MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 66805e6f758115e77f635b2c469fd0c44629ac1994f972a36be52116820c9e9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Pony
Vendor detections: 7
| SHA256 hash: | 66805e6f758115e77f635b2c469fd0c44629ac1994f972a36be52116820c9e9d |
|---|---|
| SHA3-384 hash: | eb23382a923d4225c63fdb0185e40f0ba27c2b0a3440a4f004957cbf733d0d60aba0845d924decf0de9e471a305d0257 |
| SHA1 hash: | f1c10fa2f9519597342a2d4a8b85230eae347ec5 |
| MD5 hash: | 3dae0f081b9728a4e9299ca7366d4225 |
| humanhash: | speaker-oranges-iowa-don |
| File name: | DHL AWB 13042500307_PDF.exe |
| Download: | download sample |
| Signature | Pony |
| File size: | 285'184 bytes |
| First seen: | 2020-07-03 06:17:47 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 6144:npRDkeVztAccX5AtJltEUBj8c4QTh89bCmeO:pRRc5AtJLf6bQTh8 |
| Threatray | 213 similar samples on MalwareBazaar |
| TLSH | 0E549E35231D6F9BD164B934A01666010D797D3F2A13D73DBC4F35AA38B1BC48A63AB2 |
| Reporter |  abuse_ch |
| Tags: | DHL Downloader.Pony exe Pony |
abuse_ch
Malspam distributing Downloader.Pony:HELO: cpanel3.centrin.net.id
Sending IP: 202.146.241.47
From: DHL EXPRESS© <amelia@sinokor.co.id>
Subject: Electronic invoice generated by DHL Express_Invoice 03-07-2020: Air Waybill no 13042500307
Attachment: DHL AWB 13042500307_PDF.gz (contains "DHL AWB 13042500307_PDF.exe")
Pony C2:
http://mci-consultant.id/ol/panelnew/gate.php
Intelligence
File Origin
# of uploads :
1
# of downloads :
455
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Fareit
Detection(s):
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Status:
Malicious
First seen:
2020-07-03 06:19:05 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
pony
Similar samples:
+ 203 additional samples on MalwareBazaar
Result
Malware family:
pony
Score:
10/10
Tags:
discovery rat spyware stealer family:pony
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of SetThreadContext
Checks for installed software on the system
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Deletes itself
Pony,Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.