MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1ea6e27f13d729c388d0cf8a22f07407bf52290d0b68f4d4da1637d3a2b8eea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1ea6e27f13d729c388d0cf8a22f07407bf52290d0b68f4d4da1637d3a2b8eea
SHA3-384 hash: cad45231f94285c1ab6c18c6323bc6b7b6041a344596277112f3e3b229be45f30171698398567f9397489e3d43efd741
SHA1 hash: 9a2ec0abbde02b61d56990882ea6c43d833114b3
MD5 hash: 56921bed6e4dd3ba4064557d453e403e
humanhash: cardinal-minnesota-neptune-may
File name:512.dll
Download: download sample
Signature Pony
Create hunting rule
File size:375'808 bytes
First seen:2020-07-15 21:31:44 UTC
Last seen:2020-07-15 22:37:20 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 61168847faa2db02ccd55c68e9af89be (2 x Pony)
ssdeep 3072:zxRLnzLHwWTwM+2Msgp81p3NXjFcVoOLOWQkj1o6IKykpbtb25Ffi+9Qeq5:lRUewsS819twhQ01oMFh+9Q
Threatray 480 similar samples on MalwareBazaar
TLSH 1484E026EC2F8946CCAB777650762F43CAC09D3426C8060AD8D95479F64708FA93DBE3
Reporter James_inthe_box
Tags:dll Pony

Intelligence

File Origin
# of uploads :
2
# of downloads :
450
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Hancitor
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26248/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.58746.25547.15278.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Reading critical registry keys
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a service
Creating a file
Searching for the window
Connection attempt
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Brute forcing passwords of local accounts
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a1ea6e27f13d729c388d0cf8a22f07407bf52290d0b68f4d4da1637d3a2b8eea/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2020-07-15 21:31:27 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uhvg4j7rhvzjyoenbt4kelyhib57kiuq2c3i6tknufrx2orlr3va._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
emotet
Create hunting rule
Similar samples:
4188d06ab94a8883fd4864b3690168649de6f1ae86d8b2c6a2778f7f46a60e02
Pony
4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32
Pony
52a24d465b42683adfa19511061a7b6a3aa3ec87c375c8a710ec3983ddbe0431
Pony
9be6e55ff75a4a8571940411678d521216fc0bd61cbe9d049e10dfd41bdd73fc
Pony
bd6840cc208517847e130db0c847e715ba80a88e210e6383b37c1d0381877ee5
Pony
d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff
Pony
d277383b7a558d59181872c5436d2cf117daef8298004a937ffebddcbd6e956f
Pony
e3d26ec0477d9578aaa7762c27514f91c1c9503935c9d1f48cf34698de2ac9cf
Pony
e892e7f5b3919e1c3d92ee26e7b4313e753cad797e3397138a1ccef2b1289b1d
Pony
fa8e5817b7a1e2a8129b1c6df41ccc378b6e44372de4c27edba38d6a9d1d40d1
Pony
+ 470 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
spyware discovery rat stealer family:pony
Link:
https://tria.ge/reports/200715-wrfqa4r2zx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks installed software on the system
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Pony,Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:hancitor
Create hunting rule
Author:J from THL <j@techhelplist.com>
Description:Memory string yara for Hancitor
Rule name:pony
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify Pony
Rule name:win_hancitor_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_pony_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/26248/

Comments