MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5d4330129d989156cb6df8fc9a95e1a45c4d57b8852cf5f720c80a0a6a4935f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Pony


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5d4330129d989156cb6df8fc9a95e1a45c4d57b8852cf5f720c80a0a6a4935f
SHA3-384 hash: 9d80d71a2ebe93222a064ccad64e267ac4c5c6d5e3a0c3765139484f907ea07e36623a3c8417e081c723e7fcd116d2fb
SHA1 hash: f2653fe0c33d2704647c30e1ffe285c67ecd6e66
MD5 hash: b85a427b9c8d95d8d7387ca53abc45f0
humanhash: enemy-pennsylvania-ink-mockingbird
File name:b5d4330129d989156cb6df8fc9a95e1a45c4d57b8852cf5f720c80a0a6a4935f
Download: download sample
Signature Pony
Create hunting rule
File size:719'274 bytes
First seen:2023-07-07 11:11:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 12288:RquErHF6xC9D6DmR1J98w4oknqOKw59XxYRcjnn+ClOq60XDv8OOTHiBHi:Url6kD68JmloO5TYI1lOq6sb8hTHAi
Threatray 6 similar samples on MalwareBazaar
TLSH T1A8E4DF563697AC09FCACBA310DA69560C860ED717864CEBA61B4FB3E59332049F3171F
File icon (PE):PE icon
dhash icon f9f1c0c8f123e6e6 (9 x Pony)
Reporter adrian__luca
Tags:exe Pony

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
pony
Create hunting rule
ID:
1
File name:
b5d4330129d989156cb6df8fc9a95e1a45c4d57b8852cf5f720c80a0a6a4935f
Verdict:
Malicious activity
Analysis date:
2023-07-07 11:10:53 UTC
Tags:
fareit pony trojan stealer
Link:
https://app.any.run/tasks/ae135df6-906b-4d9a-b716-1053b0b47ca7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Fareit
Create hunting rule
Link:
https://www.capesandbox.com/analysis/410500/
Detection(s):
Win.Trojan.Autoit-9946827-0
Create hunting rule

