MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 685600c9a38127f36ac49d03dbd18a82a6585b6aa4ad35a35359d505b94af44e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 685600c9a38127f36ac49d03dbd18a82a6585b6aa4ad35a35359d505b94af44e
SHA3-384 hash: 2986eb08ca67b8d180ea81f5e5daa07c841adf684152772cb6f3af8cf4a3f494d12ce8b5d805d6ba295e2dc713c34c63
SHA1 hash: a6f41858b682a80e8b17c1a963b443788d0970a5
MD5 hash: 46d1c7f8047d8f769cea0e4b3ea739ab
humanhash: alabama-delta-friend-moon
File name:Schyot za proshlyj mesyac.exe
Download: download sample
Signature Pony
Create hunting rule
File size:1'023'504 bytes
First seen:2020-07-02 07:58:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3fc2b5f0615adc16502de3605cc3d418 (1 x Pony)
ssdeep 3072:pXWNTuo0ILAuHv5B6YK/5AhNSiMM+WSz48yVkm57ALRx:pX0uGUYv5MN5ILMUcQ57E
TLSH 5125B09B32EB8CB7FC6B37780C321B66456FFCE16E34A14B2690764C29747A64834752
Reporter abuse_ch
Tags:exe geo Pony RUS


Avatar
abuse_ch
Malspam distributing Pony:

HELO: mail.raffer.ru
Sending IP: 37.18.35.45
From: Евгения Овчинникова <evstropova@raffer.ru>
Reply-To: Евгения Овчинникова <tarasovaek54@rambler.ru>
Subject: Док-ы на оплату за прошлый месяц
Attachment: Schyot za proshlyj mesyac.001 (contains "Schyot za proshlyj mesyac.exe")

Pony C2:
http://45.61.136.140/p/z05857687.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
481
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18392/
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/685600c9a38127f36ac49d03dbd18a82a6585b6aa4ad35a35359d505b94af44e/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-07-02 07:33:09 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nblabsndqet7g2wetub5xumkqktfqw3kuswtli2tlhkqlokk6rha._file
Verdict:
unknown
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
spyware discovery rat stealer family:pony
Link:
https://tria.ge/reports/200702-gkey6jmzlx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Script User-Agent
Checks for installed software on the system
Accesses cryptocurrency wallets, possible credential harvesting
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

f8c0f12223286e2c1a477759ff41df96

Pony

Executable exe 685600c9a38127f36ac49d03dbd18a82a6585b6aa4ad35a35359d505b94af44e

(this sample)

  
Dropped by
MD5 f8c0f12223286e2c1a477759ff41df96
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/18392/

Comments