MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd6840cc208517847e130db0c847e715ba80a88e210e6383b37c1d0381877ee5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Pony

Vendor detections: 8

Intelligence 8 IOCs YARA 8 File information Comments

SHA256 hash:	bd6840cc208517847e130db0c847e715ba80a88e210e6383b37c1d0381877ee5
SHA3-384 hash:	d19a66ff71acafdebeffc59b9b58305f0990c41437e2d046fb86a0ffeaa7d4cd5478361cbd1d39269b924513972d392c
SHA1 hash:	10b2f8667db53eaf1b85a209d9b80b834425167f
MD5 hash:	7e9c8822be0f73073ce2cc5ef5a13c96
humanhash:	kansas-pasta-stairway-four
File name:	434.dll
Download:	download sample
Signature	Pony Create hunting rule
File size:	375'808 bytes
First seen:	2020-07-13 16:54:21 UTC
Last seen:	2020-08-02 07:34:16 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	61168847faa2db02ccd55c68e9af89be (2 x Pony)
ssdeep	3072:fxRLnzLHwWTwM+2Msgp81p3NXjFcVoOLOWQkj1o6IKykpbtb25Ffi+9ceq5:ZRUewsS819twhQ01oMFh+9c
Threatray	525 similar samples on MalwareBazaar
TLSH	EA84E026EC2F8A46CCAB777650752F43CAC09D3526C8060AD8D95479F64708FA93DBE3
Reporter	James_inthe_box
Tags:	dll Pony

Intelligence

File Origin

# of uploads :

# of downloads :

460

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Hancitor

Link:

https://www.capesandbox.com/analysis/25480/

Detection(s):

SecuriteInfo.com.Mal.Cerber-AL.10171.29724.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

DNS request

Sending an HTTP GET request

Sending an HTTP POST request

Reading critical registry keys

Launching cmd.exe command interpreter

Creating a process with a hidden window

Launching a service

Creating a file

Searching for the window

Connection attempt

Creating a file in the %temp% directory

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Sending an HTTP GET request to an infection source

Brute forcing passwords of local accounts

Detection:

pony

Link:

https://mwdb.cert.pl/sample/bd6840cc208517847e130db0c847e715ba80a88e210e6383b37c1d0381877ee5/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-07-13 16:54:09 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xvuebtbaqulyi7qtbwymqr7hcw5ibkeoeehgha5tpqoqhamhp3sq._file

Verdict:

malicious

Label(s):

pony

gozi

emotet

Result

Malware family:

gozi_ifsb

Score:

10/10

Tags:

evasion spyware trojan discovery banker family:ursnif rat stealer family:pony family:gozi_ifsb

Link:

https://tria.ge/reports/200713-qhgl5exm1x/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of SendNotifyMessage

Checks whether UAC is enabled

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Drops file in System32 directory

Modifies system certificate store

Looks up external IP address via web service

Checks for installed software on the system

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Executes dropped EXE

Ursnif, Dreambot

Pony,Fareit

Gozi, Gozi IFSB

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	hancitor Create hunting rule
Author:	J from THL <j@techhelplist.com>
Description:	Memory string yara for Hancitor

Rule name:	pony Create hunting rule
Author:	Brian Wallace @botnet_hunter
Description:	Identify Pony

Rule name:	Ursnif Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory
Reference:	internal research

Rule name:	win_hancitor_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_hancitor_g2 Create hunting rule
Author:	mak

Rule name:	win_isfb_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_pony_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/25480/

URLhaus

https://urlhaus.abuse.ch/url/412511/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample