MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a00a6fe53b7e8d3f5ab9d8b8ab2119c9d3fcbe2b41a1fad6b29ed37e493a2ba0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a00a6fe53b7e8d3f5ab9d8b8ab2119c9d3fcbe2b41a1fad6b29ed37e493a2ba0
SHA3-384 hash: 8860c6c1651829eba260049f68db1d84100b16daa80cf5e66a711e330343cf6c3c73f22b93f9519d0617a25940e745fd
SHA1 hash: 01728691e041dfc0b2e757394b40438e561ba7b2
MD5 hash: 3ddac7136e99d1aa4c3cdf4869ea4656
humanhash: sweet-tango-lamp-lima
File name:swift_7436623.exe
Download: download sample
Signature Pony
Create hunting rule
File size:417'280 bytes
First seen:2020-10-14 16:35:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:musyw0gTTPrv4XQDwQr6MgfuZvDDTDMl3X8K/ipUmY8tRAgwjxqDBhDGw:mDZvPmQ8c6pf+DHDcnoKmYyRijxGbD
Threatray 115 similar samples on MalwareBazaar
TLSH 9194E025338A9F21F57D97B320A0522013FAA2C59727EB5E7F8853C91963F40B752E1B
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Malspam distributing Pony:

HELO: changhong.com
Sending IP: 95.211.208.25
From: sales <li1.zheng@changhong.com>
Subject: RE: Payment contract invoice
Attachment: swift_7436623.iso (contains "swift_7436623.exe")

Loki C2:
http://tradesgroups.com/rex/panel/gate.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
462
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70960/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.1932.29014.21430.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
Lokibot Pony
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/491532
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Detected Lokibot Info Stealer
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Pony
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a00a6fe53b7e8d3f5ab9d8b8ab2119c9d3fcbe2b41a1fad6b29ed37e493a2ba0/
Threat name:
ByteCode-MSIL.Spyware.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 16:16:38 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uafg7zj3p2gt6wvz3c4kwiizzhj7zprligq7vvvst3jx4sj2foqa._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
3304692b98947be42789e37a03aa03804b66df6235cc20d8611d7aa42c27c7aa
Pony
40f51d4232f6412e60e95d7a20ea4dd8167434871cae87f1a07f7325feb9c6ca
Pony
46f8fc3fce1ea9a75ddf3756a7bcdd1fea6b5d86717dfef472a4177d4bb8ab8e
Pony
6c2fa9a9e49c002d659c7da5b809d0762b9fea676d3ce785675460335fe59af7
Pony
87dc16528521b99284a5d7e466d1cd5047c3ca27caaa05a0ea6ccd11b63dd3b8
Pony
9c762a54ea7ec5d94ffe7f65206afe72200bd72bd7f7e8abbc0f96a01365a09d
Pony
be7cc3afa9779f63e5d661e96c4af347c30b10b349f9303bcb4f38e5f995d6a2
Pony
d1b6aaf16fc5e9ffbe13411dfbefe5c0c7dd222c727852da8fc9fb39a88ed2ae
Pony
d9f43f0b6e44588cc526f36493bbbec4b49da176395e4a55ff9373d573593077
Pony
f4e44a53a69291a3e254cc11fcf4dbe244f407cff4d919526a2532c65654ad89
Pony
+ 105 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
discovery rat spyware stealer family:pony evasion
Link:
https://tria.ge/reports/201014-pqj36r939e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Checks installed software on the system
Maps connected drives based on registry
Checks BIOS information in registry
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Pony,Fareit
Unpacked files
SH256 hash:
a00a6fe53b7e8d3f5ab9d8b8ab2119c9d3fcbe2b41a1fad6b29ed37e493a2ba0
MD5 hash:
3ddac7136e99d1aa4c3cdf4869ea4656
SHA1 hash:
01728691e041dfc0b2e757394b40438e561ba7b2
Link:
https://www.unpac.me/results/d013af1d-c6d1-4f05-bd0e-8a47b3067991/
SH256 hash:
97f0b7916d32e62e767a190e3ca1d51af9c1e7056511d4f184d76dce51f19e81
MD5 hash:
8fa175626e2f26fd307847581ade131f
SHA1 hash:
733161fde9d26028a0fc2363a09be56b045e8859
Link:
https://www.unpac.me/results/d013af1d-c6d1-4f05-bd0e-8a47b3067991/
SH256 hash:
86307b6a995b2a72f4ca0eb6eb08e86ba8fc06553394eee1fc0984c0115fe95e
MD5 hash:
154d4840cc903d21c7742605d4a00355
SHA1 hash:
75ec6c7f9601707647b4d97cb8e74a19080474e7
Detections:
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
Link:
https://www.unpac.me/results/d013af1d-c6d1-4f05-bd0e-8a47b3067991/
SH256 hash:
ece363cd81a4fefb1518bf0212a9315e1b16f9bd8b9a62297174fa460312e965
MD5 hash:
e75559ab27c527ae6cf6b1f4f05d698f
SHA1 hash:
d59c13022aacfed5ec822863ad8b424e1a634858
Link:
https://www.unpac.me/results/d013af1d-c6d1-4f05-bd0e-8a47b3067991/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/d013af1d-c6d1-4f05-bd0e-8a47b3067991/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a00a6fe53b7e8d3f5ab9d8b8ab2119c9d3fcbe2b41a1fad6b29ed37e493a2ba0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

iso dfc8bea365ff5d81ebdd46e4e453951b21f690c635f5040f8163568515694d2d

Pony

Executable exe a00a6fe53b7e8d3f5ab9d8b8ab2119c9d3fcbe2b41a1fad6b29ed37e493a2ba0

(this sample)

  
Dropped by
MD5 55393db0540b0362f77a8d0e98b86f1a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70960/
  
Dropped by
SHA256 dfc8bea365ff5d81ebdd46e4e453951b21f690c635f5040f8163568515694d2d

Comments