MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e802539738578152d3255774e831b71bbc21d798bb672223e326c80e430713a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e802539738578152d3255774e831b71bbc21d798bb672223e326c80e430713a
SHA3-384 hash: 121c12f213d1e8fcf54b1981cade11840ca0eb9b74fd9fd3032aa8bf6302f4cc4329496f91bdb1ae6a6e3de8fdbd1fda
SHA1 hash: 5215f8eaf7ad33df0c2734fc4f1adeeb8d96b0b4
MD5 hash: a770baa7bd793c8fad7b09701029810c
humanhash: floor-nevada-kentucky-magazine
File name:COVID-19_UPDATE_PDF.exe
Download: download sample
Signature Pony
Create hunting rule
File size:972'288 bytes
First seen:2020-04-03 04:47:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e1fea4e1fcb1753c55c4b7f3406dc8c2 (2 x AgentTesla, 1 x Pony, 1 x Loki)
ssdeep 12288:EbZqJ+db/pbUwTDvtqU+VPWZhBDKF/OGEw3ua/hbA9JcLPptTOAO:64IzofNENJLKua/hbA9ChI/
Threatray 133 similar samples on MalwareBazaar
TLSH D0256B26B7E4D736C07369FD8C5212A8D9313E605A37A101EFEBED489A39AC0F5163D1
Reporter jarumlus
Tags:COVID-19 Downloader.Pony Pony

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-03 00:08:18 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j2ackoltqv4bkljskv3u5ay3og54ehlzro3heir6gjwibzbqoe5a._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
2dba22bb151cb9c5e35304b1a6215374d6857898d217b721f9b5a6e8d973576d
Pony
5ee970db11a1dbfeff58b1f1206045d141022d6d396d50ba571910522a2c106d
Pony
6168fd7705599e810cba4c0954acb5cdfa8e03ae92ed679a9e538a09da08a7de
Pony
70b3e86ab4bda10e5ccb441fb356f193ee69f709b9d827b8f1bfd0077a64316e
Pony
754b203cb7ca6224a217e4187151adb437574b95fe15fd1bb7ab887cffad8bce
Pony
9026e9b714998846a26087ed7f5a276b1399204a1e34d469571a7301ce720931
Pony
a8af98897cc2adfa6868c15ad536d7359f749ff3bb8cf9be11c7e45d437dc37f
Pony
b0f0758152599d38ebd0f485f435536f73819ae3fcdddbef8a182b8e06eaa01d
Pony
e2d51d5dea8e3b54091d4575a79b4a535cd201404048f77045c06cd57e79a637
Pony
e4b839be39665555c0637a45d7835cf5aed0633b9d3b3c72b0c3710555cf2eb0
Pony
+ 123 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteExA
shell32.dll::ShellExecuteA
shell32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::VirtualAllocEx
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments


Avatar
commented on 2020-04-03 11:15:01 UTC

Pony C2:
http://ommaterial.com/Broken/gate.php