MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87dc16528521b99284a5d7e466d1cd5047c3ca27caaa05a0ea6ccd11b63dd3b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87dc16528521b99284a5d7e466d1cd5047c3ca27caaa05a0ea6ccd11b63dd3b8
SHA3-384 hash: 182326af33aca79f02e6782c17d4fb94e9ec8ba9d3a8e64b813eb7d534fd408c3cbf428c743ee8b7a1cb1817d5c97718
SHA1 hash: 28d179381e016a2bc67fbe9a09dc20b66668151c
MD5 hash: 007a3ad1dc604fcb59d435c42360a78e
humanhash: mockingbird-east-paris-robert
File name:NewOrder2407220.exe
Download: download sample
Signature Pony
Create hunting rule
File size:349'696 bytes
First seen:2020-07-25 07:33:45 UTC
Last seen:2020-07-25 08:57:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:hTbzBjd7VR7HAMi2HuhxWrowsWT3c4Ku799dOBAx2FnJ3EfsO:ZzLVtHAMi2HuhxWroIT3cXu7FOW2FnJu
Threatray 116 similar samples on MalwareBazaar
TLSH 4474A284A7EC4749F0BF3E327CB599A40976BCE6AD75E71E0986148C1C32F80D961F26
Reporter abuse_ch
Tags:Downloader.Pony exe MailChannels Pony


Avatar
abuse_ch
Malspam distributing Downloader.Pony:

HELO: dragonfly.birch.relay.mailchannels.net
Sending IP: 23.83.209.51
From: Alastair Broom <orders@radmarm.com>
Reply-To: info@industralmail.com
Subject: Door Inquiry
Attachment: NewOrder2407220.zip (contains "NewOrder2407220.exe")

Pony C2:
http://agnrg.com/images/Jp/panel/gate.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
489
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32337/
Detection(s):
SecuriteInfo.com.Variant.Bulz.5843.19791.15777.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the %AppData% directory
Launching a process
Creating a file
Reading critical registry keys
Sending an HTTP POST request
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Brute forcing passwords of local accounts
Result
Threat name:
Lokibot Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/397870
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Lokibot Info Stealer
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 251115 Sample: NewOrder2407220.exe Startdate: 25/07/2020 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for dropped file 2->57 59 7 other signatures 2->59 9 NewOrder2407220.exe 3 2->9         started        process3 file4 45 C:\Users\user\AppData\Roaming\WRESTRDT.exe, PE32 9->45 dropped 47 C:\Users\...\WRESTRDT.exe:Zone.Identifier, ASCII 9->47 dropped 65 Maps a DLL or memory area into another process 9->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->67 13 RegAsm.exe 1 14 9->13         started        17 NewOrder2407220.exe 1 9->17         started        signatures5 process6 dnsIp7 51 agnrg.com 204.13.233.248, 49716, 49717, 80 DATACATE-AS1US United States 13->51 69 Detected Lokibot Info Stealer 13->69 71 Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code 13->71 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->73 75 Tries to steal Mail credentials (via file registry) 13->75 19 cmd.exe 1 13->19         started        77 Maps a DLL or memory area into another process 17->77 21 RegAsm.exe 14 17->21         started        25 NewOrder2407220.exe 17->25         started        27 NewOrder2407220.exe 17->27         started        29 2 other processes 17->29 signatures8 process9 dnsIp10 31 conhost.exe 19->31         started        49 agnrg.com 21->49 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->61 63 Tries to harvest and steal ftp login credentials 21->63 33 cmd.exe 1 21->33         started        35 WerFault.exe 25->35         started        37 WerFault.exe 27->37         started        39 WerFault.exe 29->39         started        signatures11 process12 process13 41 conhost.exe 33->41         started        43 WerFault.exe 33->43         started       
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/87dc16528521b99284a5d7e466d1cd5047c3ca27caaa05a0ea6ccd11b63dd3b8/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-25 07:35:07 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q7obmuufeg4zfbff27sgnuonkbd4hsrhzkvalihkntgrdnr52o4a._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab
Pony
40bcf1b92cac08e72eb025659bb892a41926ebd655f448ff5544ece312986987
Pony
49f23a6aa07ad1617e09d06680a7e2544ba8daa9295285405b7c82ab96b8a335
Pony
80b9257f924aef8ac5a1a724234ddcd6b67bee79819202bb7b5d4586b35164c7
Pony
82c531ee47fd52c78ed90b259be7908208ae6657a75643fce70df85eb0cd64a3
Pony
9026e9b714998846a26087ed7f5a276b1399204a1e34d469571a7301ce720931
Pony
98adccc8a599f53904c5cd22c7398d6b692c642807cab71f1ab6d2dc65e1c5a5
Pony
e4b839be39665555c0637a45d7835cf5aed0633b9d3b3c72b0c3710555cf2eb0
Pony
f711673ec31f884e59192cc360b841efc1c77b0d0b41787bea5424ae520f9989
Pony
fe966a744b83daaecb2b4b01adc7204e42d3f98955e142e78d7a948709185d27
Pony
+ 106 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
spyware discovery rat stealer family:pony
Link:
https://tria.ge/reports/200725-kn9qbsm4yx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Checks installed software on the system
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87dc16528521b99284a5d7e466d1cd5047c3ca27caaa05a0ea6ccd11b63dd3b8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

d5159da1bd5ebaf53db9f8855779c5d6

Pony

Executable exe 87dc16528521b99284a5d7e466d1cd5047c3ca27caaa05a0ea6ccd11b63dd3b8

(this sample)

  
Dropped by
MD5 d5159da1bd5ebaf53db9f8855779c5d6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/32337/

Comments