MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49f23a6aa07ad1617e09d06680a7e2544ba8daa9295285405b7c82ab96b8a335. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	49f23a6aa07ad1617e09d06680a7e2544ba8daa9295285405b7c82ab96b8a335
SHA3-384 hash:	cb2ede8f404de527b9d595b451607f33bc23c090019ca99125f10681d9e76b8e26b9a958b3d4748cf02ae07188904d12
SHA1 hash:	5ae202d3d0b37f2ac9c8620744aefef0137a4ebb
MD5 hash:	6248eff8299320d8658ce95bd92b3ca7
humanhash:	maine-friend-cup-queen
File name:	Swift docs.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	622'080 bytes
First seen:	2020-06-22 06:20:34 UTC
Last seen:	2020-06-22 06:41:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	53e988b05dd87faa3607b92ae121c8dc (13 x AgentTesla, 5 x DarkComet, 4 x Loki)
ssdeep	12288:qVdoK1+r6XRBuSAAZJu0z53gFnlgJokftRr6LGVu:+Cxr6RACjHJoEyLSu
Threatray	146 similar samples on MalwareBazaar
TLSH	C1D49E22E2B10433C163167D5C1F5378B826BE51792899C6ABE5DC7C9F3B282353B297
Reporter	abuse_ch
Tags:	DHL exe Pony

abuse_ch

Malspam distributing Pony:

HELO: delivery.com
Sending IP: 45.143.222.116
From: DHL SECURED SERVICE <dhl@delivery.com>
Subject: RE: DHL ONLINE SHIPPING PARCEL NOTIFICATION/INVOICE
Attachment: DHL RECEIPT.rar (contains "Swift docs.exe")

Pony C2:
http://jitk.nusamandiri.ac.id/tp/panelnew/gate.php

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Fareit

Link:

https://www.capesandbox.com/analysis/12399/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Detection:

pony

Link:

https://mwdb.cert.pl/sample/49f23a6aa07ad1617e09d06680a7e2544ba8daa9295285405b7c82ab96b8a335/

Threat name:

Win32.Trojan.CryptInject

Status:

Malicious

First seen:

2020-06-22 06:22:04 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jhzdu2vapliwc7qj2btibj7ckrf2rwvjffjikqc3psbkxfvyum2q._file

Result

Malware family:

pony

Score:

10/10

Tags:

discovery rat spyware stealer family:pony

Link:

https://tria.ge/reports/200624-6fqeb55q2a/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks for installed software on the system

Deletes itself

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Pony,Fareit

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ffea649f3b5ac99b5e8d6b9f3f093b91

Pony

exe 49f23a6aa07ad1617e09d06680a7e2544ba8daa9295285405b7c82ab96b8a335

(this sample)

Dropped by

MD5 ffea649f3b5ac99b5e8d6b9f3f093b91

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/12399/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample