MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5dabd8862d5b62888b4d17eb07112cf04a67787a8b7bb1318c64d250c4940698. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5dabd8862d5b62888b4d17eb07112cf04a67787a8b7bb1318c64d250c4940698
SHA3-384 hash: 648602dc13b42ef9a62cc0e3067d8adb7fcd00a066b007e0821d8d64ac3186ccbc5ec8fc06312e4b345dc24e8d15a4ab
SHA1 hash: a478b32f80e56fa6cbab47f35f0ad6665311cc08
MD5 hash: e861bc977060496603cd588ed6183e75
humanhash: don-virginia-hotel-one
File name:a478b32f80e56fa6cbab47f35f0ad6665311cc08
Download: download sample
Signature Pony
Create hunting rule
File size:235'520 bytes
First seen:2022-11-20 17:25:15 UTC
Last seen:2022-11-20 18:32:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:vmG3Z4C4QdER68zCuf99S2k8w/n5iKhJMu:vmG3+ZF9Sok5nhJM
Threatray 581 similar samples on MalwareBazaar
TLSH T17F34CE5027FC4B26EAFD57FA54B1A4044375A6339813F709AFC270EA2DA37C0558AB27
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Anonymous
Tags:exe Pony

Intelligence

File Origin
# of uploads :
2
# of downloads :
326
Origin country :
US US
Vendor Threat Intelligence
Malware family:
pony
Create hunting rule
ID:
1
File name:
a478b32f80e56fa6cbab47f35f0ad6665311cc08
Verdict:
Malicious activity
Analysis date:
2022-11-20 17:28:13 UTC
Tags:
trojan pony fareit stealer sinkhole
Link:
https://app.any.run/tasks/647ffd25-b49d-455f-9c33-2c824f6f47aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/336431/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.46479.11400.27841.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Running batch commands
Stealing user critical data
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Brute forcing passwords of local accounts
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe fareit packed pony shell32.dll
Link:
https://www.filescan.io/uploads/637a632aa0efd596b82efa99/reports/2f493b41-c034-4cf5-b331-507c1bc4556a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff692e62-2d8e-48de-a91f-48aaa7851d50
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1117630
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 750342 Sample: bycNj13dz1.exe Startdate: 20/11/2022 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic 2->46 48 Multi AV Scanner detection for domain / URL 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 11 other signatures 2->52 8 CLpespylACw.exe 5 2->8         started        11 bycNj13dz1.exe 7 2->11         started        process3 file4 54 Antivirus detection for dropped file 8->54 56 Multi AV Scanner detection for dropped file 8->56 58 Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code 8->58 60 Machine Learning detection for dropped file 8->60 14 CLpespylACw.exe 14 8->14         started        18 schtasks.exe 1 8->18         started        36 C:\Users\user\AppData\...\CLpespylACw.exe, PE32 11->36 dropped 38 C:\Users\...\CLpespylACw.exe:Zone.Identifier, ASCII 11->38 dropped 40 C:\Users\user\AppData\Local\...\tmpD48A.tmp, XML 11->40 dropped 42 C:\Users\user\AppData\...\bycNj13dz1.exe.log, ASCII 11->42 dropped 62 Uses schtasks.exe or at.exe to add and modify task schedules 11->62 64 Injects a PE file into a foreign processes 11->64 20 bycNj13dz1.exe 1 14 11->20         started        22 schtasks.exe 1 11->22         started        signatures5 process6 dnsIp7 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->66 68 Tries to harvest and steal ftp login credentials 14->68 70 Tries to harvest and steal browser information (history, passwords, etc) 14->70 24 cmd.exe 1 14->24         started        26 conhost.exe 18->26         started        44 kanavagronomy.in 107.6.74.76, 49700, 49701, 80 VOXEL-DOT-NETUS United States 20->44 28 cmd.exe 1 20->28         started        30 conhost.exe 22->30         started        signatures8 process9 process10 32 conhost.exe 24->32         started        34 conhost.exe 28->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5dabd8862d5b62888b4d17eb07112cf04a67787a8b7bb1318c64d250c4940698/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-04-07 11:19:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
33 of 41 (80.49%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lwv5rbrnlnrirc2nc7vqoejm6bfgo6d2rn53cmmmmtjfbreua2ma._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
11d8da5aedad9fde99211e94796aba422762ee6943f359c313626faf2eb0638f
Pony
27d1e735572f83321a266037a5f451e145008e308d6278c63a6ef106e2d298a5
Pony
78c42daa9bd978e2e2ca039a54f167f5090681124f402fa9c9bd69a2dd23bc26
Pony
96b1ce824a3687c29b0cb8663c62a09545eb713a3dcf776c29c9a85a393e5d1c
Pony
977c4348075fea725b12f615548b5c586ad1abbaa00c9c51b972278f46adacc5
Pony
97d23ffd00c0dd37730804366759beb11de41f3f5d245014e976a57d667a5ccd
Pony
d1b6aaf16fc5e9ffbe13411dfbefe5c0c7dd222c727852da8fc9fb39a88ed2ae
Pony
f22ea9b80af6dab15179a98494ece17216381d9b334c6bb2a130040eeafaf614
Pony
f4e44a53a69291a3e254cc11fcf4dbe244f407cff4d919526a2532c65654ad89
Pony
f79be9655ab5fa236f5b81bc4af8538e91e4dbb3f6ee25d14891c6bec26681ae
Pony
+ 571 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony collection discovery rat spyware stealer
Link:
https://tria.ge/reports/221120-vzt17saf59/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks computer location settings
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Malware Config
C2 Extraction:
http://kanavagronomy.in/star/panel/gate.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d3156cfd-16b3-48a8-a7ce-af73e83a2b50
Unpacked files
SH256 hash:
3485809e8b48e2ee3145c6310831c34a6c00898583636799997efa12d47d3ad8
MD5 hash:
23e2b6b23ac5372a4266756f4c81abb3
SHA1 hash:
a09382c8e89937499820546fde25e2a93ac2f00b
Detections:
win_pony_auto
Create hunting rule
win_pony_g0
Create hunting rule
Link:
https://www.unpac.me/results/7b81b9e6-f11d-40e5-a54c-147f1327e16e/
Parent samples :
d634843da16ff74a676a748989cd01916cd86278dc96c0d45fa9872dd78ba251
f272777ee69921d167509fdf27ad55f4deb671a9063854d63bef679aaa31d1ba
5dabd8862d5b62888b4d17eb07112cf04a67787a8b7bb1318c64d250c4940698
SH256 hash:
16e27e6592c597e0db6a23b7051533d615c9e9bceb41d9c8ece46e6289fd9add
MD5 hash:
5135e1389557021c3743e8d6b6c53dd7
SHA1 hash:
2b5fc787b97b9d37fc8c9303a49480cc141d7195
Link:
https://www.unpac.me/results/7b81b9e6-f11d-40e5-a54c-147f1327e16e/
SH256 hash:
5dabd8862d5b62888b4d17eb07112cf04a67787a8b7bb1318c64d250c4940698
MD5 hash:
e861bc977060496603cd588ed6183e75
SHA1 hash:
a478b32f80e56fa6cbab47f35f0ad6665311cc08
Link:
https://www.unpac.me/results/7b81b9e6-f11d-40e5-a54c-147f1327e16e/
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5dabd8862d5b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/336431/

Comments