MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e10bf3065a34afa9f249b7ebff5e4e6822811748066bf93850438f2ba06d795. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e10bf3065a34afa9f249b7ebff5e4e6822811748066bf93850438f2ba06d795
SHA3-384 hash: 7cc826f44ab365e3a36155b35c510e5c879a6b33099f9dfe3aa8705b597cb857caba6eb297f87feec402fa1253832c31
SHA1 hash: 10415544e4a4ba8b0b14c6e3e7063b8bf4307268
MD5 hash: 245a775fcc804a2cb4b39d9a9f3dd86d
humanhash: quiet-black-angel-quebec
File name:245a775fcc804a2cb4b39d9a9f3dd86d.exe
Download: download sample
Signature Pony
Create hunting rule
File size:186'272 bytes
First seen:2023-01-11 21:05:22 UTC
Last seen:2023-01-11 22:30:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'070 x AgentTesla, 20'023 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 3072:uefRcOLrkoOVtBc9zrozjwOgyxs8XHJ8VVM:ucq6OjBsozjwZ90
Threatray 618 similar samples on MalwareBazaar
TLSH T18D040A2438EF101AF173FF756FD879EADA9FB6723B0A646A104103478A12E41ED9253D
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe Pony signed

Code Signing Certificate

Organisation:RiverCert Corporation
Issuer:RiverCert Corporation
Algorithm:md5WithRSAEncryption
Valid from:2015-03-18T05:29:58Z
Valid to:2016-03-17T05:29:58Z
Serial number: 00
Intelligence: 331 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 7f8fe6364b57f6a28a63b5a8992bd79985e04f6280bee5aab2d8a48ad1fcc5e2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Pony C2:
http://freashalbany.site11.com/gate.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
pony
Create hunting rule
ID:
1
File name:
245a775fcc804a2cb4b39d9a9f3dd86d.exe
Verdict:
Malicious activity
Analysis date:
2023-01-11 21:08:41 UTC
Tags:
trojan pony fareit stealer
Link:
https://app.any.run/tasks/e09a3b9a-42f3-49c5-8d5d-cae7a71c9a41

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Pony
Create hunting rule
Link:
https://www.capesandbox.com/analysis/352070/
Detection(s):
SecuriteInfo.com.Variant.MSILPerseus.3295.18236.5528.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Launching a process
Gathering data
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3881990b-a1ad-4c56-a7ab-92d8e2604e6d
Result
Threat name:
Lokibot, Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1149908
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected Lokibot Info Stealer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 782640 Sample: pdNGf7oYq5.exe Startdate: 11/01/2023 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 5 other signatures 2->40 7 pdNGf7oYq5.exe 1 4 2->7         started        11 invoice.exe 3 2->11         started        13 invoice.exe 2 2->13         started        process3 file4 30 C:\Users\user\AppData\Local\...\invoice.exe, PE32 7->30 dropped 32 C:\Users\user\...\invoice.exe:Zone.Identifier, ASCII 7->32 dropped 42 Writes to foreign memory regions 7->42 44 Allocates memory in foreign processes 7->44 46 Injects a PE file into a foreign processes 7->46 15 notepad.exe 7->15         started        18 notepad.exe 12 7->18         started        20 notepad.exe 1 7->20         started        26 2 other processes 7->26 48 Antivirus detection for dropped file 11->48 50 Multi AV Scanner detection for dropped file 11->50 52 Machine Learning detection for dropped file 11->52 22 notepad.exe 12 11->22         started        24 notepad.exe 1 12 13->24         started        signatures5 process6 signatures7 54 Detected Lokibot Info Stealer 15->54 56 Tries to steal Mail credentials (via file registry) 15->56 28 conhost.exe 20->28         started        58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->58 60 Tries to harvest and steal ftp login credentials 24->60 62 Tries to harvest and steal browser information (history, passwords, etc) 24->62 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e10bf3065a34afa9f249b7ebff5e4e6822811748066bf93850438f2ba06d795/
Threat name:
ByteCode-MSIL.PUA.Creprote
Create hunting rule
Status:
Malicious
First seen:
2015-05-08 10:41:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
29 of 41 (70.73%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lyil6mdfunfpvhzetn7l75pe42bcqeluqbtl7e4faq4pfoqg26kq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
4d54c2d7ba1dd250900016f795d91b662b6dc92e3bcd089a9ea74ab7e12b09fd
Pony
4fbb201bac972c243d392f1191e76e16d56e01c5ebcea6e826ecc7236e50d37b
Pony
5fe98959812226a5a14c763862049f5b386f31c4db31424af1d7f9494a79619c
Pony
8da2ab3205cdc8a7b727873fad191870001ad65c3607afbe829d12696f5ae282
Pony
d01094068850316eea6453c751393fe219f3a4b2e6dc3cb4ae27c78a2dad82b6
Pony
d3e8a314209b568a8161c36aba3c799860ec55c867a4d9ded2183657d0e37eed
Pony
+ 608 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony collection rat spyware stealer upx
Link:
https://tria.ge/reports/230111-zxqm8aac6y/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
UPX packed file
Pony,Fareit
Malware Config
C2 Extraction:
http://freashalbany.site11.com/gate.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dc15cb3e-365f-45d2-9bcc-d447611f52c7
Unpacked files
SH256 hash:
3e002eafe8356bea8471b100181efb8826e271f6d0f13e566465bdce88a243f2
MD5 hash:
c28b8f803ac810b0a308e04cc6e26b6e
SHA1 hash:
da9ae5ce4bb1dfa404d249397b740c619411ef32
Detections:
win_pony_auto
Create hunting rule
win_pony_g0
Create hunting rule
Link:
https://www.unpac.me/results/0bc65a29-5eb2-4bca-87b2-f925d9a74e72/
SH256 hash:
3b4e0ceb4c2965088a99c7d753541ed618025b1863399009aeb3f5451e403917
MD5 hash:
9d0316a09fbdee76e3e176d6d86912a5
SHA1 hash:
ea5f0f991c124743d0c2099c96184d2e188f6968
Link:
https://www.unpac.me/results/0bc65a29-5eb2-4bca-87b2-f925d9a74e72/
SH256 hash:
5e10bf3065a34afa9f249b7ebff5e4e6822811748066bf93850438f2ba06d795
MD5 hash:
245a775fcc804a2cb4b39d9a9f3dd86d
SHA1 hash:
10415544e4a4ba8b0b14c6e3e7063b8bf4307268
Link:
https://www.unpac.me/results/0bc65a29-5eb2-4bca-87b2-f925d9a74e72/
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5e10bf3065a3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/5e10bf3065a34afa9f249b7ebff5e4e6822811748066bf93850438f2ba06d795

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/352070/

Comments