MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280
SHA3-384 hash: 340c340786870d6ca0926e8343f44bf4dc5ee8cff18bd2b670f9a5efb2057c30919b1f1f2778e2cd1f7961e90f592609
SHA1 hash: 8309c09348332be80133bc913a41dc10204f8870
MD5 hash: 31f1b62f71d96421d814159d79eeff85
humanhash: east-nebraska-ten-salami
File name:6A3D573C5924146DCA7DA9666F0031B1F0A68B1733C34.exe
Download: download sample
Signature Pony
Create hunting rule
File size:147'960 bytes
First seen:2022-03-12 19:06:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 67e1469bc53427d992ffc6930ac5a6b6 (1 x Pony)
ssdeep 3072:Hc1d21pFSSWEaoDo3tYnOZPtHgWn5MH/0pnWD5/na/unW:81d21T3O3t7HFn5MH/EnF
Threatray 6'401 similar samples on MalwareBazaar
TLSH T177E3BF397D2B517BD3F58A73C85A1A14F090BBA6710B2D4F11F2D98CBE62A97BC8104D
File icon (PE):PE icon
dhash icon 8e26d6c9d5cdd5f4 (1 x Pony)
Reporter abuse_ch
Tags:exe Pony signed

Code Signing Certificate

Organisation:74775426139627757148236377924693923521191589117922621294993766952329797842987323748842468323588288723775443239621812122871662442295243673991883563259986648
Issuer:74775426139627757148236377924693923521191589117922621294993766952329797842987323748842468323588288723775443239621812122871662442295243673991883563259986648
Algorithm:sha1WithRSA
Valid from:2013-01-25T10:30:05Z
Valid to:2039-12-31T23:59:59Z
Serial number: -674c6dbb95fa0b41b0f5d0c542056ec3
Thumbprint Algorithm:SHA256
Thumbprint: ddf7c92ee62ff57d9483b80290b9a2641e50cb076dab83327d136810f22b2eee
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Pony C2:
http://62.173.139.212/forum/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://62.173.139.212/forum/gate.php https://threatfox.abuse.ch/ioc/394559/

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'533
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Pony
Create hunting rule
Link:
https://www.capesandbox.com/analysis/249839/
Detection(s):
Win.Trojan.138399-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
Sending an HTTP POST request
Sending a custom TCP request
Creating a file in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Brute forcing passwords of local accounts
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/9004/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit greyware overlay packed razy shell32.dll zbot
Link:
https://www.filescan.io/uploads/622cef5a0cd58dbd9288512c/reports/f9715ca6-55d2-4bc7-a72a-bcf356d43336/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/766fd33e-9406-4b19-81bd-ff3d646292dc
Result
Threat name:
Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/955481
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280/
Threat name:
Win32.Trojan.Zeus
Create hunting rule
Status:
Malicious
First seen:
2013-01-29 10:58:00 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
36 of 40 (90.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ni6vopczeqkg3st5vftg6abrwhykncyxgpbu3loc5gaah362ukaa._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
1806d28090fbacfecd7f998105128105b92830e971b79948697a3f0210ee30bc
Pony
68b44c46b4512112874ba35dbb4c7ea1e97d900428d0fc9ce0b04aea615d073e
Pony
69ff8732173d5e24f543bf6190f1a9143a91355b93d5a80f55587f1868ed4968
Pony
8feae03951203fbfdf623c8dfadad2cdc10560bc11e28c1fc134492a764833a6
Pony
a3bc503e3bfa3d8fa08154a9fadd285b736d57f551285c73247f5651ebf736d5
Pony
+ 6'391 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony collection discovery rat spyware stealer suricata
Link:
https://tria.ge/reports/220312-xr5tvabhgm/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks computer location settings
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
Unpacked files
SH256 hash:
cc5a4951ce4a1a3e528563917aac8d3e24e91c482260eaf2a0924705b1590e8b
MD5 hash:
8011d3cbe4d01d4abecc2339762216c6
SHA1 hash:
173e211011978ff9e029dfcddfb5847f33592c8a
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/4e75929e-5285-4578-a0ea-9dbde76ed73e/
SH256 hash:
6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280
MD5 hash:
31f1b62f71d96421d814159d79eeff85
SHA1 hash:
8309c09348332be80133bc913a41dc10204f8870
Link:
https://www.unpac.me/results/4e75929e-5285-4578-a0ea-9dbde76ed73e/
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6a3d573c5924/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/6a3d573c5924146dca7da9666f0031b1f0a68b1733c34dadc2e98003efdaa280

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/249839/

Comments