MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afdf78e26e10793941ceeec156433348f6b050d79f86e46b88f5755bc9c3d148. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Pony


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments

SHA256 hash: afdf78e26e10793941ceeec156433348f6b050d79f86e46b88f5755bc9c3d148
SHA3-384 hash: dea224da6908d76b4c21e9ff9ba85f60a63e1cefe5da685bf41a28758237df061f054732e834e559534e08a7a79c1f34
SHA1 hash: a887c69811cf126e17a3f4cf0c241daa65365be6
MD5 hash: aafff539597334410c592b28f4a521c7
humanhash: steak-solar-grey-saturn
File name:AFDF78E26E10793941CEEEC156433348F6B050D79F86E.exe
Download: download sample
Signature Pony
File size:237'568 bytes
First seen:2023-04-30 11:00:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 97f04e360350a96024827db89e6c2d32 (1 x Pony)
ssdeep 6144:WSZrtUbaNpKEHcqoh5Iwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww2VD3L:8eKE2h5RhTp
Threatray 20 similar samples on MalwareBazaar
TLSH T19834AE41ECD4E022D523D17E5E2B46E514E36C354F2EE7463222BADBF46ACC7A2ADD01
TrID 35.7% (.EXE) Win32 Executable (generic) (4505/5/1)
16.3% (.ICL) Windows Icons Library (generic) (2059/9)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.8% (.EXE) Generic Win/DOS Executable (2002/3)
15.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 34300005606f0d16 (1 x Pony)
Reporter abuse_ch
Tags:exe Pony


Avatar
abuse_ch
Pony C2:
http://185.145.129.36/v6/gate.php

Intelligence


File Origin
# of uploads :
1
# of downloads :
708
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0031.exe
Verdict:
No threats detected
Analysis date:
2023-04-23 01:04:11 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Result
Threat name:
Lokibot, Pony
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Lokibot Info Stealer
Detected unpacking (changes PE section rights)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Generic Dropper
Yara detected Pony
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 856626 Sample: AFDF78E26E10793941CEEEC1564... Startdate: 30/04/2023 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 8 other signatures 2->45 9 wscript.exe 1 2->9         started        11 AFDF78E26E10793941CEEEC156433348F6B050D79F86E.exe 3 2->11         started        process3 file4 15 filename.exe 9->15         started        33 C:\Users\user\AppData\...\filename.exe, PE32 11->33 dropped 53 Detected unpacking (changes PE section rights) 11->53 55 Detected Lokibot Info Stealer 11->55 57 Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code 11->57 59 Tries to steal Mail credentials (via file registry) 11->59 18 AFDF78E26E10793941CEEEC156433348F6B050D79F86E.exe 1 14 11->18         started        signatures5 process6 dnsIp7 61 Antivirus detection for dropped file 15->61 63 Multi AV Scanner detection for dropped file 15->63 65 Detected unpacking (changes PE section rights) 15->65 69 2 other signatures 15->69 21 filename.exe 14 15->21         started        35 myp0nysite.ru 18->35 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->67 25 cmd.exe 1 18->25         started        signatures8 process9 dnsIp10 37 myp0nysite.ru 21->37 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->47 49 Tries to harvest and steal ftp login credentials 21->49 51 Tries to harvest and steal browser information (history, passwords, etc) 21->51 27 cmd.exe 1 21->27         started        29 conhost.exe 25->29         started        signatures11 process12 process13 31 conhost.exe 27->31         started       
Threat name:
Win32.Infostealer.PonyStealer
Status:
Malicious
First seen:
2017-07-25 17:46:34 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
33 of 37 (89.19%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:pony collection discovery rat spyware stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks computer location settings
Deletes itself
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Pony,Fareit
Malware Config
C2 Extraction:
http://185.145.129.36/v6/gate.php
Unpacked files
SH256 hash:
afdf78e26e10793941ceeec156433348f6b050d79f86e46b88f5755bc9c3d148
MD5 hash:
aafff539597334410c592b28f4a521c7
SHA1 hash:
a887c69811cf126e17a3f4cf0c241daa65365be6
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments