MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac71a4c514e59461dc4987a54704e1f1d7e9dced054acfca7758d55cc8e4964f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry
Vendor detections: 13

SHA256 hash: ac71a4c514e59461dc4987a54704e1f1d7e9dced054acfca7758d55cc8e4964f
SHA3-384 hash: cf51dcdb049ab24d472050c1fd98d4f1cd09459e8569420ad963a80eedd9d87d6279aaedb68b4f449c882eb339c6aa61
SHA1 hash: 62df5ab21fdce64587af336036b7415842ee8eaa
MD5 hash: 7da0c504b12418fb839d87140818db86
humanhash: red-two-finch-georgia
File name: AC71A4C514E59461DC4987A54704E1F1D7E9DCED054AC.exe
Download: download sample
Signature: Pony
File size: 135'168 bytes
First seen: 2021-10-28 16:07:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: cf41296a7498c98b2bfee3a2379f63b9 (1 x Pony)
ssdeep: 3072:oRBayq0GDxP0CDqM3N7SO9iESEXrm0PloBr/Aoeof1X:6BaypGPqgN7TIESCm0PloxT
Threatray: 352 similar samples on MalwareBazaar
TLSH: T1A9D34A82EADB775AE882C5FC19B9A78DF11D9F372F248967DD8007085339A45ED201AC
Reporter: abuse_ch
Tags: exe Pony


abuse_ch
Pony C2:
http://www.hummingbirdhamlet.com/wp-content/upgrade/upgrade.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://www.hummingbirdhamlet.com/wp-content/upgrade/upgrade.php | https://threatfox.abuse.ch/ioc/239320/
http://yourdentalfirst.com/wp-includes/SimplePie/SimplePie.php | https://threatfox.abuse.ch/ioc/239321/
http://www.realdealutah.com/wp-contents/themes/themes.php | https://threatfox.abuse.ch/ioc/239322/
http://aycenergy.com/wp/wp-admin/navigation.php | https://threatfox.abuse.ch/ioc/239323/
http://zoemeiresort.com/wp-includes/pomo/pomo.php | https://threatfox.abuse.ch/ioc/239324/
http://www.iconicglam.com/wp-admin/network/extension.php | https://threatfox.abuse.ch/ioc/239325/

Intelligence

File Origin
# of uploads: 1
# of downloads: 658
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Reading critical registry keys
  DNS request
  Connection attempt
  Sending an HTTP POST request
  Stealing user critical data

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 64 / 100
Signature:
  Antivirus / Scanner detection for submitted sample
  Multi AV Scanner detection for submitted file
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour:
Behavior Graph:

Result
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2019-04-22 05:56:54 UTC
AV detection: 25 of 28 (89.29%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:pony collection discovery rat spyware stealer suricata
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of UnmapMainImage
  outlook_win_path
  Accesses Microsoft Outlook accounts
  Accesses Microsoft Outlook profiles
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system
  Reads data files stored by FTP clients
  Reads user/profile data of web browsers
  suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
Pony,Fareit

Malware Config
C2 Extraction:

Unpacked files
SHA256 hash: aa35117ecf30ea1d5690a2d9d7e545d60ab794c0b29c1ca6b0dc8cba874e750c
MD5 hash: b875f79a326e4fcdff05b2e5642227ad
SHA1 hash: 4b1cb2c3c4e995ae92a17bce48363b4dcf6943c1
Detections: win_pony_g0 win_pony_auto

SHA256 hash: ac71a4c514e59461dc4987a54704e1f1d7e9dced054acfca7758d55cc8e4964f
MD5 hash: 7da0c504b12418fb839d87140818db86
SHA1 hash: 62df5ab21fdce64587af336036b7415842ee8eaa

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments