MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4923677e96515d7fc80fad3a4d602650b5b2c5159bd0a1a49ab54b77c80e0d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4923677e96515d7fc80fad3a4d602650b5b2c5159bd0a1a49ab54b77c80e0d5
SHA3-384 hash: 17bcae16e2230641a423acd4edcba4b52cbb68dce6936bacf551796293d491076e9d224cc76a0b5e7212d0fbbdcfbcd0
SHA1 hash: 9e5086f58b06aa94a29ffb2c92f7c803f508935a
MD5 hash: 8ab4319a009e5a381ea2c88421632ea4
humanhash: echo-equal-tango-six
File name:Dlya sverki 13.07.2020.exe
Download: download sample
Signature Pony
Create hunting rule
File size:1'475'600 bytes
First seen:2020-08-13 10:43:18 UTC
Last seen:2020-08-13 12:24:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 778a0555c71ecafbca88ff303e0b936c (1 x Pony)
ssdeep 3072:6oRywL88yl0+otU7wnvRHlHPG3FCEN2/UGGpXOOfYKF3:6S8TlNQJn5HlH+3vI/loeOfBt
Threatray 112 similar samples on MalwareBazaar
TLSH 976580C3B45B2C5CFFDE023BB8EACA26A1D25C9609432901F1713F55BF221B553C5A9A
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Malspam distributing Pony:

HELO: neruo.nerungri.edu.ru
Sending IP: 79.133.68.53
From: Елена Симонова <gym@nerungri.edu.ru>
Reply-To: Елена Симонова <tarasovaek69@rambler.ru>
Attachment: Dlya sverki 13.07.2020.001 (contains "Dlya sverki 13.07.2020.exe")

Pony C2:
http://67.205.148.45/viewtopic.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
603
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45096/
Detection(s):
SecuriteInfo.com.Trojan.SpyBot.699.14005.10352.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Creating a file in the %temp% directory
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Sending an HTTP GET request to an infection source
Brute forcing passwords of local accounts
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/425882
Signature
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a4923677e96515d7fc80fad3a4d602650b5b2c5159bd0a1a49ab54b77c80e0d5/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-13 08:32:52 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=usjdm57jmuk5p7ea7lj2jvqcmufvwlcrlg6qugsjvnklo7ea4dkq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
4188d06ab94a8883fd4864b3690168649de6f1ae86d8b2c6a2778f7f46a60e02
Pony
4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32
Pony
785fb441663997067c0126c5574423d01242220e107db86c847ad8ea30752729
Pony
97ba4ad5b02bc8812864b06941778432faf60a667c0279c0c7c092b76e91b9cc
Pony
9be6e55ff75a4a8571940411678d521216fc0bd61cbe9d049e10dfd41bdd73fc
Pony
b59427205b88d9cd8b38bf4c99f902d569085b708a9eb3c6c8b6d8a8ea7a361d
Pony
c41afec81d70066b62ddbfae7e4ec8aca49d0cc3618241aa2605d35d3250bd98
Pony
d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff
Pony
e3d26ec0477d9578aaa7762c27514f91c1c9503935c9d1f48cf34698de2ac9cf
Pony
eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca
Pony
+ 102 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
rat spyware stealer family:pony discovery
Link:
https://tria.ge/reports/200813-7ez2gr1bw2/
Behaviour
Runs ping.exe
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses cryptocurrency wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Qakbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4923677e96515d7fc80fad3a4d602650b5b2c5159bd0a1a49ab54b77c80e0d5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Pony

rar d008c984b764b8434a318537498fed636330534b0fc49caf8206e752f99a588b

Pony

Executable exe a4923677e96515d7fc80fad3a4d602650b5b2c5159bd0a1a49ab54b77c80e0d5

(this sample)

  
Dropped by
MD5 274126369a33d41ae314e8a9303c8d5a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45096/
  
Dropped by
SHA256 d008c984b764b8434a318537498fed636330534b0fc49caf8206e752f99a588b

Comments