MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7cdc8b7106b1a8e673bc7e9d0565e38e8e7c9d1200212da0e18f13fa86f4297. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 12

Intelligence 12 IOCs 3 YARA 5 File information Comments

SHA256 hash:	a7cdc8b7106b1a8e673bc7e9d0565e38e8e7c9d1200212da0e18f13fa86f4297
SHA3-384 hash:	02208b6a7ceefc4b831441c15315eadaf2bea348e309069967913ac623b09bb8eef85fb6b0c4ce60ca1d10f348c90a71
SHA1 hash:	9c6a3aeae79ea78c20b24c23330f8ef4b45ad32a
MD5 hash:	f76b2c2cbe6112811019146cd89f3543
humanhash:	wyoming-montana-yellow-skylark
File name:	A7CDC8B7106B1A8E673BC7E9D0565E38E8E7C9D120021.exe
Download:	download sample
Signature	Pony Create hunting rule
File size:	167'620 bytes
First seen:	2021-09-23 07:56:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7ed0d71376e55d58ab36dc7d3ffda898 (136 x GuLoader, 28 x RemcosRAT, 23 x AgentTesla)
ssdeep	3072:/sKWy9v17kwBD2YzIdfGpl06HeaXK41r8v4SXDplLJOXSVBs9ghs9okic6oI:Yy9v17kwzAGpl06HeMNUDLJOXmu4nca
Threatray	328 similar samples on MalwareBazaar
TLSH	T197F30241B3A3C95FF965057104769D764EA8BF6812233F0B23D03B6BAC725C3A95FA09
File icon (PE):
dhash icon	69ccd4d49696cc71 (22 x ValleyRAT, 13 x Adware.Adload, 8 x CoinMiner)
Reporter	abuse_ch
Tags:	exe Pony

abuse_ch

Pony C2:
http://ipieceofcake.com/wp-content/uploads/2016/04/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://ipieceofcake.com/wp-content/uploads/2016/04/gate.php	https://threatfox.abuse.ch/ioc/225621/
http://namakstan.xyz/wp-content/uploads/2016/06/gate.php	https://threatfox.abuse.ch/ioc/225622/
http://autoset.pro/wp-content/uploads/2016/06/gate.php	https://threatfox.abuse.ch/ioc/225623/

Intelligence

File Origin

# of uploads :

# of downloads :

552

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

A7CDC8B7106B1A8E673BC7E9D0565E38E8E7C9D120021.exe

Verdict:

Malicious activity

Analysis date:

2021-09-23 07:58:17 UTC

Tags:

trojan pony fareit stealer

Link:

https://app.any.run/tasks/f28c6ba4-5626-4e72-9774-b808e646cac9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

pony

Link:

https://www.capesandbox.com/analysis/190684/

Detection(s):

Win.Ransomware.Locky-7551634-0

Malware family:

Pony

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/132da90e-e1bd-46b6-8ca4-52005c7704f9

Result

Threat name:

Lokibot Fareit Pony

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/856268

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Detected Lokibot Info Stealer

Found C&C like URL pattern

Found malware configuration

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Fareit stealer

Yara detected Pony

Behaviour

Behavior Graph:

Download SVG

Detection:

pony

Link:

https://mwdb.cert.pl/sample/a7cdc8b7106b1a8e673bc7e9d0565e38e8e7c9d1200212da0e18f13fa86f4297/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2016-11-25 11:50:46 UTC

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=u7g4rnyqnmni4zz3y7u5avs6hduopsoreabbfwqoddyt7kdpiklq._file

Result

Malware family:

pony

Score:

10/10

Tags:

family:pony discovery rat spyware stealer suricata upx

Link:

https://tria.ge/reports/210923-js9mjaahcm/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

UPX packed file

Pony,Fareit

suricata: ET MALWARE Fareit/Pony Downloader Checkin 2

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

Malware Config

C2 Extraction:

http://ipieceofcake.com/wp-content/uploads/2016/04/gate.php
http://simaran.xyz/wp-content/uploads/2016/07/gate.php
http://mulleroil.trade/wp-content/uploads/2015/10/gate.php
http://namakstan.xyz/wp-content/uploads/2016/06/gate.php
http://autoset.pro/wp-content/uploads/2016/06/gate.php
http://blipportal.com/wp-content/uploads/2016/04/gate.php
http://shumaher.pro/wp-content/uploads/2016/06/gate.php
http://marketinggroup.pro/wp-content/uploads/2016/05/gate.php
http://whiteandbrown.ovh/wp-content/uploads/2016/03/gate.php
http://mariagerecruiting.com/wp-content/uploads/2016/05/gate.php

Unpacked files

SH256 hash:

b2c9ebeff63a878cfb06485953f3d58c0eb915c281ea44c5efb3b0314b5772ad

MD5 hash:

3c92757e7321cd666dac26830ff88b05

SHA1 hash:

c490a6c46dd5af5d6a4f7d1439d2692b875cd401

Detections:

win_pony_g0

win_pony_auto

Link:

https://www.unpac.me/results/801bead0-2a47-4e0d-9fa1-f12ed9e9ce53/

SH256 hash:

df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

MD5 hash:

ca332bb753b0775d5e806e236ddcec55

SHA1 hash:

f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

Link:

https://www.unpac.me/results/801bead0-2a47-4e0d-9fa1-f12ed9e9ce53/

SH256 hash:

a7cdc8b7106b1a8e673bc7e9d0565e38e8e7c9d1200212da0e18f13fa86f4297

MD5 hash:

f76b2c2cbe6112811019146cd89f3543

SHA1 hash:

9c6a3aeae79ea78c20b24c23330f8ef4b45ad32a

Link:

https://www.unpac.me/results/801bead0-2a47-4e0d-9fa1-f12ed9e9ce53/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/a7cdc8b7106b1a8e673bc7e9d0565e38e8e7c9d1200212da0e18f13fa86f4297

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Fareit Create hunting rule
Author:	kevoreilly
Description:	Fareit Payload

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	win_pony_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.pony.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/190684/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample