MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b59427205b88d9cd8b38bf4c99f902d569085b708a9eb3c6c8b6d8a8ea7a361d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b59427205b88d9cd8b38bf4c99f902d569085b708a9eb3c6c8b6d8a8ea7a361d
SHA3-384 hash: fc0826a641d1ff22f09839a19e0d55a3afba9263364e3cbe60c0ba4ebcf82894bd226203ed3e557326c82f8ae765205b
SHA1 hash: ccb0788634c7809cf787af2e855f5bb29d2a2534
MD5 hash: 2a4382cfda9b990027750d254ea17cc3
humanhash: triple-winter-comet-quebec
File name:Paket dokumentov konec iyulya.exe
Download: download sample
Signature Pony
Create hunting rule
File size:1'118'224 bytes
First seen:2020-07-21 10:46:40 UTC
Last seen:2020-07-21 11:44:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7b1ee636b23388a235e40871dd4aa161 (1 x Pony)
ssdeep 3072:3/bW/Yx00yuhUb+SI/ZlhfZYG1R+LZUebDldVY3IQa+bwRUiUSPBjEH:vau00yrqSI/Zfq2db7iUSy
Threatray 142 similar samples on MalwareBazaar
TLSH 8435D345A2B7CF29FD65B733966172211E2FFCE181A4398D25443B64ED3AA004F31BE6
Reporter abuse_ch
Tags:Downloader.Pony exe Pony


Avatar
abuse_ch
Malspam distributing Downloader.Pony:

HELO: smtp.ugramail.ru
Sending IP: 217.20.80.59
From: Жанна Шарапова <analitika@ugramail.ru>
Reply-To: Жанна Шарапова <tarasovaek65@rambler.ru>
Subject: =?utf-8?B?0JfQsNC60YDRi9Cy0LDRjtGJ0LjQtSDQtNC+0Lot0YLR?==?utf-8?B?iyAyMS4wNw==?=
Attachment: Paket dokumentov konec iyulya.001 (contains "Paket dokumentov konec iyulya.exe")

Pony C2:
http://139.180.165.173/p/z05857687.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
437
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/30072/
Detection(s):
SecuriteInfo.com.Mal.EncPk-APV.30315.471.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Mal.EncPk-APV.23945.2699.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b59427205b88d9cd8b38bf4c99f902d569085b708a9eb3c6c8b6d8a8ea7a361d/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 10:48:08 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wwkcoic3rdm43czyx5gjt6ic2vuqqw3qrkplhrwiw3mkr2t2gyoq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00
Pony
4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32
Pony
785fb441663997067c0126c5574423d01242220e107db86c847ad8ea30752729
Pony
97ba4ad5b02bc8812864b06941778432faf60a667c0279c0c7c092b76e91b9cc
Pony
9be6e55ff75a4a8571940411678d521216fc0bd61cbe9d049e10dfd41bdd73fc
Pony
a4923677e96515d7fc80fad3a4d602650b5b2c5159bd0a1a49ab54b77c80e0d5
Pony
c41afec81d70066b62ddbfae7e4ec8aca49d0cc3618241aa2605d35d3250bd98
Pony
d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff
Pony
eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca
Pony
fb30601d90268e316d5bbbe9e78bc1ad8acb4fe262d66b0a3f403425ad78f15b
Pony
+ 132 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
rat spyware stealer family:pony discovery
Link:
https://tria.ge/reports/200721-gavdp84eza/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Script User-Agent
Modifies system certificate store
Accesses cryptocurrency wallets, possible credential harvesting
Checks installed software on the system
Reads data files stored by FTP clients
Deletes itself
Reads user/profile data of web browsers
Pony,Fareit
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b59427205b88d9cd8b38bf4c99f902d569085b708a9eb3c6c8b6d8a8ea7a361d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

b5398425056a88da0725af533a94f05d

Pony

Executable exe b59427205b88d9cd8b38bf4c99f902d569085b708a9eb3c6c8b6d8a8ea7a361d

(this sample)

  
Dropped by
MD5 b5398425056a88da0725af533a94f05d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30072/

Comments