Win.Malware.Azorult-6971822-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Launching a process
Сreating synchronization primitives
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% directory
Stealing user critical data
Enabling autorun
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Brute forcing passwords of local accounts
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64a7f3028583eaadb34f665a/reports/7aea77c9-9750-4ad7-adb0-e4e1c4ea98c1/overview
Verdict:
Malicious
Labled as:
Trojan.AutoIT.Generic
Link:
https://www.hybrid-analysis.com/sample/b5d4330129d989156cb6df8fc9a95e1a45c4d57b8852cf5f720c80a0a6a4935f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6579dfb7-c9df-4a56-8f16-da9927023322
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b5d4330129d989156cb6df8fc9a95e1a45c4d57b8852cf5f720c80a0a6a4935f/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-18 23:00:33 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
29 of 38 (76.32%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxkdgajj3gerk3fw36h4tkk6djc4jvl3rbjm6x3sbsakbjvesnpq._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
112be48ba85ddaefc4aa6397e8a1728693c62231749dc3ce98af586283fc53e2
Pony
a10a1ba5f4445a910d14fd72af43f010c503dd08e31ac2c1a84f15e568455115
Pony
d8625f328129d3591d0b6f88fe62ec6ab38248a0b56e2a260eef04b6c414f42b
Pony
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:pony collection discovery rat spyware stealer upx
Link:
https://tria.ge/reports/230707-natwkshe7w/
Behaviour
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
AutoIT Executable
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks computer location settings
Deletes itself
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Pony,Fareit
Malware Config
C2 Extraction:
http://185.79.156.18/bit/03/gate.php
Unpacked files
SH256 hash:
1a3e037affe1ad6c887bb5aa7806269aa1d4d2fe0754bf6c89d04354e3cb2e65
MD5 hash:
6c0c3b11cdd1bc1c23e75cb684d8baba
SHA1 hash:
27e838d1431bc06a8185b461fc6d4e838a6d1567
Detections:
win_pony_auto
Create hunting rule
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
win_pony_g0
Create hunting rule
Link:
https://www.unpac.me/results/84d0b575-a636-49a8-b6a7-dae68f2f253c/
Parent samples :
e80b1723280023b1125b739fcbc94b46da10a4c702c39ca419189d052700d132
7c4e0b95c73cc6c75ad1c74bc4bb7ea27444015c9934a000cf183eb5d4948a3b
71e95791dbf20e5b43bb75b1d40de9fe8cc56db5c08f8933f8bc7033765bcb33
359085ce4ec341aac7c0d129418e257a0e570f058855a0ddf81a3bbc70bdbe0d
399ff9fc9b00cd465bf4ebe51c05b2252efd5631afa01d90543aa3ee68e48832
c82b062d79bbce1df07ed3dfe3d72faf33edd98a883f36344cc8cd4da9ffa36b
d53dd7d82baec5078999c4aa1d81e2cdb0f137f6950030070a99736ff757a7c0
395c6151624f73b39fdfd282534279878b433efb964bcc15cad2e4f818d89eb8
b5d4330129d989156cb6df8fc9a95e1a45c4d57b8852cf5f720c80a0a6a4935f
SH256 hash:
d2ee7080b56e606f467cd78b9096ba7a2ba35559fa1137a5dd1e9202e848724d
MD5 hash:
418a028bc825b6c5edd154b9d357c53f
SHA1 hash:
3c5b046a4263a714e72d06fcf4f85989541a11d5
Link:
https://www.unpac.me/results/84d0b575-a636-49a8-b6a7-dae68f2f253c/
SH256 hash:
1a3e037affe1ad6c887bb5aa7806269aa1d4d2fe0754bf6c89d04354e3cb2e65
MD5 hash:
6c0c3b11cdd1bc1c23e75cb684d8baba
SHA1 hash:
27e838d1431bc06a8185b461fc6d4e838a6d1567
Detections:
win_pony_auto
Create hunting rule
win_pony_g0
Create hunting rule
win_pony_auto
Create hunting rule
win_pony_g0
Create hunting rule
Link:
https://www.unpac.me/results/84d0b575-a636-49a8-b6a7-dae68f2f253c/
Parent samples :
e80b1723280023b1125b739fcbc94b46da10a4c702c39ca419189d052700d132
7c4e0b95c73cc6c75ad1c74bc4bb7ea27444015c9934a000cf183eb5d4948a3b
71e95791dbf20e5b43bb75b1d40de9fe8cc56db5c08f8933f8bc7033765bcb33
359085ce4ec341aac7c0d129418e257a0e570f058855a0ddf81a3bbc70bdbe0d
399ff9fc9b00cd465bf4ebe51c05b2252efd5631afa01d90543aa3ee68e48832
c82b062d79bbce1df07ed3dfe3d72faf33edd98a883f36344cc8cd4da9ffa36b
d53dd7d82baec5078999c4aa1d81e2cdb0f137f6950030070a99736ff757a7c0
395c6151624f73b39fdfd282534279878b433efb964bcc15cad2e4f818d89eb8
b5d4330129d989156cb6df8fc9a95e1a45c4d57b8852cf5f720c80a0a6a4935f
SH256 hash:
d2ee7080b56e606f467cd78b9096ba7a2ba35559fa1137a5dd1e9202e848724d
MD5 hash:
418a028bc825b6c5edd154b9d357c53f
SHA1 hash:
3c5b046a4263a714e72d06fcf4f85989541a11d5
Link:
https://www.unpac.me/results/84d0b575-a636-49a8-b6a7-dae68f2f253c/
SH256 hash:
b5d4330129d989156cb6df8fc9a95e1a45c4d57b8852cf5f720c80a0a6a4935f
MD5 hash:
b85a427b9c8d95d8d7387ca53abc45f0
SHA1 hash:
f2653fe0c33d2704647c30e1ffe285c67ecd6e66
Link:
https://www.unpac.me/results/84d0b575-a636-49a8-b6a7-dae68f2f253c/
Malware family:
Pony
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5d4330129d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5d4330129d989156cb6df8fc9a95e1a45c4d57b8852cf5f720c80a0a6a4935f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Fareit
Create hunting rule
Author:kevoreilly
Description:Fareit Payload
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:pony
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify Pony
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:Windows_Trojan_Pony_d5516fe8
Create hunting rule
Author:Elastic Security
Rule name:win_pony_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.pony.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/410500/

Comments