MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a1866277075324e5408e0eb2919f0a8929879169e42ce2deb1dbc272b0b009f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 6 File information Comments

SHA256 hash:	9a1866277075324e5408e0eb2919f0a8929879169e42ce2deb1dbc272b0b009f
SHA3-384 hash:	b23e936b4f74310059bc09c9150f7cf11c8a4ac289455e1b26355ad6799485e270b9f74f6052566a0e3c953bc44f5162
SHA1 hash:	1f4f03681a249f3221fbc78258aa4d5b1c1dfe5f
MD5 hash:	08ad2ec6f88872e01c608f0ad73025ae
humanhash:	robert-enemy-harry-spring
File name:	Bank Details.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	489'984 bytes
First seen:	2021-09-23 02:20:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:GlmtiK5o0M1uTEK2HgLRn1sn8a5KNc7KlaILEG:O+Fo0M1GKALR1snicsNL
Threatray	326 similar samples on MalwareBazaar
TLSH	T1A8A412186AAD833ADD6A8FFD5165300187B1D116F543FBCE1EA8F1E1AE4FF42042166B
Reporter	abuse_ch
Tags:	exe Pony

abuse_ch

Pony C2:
http://global-popular.com/faco/panel/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://global-popular.com/faco/panel/gate.php	https://threatfox.abuse.ch/ioc/225564/

Intelligence

File Origin

# of uploads :

# of downloads :

598

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Bank Details.exe

Verdict:

Malicious activity

Analysis date:

2021-09-23 02:21:13 UTC

Tags:

trojan pony fareit stealer

Link:

https://app.any.run/tasks/36d8ac74-c15b-467e-8e51-1783820cde1c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Fareit

Link:

https://www.capesandbox.com/analysis/190448/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.26929.UNOFFICIAL

Malware family:

Pony

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2f7568cc-8fc9-43ce-8a46-e64deb49d3b1

Result

Threat name:

Lokibot Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/856113

Signature

.NET source code contains potential unpacker

Detected Lokibot Info Stealer

Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Detection:

pony

Link:

https://mwdb.cert.pl/sample/9a1866277075324e5408e0eb2919f0a8929879169e42ce2deb1dbc272b0b009f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-23 02:21:05 UTC

AV detection:

11 of 28 (39.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=timgmj3qouze4vai4dvssgpqvcjjq6iwtzbm4lpldw6cokylacpq._file

Verdict:

malicious

Label(s):

pony

Pony

622b4966cead9f36806f4f8f382925142849f5f8434a3e22396f923ecc228f65

Pony

bb065fba0b0a7994b0e5b928b0ded9a6f890a34871f1dd8df2f8c1940a4a8ab5

Pony

bfe85b846350851dd4f83dfed498ae60f85d4129329c24d831567609c8ab553e

Pony

ceb40b25f6ccefa258ca5e9dab520e63280fbb2fdcb2c9cf89df17defd3b6f24

Pony

e5a12cf4cce9ec8ee1d09275355384486d66ea924e5ea38ef879fa6a2e31cafb

Pony

f0883adc5b8236f709c190d5fef08f4bcca554f9e56c7519eb1d34353348cbe5

Pony

+ 316 additional samples on MalwareBazaar

Result

Malware family:

pony

Score:

10/10

Tags:

family:pony discovery rat spyware stealer suricata

Link:

https://tria.ge/reports/210923-cs1ajaggfk/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks installed software on the system

Deletes itself

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Pony,Fareit

suricata: ET MALWARE Fareit/Pony Downloader Checkin 3

suricata: ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98

Malware Config

C2 Extraction:

https://global-popular.com/faco/panel/gate.php

Unpacked files

SH256 hash:

0f0e956d25fc281eaf449d19efdd6beb5cbac83a03641adb2782a2da499fd77c

MD5 hash:

2ad0ffdd73e8ff35a745a8efa29ad2a4

SHA1 hash:

eba503093eb385dca6f917a37dbc1a364da30929

Detections:

win_pony_g0

win_pony_auto

Link:

https://www.unpac.me/results/7031b92d-2131-4345-9b55-0983f796cbb2/

SH256 hash:

3937d716a5202a159c512b4063880e1705d37e7ed3e11ade7581561c63d611a8

MD5 hash:

9aaf781f37ab43c0d10a968f6430932c

SHA1 hash:

eb89fc46a1f8fdc380060fdd598c7fca50e65f1c

Link:

https://www.unpac.me/results/7031b92d-2131-4345-9b55-0983f796cbb2/

SH256 hash:

85b7a2536c1f7a19eaff034e1316ed5a95ba43f2032fc7d57db73e4df361fc90

MD5 hash:

e5de4b49ca4eec2439f0018bda1e1890

SHA1 hash:

cbd5a64a3779d4b01ad8243f258f7d184354691c

Link:

https://www.unpac.me/results/7031b92d-2131-4345-9b55-0983f796cbb2/

SH256 hash:

cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7

MD5 hash:

71a894ff252c767b80d65ab1e54fda2b

SHA1 hash:

bcc4ff628585ca28b8b0f2c30e63049b910d4d49

Link:

https://www.unpac.me/results/7031b92d-2131-4345-9b55-0983f796cbb2/

SH256 hash:

9a1866277075324e5408e0eb2919f0a8929879169e42ce2deb1dbc272b0b009f

MD5 hash:

08ad2ec6f88872e01c608f0ad73025ae

SHA1 hash:

1f4f03681a249f3221fbc78258aa4d5b1c1dfe5f

Link:

https://www.unpac.me/results/7031b92d-2131-4345-9b55-0983f796cbb2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9a1866277075324e5408e0eb2919f0a8929879169e42ce2deb1dbc272b0b009f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Fareit Create hunting rule
Author:	kevoreilly
Description:	Fareit Payload

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_pony_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.pony.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/190448/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample