MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fa025c960fee9b41e855d025dcbb7e296c157dd30f42b924637f763e4a3c0ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	4fa025c960fee9b41e855d025dcbb7e296c157dd30f42b924637f763e4a3c0ce
SHA3-384 hash:	91617d4d03895bf4ddd26885d98dc31c1e7891a307a9e51db39490edd702e196433b3530b7763ac70360e3945250a857
SHA1 hash:	b96b08d5cf31ecb0e3067e326b95333b116f3dba
MD5 hash:	8b88f2fbdc3a518dc989a33667ef5ba9
humanhash:	saturn-april-nuts-paris
File name:	gunzipped
Download:	download sample
Signature	Pony Create hunting rule
File size:	798'208 bytes
First seen:	2020-09-25 13:19:30 UTC
Last seen:	2020-09-25 13:48:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	971465ba55aa2969c976f7f768bcd887 (2 x AgentTesla, 1 x Matiex, 1 x Pony)
ssdeep	12288:eRWVDU5/k9qEX4H8HTPz29gd/zKelytqTE7Q/cxJrP6QsraAd7E:eRgV9lX4ePztJzKe4QTnExJrP6B/+
Threatray	112 similar samples on MalwareBazaar
TLSH	3C058E23F2A14837C5632938DC1B6778A926BE513A24AF462FF5DC4CBF397503825297
Reporter	abuse_ch
Tags:	Pony

abuse_ch

Malspam distributing unidentified malware:

HELO: mxten.stunnermedia.com
Sending IP: 66.115.170.52
From: MD Moin <purchase@darwish-tdg.qa>
Reply-To: purchase@darwish-tdg.qa
Subject: Request For Quotation.
Attachment: QUOTATION_242020,9.pdf.gz (contains "gunzipped")

Intelligence

File Origin

# of uploads :

# of downloads :

520

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Fareit

Link:

https://www.capesandbox.com/analysis/65832/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Reading critical registry keys

DNS request

Connection attempt

Sending an HTTP POST request

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Brute forcing passwords of local accounts

Result

Threat name:

Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/475165

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4fa025c960fee9b41e855d025dcbb7e296c157dd30f42b924637f763e4a3c0ce/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-09-25 13:03:36 UTC

AV detection:

36 of 48 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j6qclsla73u3ihuflubf3s5x4klmcv65gd2cxesgg73whzfdydha._file

Result

Malware family:

pony

Score:

10/10

Tags:

spyware discovery rat stealer family:pony

Link:

https://tria.ge/reports/200925-gj2dkxk84e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Checks installed software on the system

Deletes itself

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Pony,Fareit

Unpacked files

SH256 hash:

4fa025c960fee9b41e855d025dcbb7e296c157dd30f42b924637f763e4a3c0ce

MD5 hash:

8b88f2fbdc3a518dc989a33667ef5ba9

SHA1 hash:

b96b08d5cf31ecb0e3067e326b95333b116f3dba

Link:

https://www.unpac.me/results/2f0e3589-192f-4ed0-b44a-824cb81ab6a5/

SH256 hash:

e759b0c33680d57c9fddcb2c04fac9e39b592eeb03e206782efcf4e702b18214

MD5 hash:

432410042df19b35f554436e008ffb63

SHA1 hash:

e3df82ff3b35b0b686170641d4c3401ebb8c319e

Detections:

win_pony_g0

win_pony_auto

Link:

https://www.unpac.me/results/2f0e3589-192f-4ed0-b44a-824cb81ab6a5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4fa025c960fee9b41e855d025dcbb7e296c157dd30f42b924637f763e4a3c0ce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

gz 5c83ffb90747aeeb7f76bf991cee403487725509a30e49a2771afe23e5b5b26b

Pony

exe 4fa025c960fee9b41e855d025dcbb7e296c157dd30f42b924637f763e4a3c0ce

(this sample)

Dropped by

MD5 341c680bfc73a3e2b36090917c9832dd

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 5c83ffb90747aeeb7f76bf991cee403487725509a30e49a2771afe23e5b5b26b

Cape

https://www.capesandbox.com/analysis/65832/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample