info>
Reply-To: anastasbobrova64@rambler.ru
Subject: =?utf-8?B?0J/QsNC60LXRgiDQtNC+0LrRg9C80LXQvdGC0L7QsiDR?==?utf-8?B?gSDQvNC+0LrRgNGL0LzQuCDQv9C10YfQsNGC0Y/QvNC4?=
Attachment: Sverka maj.001 (contains "Sverka maj.exe")

Pony C2:
http://142.202.190.19/p/z05857687.php

Intelligence

File Origin

# of uploads :

# of downloads :

143

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.BackDoor.Generic12.AOUE.3057.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Grp

Status:

Malicious

First seen:

2020-05-26 12:52:42 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Result

Malware family:

n/a

Score:

9/10

Tags:

spyware

Link:

https://tria.ge/reports/201109-wqpp9xck9j/

Behaviour

Runs ping.exe

Script User-Agent

Suspicious use of WriteProcessMemory

Deletes itself

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

rar edc12b00df9b14ff11d99f6b98bf439d7544d1e99ebffff4a6b55e633a4fd94b

Pony

exe 489f3a394942157dbc0ed01c09989288c1a87a2d7b80a6382a4338094b35d710

(this sample)

Dropped by

MD5 c9f5c952928877b758b56a95dde47c9b

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 edc12b00df9b14ff11d99f6b98bf439d7544d1e99ebffff4a6b55e633a4fd94b

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample